PPTP users over IPsec

pramod
Level 1

Dear Experts,
Please refer to the attached scenario.

I have formed an IPsec tunnel and advertised the LAN subnets, and it's working fine.
But I have another requirement.
External users are connected to the site A PIX using PPTP VPN, and once they are connected they will get an IP range of 192.168.5.1-5.100. My requirement is that these 192.168.5.x subnets have to access site B's LAN subnets (10.2.2.0/24). Is this possible? If so, what configuration do I have to do on the PIX? Please help me!
Thanks,
Pramod


Nagaraja Thanthry
Cisco Employee

Hello,

Please try the following:

-- Add a nonat rule for traffic from 192.168.5.x subnet to 10.2.2.x subnet

-- Add the crypto access-list for traffic from 192.168.5.x subnet to 10.2.2.x subnet

-- Add a nonat rule for traffic from 10.2.2.x subnet to 192.168.5.x subnet

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Hope this helps.

Regards,

NT

You will need to do U-turning too.

Since you have a PIX, can you please mention the version you are running, as on certain PIX versions U-turning is not supported.

The version currently running is "Cisco PIX Firewall Version 6.3(4)"

In that case you will not be able to do U-turning or hairpinning.

So I guess we will have to figure out a way around.

Will a version upgrade to 7.3 fix it?

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 464 MHz !!!

I would suggest that you go to the latest code for PIX. Here is the doc which will help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

By the way, the latest and the max you can go to for PIX is 8.04.

Note: PPTP users are connected to Site A using the PIX outside interface from the internet cloud!!!

Yes, I understand, so you have PPTP and site-to-site terminating on the same interface, right?

Yes, you are right!!!

Yup, so you can't do it with the current version of PIX.

Hello,

Code version above 7.2(4) will work and you will be able to do the U-turn.

Hope this helps.

Regards,

NT

OK, think if I replace the PPTP with site to remote access VPN for site A (users connecting from outside {internet})... then if I need to access LAN subnets in site B, do we still need U-turning? Or any other mechanism to work?

You will still need it... In any case I would still recommend you upgrade, because 6.3 is an ancient code which is soon going into the books, and you don't want to play catching up...

U-turning is just one small feature that you get in newer code. One of the most important tools, which I personally find the most useful as a TAC engineer, is packet tracer.

As such, the structure of the code is new and different compared to 6.3.
