389 Views, 0 Helpful, 2 Replies

communication between PPTP clients

networking
Level 1

Hi all. I have my PIX 515 giving out IP addresses in the range of 192.168.200.0/24.

We use Windows PPTP configuration. The PC clients connect fine and can communicate with internal servers. The problem is that they cannot communicate with each other. Ping tests fail and don't increment an access list.

Here are my existing access lists that reference the 192.168.200.0 subnet.

access-list nonat line 1 permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0 (hitcnt=780)
access-list nonat line 2 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=936492)
access-list nonat line 3 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=1462)
access-list 80 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list 80 line 2 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list 200 line 53 permit ip 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 200 line 54 permit tcp 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 200 line 55 permit udp 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 90 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)

The nonat access-list is applied on my private IP on the PIX.
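An added example, not part of the post and not Cisco's own tooling: a small Python parser for the `show access-list` output quoted above that applies PIX first-match ordering to a given flow and reports, per ACL, which entry the flow lands on and how many hits that entry has recorded. It assumes the exact line format shown in the post (network followed by a real subnet mask, `any`, or `host`), and it embeds the post's nine lines as constructed sample input. For a pool-to-pool flow such as 192.168.200.10 to 192.168.200.20 it confirms what the counters already say: only the nonat entry has ever matched that traffic, while the permitting entry in ACL 200 has a hit count of zero.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the `show access-list` lines quoted in the post.
SHOW_ACCESS_LIST = """\
access-list nonat line 1 permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0 (hitcnt=780)
access-list nonat line 2 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=936492)
access-list nonat line 3 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=1462)
access-list 80 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list 80 line 2 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
access-list 200 line 53 permit ip 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 200 line 54 permit tcp 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 200 line 55 permit udp 192.168.200.0 255.255.255.0 any (hitcnt=0)
access-list 90 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)
"""

# Assumed line shape: "access-list NAME line N permit|deny PROTO SRC DST (hitcnt=H)"
# where SRC/DST is "any", "host A.B.C.D", or "NETWORK MASK".
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+) \(hitcnt=(?P<hits>\d+)\)$"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int


def parse_endpoint(text: str) -> ipaddress.IPv4Network:
    """Turn a PIX ACL endpoint ('any', 'host A', or 'NETWORK MASK') into a network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, second = text.split()
    if first == "host":
        return ipaddress.ip_network(f"{second}/32")
    # PIX ACLs carry a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{first}/{second}", strict=False)


def parse_show_access_list(text: str) -> List[Ace]:
    """Parse every line that matches the assumed format; other lines are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        aces.append(Ace(m["name"], int(m["line"]), m["action"], m["proto"],
                        parse_endpoint(m["src"]), parse_endpoint(m["dst"]), int(m["hits"])))
    return aces


def ace_matches(ace: Ace, proto: str, src_ip: str, dst_ip: str) -> bool:
    """An 'ip' entry matches any protocol; otherwise the protocol must match exactly."""
    proto_ok = ace.proto == "ip" or ace.proto == proto
    return (proto_ok
            and ipaddress.ip_address(src_ip) in ace.src
            and ipaddress.ip_address(dst_ip) in ace.dst)


def first_match(aces: List[Ace], acl: str, proto: str, src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First-match evaluation in line order, as the PIX does; None means the implicit deny."""
    for ace in sorted((a for a in aces if a.acl == acl), key=lambda a: a.line):
        if ace_matches(ace, proto, src_ip, dst_ip):
            return ace
    return None


def flow_report(aces: List[Ace], proto: str, src_ip: str, dst_ip: str) -> dict:
    """Per ACL: (action, matching line, hit count) for the flow; implicit deny if no entry matches."""
    report = {}
    for acl in sorted({a.acl for a in aces}):
        ace = first_match(aces, acl, proto, src_ip, dst_ip)
        report[acl] = (ace.action, ace.line, ace.hits) if ace else ("deny", None, 0)
    return report


if __name__ == "__main__":
    entries = parse_show_access_list(SHOW_ACCESS_LIST)
    for acl, (action, line, hits) in flow_report(entries, "icmp", "192.168.200.10", "192.168.200.20").items():
        print(f"ACL {acl:>5}: {action} at line {line} (hitcnt={hits})")
```

Run it against a fresh capture of `show access-list` to see where a given source and destination pair lands in each ACL. When every entry that would permit the flow shows a hit count of zero, as ACL 200 does here, the packets never reached ACL evaluation on that path, so the ACLs are not what is dropping them and the next thing to check is the forwarding path itself, including how the PIX handles traffic that arrives and would leave on the same interface.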

2 Replies

handsy
Level 1

Inbound ICMP through a PIX is denied by default, outbound ICMP is permitted, but the incoming reply is denied by default.

To work around this (if you really want to) take a look at this article:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic3

I can do without the ping. What about allowing the VPN group 192.168.200 to communicate with other subnets?