Cisco Support Community

New Member

Routing Issues with Client PPTP into PIX-PIX VPN Infrastructure

Here is the PIX setup with internal addresses:

(MAIN PIX 501) <--vpn--> (REMOTE PIX 501)
192.168.0.254/24         192.168.2.254/24

Using Windows VPN Client, connect to MAIN PIX via PPTP. Need to have access to web services on REMOTE PIX network, but connectivity fails. Connectivity to MAIN PIX network is OK.

I believe it is a routing issue, but the solution escapes me. What is required to accomplish this? Ideas? Relevant config sections are attached.

4 REPLIES
Silver

Re: Routing Issues with Client PPTP into PIX-PIX VPN Infrastruct

What is the version of OS you are using in the PIX firewall?

New Member

Re: Routing Issues with Client PPTP into PIX-PIX VPN Infrastruct

Are you trying to get to the remote site PIX after establishing your PPTP connection to the main site PIX? If so, then I do not see an access list that allows the network 10.77.1.x to the remote site. I believe you will need to add that to the other PIX firewall as well.

New Member

Re: Routing Issues with Client PPTP into PIX-PIX VPN Infrastruct

Using PIX 6.3(1).

Do you mean something like:

MAIN-PIX:

access-list outside-in permit ip PPTP_LAN 255.255.255.0 REMOTE_LAN 255.255.255.0

REMOTE-PIX:

access-list outside-in permit ip PPTP_LAN 255.255.255.0 INSIDE_LAN 255.255.255.0

Should I also add an access-list entry in crypto_MAIN for PPTP_LAN/24 to REMOTE_LAN/24?

Any other considerations I have missed? I do not currently have remote access to try this solution, but will make an attempt soon.

Thanks for the help.

New Member

Re: Routing Issues with Client PPTP into PIX-PIX VPN Infrastruct

Testing resulted with no luck. I am not seeing any hits on the access-list entries on the MAIN PIX. Not even with a blanket deny entry as a last filter to see if the packets "fall-through" the access-list.

I thought it may be a routing issue in my client PC, so I locally added a route in Windows XP to forward the destination PPTP_LAN/24 network to the PPTP gateway found in the route table, but again to no avail. Still no hits on the access-list entries.

Can anyone else provide me some advice? Thanks.
