I'm trying to set up a VPN connection from the net through the PIX to our private network.
These are the steps I followed and commands executed on the PIX 515.
1. First of all, the version I am using: Cisco PIX Firewall Version 6.3(1) and Cisco PIX Device Manager Version 3.0(1)
2. I created a local pool of addresses - ip local pool dialin *.*.*.*-*.*.*.*
3. Created a username: vpdn username ****** password ********
4. Bypassed conduits and access-lists: sysopt connection permit-pptp
5. Created a group and created all the necessary group commands:
vpdn group dialgroup accept dialin pptp
vpdn group dialgroup ppp authentication mschap
vpdn group dialgroup client configuration address local dialin
vpdn group dialgroup client configuration dns *.*.*.*
vpdn group dialgroup client configuration wins *.*.*.*
vpdn group dialgroup pptp echo 60
vpdn group dialgroup client authentication local
6. Enabled vpdn on the outside interface - vpdn enable outside
I'm not using any encryption for the time being and not using an AAA server (local authentication via username). I set up the connection on a Windows 2000/XP box using the VPN wizard.
The connection does work by using the username and password I specified above, BUT I can't see anything on the private network. I can't seem to ping anything. When I look at the ip local pool, it shows that the first IP is in use and that there is a VPN connection from outside.
1. Doesn't the sysopt connection permit-pptp statement remove the need for any access-lists?
2. I currently have 3 access-lists running, called ext_in (outside to in), int_out (inside to outside) and dmz (for the dmz interface). These are bound to three access-groups as follows:
access-group ext_in in interface outside
access-group int_out in interface inside
access-group dmz in interface dmz
As far as I understand, you can only have one access-list/group linked to an interface. So on which access-list should I put your recommended access-list?
Do I then still nat the complete access-list? [nat (inside) 0 access-list name]
3. The local IP pool range, does it need to be internet-routable addresses? Or should it be 10.* or 192.168.* addresses? We are using 10.* addresses on the inside LAN but not 192.168.* addresses. Would it be better to use the 192.168 range then?
Regarding questions 1 and 2, you don't need to apply the access-list to any interface; it's just used to define that traffic going from your local network to users connected using PPTP should not be NATed.
For question 3, net 192.168 is also private, not internet-routable. So use any of the network numbers assigned for private use:
- 10.0.0.0 to 10.255.255.255 (not in this case because you're already using it)
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255
Drop me a line to email@example.com (with the subject of this topic) and I'll send you a document with all steps to setup a pptp pix based vpn.
Problems sorted out. I was first using the 10.* range for my ip local pool. Because I already NAT that in another rule, it didn't work. I also tried the 192.168.* range, but I didn't route that on the router. When I changed my ip local pool to a range that's routed, it worked like a charm!
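Pulling the reply and the resolution together, here is an added PIX 6.3 configuration example (not posted in the thread and not from Cisco's documentation) that shows the failing pool choice beside the working one, with the nat 0 exemption the reply describes. All addresses, the access-list name "nonat" and the nat-id 1 rule are constructed assumptions; the inside LAN is taken to be 10.0.0.0/8 as in the thread.

```cisco
! Assumed existing translation for the inside LAN (constructed to match the thread):
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface

! Failing case from the thread: a pool carved out of the same 10.x range that
! rule 1 already covers, so LAN-to-pool traffic is translated instead of
! exempted and the PPTP client never gets its replies back.
!   ip local pool dialin 10.99.99.1-10.99.99.50

! Working case: a private range (RFC 1918) that no nat rule already claims,
! plus a nat 0 exemption so inside-to-pool traffic is left untranslated.
ip local pool dialin 172.16.50.1-172.16.50.50

! PIX 6.x access-lists take subnet masks, not wildcard masks.
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! Lets PPTP terminate on the outside interface without an entry in ext_in.
sysopt connection permit-pptp

! The remaining piece lives on the inside router, not the PIX: the pool
! range must be routed back to the PIX inside interface, e.g.
!   ip route 172.16.50.0 255.255.255.0 <PIX-inside-address>
```

A quick check on the PIX is "show nat" and "show access-list nonat": the nonat hit counter should increase while an inside host pings a connected client, and the pool address should show as in use under "show ip local pool".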