Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
745
Views
0
Helpful
16
Replies

VPN traffic not being routed through PIX

rmeder
Level 1
Level 1

‎03-02-2004 11:42 AM - edited ‎02-21-2020 01:03 PM

I have a PIX 501 setup to accept incoming VPN connections from windows pptp clients. Clients can connect without a problem, but I am missing something (I'm sure it is simple) in the routing setup. Once the remote clients connect they cannot access the internal network.

I have attached my current config. Hopefully someone can find a minute to point out my problem and the solution.

Thank you,

Rick

Labels:
0 Helpful
16 Replies 16

mostiguy
Level 6
Level 6

‎03-02-2004 12:11 PM

config looks good. could you have enabled the commands out of order?

no vpdn enable outside

vpdn enable outside

should reinitialize the pix's vpdn config.

you might want to edit out your enable password in that config, as the hashing routing the pix uses is weak

0 Helpful

rmeder
Level 1
Level 1
In response to mostiguy

‎03-02-2004 01:59 PM

thanks. I edited out the enable password. I also tried to reinitialize the vpdn config and will test the remote access this evening.

Thanks again.

Preview file
4 KB
0 Helpful

scoclayton
Level 7
Level 7

‎03-02-2004 12:22 PM

Rick,

Can you give us an idea on the topology of the network inside the PIX? Do the internal clients use the 501 as the default gateway for this network or is there another L3 device inside the PIX that the internal hosts use as a DG? As the other poster said, config looks fine from first glance.

Scott

0 Helpful

rmeder
Level 1
Level 1
In response to scoclayton

‎03-02-2004 01:51 PM

this is a very simple network. The PIX is acting as the DG. couple servers and several workstations.

0 Helpful

rmeder
Level 1
Level 1

‎03-02-2004 07:12 PM

Unfortunately I am still having difficulties. I can't ping anything on the inside. I can't connect via a remote desktop connection, I can't connect to the exchange server, nothing... Any more suggestions?

0 Helpful

mostiguy
Level 6
Level 6
In response to rmeder

‎03-02-2004 07:40 PM

i am a ipsec bigot, so i don't have tons of hands on pptp experience. i know the fixup protocol pptp is not a default for the pix. do your users need to make pptp connections from behind your pix to the outside world? if not, try disabling it.

do you have any debug logs from the pix?

0 Helpful

laje
Level 1
Level 1
In response to rmeder

‎03-03-2004 04:07 AM

Looking into your config, it seems as if you have applied access-list 100 to the wrong interface. Should be

access-group 100 in interface inside.

Let me know how u get on.

Cheers

0 Helpful

scoclayton
Level 7
Level 7
In response to rmeder

‎03-03-2004 06:26 AM

Your config and design ar fine from a PIX perspective. No changes need to be made. Let's look at this from the client perspective then. Are you connecting this PPTP client to the PIX from a device that is behind another firewall? Or perhaps a NAT device? Are you blocking GRE traffic? Is the NAT device able to NAT GRE traffic? What is the NAT device (if it exists)? Can you try the PPTP client connection from another host (perhaps a dial-up if you are not already)?

Scott

0 Helpful

laje
Level 1
Level 1
In response to scoclayton

‎03-03-2004 08:59 AM

I strongly disagree with you Scott. If access-list goes from source to destination and can only be applied to traffic entering an interface on the PIX. How can below (copied from his config)be right i.e

access-list 100 permit udp host 192.168.2.10 any eq domain

access-list 100 permit tcp host 192.168.2.10 any eq domain

access-group 100 in interface outside

Or am I missing something?? Pls shed some light.

0 Helpful

scoclayton
Level 7
Level 7
In response to laje

‎03-03-2004 10:40 AM

Well, as long as you "strongly" disagree ;)

You are right, these ACE's in the ACL are clearly wrong. However, this should have nothing to do with the problem at hand (PPTP client traffic not transmitting to the network behind the PIX). The command 'sysopt connection permit-pptp' allows the PIX to bypass ACL's and conduits for traffic that was received via a PPTP connection.

Basically, I have no idea why the above 2 ACE's are in the config. But, I cannot really speak to why he has them the way he does.

Clear-er?

Scott

0 Helpful

rmeder
Level 1
Level 1
In response to scoclayton

‎03-03-2004 12:11 PM

They are in there to allow DNS traffic to pass back and forth from my internal DNS server. This is only my second PIX I have setup. Am I doing something wrong? It corrected the DNS issues I was having, so I figured it was the correct solution.

Rick

0 Helpful

scoclayton
Level 7
Level 7
In response to rmeder

‎03-03-2004 05:27 PM

Rick,

Nope, these lines in the ACE should not be doing anything in your PIX config. They are telling the PIX to allow tcp and udp packets sourced from 192.168.2.10 destined to anywhere on port 53. The problem is that you have this ACL applied inbound on your outside interface where you should never see packets with this source address (this source address should always be coming from your inside network).

Scott

0 Helpful

Not applicable
In response to scoclayton

‎03-05-2004 12:20 PM

Have you been able to resolve this issue?

I am experiencing the same issue, I can vpn into the pix 515 but cannot access any resources on the inside network.

Once you have a pptp vpn connection established to the pix do you need to open all needed ports on the outside interface to the vpn clients for access the inside?

0 Helpful

scoclayton
Level 7
Level 7
In response to

‎03-06-2004 10:10 AM

Not as long as you have 'sysopt connection permit-pptp' in the config. This command allows the PIX to bypass rules applied to the PIX as long as the traffic came in as PPTP traffic. Hope this helps.

Scott

0 Helpful
Customers Also Viewed These Support Documents