Subnet mask 255.255.255.255 assigned to VPN client - can't ping LAN

Unanswered Question
Feb 19th, 2007

Hi,

I configured PIX 501 with PPTP VPN to connect to the small office (PIX FW, Win 2000 Server, several Win clients, LAN IP 10.0.0.X/24):

ip local pool mypool 10.0.0.101-10.0.0.105
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username xxxx password *********
vpdn enable outside

I can connect to the office using the Win VPN client, but I can't ping any hosts in the office network. I suspect that the reason for that is the subnet mask assigned to the VPN client: 255.255.255.255. ipconfig of the VPN client:

PPP adapter Office:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

The default GW is missing too, but I think this is not the main problem.

Anyway, what is wrong with my config? How do I fix the subnet mask assigned to clients? Or maybe my assumption is wrong and this mask is OK? What is wrong then?

Any input will be greatly appreciated!

George

mrmozaffari Mon, 02/19/2007 - 23:13

Hi

When you connect to the PIX through VPN it assigns an IP address, a subnet mask and a default gateway. The 255.255.255.255 mask is normal, like when you connect through your modem to an async line, but here there is no default gateway and maybe it is the cause of your problem.

Can you send your PIX configuration?

Best Regards B.Mozaffari

concordia1999 Tue, 02/20/2007 - 05:12

Thanks for the prompt reply.

Here it is:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname OSTBERG-PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq pptp
access-list inbound permit gre any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.189.xxx.xxx 255.255.252.0
ip address inside 10.0.0.23 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.0.0.101-10.0.0.105
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.15 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.189.yyy.yyy 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 10.0.0.23 255.255.255.255 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username ********* password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end

There are remnants of an old config; I just recently took over this network. Some lines look odd to me, but I did not touch what works. The VPN config is all mine.

The PIX internal address 10.0.0.23 is the gateway for the network. The DNS server in the LAN is 10.0.0.15.

I've been reading about the problem and came across several posts saying that this subnet mask is normal, but it puzzles me: how can this host communicate with anyone else if there is no room for other hosts in this network (according to the mask)?!

Thanks again!

George
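The mask puzzle raised in both of George's posts (how a client with a 255.255.255.255 mask can reach anything) comes down to route lookup, not the mask: a /32 on a point-to-point adapter only says there is no on-link subnet, so where office traffic goes is decided by the client's routing table. The route-lookup simulation below is an added example, not code from the thread or from Cisco; the two routing tables are constructed scenarios (the home LAN prefix 192.168.1.0/24 is assumed), not the poster's actual `route print` output.

```python
import ipaddress

# Constructed routing tables for the Windows PPTP client in the post. "PPP" is the
# tunnel adapter that received 10.0.0.101 with mask 255.255.255.255 (a /32), so it
# contributes only a host route; "LAN" is the client's own Ethernet adapter.
# These are illustrative scenarios, not the poster's real `route print` output.
ROUTES_HOST_ROUTE_ONLY = [
    ("0.0.0.0/0", "LAN"),          # default route via the home LAN gateway
    ("192.168.1.0/24", "LAN"),     # assumed home LAN subnet (constructed)
    ("10.0.0.101/32", "PPP"),      # the /32 from ipconfig: the tunnel's own address
]

# Same client, plus one route that points the office subnet into the tunnel.
# The /32 mask on the PPP adapter is untouched; only this route is new.
ROUTES_WITH_OFFICE_ROUTE = ROUTES_HOST_ROUTE_ONLY + [("10.0.0.0/24", "PPP")]


def egress_interface(dest_str, routes):
    """Longest-prefix match, as any IP stack does it: the most specific
    destination prefix containing dest wins, regardless of the interface
    mask. Returns the interface name, or None if nothing matches."""
    dest = ipaddress.ip_address(dest_str)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reaches_office(dest_str, routes):
    """True if traffic to dest would actually be sent into the PPTP tunnel."""
    return egress_interface(dest_str, routes) == "PPP"


if __name__ == "__main__":
    # The office DNS server (10.0.0.15) and the PIX inside address (10.0.0.23)
    # from the thread, plus the client's own tunnel address.
    for name, table in (("host route only", ROUTES_HOST_ROUTE_ONLY),
                        ("with office route", ROUTES_WITH_OFFICE_ROUTE)):
        for dest in ("10.0.0.15", "10.0.0.23", "10.0.0.101"):
            print(f"{name:18} {dest:12} -> {egress_interface(dest, table)}")
```

On the real client, `route print` shows which entry 10.0.0.15 actually matches; if that entry does not send traffic out the PPP adapter, the tunnel is never used for office traffic and changing the mask would not help.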
