VPN via PPTP on PIX515E

connie
Level 1

I'm trying to set up a VPN connection from the net through the PIX to our private network.

These are the steps I followed and commands executed on the PIX 515.

1. First of all - the version I am using : Cisco PIX Firewall Version 6.3(1) and Cisco PIX Device Manager Version 3.0(1)

2. I created a local pool of addresses - ip local pool dialin *.*.*.*-*.*.*.*

3. Created a username: vpdn username ****** password ********

4. Bypassed conduits and access-lists: sysopt connection permit-pptp

5. Created a group and created all the necessary group commands:

vpdn group dialgroup accept dialin pptp

vpdn group dialgroup ppp authentication mschap

vpdn group dialgroup client configuration address local dialin

vpdn group dialgroup client configuration dns *.*.*.*

vpdn group dialgroup client configuration wins *.*.*.*

vpdn group dialgroup pptp echo 60

vpdn group dialgroup client authentication local

6. Enabled vpdn on the outside interface - vpdn enable outside

I'm not using any encryption for the time being and not using an AAA server (local authentication via username). I set up the connection on a Windows 2000/XP box using the VPN wizard.

The connection does work by using the username and password I specified above, BUT I can't see anything on the private network. I can't seem to ping anything. When I look at the ip local pool, it shows that the first ip is in use and that there is a VPN connection from outside.

Any ideas as to what I am doing wrong?

Thanks

5 Replies

l.cabral
Level 1

I've a similar working config so I think I can help.

You should add an access-list to allow traffic incoming from the subnet you declared in the pool, and then use nat 0 to disable natting from your local LAN to remote users.

Something like this:

access-list 101 permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list 101

Assuming 192.168.20/24 to be your local network and 172.16/16 to be the network defined in the local pool.

You should also add the line:

vpdn group 1 ppp encryption mppe auto

To allow encryption if the client requests it.

Let me know if this helps you.

Luck.

Thanks for the response...

A few questions I have.

1. Doesn't the sysopt connection permit-pptp statement remove the need for any access-lists?

2. I currently have 3 access-lists running - called ext_in (outside to in), int_out (inside to outside) and dmz (for the dmz interface). These are bound to three access-groups as follows:

access-group ext_in in interface outside

access-group int_out in interface inside

access-group dmz in interface dmz

As far as I understand, you can only have one access-list/group linked to an interface. So on which access-list should I put your recommended access-list?

Do I then still nat the complete access-list? [nat (inside) 0 access-list name]

3. The local ip pool range, does it need to be internet routable addresses? Or should it be 10.* or 192.168.* addresses? We are using 10.* addresses on the inside LAN but not 192.168.* addresses. Will it be better to use the 192.168 range then?

Thanks again

Regarding questions 1 and 2, you don't need to apply the access-list to any interface, it's just used to define that traffic going from your local network to users connected using pptp should not be natted.

For question 3, net 192.168 is also private, not internet routable. So use any of the network numbers assigned for private use:

- 10.0.0.0 to 10.255.255.255 (not in this case because you're already using it)

- 172.16.0.0 to 172.31.255.255

- 192.168.0.0 to 192.168.255.255

Drop me a line to chabral@hotmail.com (with the subject of this topic) and I'll send you a document with all steps to setup a pptp pix based vpn.

Regards,

Leonardo

rjwalani
Cisco Employee

Hi,

This sample config should help you

http://www.cisco.com/warp/customer/110/pptppix.html

Thanks

Ranjana

Thanks for all your help.

Problems sorted out. I was firstly using the 10.* range for my ip local pool. Because I already nat that in another rule, it didn't work. Also tried the 192.168.* range, but I didn't route that on the router. When I changed my ip local pool to a range that's routed, it worked like a charm!

thanks again
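An added check (my own Python, not from any of the posters or from Cisco) that parses a constructed PIX 6.3-style config fragment and flags the two pool problems this thread describes: a pool whose addresses are not exempted from NAT by the nat 0 access-list (l.cabral's point), and a pool that overlaps a network already covered by a numbered nat rule (the root cause in the final post). The config text, pool name and subnets are constructed; only the `network mask` form of ACL entries is handled.

```python
import ipaddress

# Constructed PIX 6.3-style config fragment; not taken from the thread's firewall.
SAMPLE_CONFIG = """\
ip local pool dialin 172.16.1.1-172.16.1.50
access-list 101 permit ip 192.168.20.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list 101
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
"""


def parse_pix(config):
    """Extract local pools, ACL permit entries (network/mask form) and nat statements."""
    pools, acls, nat_exempt, nat_rules = {}, {}, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["access-list"] and t[2] == "permit":
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}", strict=False)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"]:
            if t[2] == "0" and t[3] == "access-list":
                nat_exempt.append(t[4])          # nat 0 (NAT exemption) via ACL
            elif t[2] != "0":
                nat_rules.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
    return pools, acls, nat_exempt, nat_rules


def check_pptp_pool(config, pool_name):
    """Return a list of findings; an empty list means the pool passes both checks."""
    pools, acls, nat_exempt, nat_rules = parse_pix(config)
    first, last = pools[pool_name]
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    findings = []
    # Check 1: every pool block must appear as a destination in a nat 0 ACL entry,
    # otherwise inside-to-client traffic is translated and replies never reach the client.
    exempt_dsts = [dst for name in nat_exempt for _, dst in acls.get(name, [])]
    for net in pool_nets:
        if not any(net.subnet_of(dst) for dst in exempt_dsts):
            findings.append(f"pool block {net} is not exempted by nat 0")
    # Check 2: the pool must not overlap a network already covered by a numbered nat rule.
    for net in pool_nets:
        for rule in nat_rules:
            if net.overlaps(rule):
                findings.append(f"pool block {net} overlaps nat rule {rule}")
    return findings
```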
