Windows 2003 SBS Server VPN Server
19 years 5 days ago #11010
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
Replied by Bublitz on topic Re: Windows 2003 SBS Server VPN Server
IT WORKED! Thanks a bunch, I spent too long on that one. Hehe, protocol, NOT tcp or udp port. Was confusing because the reading was saying it was protocol 47, uggg. One thing though, my SonicWall TZ-170, I don't think I can allow or disallow this. When making a firewall rule all I can do is UDP and TCP, at least I'm pretty sure.
The Bublitz
Systems Admin
Hospice of the Red River Valley
19 years 5 days ago #11023
by DaLight
Replied by DaLight on topic Re: Windows 2003 SBS Server VPN Server
Glad to hear it worked. Regarding your SonicWall TZ-170, you can set up access to an internal VPN PPTP server using the Public Server Wizard on the Web Admin GUI of your SonicWall.
19 years 4 days ago #11042
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
Replied by Bublitz on topic Re: Windows 2003 SBS Server VPN Server
oops it works but with a side effect.
access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 1723
static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
This address I'm using to do VPN server happens to be the address people go out on for internet. (Only 1 static IP they have right now.) SO this statement basically shuts down all outgoing traffic except for the server. Goes out a PC, comes into server, ALL traffic.
I haven't found a combination that allows me to specify ONLY VPN traffic to be sent to the server, not ALL traffic.
static (inside,outside) (you can only put udp|tcp) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
So for this to work it looks like they need another static IP (which would be better anyway). Just curious, is there a way to route ONLY the GRE traffic with the last part?
Also DaLight, you are helping with SSH on this PIX on another thread. This is why when I tested SSH last night it didn't work. The request was getting sent to the server hehe. Live and learn hehe, I should have looked closer. I love Cisco routers but these PIX are being a pain in the butt hehe.
The Bublitz
Systems Admin
Hospice of the Red River Valley
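As an added illustration, not from the thread or from Cisco: a small Python model that parses the posted ACL and static lines and reports where an inbound packet lands. It shows why the 1:1 static drags every IP protocol to the server, and why the port-level static form (a constructed line, assumed here for contrast) cannot carry GRE at all, since that form only takes tcp or udp.

```python
import re

# Constructed copy of the PIX lines posted above, used as the parser's input.
PIX_CONFIG = """\
access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 1723
static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
"""
ONE_TO_ONE = "static (inside,outside) 209.165.201.5 10.48.66.106 netmask 255.255.255.255 0 0"
# Assumed port-level static for contrast (not from the post); PIX accepts only tcp|udp here.
PORT_STATIC = "static (inside,outside) tcp 209.165.201.5 1723 10.48.66.106 1723 netmask 255.255.255.255 0 0"
PORT_FORWARD_CONFIG = PIX_CONFIG.replace(ONE_TO_ONE, PORT_STATIC)

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?")
STATIC_RE = re.compile(r"static\s+\(\S+\)\s+(?:(tcp|udp)\s+)?(\S+)\s+(?:(\d+)\s+)?(\S+)(?:\s+(\d+))?\s+netmask")


def parse_acl(text, name):
    """(proto, src, dst, dst_port) for each permit line of the named ACL; port None = any."""
    return [(m[2], m[3], m[4], int(m[5]) if m[5] else None)
            for m in ACL_RE.finditer(text) if m[1] == name]


def parse_statics(text):
    """(proto, global_ip, global_port, local_ip, local_port); proto and ports are None for a 1:1 static."""
    return [(p, g, int(gp) if gp else None, l, int(lp) if lp else None)
            for p, g, gp, l, lp in (m.groups() for m in STATIC_RE.finditer(text))]


def inbound_target(config, src, dst, proto, port=None):
    """Where an inbound packet to the global address ends up under this config."""
    permitted = any(p == proto and s == src and d == dst and (ep is None or ep == port)
                    for p, s, d, ep in parse_acl(config, "acl-out"))
    if not permitted:
        return "denied by acl"
    for sproto, g, gp, local, lp in parse_statics(config):
        if g != dst:
            continue
        if sproto is None:                   # 1:1 static: claims every IP protocol on the global address
            return local
        if sproto == proto and gp == port:   # port static: only this tcp/udp port, so GRE never matches
            return local
    return "no translation"
```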
19 years 4 days ago #11049
by DaLight
Replied by DaLight on topic Re: Windows 2003 SBS Server VPN Server
Yeah, I see what you mean about all incoming traffic being routed to the server. Actually with this setup only PPTP traffic will go to the server and all other traffic will be blocked, so you wouldn't be able to surf the web from the server unless you added an appropriate ACL for port 80. (Not that you would want to surf the web from your server :shock: ) As I mentioned earlier, I'm not a PIX expert, but from my limited knowledge on the subject it appears that a dedicated public IP may be needed. I also agree that if it was a simple port forwarding issue as opposed to a different protocol (GRE) there would be no problem.
Maybe someone more versed in the arcane arts of the PIX (come on tGc!) may be able to unearth something.
Glad to hear that your ssh problem's been solved as well.