PPTP & PIX Question

Hi, I have a range of static IPs as part of a /29 assigned from our ISP. I am using one of these IPs for VPN usage. The RRAS server is located in the DMZ on 192.168.1.12. This is what I am seeing in the PDM log:

pix(config)# sh pdm log | i 192.168.1.12

6|Feb 23 2007 11:32:53|302013: Built inbound TCP connection 20758708 for outside:144.138.106.93/1462 (144.138.106.93/1462) to dmz1:192.168.1.12/1723 (203.59.123.46/1723)
6|Feb 23 2007 11:32:53|106015: Deny TCP (no connection) from 192.168.1.12/1723 to 144.138.106.93/1462 flags SYN ACK on interface inside

I assume what is happening is that port 1723 is coming in on 203.59.123.46 and is being passed to the RRAS server on 192.168.1.12 on port 1723. I have an access list that says anything (0.0.0.0) from the outside coming in on any TCP port, pass it to 192.168.1.12 on port 1723.

Can anyone tell me where I am going wrong, and why it is trying to reference the inside i/f when I have not specified anything there?

cheers

Scott

Reply to
Scooty

Does the DMZ device have multiple interfaces? Or is your DMZ separated from your main LAN by way of a VLAN?

The log messages are consistent with the reply from the DMZ device -somehow- being routed to the inside interface. Is that "physically impossible" in your network, or is it just "logically impossible (assuming nothing has been misconfigured)"?

Reply to
Walter Roberson

Hi Walter, good question. The DMZ is a single interface on the PIX that connects to a 100Mb hub; this is where the proxy server lives, as well as the MailMarshal server and of course the RRAS server. The RRAS server has two interfaces, one in the DMZ and one in its own VLAN that connects back to the main Catalyst switch. The Catalyst switch is simply running RIP, as is the PIX. Here is the show route output; PEWVP01 is the RRAS server.

192.168.1.1 is the DMZ interface on the PIX.

pix# sh route
        outside 0.0.0.0 0.0.0.0 Gateway837 1 OTHER static
        inside VPNContivity 255.0.0.0 10.200.3.18 1 OTHER static
        dmz1 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
        dmz1 PEWMM01 255.255.255.255 192.168.1.1 1 OTHER static
        dmz1 PEWVP01 255.255.255.255 192.168.1.1 1 OTHER static
        dmz2 192.168.2.0 255.255.255.0 192.168.2.1 1 CONNECT static
        dmz3 192.168.3.0 255.255.255.0 192.168.3.1 1 CONNECT static
        dmz4 192.168.4.0 255.255.255.0 192.168.4.1 1 CONNECT static
        inside BalcattaLAN 255.255.255.0 192.168.26.1 1 OTHER static
        inside DataCentreLAN 255.255.255.0 192.168.100.37 1 CONNECT static
        inside ScoresbyLAN 255.255.255.0 192.168.200.1 2 OTHER static
        inside ErmingtonLAN 255.255.255.0 192.168.201.1 2 OTHER static
        inside UnderwoodLAN 255.255.255.0 192.168.202.1 1 OTHER static
        inside UnleyLAN 255.255.255.0 192.168.203.1 1 OTHER static
        inside howanrouter 255.255.255.0 192.168.100.1 1 OTHER static
        outside 203.59.123.40 255.255.255.248 203.59.123.42 1 CONNECT static

pix# sh rip
rip inside default version 2
rip dmz1 default version 2

Do you think it's the RIP that's doing it? And with that, would I be better off configuring RIP on the DMZ interface of the RRAS server?

Cheers, Scott

Reply to
Scooty
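The pattern Walter describes (a 302013 "Built inbound TCP connection" on dmz1 immediately followed by a 106015 "Deny TCP (no connection)" for the SYN/ACK on inside) can be checked mechanically against a PDM/syslog export and the PIX routing table. The script below is an added example written for this thread, not code from either poster: it correlates each 106015 deny with the connection it is the reply to, flags replies that showed up on a different interface than the one the connection was built on, and does a longest-prefix match over "show route" to show which interface the PIX itself expects that host on. The log lines and routing table embedded in it are constructed from the thread; the PIX "names" entries (Gateway837, PEWVP01 and the rest) are replaced with numeric addresses, of which only 192.168.1.12 for PEWVP01 is given in the thread and the default-gateway address is assumed.

```python
"""Correlate PIX 302013 (Built ... connection) with 106015 (Deny TCP, no
connection) messages and flag replies that arrived on a different interface
than the one the connection was built on. Added example for the thread above;
the sample log and routing table are constructed, not captured from the PIX."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input modelled on the thread. 192.168.1.12 (PEWVP01, the
# RRAS server) is from the thread; the gateway 203.59.123.41 is assumed.
PDM_LOG = """\
6|Feb 23 2007 11:32:53|302013: Built inbound TCP connection 20758708 for outside:144.138.106.93/1462 (144.138.106.93/1462) to dmz1:192.168.1.12/1723 (203.59.123.46/1723)
6|Feb 23 2007 11:32:53|106015: Deny TCP (no connection) from 192.168.1.12/1723 to 144.138.106.93/1462 flags SYN ACK on interface inside
6|Feb 23 2007 11:33:10|106015: Deny TCP (no connection) from 192.168.1.12/1723 to 144.138.106.93/1700 flags ACK on interface dmz1
"""

# "show route" columns: iface network mask gateway metric type source
SHOW_ROUTE = """\
outside 0.0.0.0 0.0.0.0 203.59.123.41 1 OTHER static
dmz1 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
dmz1 192.168.1.12 255.255.255.255 192.168.1.1 1 OTHER static
inside 192.168.26.0 255.255.255.0 192.168.26.1 1 OTHER static
outside 203.59.123.40 255.255.255.248 203.59.123.42 1 CONNECT static
"""

BUILT_RE = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<src_if>\w+)\s*:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+)\s*:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)")
DENY_RE = re.compile(
    r"106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\w+)")


def parse_routes(text):
    """Return [(network, interface)] from 'show route' style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        iface, net, mask = parts[0], parts[1], parts[2]
        routes.append((ip_network(f"{net}/{mask}", strict=False), iface))
    return routes


def route_interface(routes, host):
    """Longest-prefix match: the interface the PIX would use to reach host."""
    addr = ip_address(host)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def find_asymmetric_replies(log_text, route_text):
    """Denied replies whose ingress interface differs from the connection's."""
    routes = parse_routes(route_text)
    # (server, server port, client, client port) -> (conn id, server-side iface)
    conns = {}
    findings = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[(m["dst"], m["dport"], m["src"], m["sport"])] = (m["cid"], m["dst_if"])
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["sport"], m["dst"], m["dport"])
        if key not in conns:
            continue  # no matching build seen: stale or unrelated, not asymmetric
        cid, conn_if = conns[key]
        if m["iface"] != conn_if:
            findings.append({
                "conn_id": cid,
                "server": m["src"],
                "flags": m["flags"],
                "reply_seen_on": m["iface"],
                "conn_built_on": conn_if,
                "route_points_to": route_interface(routes, m["src"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(PDM_LOG, SHOW_ROUTE):
        print(f"conn {f['conn_id']}: {f['server']} replied ({f['flags']}) on "
              f"{f['reply_seen_on']}; connection built on {f['conn_built_on']}, "
              f"PIX routes that host via {f['route_points_to']}")
```

On the constructed input this reports the one connection from the thread: the SYN/ACK from 192.168.1.12 arrived on inside while the connection was built on dmz1 and the PIX's own /32 route for that host points at dmz1, so the PIX is not the device that chose the inside path. The third deny has no matching 302013 and is left alone. What the script cannot tell you is why the reply took that path; with a two-NIC RRAS box as described in the thread, the server's own routing table and default gateway are the next thing to check.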

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.