Couple of quick checks should hopefully fix the issue.
1. Since the PPTP Clients are getting an IP Address assigned from the IP Pool 192.168.101.0 Does your internal networks 172.16.0.0 255.255.0.0 know where to route the packets destined for 192.168.101.0.
2. Also, did you do a "Clear Xlate" after configuring the Pix as a PPTP Server. The reason is, if there is already an existing translation in the Pix for the IP Address that you are trying to access, then the traffic will not hit the NAT(inside)0 ACL and bypass translation for traffic destined to the PPTP Users.
The following PPTP configuration works very well for me:
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.255.128
ip local pool pptp_dial_in 172.16.100.1-172.16.100.10
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_dial_in
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.10
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.11
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username pptp_user password
vpdn enable outside
I am assuming that you don't have a router on your internal LAN? If you do have a internal router on the inside LAN then you'll need to tell the PIX how to route the specified subnet with 'route inside' command.
Hope the above helps and please rate post if it does!
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :