Cisco Support Community

New Member

PPTP users over IPsec

Dear Experts,
Please refer to the attached scenario.

I have formed an IPsec tunnel and advertised the LAN subnets, and it's working fine.
But I have another requirement.
External users are connected to the site A PIX using PPTP VPN, and once they are connected they will get the IP range 192.168.5.1-5.100. My requirement is that these subnets (192.168.5.x) have to access site B's LAN subnets (10.2.2.0/24). Is this possible? If so, what configurations do I have to do on the PIX? Please help me!
Thanks,
Pramod

16 REPLIES
Cisco Employee

Re: PPTP users over IPsec

Hello,

Please try the following:

-- Add a nonat rule for traffic from 192.168.5.x subnet to 10.2.2.x subnet

-- Add the crypto access-list for traffic from 192.168.5.x subnet to 10.2.2.x subnet

-- Add a nonat rule for traffic from 10.2.2.x subnet to 192.168.5.x subnet

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Hope this helps.

Regards,

NT

Cisco Employee

Re: PPTP users over IPsec

You will need to do U-turning too.

Since you have a PIX, can you please mention the version you are running? On certain PIX versions U-turning is not supported.

New Member

Re: PPTP users over IPsec

The version currently running is "Cisco PIX Firewall Version 6.3(4)"

Cisco Employee

Re: PPTP users over IPsec

In that case you will not be able to do U-turning or hairpinning.

So I guess we will have to figure out a way around.

New Member

Re: PPTP users over IPsec

Will a version upgrade to 7.3 fix it?

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 464 MHz !!!

Cisco Employee

Re: PPTP users over IPsec

I would suggest that you go to the latest code for PIX. Here is the doc which will help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Cisco Employee

Re: PPTP users over IPsec

By the way, the latest and the max you can go to for PIX is 8.04.

New Member

Re: PPTP users over IPsec

Note: PPTP users are connected to Site A using the PIX outside interface from the internet cloud!!!

Cisco Employee

Re: PPTP users over IPsec

Yes, I understand. So you have PPTP and site-to-site terminating on the same interface, right?

New Member

Re: PPTP users over IPsec

Yes, you are right!!!

Cisco Employee

Re: PPTP users over IPsec

Yup, so you can't do it with the current version of PIX.

Cisco Employee

Re: PPTP users over IPsec

Hello,

Code version above 7.2(4) will work and you will be able to do the U-turn.

Hope this helps.

Regards,

NT

New Member

Re: PPTP users over IPsec

OK, think: if I replace the PPTP with site to remote access VPN for site A (users connecting from outside {internet})... then if I need to access LAN subnets in site B, do we still need U-turning? Or any other mechanism to work?

Cisco Employee

Re: PPTP users over IPsec

You will still need it... In any case I would still recommend you upgrade, because 6.3 is an ancient code which is soon going into the books and you don't want to play catching up...

U-turning is just one small feature that you get in newer code. One of the most important tools, which I personally find the most useful as a TAC engineer, is packet tracer.

As such, the structure of the code is new and different compared to 6.3.

..

New Member

Re: PPTP users over IPsec

OK, hey, I can see the below wording in this link:

"Ensure the PIX does not terminate Point to Point Tunneling Protocol (PPTP) connections. PIX 7.1 and later does not currently support PPTP termination"

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

Can you comment on what exactly?

Cisco Employee

Re: PPTP users over IPsec

Yes, ASA does not support PPTP termination; it supports PPTP pass-through.

Thanks and Regards,

Jitendriya Athavale

Cisco Systems Inc. - Security

Asia Pacific Technical Assistance Centre

Email : jathaval@cisco.com

Phone : +1 408 434 3210

Working hours:

Sunday - Thursday, 8pm - 2am US EDT

Tuesday - Saturday, 10am - 4pm Australia EST

TAC Worldwide contacts: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
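
Added example, not posted by anyone in the thread and not taken from the linked Cisco documents: the U-turn setup the replies describe, in PIX/ASA 7.x syntax. It assumes the remote users terminate on Site A as IPsec remote-access clients that keep the 192.168.5.0/24 pool (7.x does not terminate PPTP), and that Site B is also a PIX/ASA. The ACL names are placeholders for the ACLs your existing crypto map and `nat 0` statements already reference.

```cisco
! ---------- Site A (PIX on 7.2(4) or later) ----------
! Let decrypted client traffic leave through the same interface it
! arrived on (U-turn / hairpin). This command does not exist in 6.3.
same-security-traffic permit intra-interface

! Crypto ACL of the existing site-to-site tunnel (placeholder name):
! add the client pool as a source next to the existing LAN entry.
access-list L2L_TO_SITEB extended permit ip 192.168.5.0 255.255.255.0 10.2.2.0 255.255.255.0

! The hairpinned flow enters and leaves on "outside", so the inside
! nonat ACL never sees it; leave that ACL as it is for LAN traffic.

! ---------- Site B (assumed PIX/ASA, 7.x syntax) ----------
! Mirror of the Site A crypto ACL entry (placeholder name). The two
! sides must match exactly or the IPsec SA for this pair will not form.
access-list L2L_TO_SITEA extended permit ip 10.2.2.0 255.255.255.0 192.168.5.0 255.255.255.0

! Exempt return traffic to the client pool from NAT (placeholder name).
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ---------- Verification (either side) ----------
! After a client sends traffic to 10.2.2.0/24, a separate SA pair for
! 192.168.5.0/24 <-> 10.2.2.0/24 should appear with rising counters.
show crypto ipsec sa
```

Keep the new ACL entries limited to the pool and the 10.2.2.0/24 subnet named in the question, so the remote users gain access to nothing beyond what the requirement asks for.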
