# Pix 515e VPN Issues



## rajthampi (Oct 30, 2004)

Hi guys
Our network structure is as follows:
ISP Terminating device->Pix 515e V6.3->ISA 2004 SP2->Internal network

We had configured our ISA 2004 server as VPN server recently, but ended up with VPN error 721 once after the client receives "Verifying username and password" dialog box. After referring many technical sites we are assuming that the error is because IP protocol GRE (47) is not properly configured with our PIX device. Our pix configuration is as following:

```
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ********* encrypted
passwd ******** encrypted
hostname pix515e
domain-name xxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service MAIL tcp
  port-object eq www
  port-object eq https
  port-object eq pop3
  port-object eq smtp
  port-object eq ftp
  port-object eq 802
  port-object eq 3389
  port-object eq 8128
  port-object eq daytime
  port-object eq pptp
object-group service Citrix tcp
  port-object eq www
  port-object eq 2598
  port-object eq citrix-ica
  port-object range 1023 5000
object-group service FTP tcp
  description f
  port-object eq ftp
  port-object eq ftp-data
  port-object eq 500
  port-object range 50 51
  port-object eq pptp
  port-object eq citrix-ica
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any interface outside object-group MAIL

access-list outside_access_in permit tcp any host 62.150.72.122 object-group Cit
rix
access-list outside_access_in permit tcp any host 62.150.72.123 object-group FTP

access-list inside_outbound_nat0_acl permit ip interface inside 131.102.2.248 25
5.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 62.150.86.14 255.255.255.0
ip address inside 172.16.30.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool default 131.102.6.1-131.102.6.254
pdm location 172.16.30.2 255.255.255.255 inside
pdm location 172.16.30.3 255.255.255.255 inside
pdm location 172.16.30.4 255.255.255.255 inside
pdm location 131.102.2.248 255.255.255.248 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) interface 172.16.30.2 netmask 255.255.255.255 0 0
static (inside,outside) 62.150.72.122 172.16.30.3 netmask 255.255.255.255 0 0
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ******* encrypted
passwd ****** encrypted
hostname Pix515e
domain-name xxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service MAIL tcp
  port-object eq www
  port-object eq https
  port-object eq pop3
  port-object eq smtp
  port-object eq ftp
  port-object eq 802
  port-object eq 3389
  port-object eq 8128
  port-object eq daytime
  port-object eq pptp
object-group service Citrix tcp
  port-object eq www
  port-object eq 2598
  port-object eq citrix-ica
  port-object range 1023 5000
object-group service FTP tcp
  description f
  port-object eq ftp
  port-object eq ftp-data
  port-object eq 500
  port-object range 50 51
  port-object eq pptp
  port-object eq citrix-ica
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any interface outside object-group MAIL

access-list outside_access_in permit tcp any host 62.150.72.122 object-group Cit
rix
access-list outside_access_in permit tcp any host 62.150.72.123 object-group FTP

access-list inside_outbound_nat0_acl permit ip interface inside 131.102.2.248 25
5.255.255.248
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 62.150.86.14 255.255.255.0
ip address inside 172.16.30.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool default 131.102.6.1-131.102.6.254
pdm location 172.16.30.2 255.255.255.255 inside
pdm location 172.16.30.3 255.255.255.255 inside
pdm location 172.16.30.4 255.255.255.255 inside
pdm location 131.102.2.248 255.255.255.248 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) interface 172.16.30.2 netmask 255.255.255.255 0 0
static (inside,outside) 62.150.72.122 172.16.30.3 netmask 255.255.255.255 0 0
static (inside,outside) 62.150.72.123 172.16.30.4 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 62.150.86.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d3145755780583d66b1042fb4cf0b124
: end
```
Now could one of you suggest how we can enable IP protocol 47 (GRE) with our pix device?

regards


----------



## rajthampi (Oct 30, 2004)

Okay we had succeeded by adding the following entries with Pix 515e firewall.
access-list outside permit tcp any host <Public IP> eq 1723
access-list outside permit gre any host <Public IP>

and our VPN server was online and accepting VPN connections.

regards,


----------

