PIX 501 VPN change from PPPOE

Answered Question
Mar 15th, 2007

We have a PIX 501 connected to DSL using PPPOE with outside to inside VPN setup and functioning using the EasyVPN client and a preshared key. We replaced the DSL modem with a small router that is now doing the PPPOE negotiation instead of the PIX. I have removed the VPDN references to PPPOE:

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname [email protected]

vpdn group pppoe_group ppp authentication pap

vpdn username [email protected] password *********

vpdn username [email protected] password ********* store-local

vpdn username scott password *********

vpdn username barry password *********

And left in the vpngroup lines:

vpngroup TQA_VPN address-pool CVPN_DHCP

vpngroup TQA_VPN dns-server 10.1.1.99

vpngroup TQA_VPN wins-server 10.1.1.99

vpngroup TQA_VPN default-domain tqa-inc.com

vpngroup TQA_VPN split-tunnel inside_outbound_nat0_acl

vpngroup TQA_VPN idle-time 1800

vpngroup TQA_VPN password ********

What do I need to add/change to allow VPN access again?

I tried this to no avail:

vpdn group TQA_VPN accept dialin l2tp

vpdn group TQA_VPN l2tp tunnel hello 60

vpdn enable

Barry

kaachary Sun, 03/18/2007 - 09:29

Hi,

Could you please post the full config? What is the issue you are facing?

What message are you getting on the client?

-Kanishka

barryhill Mon, 03/19/2007 - 10:01

I am now connecting with the VPN client but cannot access any resources. I have attached the client log (everything appears O.K.) and the PIX configuration. Note that in the PIX configuration there is an "Incomplete" comment but I don't know why. Also, assistance with a split tunnelling statement would be greatly appreciated.

Thanks,

Barry

Correct Answer
kaachary Mon, 03/19/2007 - 12:10

Hi,

Please enter the following commands on the PIX:

no crypto map outside_dyn_map 20

no vpngroup TQA_VPN1 address-pool vpnpool1

ip local pool vpnpool 192.168.1.1-192.168.1.20

access-list nonat permit ip any 192.168.1.0 255.255.255.0

access-list split permit ip any 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

vpngroup TQA_VPN1 address-pool vpnpool

vpngroup TQA_VPN1 split-tunnel split

That should do it.

*Please rate if helped.

-Kanishka

barryhill Tue, 03/20/2007 - 07:28

I won't be able to try this until Sunday night. Thanks for your help. I'll let you know the results then.

Barry
