Cisco Support Community
Community Member

VPN access beyond PIX515e 6.3 nas...


I am trying to get a remote access PPTP VPN set up from remote Windows clients through a PIX 515E, using RADIUS to authenticate to a Windows 2000 domain. I am able to establish the VPN connection OK, and RADIUS is authenticating the right domain users to allow the VPN, but I am then unable to access any domain resources beyond the outside interface of the PIX.

Any ideas?!?!??!


Cisco Employee

Re: VPN access beyond PIX515e 6.3 nas...

Difficult to say without seeing your config, but make sure you have it configured like this:

Specifically, if you're getting connected OK then your vpdn config is probably OK. If you can't pass traffic, check your "nat 0" and "access-list" commands. You have to tell the PIX not to NAT any of the traffic that is to go over a PPTP tunnel, so you need something like this:

access-list 101 permit ip

nat (inside) 0 access-list 101

Check you have the "sysopt" command also.
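
A way to check a saved PIX 6.3 configuration for the three items named in the reply above, written as an added Python example (not code from the thread or from Cisco). The sample configuration, its addresses, the pool name and the function name are constructed, and reading "sysopt" as `sysopt connection permit-pptp` is an assumption.

```python
import ipaddress
import re

# Constructed PIX 6.3 fragment; every address and name here is a placeholder.
SAMPLE = """\
ip local pool pptp-pool 192.168.50.1-192.168.50.50
access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-pptp
vpdn group 1 client configuration address local pptp-pool
"""

def check_pptp_nat_exemption(config):
    """Return a list of problems found (hypothetical helper); empty means all checks pass."""
    problems = []
    lines = [line.strip() for line in config.splitlines()]
    # Assumption: the "sysopt" meant in the reply is the PPTP permit option.
    if "sysopt connection permit-pptp" not in lines:
        problems.append("missing 'sysopt connection permit-pptp'")
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not nat0:
        return problems + ["no 'nat (inside) 0 access-list' statement"]
    acl = nat0.group(1)
    # Collect destination networks of the NAT-exemption ACL. Only the
    # "permit ip <src> <mask> <dst> <mask>" form is parsed (no any/host).
    dests = []
    for line in lines:
        f = line.split()
        if f[:4] == ["access-list", acl, "permit", "ip"] and len(f) == 8:
            dests.append(ipaddress.ip_network(f"{f[6]}/{f[7]}", strict=False))
    # Both ends of every client pool must fall inside an exempted destination.
    pools = re.findall(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M)
    for name, start, end in pools:
        for addr in (start, end):
            if not any(ipaddress.ip_address(addr) in net for net in dests):
                problems.append(f"pool {name}: {addr} not exempted by access-list {acl}")
    return problems

if __name__ == "__main__":
    print(check_pptp_nat_exemption(SAMPLE) or "NAT exemption covers the PPTP pool")
```

An empty result only means the three statements are present and consistent with the pool; it does not test routing or the address and mask the client actually receives.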

Community Member

Re: VPN access beyond PIX515e 6.3 nas...


I'm so glad to finally receive any suggestions! I will try to implement your ideas and will reply as soon as I have more info. Here is our current PIX config in the attachment. All identifying names or IP addresses have been x'ed out, but you will get the idea...

Again thank you!

Community Member

Re: VPN access beyond PIX515e 6.3 nas...

It looks like the suggestions that you mentioned were already in the PIX config that I am having trouble with. I did go in and try to work with the nat 0 and matching ACL, but to no avail. I still get a good VPN connection to the PIX, which authenticates my user/password with RADIUS to a W2K server, but then cannot access anything on the network.

I did notice that the IP address that I receive for my VPN client is from the ip local pool OK, but I get a netmask and am wondering if that is the problem, since everything on our inside network is on different subnets. I cannot find a way to make sure the VPN client receives an address from the ip local pool AND a subnet mask...
