How to Pass a Microsoft PPTP VPN to a Microsoft Server, through a CISCO Router or PIX.

Background

Bob Lin's ChicagoTech website is fantastic; it is the best networking site we've seen. Bob's site is to the point and easy to search. His VPN page and some other related pages:

Microsoft's PPTP Page

MSDN's PPTP Page

The SANS page

Cisco's Help Page

Solution

The trick is to pass all of the VPN traffic through the firewall without opening anything else. PPTP itself needs TCP 1723 (the control channel) and GRE (IP protocol 47, the tunnel; it has no port numbers). UDP 500 is IKE, which is used by L2TP/IPsec rather than by PPTP, so forward it only if your Windows clients are set to L2TP/IPsec or to the "Automatic" VPN type, which tries IKE first. Unfortunately, the correct Cisco CLI commands aren't easily available.

This is ONE way to pass Microsoft's VPN to a Microsoft Server through a Cisco router. There are many other options. The Microsoft PPTP implementation can be passed through the firewall with access lists applied inbound on the outside interface plus static NAT (port forwarding) commands. Because the inbound access list is evaluated before inside-to-outside NAT is reversed, its destination is the router's public address, not the server's private address.

access-list 101 permit tcp any host Router.Public.IP.ADD.RESS eq 1723
access-list 101 permit gre any host Router.Public.IP.ADD.RESS
access-list 101 permit udp any host Router.Public.IP.ADD.RESS eq 500
!
ip nat inside source static tcp MY.SER.VER.IP 1723 interface FastEthernet4 1723
ip nat inside source static udp MY.SER.VER.IP 500 interface FastEthernet4 500
 

With fake addresses, the lines look like this.

access-list 101 permit tcp any host 4.2.2.2 eq 1723
access-list 101 permit gre any host 4.2.2.2
access-list 101 permit udp any host 4.2.2.2 eq 500
!
ip nat inside source static tcp 192.168.1.254 1723 interface FastEthernet4 1723
ip nat inside source static udp 192.168.1.254 500 interface FastEthernet4 500
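The lines above are the essential ones, but on their own they are not a working configuration: the access list has to be applied to an interface, outbound traffic needs its own PAT statement, and the implicit deny at the end of access-list 101 will also drop replies to sessions opened from the inside. The following is an added, complete IOS example (not from the original page) that puts them together. It assumes FastEthernet4 is the outside interface with public address 4.2.2.2, Vlan1 is the inside LAN 192.168.1.0/24, and 192.168.1.254 is the Windows VPN server; interface names, the inside subnet, and the use of classic CBAC (ip inspect) are assumptions.

```cisco
! Added example: complete IOS configuration for the scenario on this page.
! Assumptions (not from the page): outside interface FastEthernet4 with
! public address 4.2.2.2, inside LAN 192.168.1.0/24 on Vlan1, Windows VPN
! server at 192.168.1.254, and an IOS release that has ip inspect (CBAC).
!
interface FastEthernet4
 description Outside (Internet)
 ip address 4.2.2.2 255.255.255.0
 ip nat outside
 ip access-group 101 in
 ip inspect OUTBOUND out
!
interface Vlan1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Inbound access list on the outside interface. It is evaluated BEFORE
! the inbound NAT translation, so the destination must be the router's
! public address, not the server's private address. Everything not
! listed is dropped; the explicit deny at the end only adds logging.
access-list 101 permit tcp any host 4.2.2.2 eq 1723
access-list 101 permit gre any host 4.2.2.2
access-list 101 permit udp any host 4.2.2.2 eq 500
access-list 101 deny ip any any log
!
! CBAC opens temporary holes for replies to sessions that were started
! from the inside; without this, access-list 101 blocks all return
! traffic for ordinary LAN users. If your IOS lacks ip inspect, use
! "access-list 101 permit tcp any any established" as a weaker fallback.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Outbound PAT for the LAN on the outside interface address.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
! Port forwards to the Windows server. TCP 1723 is the PPTP control
! channel. UDP 500 is IKE and is only needed if clients use L2TP/IPsec
! or the "Automatic" VPN type; leave it out for PPTP-only deployments.
ip nat inside source static tcp 192.168.1.254 1723 interface FastEthernet4 1723
ip nat inside source static udp 192.168.1.254 500 interface FastEthernet4 500
!
! GRE has no ports, so it cannot be forwarded with a static port mapping.
! The IOS PPTP NAT ALG builds the GRE translation from the call IDs it
! sees on the TCP 1723 control channel. If your IOS release lacks that
! ALG, the alternative is a one-to-one static NAT to a second public
! address, which needs no port list at all:
!   ip nat inside source static 192.168.1.254 4.2.2.3
```

To check it, bring up a client from outside and look at "show ip nat translations" (you should see the 1723 and, once the call is up, a GRE entry for 192.168.1.254) and "show access-lists 101" (the permit counters increment; hits on the final deny tell you what else is knocking). If the client connects on 1723 but then fails with a tunnel error, the GRE leg is the problem, which usually means the NAT ALG is not handling it and the one-to-one static NAT is needed.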

Note 0: A Cisco PIX may require the PPTP fixup, depending on your revision. The fixup inspects the TCP 1723 control channel and opens the matching GRE pinhole through PAT; without it the control connection typically succeeds but the tunnel never comes up. On PIX 6.x:

fixup protocol pptp 1723

On PIX 7.x and ASA the equivalent is inspect pptp in the global policy-map.

Note 1: A Cisco IPsec VPN (or Windows L2TP/IPsec) is more secure than Microsoft's PPTP VPN because it can require two levels of authentication: a group key or certificate to establish the tunnel, and then the user's own credentials. PPTP has only the user's MS-CHAPv2 password authentication, and the weaknesses of MS-CHAPv2 and MPPE are well documented, so PPTP is adequate only when managed with an adequate security policy (strong, unique passwords and a small set of VPN-enabled accounts). Microsoft's VPN is also easy to deploy because it is included in Windows XP, Vista, and Server 2003. You control access via the MS Server. No additional software is required.

Note 2: You have to choose between the router's own Cisco IPsec VPN (including IPsec over UDP, i.e. NAT-T) and a Windows VPN that uses IKE, because both use UDP 500. The static NAT above sends every inbound UDP 500 packet to the Windows Server, so the same router cannot also terminate IKE for Cisco VPN clients on that public address. (Plain PPTP does not use UDP 500; the conflict only exists when the UDP 500 forward is in place for L2TP/IPsec or "Automatic" Windows clients.)

Choose the technology that meets your requirements and secure it via best practices.

If you need both clients at the same router/server, the only practical option is to use Cisco's IPsec over TCP, which moves the Cisco client's IKE and ESP traffic off UDP 500 onto a TCP port (10000 by default) that you open in the access list.
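As an added example (not from the original page) of that coexistence, here are the lines that change: the UDP 500 forward to the Windows server stays, and the router's own VPN clients are switched to IPsec over TCP. It assumes the same addresses as above (4.2.2.2 public, 192.168.1.254 Windows server, outside interface FastEthernet4) and an Easy VPN server already configured on the router; the IOS and PIX command names are as I recall them for those platforms, so verify them against your release.

```cisco
! Added example, not from the page: running the router's Cisco VPN
! alongside UDP 500 forwarded to the Windows server. Assumes 4.2.2.2 is
! the public address, 192.168.1.254 the Windows server, FastEthernet4 the
! outside interface, and an Easy VPN server already configured.
!
! UDP 500 (IKE) is forwarded to the Windows server for L2TP/IPsec
! clients, so the router can no longer accept IKE on that port itself.
ip nat inside source static udp 192.168.1.254 500 interface FastEthernet4 500
!
! Cisco IOS: enable IPsec over TCP (cTCP) on port 10000, the Cisco VPN
! Client default. IKE and ESP are both carried inside this TCP session,
! so no UDP 500/4500 or ESP rules are needed for these clients.
crypto ctcp port 10000
!
! Open only that port in the inbound access list from the main example.
access-list 101 permit tcp any host 4.2.2.2 eq 10000
!
! PIX 6.x equivalent of the cTCP line:
!   isakmp ipsec-over-tcp port 10000
```

On the Cisco VPN Client, set the connection's transport to "IPSec over TCP" with port 10000; after it connects, "show crypto isakmp sa" on the router should show the peer, while Windows L2TP/IPsec clients continue to land on the server via the UDP 500 forward.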

Note 3: There are known issues with running multiple VPN clients (for example the Cisco VPN Client alongside the built-in Windows VPN client) on the same Windows machine.

 



 

 

JK Technologies

Newport News, VA  23602

757-291-5545

757-299-8205 FAX

Site last updated August 15, 2013
