Re: VPN Assistance
- From: Colin <Colin@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Jun 2008 22:38:00 -0700
Hi,
One other thing I forgot to mention is that depending on how many users, you could limit the access list statement to only allow the remote users' IP addresses if static (or ISP subnet if they all use the same ISP and use dynamic) instead of 'any'. This will expose port 1723 on the Pix to only these users instead of the whole world.
Regards Colin.
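Putting Colin's PPTP passthrough commands (quoted further down in this thread) together with the source-address restriction he describes above, as an added PIX 6.x configuration fragment that is not part of the original posts. The access-list name `mylist`, the server address 192.168.16.2 and the remote-user addresses are assumed or constructed; substitute your own.

```text
! PPTP inspection on TCP/1723. On PIX 6.x this also tracks the associated
! GRE (IP protocol 47) stream, so no separate GRE rule is needed.
fixup protocol pptp 1723

! Forward TCP/1723 arriving on the outside interface address to the SBS box
! (192.168.16.2 is the server address used in the thread; adjust as needed).
! This static must be in place before the access-group below.
static (inside,outside) tcp interface pptp 192.168.16.2 pptp netmask 255.255.255.255 0 0

! Weak form from the thread: exposes port 1723 to the whole Internet.
! access-list mylist permit tcp any interface outside eq pptp

! Tighter form: only the remote users' static addresses (constructed examples)...
access-list mylist permit tcp host 203.0.113.10 interface outside eq pptp
access-list mylist permit tcp host 203.0.113.11 interface outside eq pptp
! ...or their ISP's subnet when they all use the same ISP with dynamic addresses.
access-list mylist permit tcp 198.51.100.0 255.255.255.0 interface outside eq pptp

! Apply the list inbound on the outside interface.
access-group mylist in interface outside
```

Verify with `show access-list mylist` that hit counts rise only for the permitted sources, and keep Colin's caveat in mind: check the syntax against Cisco documentation for your PIX software version before applying it.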
"SteveB" wrote:
No firm date. Hopefully later this fall.
"Northwest Upgrades Plus" <andyn@xxxxxxxxxxxxxxxxxx(donotspam)> wrote in
message news:74D0D588-C5BA-48F9-A4DD-C1128FF6261B@xxxxxxxxxxxxxxxx
When is SBS 2008 scheduled for release?
--
Thanks for your help.
"Colin" wrote:
Hi,
Glad it's working - now try to convince the client that using the Cisco VPN client is more secure than using PPTP. SBS 2008 is 1 NIC only. There's a reason for that :)
Regards Colin.
"Northwest Upgrades Plus" wrote:
Thanks again for the help. I shut off the Cisco VPN and set the commands within the PIX. All is working now.
--
Thanks for your help.
"Colin" wrote:
Hi,
Yes, with 2 NIC's, you are not going to be able to use the Cisco IPSec VPN Client - shame. You'll need to use the SBS box as a PPTP server in this scenario. Unless of course you can pull a NIC out and use the Pix on its own? I would! Then, as I said before, you'll be able to use the Cisco client - much more secure.
The commands you need for the Pix to allow PPTP passthrough are:
fixup protocol pptp 1723
access-list mylist (or whatever you called your access list) permit tcp any interface outside eq pptp
You'll also need the corresponding static statement applied before your 'access-group' statement:
static (inside,outside) tcp interface pptp 192.168.16.2 pptp netmask 255.255.255.255 0 0
Again, I'm doing this from memory with 1/2 a bottle of red in it so if you have a SmartNet contract, do contact Cisco for verification before applying these commands to your Pix, I ain't taking the hit for a knackered network :)
Substitute correct IP's for your server and outside interface if required.
HTH.
Regards Colin.
"Northwest Upgrades Plus" wrote:
OK. Currently I have 2 NIC's on the system. 1 for the Internal and 1 for the External. So you are saying I do not need to use the Cisco VPN Wizard? That is where I think the confusion is on my part. With 2 NIC's then I am unable to just use the PIX for the VPN. Is that correct? I will contact Cisco to verify that the ports are correct. Thanks for the input.
--
Thanks for your help.
"Colin" wrote:
Hi,
How many NIC's in this SBS box? If you want the SBS box to be the PPTP VPN endpoint, then you need to enable PPTP passthrough on the Pix. You've got a statement in your Pix config that forwards port 443 and 4125 to the SBS box (for RWW). Add another statement with the same syntax, but for port 1723 (PPTP). There is no need to run the VPN wizard in the Pix PDM unless of course you want the Pix to be the VPN server? There is another command you need to enter on the Pix to pass through protocol 47 (GRE). For the life of me I can't remember this off the top of my head! Look at the 'Fixup' commands - you need to add it here - again, add another line with the same syntax, but replace the end parameter with 'pptp'.
Personally, if you have 1 NIC I'd use the Cisco VPN IPSec Client rather than the PPTP VPN provided by SBS, you'll have better security and running the VPN wizard in PDM is a piece of cake. You will also have XAuth - double authentication rather than relying on single domain credentials with the SBS PPTP VPN. As soon as the Cisco client initiates the VPN, your users will be prompted for a 2nd username/password combo (different to domain credentials) from the Pix local user database. HTH.
Regards Colin.
"Northwest Upgrades Plus" wrote:
I have a client that I am trying to set up VPN for. RWW works fine, and the Routing and Remote Access wizard has been run and is enabled. However, when I try to VPN I can not get through. I have a Cisco PIX 501 Firewall and have run the VPN wizard on that as well. I am a bit confused in that the Cisco router must have an IP range for DHCP entered. When I try to connect to the VPN from the internal network, I get Error 733, but if I select accept it connects. However, no such luck from outside. All I get is the 721 Error.
Please help if you can.
--
Thanks for your help.