RE: VPN Assistance
- From: Colin <Colin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Jun 2008 14:54:06 -0700
Hi,
Glad it's working - now try to convince the client that using the Cisco VPN
client is more secure than using PPTP. SBS 2008 is 1 NIC only. There's a
reason for that :)
Regards Colin.
"Northwest Upgrades Plus" wrote:
Thanks again for the help. I shut off the Cisco VPN and set the commands
within the PIX. All is working now.
--
Thanks for your help.
"Colin" wrote:
Hi,
Yes, with 2 NICs, you are not going to be able to use the Cisco IPSec VPN
Client - shame. You'll need to use the SBS box as a PPTP server in this
scenario. Unless of course you can pull a NIC out and use the Pix on its own?
I would! Then, as I said before, you'll be able to use the Cisco client -
much more secure.
The commands you need for the Pix to allow PPTP passthrough are:
fixup protocol pptp 1723
access-list mylist (or whatever you called your access list) permit tcp any interface outside eq pptp
You'll also need the corresponding static statement applied before your
'access-group' statement:
static (inside,outside) tcp interface pptp 192.168.16.2 pptp netmask 255.255.255.255 0 0
Again, I'm doing this from memory with 1/2 a bottle of red in it so if you
have a SmartNet contract, do contact Cisco for verification before applying
these commands to your Pix, I ain't taking the hit for a knackered network :)
Substitute correct IPs for your server and outside interface if required.
HTH.
Regards Colin.
"Northwest Upgrades Plus" wrote:
OK. Currently I have 2 NICs on the system. 1 for the Internal and 1 for the
External. So you are saying I do not need to use the Cisco VPN Wizard? That
is where I think the confusion is on my part. With 2 NICs then I am unable
to just use the PIX for the VPN. Is that correct? I will contact Cisco to
verify that the ports are correct. Thanks for the input.
--
Thanks for your help.
"Colin" wrote:
Hi,
How many NICs in this SBS box? If you want the SBS box to be the PPTP VPN
endpoint, then you need to enable PPTP passthrough on the Pix. You've got a
statement in your Pix config that forwards port 443 and 4125 to the SBS box
(for RWW). Add another statement with the same syntax, but for port 1723
(PPTP). There is no need to run the VPN wizard in the Pix PDM unless of
course you want the Pix to be the VPN server? There is another command you
need to enter on the Pix to pass through protocol 47 (GRE). For the life of
me I can't remember this off the top of my head! Look at the 'Fixup' commands
- you need to add it here - again, add another line with the same syntax, but
replace the end parameter with 'pptp'.
Personally, if you have 1 NIC I'd use the Cisco VPN IPSec Client rather than
the PPTP VPN provided by SBS, you'll have better security and running the VPN
wizard in PDM is a piece of cake. You will also have XAuth - double
authentication rather than relying on single domain credentials with the SBS
PPTP VPN. As soon as the Cisco client initiates the VPN, your users will be
prompted for a 2nd username/password combo, (different to domain credentials)
from the Pix local user database. HTH.
Regards Colin.
"Northwest Upgrades Plus" wrote:
I have a client that I am trying to set up VPN for. RWW works fine, and the
Routing and Remote Access wizard has been run and is enabled. However, when I
try to VPN I can not get through. I have a Cisco PIX 501 Firewall and have
run the VPN wizard on that as well. I am a bit confused in that the Cisco
router must have an IP range for DHCP entered. When I try to connect to the
VPN from the internal network, I get Error 733, but if I select accept it
connects. However, no such luck from outside. All I get is the 721 Error.
Please help if you can.
--
Thanks for your help.
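
The passthrough setup discussed in this thread needs three pieces at once: the PPTP fixup, a static for the PPTP port, and a permit in the access list that is actually applied to the outside interface. The following check is an added example, not part of the thread or any Cisco tool. It assumes a PIX 6.x-style config as text, and the sample config and the function name are constructed for illustration.

```python
import re

PPTP = {"pptp", "1723"}  # the PIX shows the port by name; accept the number too

def missing_pptp_passthrough(config):
    """Return which of the three passthrough pieces a PIX 6.x-style config lacks."""
    fixup = forwarded = False
    permitting_acls, bound_acl = set(), None
    for line in map(str.strip, config.splitlines()):
        if re.fullmatch(r"fixup protocol pptp 1723", line, re.I):
            fixup = True  # PPTP inspection, which the thread relies on to pass GRE
        m = re.match(r"static \(inside,outside\) tcp interface (\S+) \S+ (\S+) netmask", line, re.I)
        if m and m.group(1).lower() in PPTP and m.group(2).lower() in PPTP:
            forwarded = True
        m = re.fullmatch(r"access-list (\S+) permit tcp any interface outside eq (\S+)", line, re.I)
        if m and m.group(2).lower() in PPTP:
            permitting_acls.add(m.group(1))
        m = re.fullmatch(r"access-group (\S+) in interface outside", line, re.I)
        if m:
            bound_acl = m.group(1)  # only this ACL filters inbound traffic
    missing = []
    if not fixup:
        missing.append("fixup")
    if not forwarded:
        missing.append("static")
    if bound_acl not in permitting_acls:
        missing.append("acl")
    return missing

# Constructed sample: the thread's RWW forwards (443, 4125) plus the PPTP lines.
AFTER = """\
fixup protocol pptp 1723
access-list mylist permit tcp any interface outside eq https
access-list mylist permit tcp any interface outside eq 4125
access-list mylist permit tcp any interface outside eq pptp
static (inside,outside) tcp interface https 192.168.16.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 192.168.16.2 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.16.2 pptp netmask 255.255.255.255 0 0
access-group mylist in interface outside
"""
# The same config with every PPTP line removed (RWW forwards only).
BEFORE = "\n".join(l for l in AFTER.splitlines() if "pptp" not in l)
# Permit added to an ACL that is not the one applied to the outside interface.
WRONG_ACL = AFTER.replace("access-group mylist", "access-group outside_in")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("wrong acl", WRONG_ACL)):
        print(name, missing_pptp_passthrough(cfg) or "complete")
```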