Authenticated, but can't use remote network!

adrian.h
Level 1

I have successfully, or so I thought, set up my PIX 506 (6.1) to use our Win2k Radius server to authenticate PPTP sessions. I can authenticate fine, but I don't seem to be able to actually use anything remotely. My suspicion is that when I look at the details of the VPN connection (XP Pro), the remote server address is the outside address of the PIX. I usually do this sort of setup passing the PPTP traffic through to a Win2k radius client, in which case the address is an internal address of that server, not this external address. But I am not so sure that is even the problem, as my pings time out. Any ideas?

TIA

3 Replies

paqiu
Level 1

Hi,

Please double check the nat (inside) 0 access-list; see whether your PPTP IP pool addresses have been bypassed for NAT or not.

http://www.cisco.com/warp/customer/110/pptpcrypto3.html

Another thing you should try is to disable the MPPE encryption and see whether it works or not. If the encryption type you configured in the W2k Radius server does not match the encryption type you put in the PIX, it will not be able to pass any traffic.

Best Regards,

Paul Qiu

I've got the MPPE set to auto. I see what you are saying about the no nat on the IP pool and have done so. But I am not sure that it is working. I have one access-list for my internal users, which is combined with a group bound to the interface. But I have put in this second access-list which is not grouped with any interface, because it can't be. Is this right? I will post the config for the VPN below. Thanks. PS: I don't have a CCO login to check out that link.

access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool pptp-pool 192.168.50.1-192.168.50.10
global (outside) 1 216.95.169.xxx-216.95.169.xxx
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.10.2 xxx timeout 10
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.10.10.2 10.10.10.3
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn enable outside
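Paul's first suggestion, checking that every address in the PPTP pool is exempted from NAT by the nat (inside) 0 access-list, can be verified mechanically. The script below is an added example, not part of this thread or any Cisco tool; it parses the VPDN/NAT lines of the posted config (the redacted lines are left out of the constructed sample) and reports any pool address that no nonat entry covers for traffic from the inside subnet. The inside subnet 10.10.10.0/24 is assumed from the access-list source.

```python
import ipaddress
import re

# Constructed sample: the NAT/pool/VPDN lines from the posted PIX config.
SAMPLE_CONFIG = """
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool pptp-pool 192.168.50.1-192.168.50.10
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpdn group 1 client configuration address local pptp-pool
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
VPDN_POOL_RE = re.compile(r"^vpdn group \d+ client configuration address local (\S+)$")


def parse_config(text):
    """Collect nonat-relevant objects: ACL entries, pools, nat 0 bindings, VPDN pools."""
    acls, pools, nat0, vpdn_pools = {}, {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            entry = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                     ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
            acls.setdefault(name, []).append(entry)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)          # interface -> ACL name
        elif m := VPDN_POOL_RE.match(line):
            vpdn_pools.append(m.group(1))
    return acls, pools, nat0, vpdn_pools


def check_nat_exemption(text, inside_net, interface="inside"):
    """Return {pool: [addresses]} for pool addresses NOT exempted from NAT toward inside_net."""
    acls, pools, nat0, vpdn_pools = parse_config(text)
    entries = acls.get(nat0.get(interface), [])
    inside = ipaddress.ip_network(inside_net)
    missing = {}
    for pool_name in vpdn_pools:
        first, last = pools[pool_name]
        for n in range(int(first), int(last) + 1):   # enumerate the pool range
            addr = ipaddress.ip_address(n)
            if not any(inside.subnet_of(src) and addr in dst for src, dst in entries):
                missing.setdefault(pool_name, []).append(str(addr))
    return missing
```

An empty result means every pool address is exempted, as in the posted config; a non-empty result lists the addresses that would still be translated by nat (inside) 1.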

adrian.h
Level 1

Ignore all that. I got it working. I had to enable the "use remote gateway" feature in the client in order for the PIX to send it the gateway. Is there no way around this??? I'll post a separate topic on this VPDN command.

Thanks
