
FW: cisco IOS firewall terminating pptp

Subject: FW: cisco IOS firewall terminating pptp
Date: Wed, 24 Nov 2004 22:44:20 -0000
Andrew,

*From your brief description*, it seems likely that you are running into an
issue with the PPTP data tunnel (PPTP, as you may know, consists of a control
channel which uses TCP port 1723, and a data tunnel that uses Enhanced
GRE).

The issue is as follows: the remote access client (say an XP box) and your
IOS box negotiate PPTP tunnel setup on the control channel (using PPTP
SCCRQ, SCCRP, OCRQ, and OCRP messages).

Because the control channel runs over TCP, NAT/PAT boxes typically don't
have a problem with it. But because the data tunnel (which transports end
user traffic over PPP) runs over GRE (IP port 47), NAT/*PAT* boxes may have
problems translating data tunnel packets.

The upshot is that the control channel sets up the PPTP tunnel, but then
data tunnel transport fails, and the whole PPTP tunnel goes down.

You can verify if this is happening in your case by using the 'debug vpdn
l2x-packets'/'debug vpdn l2x-events' and 'debug ppp negotiation' on your
IOS box [but check CPU load 1st using 'show proc cpu'!]. If you see the
SCCRQ/SCCRP/OCRQ/OCRP control channel messages, but PPP negotiation fails,
then the issue described here is likely the one you are running into. PPP
messages are the first traffic frames sent over the data tunnel, so if you
don't see them (or just one or two), then it's *likely* that there is indeed
a problem translating data tunnel messages (though it could also *possibly*
be a simple PPP negotiation/IOS virtual template issue).

If you are really curious, you can also watch PPP negotiation from the
Microsoft client side by enabling PPP logging (see Microsoft KB article
234014 at www.microsoft.com).


Anyway, Cisco IOS supports 'regular' 1-1 NAT, but support for PAT with PPTP
was only added in IOS 12.1(4)T. So, double check that you have a version of
IOS that supports PPTP & PAT (no explicit command is necessary to enable
support).

See the following website for a Cisco explanation:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800949c0.shtml

Phew! Hope that helps...

Mark

Author: http://www.amazon.com/exec/obidos/tg/detail/-/1587051044/




-- Original Message --
Subject: cisco IOS firewall terminating pptp
Date: Mon, 22 Nov 2004 16:44:08 -0000
From: "Andrew Shore" <andrew.shore@holistecs.com>
To: <firewalls@securityfocus.com>


Guys,

I have a Cisco IOS firewall router terminating PPTP VPN for remote access.

This works fine for dial-up users and users using ADSL modems as the source
address is not NATted. However, if the source address is NATted the VPN fails
to connect.

I know that on the PIX there is an IP NAT TRANSLATE command which gets over
this problem but I cannot find an equivalent command for IOS.

Any help gratefully received.

Andy
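Editor's worked example for the mechanism Mark describes above. This is added code, not from the thread and not Cisco's IOS implementation. One caveat on the reply: GRE is IP protocol number 47, not a "port" 47, and that is exactly the problem. The control channel is ordinary TCP/1723, so a port-keyed PAT table handles it, but an enhanced GRE data packet carries no port at all; the only per-call demultiplexer is the 16-bit Call ID in the GRE Key field, which is agreed on the control channel in OCRQ/OCRP. A PAT that wants to carry PPTP therefore has to snoop OCRQ/OCRP, allocate NAT-unique Call IDs, and route inbound GRE by Call ID. The toy below builds RFC 2637 control messages and enhanced GRE headers, shows a port-only PAT dropping the inbound GRE, and shows a PPTP-aware PAT delivering it even when two inside hosts picked the same Call ID. All addresses (RFC 5737 ranges), Call IDs, the 0x4000 starting value for outside Call IDs and the PPP LCP bytes are constructed; only OCRQ/OCRP are handled.

```python
import struct

GRE_PROTO_PPP = 0x880B      # GRE protocol type for PPP (RFC 2637 section 4)
PPTP_MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8           # Outgoing-Call-Request / Outgoing-Call-Reply

# --- enhanced GRE: no ports; the Key field carries payload length + Call ID ---

def build_gre(call_id, payload, seq=None):
    """K bit set (Key present), S bit if a sequence number follows, version 1.
    call_id is the *receiver's* Call ID, learned on the control channel."""
    flags = 0x2000 | (0x1000 if seq is not None else 0) | 0x0001
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload

def gre_call_id(pkt):
    flags, proto, _length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or not flags & 0x2000:
        raise ValueError("not a PPTP data packet")
    return call_id

def gre_set_call_id(pkt, call_id):
    return pkt[:6] + struct.pack("!H", call_id) + pkt[8:]

# --- PPTP control messages over TCP/1723 (RFC 2637 section 2) ---

def pptp_ctrl(ctype, body):
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, ctype, 0) + body

def build_ocrq(call_id):
    # Call ID, serial, min/max BPS, bearer, framing, window, delay, phone length,
    # reserved, then 64-byte phone number and 64-byte subaddress (zeroed here)
    body = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return pptp_ctrl(OCRQ, body + bytes(128))

def build_ocrp(call_id, peer_call_id):
    # Call ID, Peer's Call ID, result 1 (connected), error, cause, speed, window, delay, channel
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 100_000_000, 64, 0, 0)
    return pptp_ctrl(OCRP, body)

def parse_ctrl(msg):
    length, mtype, magic, ctype, _ = struct.unpack("!HHIHH", msg[:12])
    if mtype != 1 or magic != PPTP_MAGIC or length != len(msg):
        raise ValueError("not a PPTP control message")
    return ctype, msg[12:]

# --- the two kinds of PAT ---

def port_only_pat_inbound(proto, pkt, table):
    """PAT that keys its table on (protocol, port).  TCP packets match; a GRE
    packet has no port field, so no entry can match and it is dropped (None)."""
    if proto == 6:
        return table.get((6, struct.unpack("!H", pkt[2:4])[0]))   # TCP dst port
    return None

class PptpPat:
    """PPTP-aware PAT: learns calls from OCRQ/OCRP and keys GRE on the Call ID."""
    def __init__(self, first_outside_call_id=0x4000):      # constructed start value
        self._next = first_outside_call_id
        self.by_outside = {}        # outside Call ID -> (inside host, inside Call ID)

    def outbound_ctrl(self, inside, msg):
        """Inside -> server.  On OCRQ, allocate a NAT-unique Call ID so two inside
        hosts that chose the same Call ID stay distinguishable to the server."""
        ctype, body = parse_ctrl(msg)
        if ctype != OCRQ:
            return msg
        inside_cid = struct.unpack("!H", body[:2])[0]
        outside_cid, self._next = self._next, (self._next + 1) & 0xFFFF
        self.by_outside[outside_cid] = (inside, inside_cid)
        return msg[:12] + struct.pack("!H", outside_cid) + msg[14:]

    def inbound_ctrl(self, msg):
        """Server -> inside.  OCRP's Peer's Call ID is the translated client ID;
        map it back so the client recognises its own call."""
        ctype, body = parse_ctrl(msg)
        if ctype != OCRP:
            raise ValueError("toy handles only OCRP inbound")
        inside, inside_cid = self.by_outside[struct.unpack("!H", body[2:4])[0]]
        return inside, msg[:14] + struct.pack("!H", inside_cid) + msg[16:]

    def inbound_gre(self, pkt):
        """Server -> inside data: the Key's Call ID, not a port, picks the host."""
        inside, inside_cid = self.by_outside[gre_call_id(pkt)]
        return inside, gre_set_call_id(pkt, inside_cid)

def demo():
    """Two inside hosts behind one PAT address; both pick inside Call ID 1."""
    nat, out = PptpPat(), {}
    server_cids = {"10.0.0.2": 0x0101, "10.0.0.3": 0x0102}     # constructed
    lcp = b"\xc0\x21\x01\x01\x00\x04"      # constructed PPP LCP Configure-Request
    for host, scid in server_cids.items():
        ocrq = nat.outbound_ctrl(host, build_ocrq(1))
        outside_cid = struct.unpack("!H", ocrq[12:14])[0]
        to_host, ocrp = nat.inbound_ctrl(build_ocrp(scid, outside_cid))
        gre = build_gre(outside_cid, lcp, seq=0)     # first data-tunnel frame from server
        gre_to, gre_fixed = nat.inbound_gre(gre)
        out[host] = dict(outside_cid=outside_cid, ocrp_to=to_host,
                         peer_seen=struct.unpack("!H", ocrp[14:16])[0],
                         gre_to=gre_to, gre_cid=gre_call_id(gre_fixed),
                         port_only=port_only_pat_inbound(47, gre, {(6, 1723): host}))
    return out
```

Run `demo()`: the port-only lookup returns None for every inbound GRE packet (the symptom in the thread: control channel up, first PPP frames never arrive, tunnel torn down), while the PPTP-aware PAT hands each LCP frame to the right inside host with its original Call ID restored. This is also why Mark says no explicit command is needed once the IOS image supports PPTP with PAT: the translation state is learned from the control channel, not configured.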