Routing Issues with Client PPTP into PIX-PIX VPN Infrastructure

nickpelfort · ‎08-30-2006

Here is the PIX setup with internal addresses:

(MAIN PIX 501) <--vpn--> (REMOTE PIX 501)

192.168.0.254/24 192.168.2.254/24

Using Windows VPN Client, connect to MAIN PIX via PPTP. Need to have access to web services on REMOTE PIX network, but connectivity fails. Connectivity to MAIN PIX network is OK.

I believe it is a routing issue, but the solution escapes me. What is required to accomplish this? Ideas? Relavent config sections are attached.

thomas.chen · ‎09-05-2006

What is the version of os you are using in the PIX firewall ?

amohabir1 · ‎09-05-2006

Are you trying to get to the remote site pix after establishing your pptp connection to the main site pix? If so then I do not see an access list that allows the network 10.77.1.x to the remote site. I believe you will need to add that to the other pix firewall as well.

nickpelfort · ‎09-07-2006

Using PIX 6.3(1).

Do you mean something like:

MAIN-PIX:

access-list outside-in permit ip PPTP_LAN 255.255.255.0 REMOTE_LAN 255.255.255.0

REMOTE-PIX:

access-list outside-in permit ip PPTP_LAN 255.255.255.0 INSIDE_LAN 255.255.255.0

Should I also add an access-list entry in crypto_MAIN for PPTP_LAN/24 to REMOTE_LAN/24?

Any other considerations I have missed? I do not currently have remote access to try this solution, but will make an attempt soon.

Thanks for the help.

nickpelfort · ‎09-13-2006

Testing resulted with no luck. I am not seeing any hits on the access-list entries on the MAIN PIX. Not even with a blanket deny entry as a last filter to see if the packets "fall-through" the access-list.

I thought it may be a routing issue in my client PC, so I locally added a route in Windows XP to forward the destination PPTP_LAN/24 network to the PPTP gateway found in the route table, but again to no avail. Still no hits on the access-list entries.

Can anyone else provide me some advice? Thanks.