PPTP VPN client can make connection but can't see network resources


I am using a PIX 501 firewall as a PPTP VPN endpoint. There is a Cisco 2611 router behind the PIX on the inside which acts as the default gateway for the end users.

We can establish a good PPTP VPN connection to the PIX but cannot access any of the LAN resources (behind the router). The router is pretty simple and does NOT perform NAT. I can ping any of the resources from the PIX through the router to the LAN, but not with a PPTP VPN connection.


I could really use anyone's help to get this resolved.


Thank you,


Mike


Thanks for your reply. The configuration below, and the PPTP VPN, work great when the inside interface is directly connected to the LAN switch. When it is placed in front of a Cisco router (that performs no NAT, by the way), users connected via VPN can't see the internal network. The static command does work, however.


Thank you for your help.


: interfaces
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
: protocol fixups; pptp 1723 inspects the PPTP control channel
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
: inbound ACL on the outside interface: GRE for the PPTP tunnels, plus RDP to one public host
: (the host here, 65.121.35.13, is not the global address used in the static below, 65.121.28.13)
access-list uvp permit gre any any
access-list uvp permit tcp any host 65.121.35.13 eq 3389
: NAT exemption for traffic to the VPN client range 172.16.1.64/26 (covers the pool .80-.99)
access-list inside_outbound_nat0_acl permit ip any 172.16.1.64 255.255.255.192
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 65.x.x.11 255.255.255.248
ip address inside 172.16.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
: PPTP client addresses are carved out of the inside interface's own subnet
ip local pool VPN_DHCP 172.16.1.80-172.16.1.99
pdm logging informational 100
pdm history enable
arp timeout 14400
: global id 2 is not referenced by any nat command
global (outside) 1 interface
global (outside) 2 10.65.24.121 netmask 255.255.255.248
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 65.121.28.13 172.16.1.10 netmask 255.255.255.255 0 0
access-group uvp in interface outside
route outside 0.0.0.0 0.0.0.0 65.121.28.9 1
: LAN subnets behind the 2611; the next hop is the router's inside address
route inside 172.16.20.0 255.255.255.0 172.16.1.1 1
route inside 172.16.30.0 255.255.255.0 172.16.1.1 1
route inside 172.16.40.0 255.255.255.0 172.16.1.1 1
route inside 172.16.50.0 255.255.255.0 172.16.1.1 1
route inside 172.16.60.0 255.255.255.0 172.16.1.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
: "public" is the well-known default community string
snmp-server community public
no snmp-server enable traps
floodguard enable
: PPTP and L2TP traffic bypasses the interface ACLs
sysopt connection permit-pptp
sysopt connection permit-l2tp
console timeout 0
: PPTP server: MS-CHAP authentication, MPPE required, addresses from VPN_DHCP, local user database
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPN_DHCP
vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.1.12
vpdn group PPTP-VPDN-GROUP client configuration wins 172.16.1.12
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
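Added example, not part of the thread or of Cisco's own tooling: a small offline check of the three things in the posted config that decide whether PPTP clients can reach the LAN subnets behind the 2611. It pulls the inside interface address, the pool handed to PPTP clients, the nat 0 exemption ACL and the inside static routes out of the config, then reports whether the pool lives inside the inside interface's subnet (so the router and LAN hosts will ARP for those addresses on the 172.16.1.0/24 wire rather than route to the PIX), whether every pool address is covered by the nat 0 ACL, and which LAN subnets are reached via 172.16.1.1. The sample text is the relevant lines copied from the config above; the second, off-subnet variant is a constructed hypothetical used to show what the check reports when the pool and the nat 0 ACL disagree. It reports facts about the config and does not claim to pinpoint the fault in this thread.

```python
"""Offline sanity check of the PPTP pool / nat 0 / inside-route relationship
in a PIX 6.x config (added example; only the commands it needs are parsed)."""
import ipaddress

# Constructed sample: the lines of the posted config that this check depends
# on, addresses copied from the thread.
SAMPLE_CONFIG = """\
ip address inside 172.16.1.2 255.255.255.0
ip local pool VPN_DHCP 172.16.1.80-172.16.1.99
access-list inside_outbound_nat0_acl permit ip any 172.16.1.64 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 65.121.28.9 1
route inside 172.16.20.0 255.255.255.0 172.16.1.1 1
route inside 172.16.30.0 255.255.255.0 172.16.1.1 1
route inside 172.16.40.0 255.255.255.0 172.16.1.1 1
vpdn group PPTP-VPDN-GROUP client configuration address local VPN_DHCP
"""

# Constructed hypothetical: the same config with the pool moved to a subnet of
# its own that the nat 0 ACL does not cover.
OFF_SUBNET_CONFIG = SAMPLE_CONFIG.replace(
    "172.16.1.80-172.16.1.99", "172.16.100.1-172.16.100.20")


def _acl_addr(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_pix(text):
    """Extract inside address, pools, 'permit ip' ACL entries, nat 0 ACL name,
    inside static routes and the pool the PPTP vpdn group hands out."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None,
           "routes_inside": [], "vpdn_pool": None}
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[:3] == ["ip", "local", "pool"]:
            start, end = p[4].split("-")
            cfg["pools"][p[3]] = (ipaddress.ip_address(start),
                                  ipaddress.ip_address(end))
        elif p[0] == "access-list" and p[2] == "permit" and p[3] == "ip":
            rest = p[4:]
            src = _acl_addr(rest)
            dst = _acl_addr(rest)
            cfg["acls"].setdefault(p[1], []).append((src, dst))
        elif p[:3] == ["nat", "(inside)", "0"] and p[3] == "access-list":
            cfg["nat0_acl"] = p[4]
        elif p[:2] == ["route", "inside"]:
            net = ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)
            cfg["routes_inside"].append((net, ipaddress.ip_address(p[4])))
        elif p[0] == "vpdn" and p[3:7] == ["client", "configuration",
                                           "address", "local"]:
            cfg["vpdn_pool"] = p[7]
    return cfg


def check_pptp_pool(cfg):
    """Relate the PPTP pool to the inside subnet, nat 0 and the inside routes."""
    inside = cfg["inside"]
    start, end = cfg["pools"][cfg["vpdn_pool"]]
    pool = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
    exempt_dsts = [dst for _, dst in cfg["acls"].get(cfg["nat0_acl"], [])]
    routes = cfg["routes_inside"]
    return {
        # Pool taken from the inside interface's own subnet: hosts and the
        # router on that wire ARP for these addresses instead of routing them.
        "pool_in_inside_subnet": all(a in inside.network for a in pool),
        # Every pool address must match the nat 0 ACL or inside->client
        # traffic falls through to the nat (inside) 1 rule.
        "pool_nat_exempt": all(any(a in d for d in exempt_dsts) for a in pool),
        "lan_subnets_via_router": [str(n) for n, _ in routes],
        "router_next_hops_on_inside": all(nh in inside.network
                                          for _, nh in routes),
    }


def report(text):
    """Print the findings for one config and return them."""
    findings = check_pptp_pool(parse_pix(text))
    for key, value in findings.items():
        print(f"{key:28} {value}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
    print("--- off-subnet pool variant ---")
    report(OFF_SUBNET_CONFIG)
```

Run it against a full `show run` dump and the unrelated lines are ignored. For the config in this thread it reports that the pool is inside 172.16.1.0/24, is fully covered by the nat 0 ACL, and that 172.16.20.0/24 through 172.16.40.0/24 are reached via 172.16.1.1; the off-subnet variant flips the first two findings to False, which is the case where the PIX would apply the nat (inside) 1 rule to traffic headed for the clients.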
