pptp VPN Pix 501 Internal network access

Unanswered Question
Mar 20th, 2007

Hi Glen

I have configured VPN on PIX 501 ver 6.3(5) for Windows using PPTP. Users log on successfully but cannot access any of the internal network IPs. Below is my config.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pix01
domain-name **************
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit gre any any
access-list inside_access_in permit ip any any
access-list nonat permit ip
access-list nonat permit icmp any any
no pager
logging on
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside **********
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside ********** 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set basic
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client configuration address initiate
crypto map partner-map client configuration address respond
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 30
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local dealer
vpdn group 1 client configuration dns
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username ahmed password *********
vpdn username chris password *********
vpdn enable outside
dhcpd auto_config outside
terminal width 80
: end

I'll be waiting for a response.



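As an added example (not code from the poster or from anyone in the thread): the posted config masks the pool range and the nonat entries, so this small Python lint checks the cross-references a PIX 6.3 PPTP dial-in setup relies on, namely that the pool named in the vpdn group is defined, that the nat 0 ACL lists the pool as a destination, and that sysopt connection permit-pptp is present. The addresses in the sample configs are assumptions standing in for the masked values.

```python
from ipaddress import ip_address, ip_network

def _parse_ace(tokens):
    """Parse the src/dst part of 'access-list X permit ip ...' into two networks."""
    nets, i = [], 0
    for _ in range(2):
        if tokens[i] == "any":                 # 'any' is a single token
            nets.append(ip_network("0.0.0.0/0")); i += 1
        else:                                  # 'addr mask' is two tokens
            nets.append(ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)); i += 2
    return nets[0], nets[1]

def lint_pptp(cfg):
    """Return findings for the PPTP cross-references; an empty list means they are consistent."""
    problems, pools, acls, nat0, sysopt = [], {}, {}, None, False
    for line in (l.strip() for l in cfg.splitlines()):
        t = line.split()
        if line.startswith("ip local pool ") and len(t) == 5:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ip_address(lo), ip_address(hi))
        elif line.startswith("access-list ") and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(_parse_ace(t[4:]))
        elif line.startswith("nat (inside) 0 access-list "):
            nat0 = t[4]
        elif line == "sysopt connection permit-pptp":
            sysopt = True                      # lets the PPTP/GRE session bypass the outside ACL
        elif t[:2] == ["vpdn", "group"] and t[3:7] == ["client", "configuration", "address", "local"]:
            pool = t[7]
            if pool not in pools:
                problems.append(f"group {t[2]} references pool '{pool}', which is not defined")
            elif nat0 is None:
                problems.append("no 'nat (inside) 0 access-list' exemption for inside-to-pool traffic")
            else:
                lo, hi = pools[pool]
                if not any(lo in dst and hi in dst for _, dst in acls.get(nat0, [])):
                    problems.append(f"pool '{pool}' ({lo}-{hi}) is not a destination in ACL '{nat0}'")
    if not sysopt:
        problems.append("missing 'sysopt connection permit-pptp'")
    return problems

# Constructed sample modelled on the posted config; the pool and ACL values are assumptions
# standing in for the masked ones, not the poster's real addresses.
SAMPLE_OK = """\
ip local pool dealer 192.168.1.200-192.168.1.210
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
vpdn group 1 client configuration address local dealer
vpdn enable outside
"""
# Same config with the nonat ACL aimed at the wrong subnet and the sysopt line missing.
SAMPLE_BAD = SAMPLE_OK.replace("192.168.1.192 255.255.255.224", "192.168.2.0 255.255.255.0") \
                      .replace("sysopt connection permit-pptp\n", "")
```

Run lint_pptp on the real config once the masked pool and nonat lines are filled in; the second sample shows the two findings a mismatched exemption produces.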
kaachary Tue, 03/20/2007 - 02:17

Hi Ahmed,

The config looks fine. Can you try the following:

1: On the client machine, check the option "Use Default Gateway on remote network".

2: Also, check if there's an L3 device between the PIX inside interface and the inside hosts.

3: Check the default gateway of the inside hosts; does it point to the PIX inside interface?

Hope this helps.

*Please rate if it does.


tektrix11 Tue, 03/20/2007 - 02:40

Thanks for the reply, Kanishka.

I can't even ping the IP of the inside interface of the PIX from the VPN.

Yes, I have checked the default gateway option, but no luck.



kaachary Tue, 03/20/2007 - 03:16

With a PPTP connection, you would not be able to ping the inside interface. That is the default behavior.

Have you tried with the "Use default gateway on remote network" option checked?

You can find this option in the "Local Area Connection" properties for this PPTP connection.


