Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Authenticated, but can't use remote network!

I have successfully, or so I though, set up my PIX 506 (6.1) to use our WIn2k Radius server to authenticate PPTP sessions. I can authenticate fine, but I don't seem to be able to actually use anything remotely. My suspicion is that when I look at the details of the VPN connection (XP Pro), the remote server address is the outside address of the PIX. I ususally do this sort of set up passing the PPTP traffic through to a win2k radius client, in which case the address is an internal address of that server, not this external address. But, I am not so sure that is even the problem, as my pings go timed out. Any ideas?


New Member

Re: Authenticated, but can't use remote network!


Please double check the nat(inside) 0 access-list , see your PPTP ip pool address has been bypassed for the NAT or not.

Another thing you should try is to disable the MPPE encryption, see it will be working fine or not. If you encryption type you configed in the W2k Radius server not matching the encryption type you put in the PIX, it wil not be able to pass any traffic.

Best Regards,

Paul Qiu

New Member

Re: Authenticated, but can't use remote network!

I've got the MPPE set to auto. I see what you are saying about the no nat on the ip pool and have done so. But I am not sure that it is working. I have one access-list for my internal user, which is combined with a group bound to the interface. But i have put in this second access-list which is not grouped with any interface, because it can't. Is this right? I will post the config fo the VPN below. Thanks PS: I don't have a cco login to check out that link

access-list nonat permit ip

ip local pool pptp-pool

global (outside) 1

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host xxx timeout 10

sysopt connection permit-pptp

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe auto

vpdn group 1 client configuration address local pptp-pool

vpdn group 1 client configuration dns

vpdn group 1 client authentication aaa RADIUS

vpdn group 1 pptp echo 60

vpdn enable outside

New Member

Re: Authenticated, but can't use remote network!

Ignore all that. I got it working. I had to enable the use remote gateway feature in the client in order for the pix to send it the gateway. Is there not way around this??? I'll post a seperate topic on this VPDN command.


CreatePlease login to create content