PPTP on PIX501.

johnleeee
Level 1

Hi all,

Could someone help me find where the problem could be?

I did configuration like this:

sysopt connection permit-pptp
ip local pool mypool 10.10.10.1-10.10.10.10
vpdn username test password test2
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local mypool
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication local
vpdn group 1 ppp encryption mppe 128 required
vpdn enable outside

After that I connected to our PIX 501; I connected successfully and obtained an IP address. I didn't configure an ACL. We have one server translated with a static. But the problem is that I cannot connect to this server through the VPN.

After that I configured an explicit ACL, but the output is the same.

Any suggestion?

BR

jl

7 Replies

Kamal Malhotra
Cisco Employee

Hi JL,

Did you configure nat0? Something like:

access-list nonat permit ip 10.10.10.0 255.255.255.240
nat (inside) 0 access-list nonat

We need to make sure that the return traffic is not getting NATed.

HTH,

Please rate if it helps,

Regards,

Kamal

Hi Kamal,

Sorry, I didn't write it. I've configured nat0.

Regards,

jl

Do you mind posting your ACL or your entire config? Take out your password and public IP addresses.

Regards,

Hi,

here is the attached config, which I changed a little bit regarding IP addresses and passwords.

Any suggestions?

BR

jl

A few things that I noticed in your config are:

I don't see any crypto and isakmp commands.

1. You don't need "access-list Inter_net deny ip any any" since this is implied by the ACL rules.

2. This ACL "access-list Inter_LAN deny ip any any log 4" on your inside interface is blocking all other traffic.

3. I would change the ACL no_nat to:

access-list no_nat permit ip host 192.168.2.150 192.168.10.0 255.255.255.0

4. Change the pool to 192.168.10.1-192.168.10.10 mask 255.255.255.0
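The nat0 advice in this thread (Kamal's reply and the no_nat suggestion above) both come down to one question: does the ACL referenced by "nat (inside) 0" match the server's return traffic to every address the PPTP client can receive? The PIX evaluates that ACL on the inside interface, so the source is the inside host and the destination is the VPN pool address. The following checker is an added example written for this page, not code from the thread or from Cisco. It parses PIX 6.x-style access-list lines (the "addr mask", "host" and "any" forms; the "extended" keyword is tolerated) and reports which pool addresses a given nat0 ACL fails to exempt. The three ACLs in the sample are constructed: "no_nat" follows the suggestion above, "reversed" has the pool as the source, and "narrow" uses a /28 mask that is too small for a 20-address pool.

```python
import ipaddress

# Constructed sample config: one ACL that matches the suggestion in the thread,
# and two that illustrate common mistakes. Names are arbitrary.
SAMPLE_CONFIG = """
access-list no_nat permit ip host 192.168.2.150 192.168.10.0 255.255.255.0
access-list reversed permit ip 192.168.10.0 255.255.255.240 192.168.2.0 255.255.255.0
access-list narrow permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.240
nat (inside) 0 access-list no_nat
"""


def _parse_addr(tokens, i):
    """Parse one PIX address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address mask" form: PIX ACLs use real subnet masks, not IOS wildcard masks.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Return {acl_name: [(action, protocol, src_network, dst_network), ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        name, i = tokens[1], 2
        if tokens[i] == "extended":  # PIX 7.x/ASA keyword; accepted so pasted lines still parse
            i += 1
        action, proto = tokens[i], tokens[i + 1]
        src, i = _parse_addr(tokens, i + 2)
        dst, i = _parse_addr(tokens, i)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation as the PIX does it; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False


def nat0_gaps(entries, inside_host, pool_start, pool_end):
    """Return the pool addresses that are NOT NAT-exempt for traffic from inside_host.

    For nat (inside) 0 the ACL is checked against packets entering the inside
    interface: source = the inside server, destination = the PPTP client's
    pool address. An empty list means the whole pool is exempt.
    """
    first = int(ipaddress.ip_address(pool_start))
    last = int(ipaddress.ip_address(pool_end))
    gaps = []
    for n in range(first, last + 1):
        client = str(ipaddress.ip_address(n))
        if not acl_permits(entries, inside_host, client):
            gaps.append(client)
    return gaps


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for name in ("no_nat", "reversed", "narrow"):
        gaps = nat0_gaps(acls[name], "192.168.2.150", "192.168.10.1", "192.168.10.20")
        print(f"{name}: {'OK' if not gaps else 'not exempt: ' + ', '.join(gaps)}")
```

Run against a pasted "show running-config", the checker complements the "show access-list" hit-count advice later in the thread: a zero hit count tells you the ACL never matched, and the gap list tells you which direction or which pool addresses it cannot match.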

Hi,

The last line in ACL Inter_net is only for logging.

It is not related to my problem.

I read examples of PPTP configuration on the Cisco web site, but crypto commands were not there.

Only if someone wants to use ISAKMP with PPTP.

The other thing is that the pool I use can, I think, be arbitrary. But I can change it, no problem, and test it. So I will change no_nat too.

Any other suggestions?

BR

jl

What is the default gateway on your server?

Perhaps the traffic is getting to your server, but your server is not sending it back.

You might want to do some network sniffing to see where the traffic actually stops.

One other thing you can try: do a "show access-list" on your PIX and look at the hit count of your nat0 access-list. If it doesn't increment, it is most likely that the traffic never gets out of your network.
