Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN traffic not being routed through PIX

I have a PIX 501 setup to accept incoming VPN connections from windows pptp clients. Clients can connect without a problem, but I am missing something (I'm sure it is simple) in the routing setup. Once the remote clients connect they cannot access the internal network.

I have attached my current config. Hopefully someone can find a minute to point out my problem and the solution.

Thank you,

Rick

16 REPLIES
Silver

Re: VPN traffic not being routed through PIX

config looks good. could you have enabled the commands out of order?

no vpdn enable outside

vpdn enable outside

should reinitialize the pix's vpdn config.

you might want to edit out your enable password in that config, as the hashing routing the pix uses is weak

New Member

Re: VPN traffic not being routed through PIX

thanks. I edited out the enable password. I also tried to reinitialize the vpdn config and will test the remote access this evening.

Thanks again.

Re: VPN traffic not being routed through PIX

Rick,

Can you give us an idea on the topology of the network inside the PIX? Do the internal clients use the 501 as the default gateway for this network or is there another L3 device inside the PIX that the internal hosts use as a DG? As the other poster said, config looks fine from first glance.

Scott

New Member

Re: VPN traffic not being routed through PIX

this is a very simple network. The PIX is acting as the DG. couple servers and several workstations.

New Member

Re: VPN traffic not being routed through PIX

Unfortunately I am still having difficulties. I can't ping anything on the inside. I can't connect via a remote desktop connection, I can't connect to the exchange server, nothing... Any more suggestions?

Silver

Re: VPN traffic not being routed through PIX

i am a ipsec bigot, so i don't have tons of hands on pptp experience. i know the fixup protocol pptp is not a default for the pix. do your users need to make pptp connections from behind your pix to the outside world? if not, try disabling it.

do you have any debug logs from the pix?

New Member

Re: VPN traffic not being routed through PIX

Looking into your config, it seems as if you have applied access-list 100 to the wrong interface. Should be

access-group 100 in interface inside.

Let me know how u get on.

Cheers

Re: VPN traffic not being routed through PIX

Your config and design ar fine from a PIX perspective. No changes need to be made. Let's look at this from the client perspective then. Are you connecting this PPTP client to the PIX from a device that is behind another firewall? Or perhaps a NAT device? Are you blocking GRE traffic? Is the NAT device able to NAT GRE traffic? What is the NAT device (if it exists)? Can you try the PPTP client connection from another host (perhaps a dial-up if you are not already)?

Scott

New Member

Re: VPN traffic not being routed through PIX

I strongly disagree with you Scott. If access-list goes from source to destination and can only be applied to traffic entering an interface on the PIX. How can below (copied from his config)be right i.e

access-list 100 permit udp host 192.168.2.10 any eq domain

access-list 100 permit tcp host 192.168.2.10 any eq domain

access-group 100 in interface outside

Or am I missing something?? Pls shed some light.

Re: VPN traffic not being routed through PIX

Well, as long as you "strongly" disagree ;)

You are right, these ACE's in the ACL are clearly wrong. However, this should have nothing to do with the problem at hand (PPTP client traffic not transmitting to the network behind the PIX). The command 'sysopt connection permit-pptp' allows the PIX to bypass ACL's and conduits for traffic that was received via a PPTP connection.

Basically, I have no idea why the above 2 ACE's are in the config. But, I cannot really speak to why he has them the way he does.

Clear-er?

Scott

New Member

Re: VPN traffic not being routed through PIX

They are in there to allow DNS traffic to pass back and forth from my internal DNS server. This is only my second PIX I have setup. Am I doing something wrong? It corrected the DNS issues I was having, so I figured it was the correct solution.

Rick

Re: VPN traffic not being routed through PIX

Rick,

Nope, these lines in the ACE should not be doing anything in your PIX config. They are telling the PIX to allow tcp and udp packets sourced from 192.168.2.10 destined to anywhere on port 53. The problem is that you have this ACL applied inbound on your outside interface where you should never see packets with this source address (this source address should always be coming from your inside network).

Scott

Anonymous
N/A

Re: VPN traffic not being routed through PIX

Have you been able to resolve this issue?

I am experiencing the same issue, I can vpn into the pix 515 but cannot access any resources on the inside network.

Once you have a pptp vpn connection established to the pix do you need to open all needed ports on the outside interface to the vpn clients for access the inside?

Re: VPN traffic not being routed through PIX

Not as long as you have 'sysopt connection permit-pptp' in the config. This command allows the PIX to bypass rules applied to the PIX as long as the traffic came in as PPTP traffic. Hope this helps.

Scott

New Member

Re: VPN traffic not being routed through PIX

I was able to solve it... not sure exactly how. I opened a case and they had me do two things. clear xlate and management-access inside. That was it and it started working fine. I don't have a clue, and the support guy just said that he has seen this glitch before.

New Member

Re: VPN traffic not being routed through PIX

Do you mind attaching ur final PIX config? I am interested in seeing how things work on ur PIX with that access-list applied to the outside interface.

Thanks

155
Views
0
Helpful
16
Replies