shaying110's blog
PIX PPTP Passthrough

2012-02-07 14:27:11 | Category: CISCO网络 (Cisco networking)

This document discusses the configuration required on the Cisco Secure PIX Firewall to allow a Point-to-Point Tunneling Protocol (PPTP) client to connect to a PPTP server through Network Address Translation (NAT).

Refer to Configuring the Cisco Secure PIX Firewall to Use PPTP in order to configure a security appliance to accept PPTP connections.

In order to attempt this configuration, you must have a working PPTP server and client before you involve the PIX.

The information in this document is based on these software versions:

Cisco PIX Firewall Versions 7.1(1), 6.3(1), 6.2(1), and 6.1(1)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

PPTP is described in RFC 2637. The protocol uses a TCP control connection on port 1723 and an extended form of Generic Routing Encapsulation (GRE, IP protocol 47) to carry the actual data (the PPP frames). The TCP connection is initiated by the client, followed by the GRE connection, which is initiated by the server.

Version 6.2 and Earlier Information

Because the PPTP connection is initiated as TCP on one port while the response arrives as GRE, the PIX Adaptive Security Algorithm (ASA) does not know that the two traffic flows are related. As a result, it is necessary to configure ACLs to allow the return GRE traffic into the PIX. PPTP through the PIX with NAT (one-to-one address mapping) works because the translation is keyed on the IP address alone. PAT, by contrast, relies on the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translations, and PPTP through the PIX with PAT does not work because there is no concept of ports in GRE.

Version 6.3 Information

The PPTP fixup feature in version 6.3 allows PPTP traffic to traverse the PIX when it is configured for PAT, and performs stateful PPTP packet inspection in the process. The fixup protocol pptp command inspects PPTP control packets and dynamically creates the GRE connections and translations needed to permit the PPTP data traffic. Specifically, the firewall inspects the PPTP version announcements and the outgoing call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected; further inspection of the TCP control channel is disabled if the version announced by either side is not Version 1. The outgoing call request and reply sequence is tracked, and connections and/or translations are allocated dynamically as necessary to permit the subsequent secondary GRE data traffic. The PPTP fixup feature must be enabled for PPTP traffic to be translated by PAT.
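The following Python model is an added example, not Cisco's fixup code, that shows what the inspection described above has to do with the bytes on the wire: parse the RFC 2637 control messages on TCP 1723, refuse to track anything once a side announces a version other than 1, learn the call IDs from the Outgoing-Call-Request/Reply exchange, and only then open "pinholes" for the enhanced-GRE packets that carry those call IDs. The control messages and GRE packet are constructed inline; the call IDs (1 and 7), the message builders and the inspector class are all assumed names for illustration.

```python
import struct

# Constants from RFC 2637 (control messages on TCP/1723, data in enhanced GRE)
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1                         # PPTP Message Type "control message"
SCCRQ, SCCRP, OCRQ, OCRP = 1, 2, 7, 8    # Start-Control-Connection / Outgoing-Call req/reply
PPTP_VERSION_1 = 0x0100                  # protocol version "1.0"
GRE_PPP = 0x880B                         # Protocol Type carried in the GRE header
OUT, IN = "out", "in"                    # inside->outside (client->server) and back


class PptpInspector:
    """Tracks one PPTP control channel and opens GRE pinholes only for calls it saw set up."""

    def __init__(self):
        self.enabled = True          # cleared when either side announces a version other than 1
        self.client_call_id = None   # learned from the client's OCRQ
        self.pinholes = set()        # (direction, call_id) pairs whose GRE packets may pass

    def inspect_control(self, direction, payload):
        """Return True if the control message is well formed (and update call state)."""
        if len(payload) < 12:
            return False
        length, msg_type, cookie, ctrl_type = struct.unpack("!HHIHxx", payload[:12])
        if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE or length != len(payload):
            return False
        if not self.enabled:
            return True              # control channel still passes, but no pinholes are made
        body = payload[12:]
        if ctrl_type in (SCCRQ, SCCRP):
            if struct.unpack("!H", body[:2])[0] != PPTP_VERSION_1:
                self.enabled = False  # only Version 1 is inspected further
        elif ctrl_type == OCRQ and direction == OUT:
            self.client_call_id = struct.unpack("!H", body[:2])[0]
        elif ctrl_type == OCRP and direction == IN and self.client_call_id is not None:
            server_call_id, peer_call_id, result = struct.unpack("!HHB", body[:5])
            if result == 1 and peer_call_id == self.client_call_id:   # result 1 = connected
                # A GRE packet carries the *receiver's* call ID (RFC 2637 section 4.1):
                # client->server data uses the server's ID, server->client the client's.
                self.pinholes.add((OUT, server_call_id))
                self.pinholes.add((IN, self.client_call_id))
        return True

    def inspect_gre(self, direction, packet):
        """Return True if an enhanced-GRE packet belongs to a call seen on the control channel."""
        if len(packet) < 8:
            return False
        flags_ver, proto, _payload_len, call_id = struct.unpack("!HHHH", packet[:8])
        key_present = flags_ver & 0x2000        # K bit: Key field = payload length + call ID
        if not key_present or (flags_ver & 0x7) != 1 or proto != GRE_PPP:
            return False
        return (direction, call_id) in self.pinholes


# --- constructed sample messages (not captured traffic) ---------------------
def _ctrl(ctrl_type, body):
    return struct.pack("!HHIHxx", 12 + len(body), CTRL_MESSAGE, MAGIC_COOKIE, ctrl_type) + body

def sccrq(version=PPTP_VERSION_1):   # version, reserved, framing, bearer, max chans, firmware + 2x64-byte strings
    return _ctrl(SCCRQ, struct.pack("!HHIIHH", version, 0, 3, 3, 1, 0) + bytes(128))

def sccrp(version=PPTP_VERSION_1):   # version, result, error, framing, bearer, max chans, firmware + strings
    return _ctrl(SCCRP, struct.pack("!HBBIIHH", version, 1, 0, 3, 3, 1, 0) + bytes(128))

def ocrq(call_id):                    # call ID, serial, min/max bps, bearer, framing, window, delay, ...
    return _ctrl(OCRQ, struct.pack("!HHIIIIHHHH", call_id, 1, 300, 10**8, 3, 3, 64, 0, 0, 0) + bytes(128))

def ocrp(call_id, peer_call_id, result=1):   # call ID, peer's call ID, result, error, cause, speed, ...
    return _ctrl(OCRP, struct.pack("!HHBBHIHHI", call_id, peer_call_id, result, 0, 0, 10**8, 64, 0, 0))

def gre(call_id, ppp=b"\xff\x03\xc0\x21"):
    # flags 0x3001: K=1, S=1, Ver=1; then payload length, call ID, sequence number, PPP bytes
    return struct.pack("!HHHHI", 0x3001, GRE_PPP, len(ppp), call_id, 0) + ppp


def demo(client_version=PPTP_VERSION_1):
    """Run one session (client inside, server outside) and report which GRE packets pass."""
    insp = PptpInspector()
    for direction, msg in [(OUT, sccrq(client_version)), (IN, sccrp()),
                           (OUT, ocrq(call_id=1)), (IN, ocrp(call_id=7, peer_call_id=1))]:
        assert insp.inspect_control(direction, msg)
    return {
        "server_to_client": insp.inspect_gre(IN, gre(1)),    # server addresses client's call 1
        "client_to_server": insp.inspect_gre(OUT, gre(7)),   # client addresses server's call 7
        "unknown_call": insp.inspect_gre(IN, gre(9)),        # never negotiated: dropped
    }


if __name__ == "__main__":
    print("version 1:", demo())
    print("version 2 announced:", demo(client_version=0x0200))
```

Running the demo with a client that announces version 2.0 leaves every GRE verdict at False: the control channel itself is still forwarded, but no call is tracked, so no GRE pinhole is ever opened, which is the behaviour the version rule above describes.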

Version 7.x Information

The PPTP Application Inspection Engine in version 7.x operates in the same fashion as fixup protocol pptp does in version 6.3.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

This document uses this network setup, with the PPTP client on the inside interface and the PPTP server on the outside:

PC(PPTP-Client)<---------->PIX<------------------->PPTP-Server

Complete these steps to add commands for version 6.2:

Define the static mapping for the inside PC (10.48.66.106). The address seen on the outside is 209.165.201.5.

pixfirewall(config)#static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0 

Configure an ACL that permits the GRE return traffic from the PPTP server (209.165.201.25) to the translated address of the PPTP client.

pixfirewall(config)#access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5 

Apply the ACL.

pixfirewall(config)#access-group acl-out in interface outside 

Complete these steps to add commands for version 6.3:

Enable PPTP inspection on TCP port 1723 with the fixup protocol pptp command.

pixfirewall(config)#fixup protocol pptp 1723 

You do not need to define a static mapping because the PPTP fixup protocol is enabled. You can use PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0 
pixfirewall(config)#global (outside) 1 interface 

Complete these steps to add commands for version 7.x:

Add PPTP inspection to the default policy-map using the default class-map.

pixfirewall(config)#policy-map global_policy 
pixfirewall(config-pmap)#class inspection_default 
pixfirewall(config-pmap-c)#inspect pptp 

You do not need to define a static mapping because the PIX now inspects PPTP traffic. You can use PAT.

pixfirewall(config)#nat (inside) 1 0.0.0.0 0.0.0.0 0 0 
pixfirewall(config)#global (outside) 1 interface 

PPTP-Server<----------------->PIX<------------------------>PPTP-Client

In this configuration example the roles are reversed: the PPTP server is on the inside at 10.48.66.106, statically translated to 209.165.201.5, and the PPTP client is on the outside at 209.165.201.25. The ACL must permit both the client's TCP 1723 control connection and its GRE traffic inbound to the server's translated address.

access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5 
access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 1723 
static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0 
access-group acl-out in interface outside 

 There is currently no verification procedure available for this document.

This section provides information you can use to troubleshoot your configuration.

You can have only one PPTP connection through the PIX Security Appliance when you use PAT. This is because the necessary GRE connection is tracked on port 0, and the PIX Security Appliance maps port 0 to only one inside host.
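The PAT limitation in the "Version 6.2 and Earlier Information" section and the single-connection limit in the troubleshooting note above both come down to the same thing: PAT tells inside hosts apart by the global port it assigns, and GRE has no port to assign. The following Python model is an added example, not PIX code, that contrasts a PAT translation table with a one-to-one static mapping for two inside PPTP clients. The second client (10.48.66.107), the PAT global address (209.165.201.1) and the second static address (209.165.201.6) are assumed for illustration; the first client and its static address come from the configuration above.

```python
import itertools

GRE = "gre"   # IP protocol 47 carries no port numbers, so its "port" is always 0


class Pat:
    """Port Address Translation: many inside hosts share one global address and are
    told apart on the return path only by the global port the PIX assigned."""

    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self._free_ports = itertools.count(first_port)
        self.outbound = {}      # (proto, inside_ip, inside_port) -> global_port
        self.inbound_map = {}   # (proto, global_port) -> (inside_ip, inside_port)

    def translate(self, proto, inside_ip, inside_port):
        """Return the (global_ip, global_port) an inside flow is translated to, or None."""
        key = (proto, inside_ip, inside_port)
        if key in self.outbound:
            return self.global_ip, self.outbound[key]
        if proto == GRE:
            gport = 0                          # nothing to rewrite: every GRE flow lands on 0
            if (GRE, 0) in self.inbound_map:   # ...and another inside host already owns it
                return None
        else:
            gport = next(self._free_ports)     # TCP/UDP: a fresh global port per flow
        self.outbound[key] = gport
        self.inbound_map[(proto, gport)] = (inside_ip, inside_port)
        return self.global_ip, gport

    def inbound(self, proto, global_ip, global_port):
        """Which inside (ip, port) receives a packet arriving from the outside."""
        if global_ip != self.global_ip:
            return None
        return self.inbound_map.get((proto, global_port))


class StaticNat:
    """One-to-one NAT: each inside host owns a whole global address, ports untouched."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)
        self.reverse = {g: i for i, g in self.mapping.items()}

    def translate(self, proto, inside_ip, inside_port):
        g = self.mapping.get(inside_ip)
        return None if g is None else (g, inside_port)

    def inbound(self, proto, global_ip, global_port):
        i = self.reverse.get(global_ip)
        return None if i is None else (i, global_port)


def pat_scenario():
    """Two inside PPTP clients behind 'global (outside) 1 interface' (address assumed)."""
    pat = Pat("209.165.201.1")
    return {
        "tcp_a": pat.translate("tcp", "10.48.66.106", 1030),   # distinct global ports...
        "tcp_b": pat.translate("tcp", "10.48.66.107", 1030),   # ...even with equal inside ports
        "gre_a": pat.translate(GRE, "10.48.66.106", 0),        # first host takes the port-0 slot
        "gre_b": pat.translate(GRE, "10.48.66.107", 0),        # second host: no slot left
        "gre_from_server_goes_to": pat.inbound(GRE, "209.165.201.1", 0),
    }


def static_scenario():
    """The same two clients with one-to-one statics (second global address assumed)."""
    nat = StaticNat({"10.48.66.106": "209.165.201.5", "10.48.66.107": "209.165.201.6"})
    return {
        "gre_a": nat.translate(GRE, "10.48.66.106", 0),
        "gre_b": nat.translate(GRE, "10.48.66.107", 0),
        "gre_from_server_to_5": nat.inbound(GRE, "209.165.201.5", 0),
    }


if __name__ == "__main__":
    print("PAT:   ", pat_scenario())
    print("static:", static_scenario())
```

Under PAT the two TCP 1723 control connections translate cleanly to different global ports, but only the first client's GRE flow gets a translation, and any GRE packet the server sends back to the global address can be delivered to that one host alone. With one-to-one statics each client has its own global address, so both GRE flows translate and the return traffic is unambiguous, which is why the pre-6.3 configuration above uses a static plus a GRE ACL rather than PAT.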

© 1997-2018 NetEase