03-02-2004 11:42 AM - edited 02-21-2020 01:03 PM
I have a PIX 501 setup to accept incoming VPN connections from windows pptp clients. Clients can connect without a problem, but I am missing something (I'm sure it is simple) in the routing setup. Once the remote clients connect they cannot access the internal network.
I have attached my current config. Hopefully someone can find a minute to point out my problem and the solution.
Thank you,
Rick
03-02-2004 12:11 PM
config looks good. could you have enabled the commands out of order?
no vpdn enable outside
vpdn enable outside
should reinitialize the pix's vpdn config.
you might want to edit out your enable password in that config, as the hashing routing the pix uses is weak
03-02-2004 01:59 PM
03-02-2004 12:22 PM
Rick,
Can you give us an idea on the topology of the network inside the PIX? Do the internal clients use the 501 as the default gateway for this network or is there another L3 device inside the PIX that the internal hosts use as a DG? As the other poster said, config looks fine from first glance.
Scott
03-02-2004 01:51 PM
this is a very simple network. The PIX is acting as the DG. couple servers and several workstations.
03-02-2004 07:12 PM
Unfortunately I am still having difficulties. I can't ping anything on the inside. I can't connect via a remote desktop connection, I can't connect to the exchange server, nothing... Any more suggestions?
03-02-2004 07:40 PM
i am a ipsec bigot, so i don't have tons of hands on pptp experience. i know the fixup protocol pptp is not a default for the pix. do your users need to make pptp connections from behind your pix to the outside world? if not, try disabling it.
do you have any debug logs from the pix?
03-03-2004 04:07 AM
Looking into your config, it seems as if you have applied access-list 100 to the wrong interface. Should be
access-group 100 in interface inside.
Let me know how u get on.
Cheers
03-03-2004 06:26 AM
Your config and design ar fine from a PIX perspective. No changes need to be made. Let's look at this from the client perspective then. Are you connecting this PPTP client to the PIX from a device that is behind another firewall? Or perhaps a NAT device? Are you blocking GRE traffic? Is the NAT device able to NAT GRE traffic? What is the NAT device (if it exists)? Can you try the PPTP client connection from another host (perhaps a dial-up if you are not already)?
Scott
03-03-2004 08:59 AM
I strongly disagree with you Scott. If access-list goes from source to destination and can only be applied to traffic entering an interface on the PIX. How can below (copied from his config)be right i.e
access-list 100 permit udp host 192.168.2.10 any eq domain
access-list 100 permit tcp host 192.168.2.10 any eq domain
access-group 100 in interface outside
Or am I missing something?? Pls shed some light.
03-03-2004 10:40 AM
Well, as long as you "strongly" disagree ;)
You are right, these ACE's in the ACL are clearly wrong. However, this should have nothing to do with the problem at hand (PPTP client traffic not transmitting to the network behind the PIX). The command 'sysopt connection permit-pptp' allows the PIX to bypass ACL's and conduits for traffic that was received via a PPTP connection.
Basically, I have no idea why the above 2 ACE's are in the config. But, I cannot really speak to why he has them the way he does.
Clear-er?
Scott
03-03-2004 12:11 PM
They are in there to allow DNS traffic to pass back and forth from my internal DNS server. This is only my second PIX I have setup. Am I doing something wrong? It corrected the DNS issues I was having, so I figured it was the correct solution.
Rick
03-03-2004 05:27 PM
Rick,
Nope, these lines in the ACE should not be doing anything in your PIX config. They are telling the PIX to allow tcp and udp packets sourced from 192.168.2.10 destined to anywhere on port 53. The problem is that you have this ACL applied inbound on your outside interface where you should never see packets with this source address (this source address should always be coming from your inside network).
Scott
03-05-2004 12:20 PM
Have you been able to resolve this issue?
I am experiencing the same issue, I can vpn into the pix 515 but cannot access any resources on the inside network.
Once you have a pptp vpn connection established to the pix do you need to open all needed ports on the outside interface to the vpn clients for access the inside?
03-06-2004 10:10 AM
Not as long as you have 'sysopt connection permit-pptp' in the config. This command allows the PIX to bypass rules applied to the PIX as long as the traffic came in as PPTP traffic. Hope this helps.
Scott
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide