Cisco Support Community


Basically I want to be able to allow remote users to access our internal LAN once they have successfully made a PPTP connection.

The connection works fine (from a Win2k box), with the remote user assigned a 192.168.2.x address, but they cannot ping/access any 192.168.1.x address...

Ping from the remote client (192.168.2.x->192.168.1.x) produces nothing in the PIX's logs.

Trying to telnet to port 25 (there is a mail server running on that box) fails, but the PIX logs the connection ->

302001: Built inbound TCP connection 2 for faddr gaddr laddr

I'm pretty sure it has something to do with my ACLs...

Any suggestions/comments are greatly appreciated.



Current Conf->

dfx-pix(config)# show conf

: Saved


PIX Version 5.2(3)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

nameif ethernet3 intf3 security15

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

enable password xxxxxxxxx encrypted

passwd xxxxxxxxx encrypted

hostname dfx-pix


fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060


access-list acl_grp permit icmp any any

access-list acl_grp permit tcp any eq pop3

access-list acl_grp permit tcp any eq ftp

access-list acl_grp permit tcp any eq www

access-list acl_grp permit tcp any eq domain

access-list acl_grp permit tcp any eq smtp

access-list 101 permit ip

pager lines 24

logging on

logging timestamp

no logging standby

no logging console

no logging monitor

logging buffered debugging

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside

ip address inside

ip address intf2

ip address intf3

ip address intf4

ip address intf5

ip audit info action alarm

ip audit attack action alarm

ip local pool bigpool

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside

failover ip address inside

failover ip address intf2

failover ip address intf3

failover ip address intf4

failover ip address intf5

arp timeout 14400

global (outside) 1

nat (inside) 0 access-list 101

nat (inside) 1 0 0

access-group acl_grp in interface outside

access-group acl_grp in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community teen

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp identity hostname

telnet inside

telnet intf2

telnet intf3

telnet intf4

telnet intf5

telnet timeout 15

ssh outside

ssh timeout 60

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local bigpool

vpdn group 1 client authentication local

vpdn username xxxxxx password xxxxxx

vpdn enable outside

terminal width 80


Re: PIX515+vpdn..

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center ( or speak with a TAC engineer. You can open a TAC case online at

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
