site-to-site VPN with pppoe connection

slashman26
Level 1

We have 2 PIXes (a 515 and a 506e) doing a VPN between the 2. The tunnel is up, but the 506e side cannot connect to anything. I do see the tunnel between the two is up.

Config of the 515 PIX:

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 11.1.1.0 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 11.1.1.1-11.1.1.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-cache src_dst 128KB
http server enable
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server platt_dc
vpngroup vpn3000 default-domain company.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpngroup idle-time 1800
ssh Cisco 255.255.255.255 outside
ssh timeout 5
terminal width 80

Config on the PIX 506e:

PIX Version 6.2(2)
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.51 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
telnet x.x.x.x 255.255.255.255 outside
telnet 172.16.10.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoegroup request dialout pppoe
vpdn group pppoegroup localname username@domain.com
vpdn group pppoegroup ppp authentication pap
vpdn username users@domain.com password ********
dhcpd address 192.168.0.50-192.168.0.100 inside
dhcpd dns 198.235.216.134 172.16.10.2
dhcpd lease 504000
dhcpd ping_timeout 750
dhcpd domain company.com
dhcpd enable inside
vpnclient vpngroup vpn3000 password ********
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient enable
terminal width 80

4 Replies

acomiskey
Level 10

You are missing the nat (inside) 0 access-list 101 command on the 506.

Which means I have to turn off the vpnclient in order to do that, correct?

OK, cool, thanks...

I got the VPN up and working (removed the access-list 101 from the 506) and they can do stuff across the VPN, but they have lost their local internet access (i.e. web pages can't be displayed). As you can see, I have their ISP's DNS set up in their DHCP settings, so I'm not sure what is up or what needs to be done to get that back.

Thanks for the help so far!
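To make the NAT-exemption point in the reply above concrete, here is an added checker (example code, not from the thread or from Cisco) that parses the access-list and nat 0 lines of a PIX 6.x config excerpt and reports whether a given inside-to-remote flow bypasses PAT. The two config excerpts are constructed from the lines posted above; the first run shows the 506e as posted, the second shows what changes once the nat (inside) 0 line is added, including that its tcp-only ACL still leaves ICMP subject to PAT.

```python
import ipaddress
import re

# Constructed excerpt of the 506e config as posted: no nat 0 exemption present.
PIX_506E = """
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Constructed excerpt of the 515 config as posted: nat 0 references ACL 101.
PIX_515 = """
access-list 101 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 11.1.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# Hypothetical corrected 506e: the single line the reply says is missing.
PIX_506E_FIXED = PIX_506E + "nat (inside) 0 access-list 101\n"

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(config):
    """Return ({acl_name: [(proto, src_net, dst_net)]}, {iface: nat0_acl_name})."""
    acls, exempt = {}, {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, proto, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (proto, ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = NAT0_RE.match(line)
        if m:
            exempt[m.group(1)] = m.group(2)
    return acls, exempt


def nat_exempt(config, src_ip, dst_ip, proto="ip", iface="inside"):
    """True if src->dst (given protocol) from iface matches the nat 0 ACL and so is not PAT'd."""
    acls, exempt = parse(config)
    acl = acls.get(exempt.get(iface), [])   # no nat 0 line -> empty ACL -> everything is PAT'd
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any((p == "ip" or p == proto) and s in sn and d in dn for p, sn, dn in acl)
```

Traffic that is not exempt leaves the 506e with the outside (PPPoE) address as its source, so it never matches the remote subnets the 515 exempts and is sent in the clear to the default route instead of into the tunnel.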
