VPN with multiple Firewalls

Thought I'd ask this in here rather than the networking section.

Basically, we moved out of our old office into a new serviced office in the last couple of weeks. Before, we had:

net -- modem -- pix501 - internal network ( A simple setup )

We've been using a PPTP VPN without any problems, but since we've moved into the new office we are now having a problem. I'm not sure exactly what hardware they have, but we now have a translated address on the PIX outside interface instead of our old static public IP.

I've tested the PPTP VPN by plugging directly into the outside interface of the PIX with a static IP on my PC and it connects fine, so I know the code is still OK. When you dial in from the outside, it gets to the username/password authentication, gets stuck and gives you an error back.

My question is this: I've no experience of this type of firewall-to-firewall setup with VPNs; it's like the VPN response is getting lost in the translation.

Has anyone set up a Cisco PPTP VPN before with multiple firewalls?
 
Sounds like fun!

Is your managed office accommodation prepared to supply you with a public IP address translated to your allocated private address, and supply a firewall rule that permits incoming PPTP connections?

If not, I don't really see how you can proceed: you need to be able to map from outside -> inside! Also, I imagine you're translating on your PIX too? Double NAT and VPN doesn't usually go down all that well!

It would be better if they would just patch through a connection directly to the outside world, but I can understand why they might be hesitant to do so. Alternatively, depending on your bandwidth requirements, is there no way you could just have a line piped straight into your office? A DSL-enabled PSTN line, for example?
 
Thanks for the reply atomiser. I think we need to speak to them regarding a firewall rule on their firewall. We'd have to look into the line piped straight in; couldn't imagine that would be cheap! :)
 
You can't be the only occupant who requires remote access to their office network, so they must have some means of accommodating it. No doubt there will be a service charge though, the joys of managed accommodation! Are all your phones on internal extensions of their telephone switch, and do they just charge you for usage? Or do you have your own incoming lines? What are your bandwidth requirements?
 
Lol, as mentioned, this type of configuration gives you a world of pain.

PPTP VPNs use TCP 1723 (which is easily port forwarded), but they also use GRE, also known as protocol 47 or IP 47. Not many providers are able to forward this. You could always ask though, as they might be able to forward IP 47 or do PPTP passthrough.
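Since the thread turns on why TCP/1723 forwards easily while GRE does not, here is an added Python example (written for this page; it is not code from any poster, from Cisco, or from the office provider) that encodes and decodes the RFC 2637 "enhanced GRE" header PPTP's data channel uses and shows what a NAT device has to key on. The IP addresses, call IDs, PPP payload bytes and the rule list passed to `missing_for_pptp` are constructed for illustration; the header layout and constants are the ones RFC 2637 defines.

```python
import struct

# From the post: PPTP control channel is TCP/1723, data channel is GRE (IP protocol 47).
PPTP_CTRL_PORT = 1723
GRE_IP_PROTO = 47
# RFC 2637 "enhanced GRE" carries PPP frames with this protocol-type value.
PPP_IN_GRE_PROTO_TYPE = 0x880B

# Flag bits in the first two header bytes (C R K S s Recur | A Flags Ver).
FLAG_K = 0x20   # byte 0: key present (payload length + call ID)
FLAG_S = 0x10   # byte 0: sequence number present
FLAG_A = 0x80   # byte 1: acknowledgement number present
VERSION = 0x01  # byte 1 low 3 bits: version 1 = enhanced GRE


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Encode a PPTP data packet as it sits after the IP header: note there are no port fields."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = VERSION | (FLAG_A if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, PPP_IN_GRE_PROTO_TYPE, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def is_pptp_gre(packet):
    """True only for a version-1 GRE header carrying PPP with the key (call ID) field present."""
    if len(packet) < 8:
        return False
    b0, b1, proto_type = struct.unpack_from("!BBH", packet, 0)
    return (b1 & 0x07) == VERSION and proto_type == PPP_IN_GRE_PROTO_TYPE and bool(b0 & FLAG_K)


def parse_pptp_gre(packet):
    """Decode the enhanced GRE header into the fields a NAT would need to track a PPTP call."""
    if not is_pptp_gre(packet):
        raise ValueError("not an RFC 2637 PPTP GRE packet")
    b0, b1, _proto, length, call_id = struct.unpack_from("!BBHHH", packet, 0)
    offset = 8
    seq = ack = None
    if b0 & FLAG_S:
        seq = struct.unpack_from("!I", packet, offset)[0]
        offset += 4
    if b1 & FLAG_A:
        ack = struct.unpack_from("!I", packet, offset)[0]
        offset += 4
    payload = packet[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


def nat_flow_key(src_ip, dst_ip, packet):
    """A port-based NAT cannot distinguish GRE flows; a PPTP-aware one keys on the call ID."""
    fields = parse_pptp_gre(packet)
    return (GRE_IP_PROTO, src_ip, dst_ip, fields["call_id"])


def missing_for_pptp(allowed):
    """Given the (proto, value) rules a provider will forward, list what PPTP still lacks.

    `allowed` is a constructed list such as [("tcp", 1723), ("ip", 47)].
    """
    needs = {
        ("tcp", PPTP_CTRL_PORT): "tcp/1723 control channel",
        ("ip", GRE_IP_PROTO): "GRE (IP protocol 47) data channel",
    }
    have = set(allowed)
    return [desc for key, desc in needs.items() if key not in have]


if __name__ == "__main__":
    # Constructed sample: call ID 0x1234 carrying a tiny PPP LCP fragment, sequence number 7.
    pkt = build_pptp_gre(0x1234, b"\x21\x45\x00\x01", seq=7)
    print(parse_pptp_gre(pkt))
    print(nat_flow_key("10.0.0.5", "203.0.113.9", pkt))
    # A provider that only port-forwards TCP leaves the data channel unreachable.
    print(missing_for_pptp([("tcp", 1723)]))
```

The decoded header has a call ID but no source or destination port, which is the practical reason the post gives for TCP/1723 being easy and GRE being hard: a NAT that only rewrites TCP/UDP ports has nothing to map, so each NAT hop (the provider's and the PIX, in the double-NAT case) needs a PPTP-aware helper or a straight protocol-47 forward to one inside host.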
 
If PPTP is a no-go, perhaps move to OpenVPN. Once the initial configs are made (took me a few hours) it is really simple and causes no problems compared to PPTP (connecting via PPTP was always dodgy from places like Kuwait and China).
 
If PPTP is a no-go, perhaps move to OpenVPN. Once the initial configs are made (took me a few hours) it is really simple and causes no problems compared to PPTP (connecting via PPTP was always dodgy from places like Kuwait and China).

I might be being a dumbass here, but could you elaborate on the problems from Kuwait and China? I'm aware that there are restrictions in these countries; is this the problem? Would an SSL VPN be more appropriate? Sorry for the thread hijack.
 
We have a sales fella who was in China recently and he couldn't use the PPTP VPN (encrypted by RSA SecurID), so I can vouch for problems from China. Do they blanket-block GRE or something?
 