I have a PIX 501 setup to accept incoming VPN connections from windows pptp clients. Clients can connect without a problem, but I am missing something (I'm sure it is simple) in the routing setup. Once the remote clients connect they cannot access the internal network.
I have attached my current config. Hopefully someone can find a minute to point out my problem and the solution.
config looks good. could you have enabled the commands out of order?
no vpdn enable outside
vpdn enable outside
should reinitialize the pix's vpdn config.
you might want to edit out your enable password in that config, as the hashing routing the pix uses is weak
Can you give us an idea on the topology of the network inside the PIX? Do the internal clients use the 501 as the default gateway for this network or is there another L3 device inside the PIX that the internal hosts use as a DG? As the other poster said, config looks fine from first glance.
Unfortunately I am still having difficulties. I can't ping anything on the inside. I can't connect via a remote desktop connection, I can't connect to the exchange server, nothing... Any more suggestions?
i am a ipsec bigot, so i don't have tons of hands on pptp experience. i know the fixup protocol pptp is not a default for the pix. do your users need to make pptp connections from behind your pix to the outside world? if not, try disabling it.
do you have any debug logs from the pix?
Looking into your config, it seems as if you have applied access-list 100 to the wrong interface. Should be
access-group 100 in interface inside.
Let me know how u get on.
Your config and design ar fine from a PIX perspective. No changes need to be made. Let's look at this from the client perspective then. Are you connecting this PPTP client to the PIX from a device that is behind another firewall? Or perhaps a NAT device? Are you blocking GRE traffic? Is the NAT device able to NAT GRE traffic? What is the NAT device (if it exists)? Can you try the PPTP client connection from another host (perhaps a dial-up if you are not already)?
I strongly disagree with you Scott. If access-list goes from source to destination and can only be applied to traffic entering an interface on the PIX. How can below (copied from his config)be right i.e
access-list 100 permit udp host 192.168.2.10 any eq domain
access-list 100 permit tcp host 192.168.2.10 any eq domain
access-group 100 in interface outside
Or am I missing something?? Pls shed some light.
Well, as long as you "strongly" disagree ;)
You are right, these ACE's in the ACL are clearly wrong. However, this should have nothing to do with the problem at hand (PPTP client traffic not transmitting to the network behind the PIX). The command 'sysopt connection permit-pptp' allows the PIX to bypass ACL's and conduits for traffic that was received via a PPTP connection.
Basically, I have no idea why the above 2 ACE's are in the config. But, I cannot really speak to why he has them the way he does.
They are in there to allow DNS traffic to pass back and forth from my internal DNS server. This is only my second PIX I have setup. Am I doing something wrong? It corrected the DNS issues I was having, so I figured it was the correct solution.
Nope, these lines in the ACE should not be doing anything in your PIX config. They are telling the PIX to allow tcp and udp packets sourced from 192.168.2.10 destined to anywhere on port 53. The problem is that you have this ACL applied inbound on your outside interface where you should never see packets with this source address (this source address should always be coming from your inside network).
Have you been able to resolve this issue?
I am experiencing the same issue, I can vpn into the pix 515 but cannot access any resources on the inside network.
Once you have a pptp vpn connection established to the pix do you need to open all needed ports on the outside interface to the vpn clients for access the inside?
Not as long as you have 'sysopt connection permit-pptp' in the config. This command allows the PIX to bypass rules applied to the PIX as long as the traffic came in as PPTP traffic. Hope this helps.
I was able to solve it... not sure exactly how. I opened a case and they had me do two things. clear xlate and management-access inside. That was it and it started working fine. I don't have a clue, and the support guy just said that he has seen this glitch before.
Do you mind attaching ur final PIX config? I am interested in seeing how things work on ur PIX with that access-list applied to the outside interface.