PIX 501 VPN change from PPPOE

barryhill
Level 1

We have a PIX 501 connected to DSL using PPPOE with outside to inside VPN set up and functioning using the EasyVPN client and a preshared key. We replaced the DSL modem with a small router that is now doing the PPPOE negotiation instead of the PIX. I have removed the VPDN references to PPPOE:

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname xxx@sbcglobal.net

vpdn group pppoe_group ppp authentication pap

vpdn username xxx@sbcglobal.net password *********

vpdn username xxx@sbcglobal.net password ********* store-local

vpdn username scott password *********

vpdn username barry password *********

And left in the vpngroup lines:

vpngroup TQA_VPN address-pool CVPN_DHCP

vpngroup TQA_VPN dns-server 10.1.1.99

vpngroup TQA_VPN wins-server 10.1.1.99

vpngroup TQA_VPN default-domain tqa-inc.com

vpngroup TQA_VPN split-tunnel inside_outbound_nat0_acl

vpngroup TQA_VPN idle-time 1800

vpngroup TQA_VPN password ********

What do I need to add/change to allow VPN access again?

I tried this to no avail:

vpdn group TQA_VPN accept dialin l2tp

vpdn group TQA_VPN l2tp tunnel hello 60

vpdn enable

Barry

kaachary
Cisco Employee

Hi,

Could you please post the full config? What is the issue you are facing?

What message are you getting on the client?

-Kanishka

I am now connecting with the VPN client but cannot access any resources. I have attached the client log (everything appears O.K.) and the PIX configuration. Note that in the PIX configuration there is an "Incomplete" comment but I don't know why. Also, assistance with a split tunnelling statement would be greatly appreciated.

Thanks,

Barry

Hi,

please enter the following commands on the PIX :

no crypto map outside_dyn_map 20

no vpngroup TQA_VPN1 address-pool vpnpool1

ip local pool vpnpool 192.168.1.1-192.168.1.20

access-list nonat permit ip any 192.168.1.0 255.255.255.0

access-list split permit ip any 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nonat

vpngroup TQA_VPN1 address-pool vpnpool

vpngroup TQA_VPN1 split-tunnel split

That should do it.

*Please rate if helped.

-Kanishka
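
The commands in the reply above define the address pool and the ACLs that the vpngroup lines refer to, and exempt the pool subnet from NAT. The following is an added example, not part of the original posts: a small Python check that flags vpngroup lines whose pool or split-tunnel ACL is undefined, or whose pool is not covered by a nat 0 access-list. The function names are hypothetical, and only the `permit ip` ACL forms `any`, `host A` and `NET MASK` are assumed.

```python
import ipaddress

def _take_net(tok):
    """Consume one ACL address spec (any | host A | NET MASK); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def lint_vpngroups(config):
    """Return findings for vpngroup references in a PIX 6.x style config text."""
    pools, acls, nat0, groups = {}, {}, set(), {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            lo, _, hi = t[4].partition("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            _, rest = _take_net(t[4:])          # skip the source spec
            acls.setdefault(t[1], []).append(_take_net(rest)[0])
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) >= 5:
            nat0.add(t[4])
        elif t[:1] == ["vpngroup"] and len(t) >= 4 and t[2] in ("address-pool", "split-tunnel"):
            groups.setdefault(t[1], {})[t[2]] = t[3]
    findings = []
    for name, opts in sorted(groups.items()):
        pool, split = opts.get("address-pool"), opts.get("split-tunnel")
        if split is not None and split not in acls:
            findings.append(f"{name}: split-tunnel ACL '{split}' is not defined")
        if pool not in pools:
            findings.append(f"{name}: address-pool '{pool}' is not defined")
            continue
        lo, hi = pools[pool]
        # The pool must fall inside the destination of some ACL bound to nat 0.
        exempt = any(lo in dst and hi in dst for acl in nat0 for dst in acls.get(acl, []))
        if not exempt:
            findings.append(f"{name}: pool '{pool}' is not covered by a nat 0 access-list")
    return findings

# Constructed sample: the commands from the reply above, as they would appear in a config.
FIXED = """\
ip local pool vpnpool 192.168.1.1-192.168.1.20
access-list nonat permit ip any 192.168.1.0 255.255.255.0
access-list split permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup TQA_VPN1 address-pool vpnpool
vpngroup TQA_VPN1 split-tunnel split
"""

if __name__ == "__main__":
    print(lint_vpngroups(FIXED) or "no findings")
```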

I won't be able to try this until Sunday night. Thanks for your help. I'll let you know the results then.

Barry

That fixed the Remote Access. Thanks.