PIX515+vpdn..

Basically I want to be able to allow remote users to access our Internal LAN once they have successfully made a pptp connection.

The connection works fine, (From a win2k box), with the remote user assigned a 192.168.2.x address, but they cannot ping/access any 192.168.1.x address...

Ping from the remote client (192.168.2.x->192.168.1.x) produces nothing in the PIX's logs.

Trying to telnet to 192.168.1.2 port 25 (there is a mail server running on that box) fails, but the PIX logs the connection ->

302001: Built inbound TCP connection 2 for faddr 192.168.2.1/2069 gaddr 192.168.1.2/25 laddr 192.168.1.2/25

I'm pretty sure it has something to do with my acls.....

Any suggestions/comments are greatly appreciated.

Regards

MB

Current Conf->

dfx-pix(config)# show conf
: Saved
:
PIX Version 5.2(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password xxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
hostname dfx-pix
domain-name datafx.com.au
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl_grp permit icmp any any
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.2.1-192.168.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_grp in interface outside
access-group acl_grp in interface inside
route outside 0.0.0.0 0.0.0.0 203.149.69.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community teen
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity hostname
telnet 192.168.1.3 255.255.255.255 inside
telnet 192.168.1.3 255.255.255.255 intf2
telnet 192.168.1.3 255.255.255.255 intf3
telnet 192.168.1.3 255.255.255.255 intf4
telnet 192.168.1.3 255.255.255.255 intf5
telnet timeout 15
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 60
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local bigpool
vpdn group 1 client authentication local
vpdn username xxxxxx password xxxxxx
vpdn enable outside
terminal width 80
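Added illustration (not part of the original post or of any Cisco tool): a small Python checker that parses the access-list lines from the config above and reports, with PIX first-match semantics and an implicit deny, which entry a given flow would hit. It assumes PIX 5.x subnet-mask syntax (not IOS wildcard masks) and the standard port numbers for the names used in the config (pop3, ftp, www, domain, smtp).

```python
import ipaddress

# Access-list lines copied from the PIX config in the post above.
PIX_ACLS = """
access-list acl_grp permit icmp any any
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list acl_grp permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# Standard port numbers for the service names used above (assumption).
PORT_NAMES = {"pop3": 110, "ftp": 21, "www": 80, "domain": 53, "smtp": 25}


def _take_addr(tokens):
    """Consume 'any' or 'ADDR MASK' (PIX uses real subnet masks) and return a network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _take_addr(t[4:])
        dst, rest = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(acls, name, proto, src, dst, dport=None):
    """First matching entry wins; no match means the list's implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acls.get(name, []):
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny (implicit)"
```

Running the poster's flows through it shows that acl_grp permits the ping (icmp any any) but has no entry for TCP traffic sourced from the 192.168.2.x pool, while access-list 101 only describes the inside-to-pool direction that nat (inside) 0 evaluates. The PIX checks an ACL only against the packet that creates a connection; replies on an established connection are not re-evaluated.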

1 REPLY

Re: PIX515+vpdn..

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
