Re: Windows 2000 PPTP-PIX 501 "no xlate" error

pierrelemieux · ‎02-06-2002

Hi all, I am new to PIX and VPN...

Everything seems to be working when connecting to the PIX 501 using a Windows 2000 remote access laptop however, the syslog gets full of errors like this one:

Local4.Error 192.168.0.1 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:10.0.0.1/1174 dst outside:64.4.13.170/80

The laptop dials through a phone line and an ISP and uses the PPTP VPN using MS-CHAP and MPPE to the PIX.

The errors only occur when the laptop has this specific active VPN connection.

Here are the relevant entries in my config:

access-list 101 permit ip 192.168.0.0 255.255.255.0 host 10.0.0.1

ip local pool vpnpool 10.0.0.1-10.0.0.5

nat (inside) 0 access-list 101

sysopt connection permit-pptp

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40 required

vpdn group 1 client configuration address local vpnpool

vpdn group 1 client configuration dns 192.168.0.40

vpdn group 1 pptp echo 60

vpdn group 1 client authentication local

vpdn username xxxx password xxxx

vpdn enable outside

What am I doing wrong?

Thanks very much!

pierrelemieux · ‎02-08-2002

Also,

The "VPN TUNNEL" light does not turn on... why?

pierrelemieux · ‎02-10-2002

Does my VPN pool of private addresses have to contain addresses in the same network ID as my internal LAN, or do I have to use a completely different range? Maybe I am not understanding how the routing takes place between the outside and indide interface during a VPN connection. Can someone explain?

I can not seem to find the answer anywhere.

Thanks!