pix pptp vpn can't ping webserver || h...

grimpy_ms2532469 · ‎03-14-2008

i can set up the pptp vpn tunnel via a pix firewall 6.3

but i can't ping the webserver and can't visit the webpage of the webserver

on port 6512

there are no routers between the pix and webserver on the pix i can ping the webserver

: Saved

:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

hostname PIX-520

domain-name testing.be

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 172.25.1.12 webserver

access-list 100 permit icmp any any

access-list 100 permit gre any any

access-list 100 permit tcp any host webserver eq 6512

access-list 101 permit icmp any any

access-list 101 permit tcp any 209.89.100.37 255.255.255.240 eq www

access-list inside_outbound_nat0_acl permit ip any 172.17.0.0 255.255.255.192

access-list inside_outbound_nat0_acl permit icmp any any

access-list outside_cryptomap_dyn_20 permit ip any 172.17.0.0 255.255.255.192

access-list outside_cryptomap_dyn_20 permit icmp any any

pager lines 24

logging on

logging timestamp

logging standby

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap debugging

logging history debugging

logging facility 21

logging host inside 209.89.100.37

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

ip address outside 209.89.100.37 255.255.255.224

ip address inside 172.25.100.26 255.255.0.0

no ip address intf2

no ip address intf3

ip audit info action alarm

ip audit attack action alarm

ip local pool pocketpool 172.17.0.1-172.17.0.32

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no pdm history enable

rest of the config on the next post

grimpy_ms2532469 · ‎03-14-2008

arp timeout 14400

global (outside) 10 interface

global (outside) 1 209.89.100.37

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 209.89.100.37 6512 webserver 6512 netmask 255.255.25

5.255 0 0

access-group 101 in interface outside

access-group 100 in interface inside

route outside 0.0.0.0 0.0.0.0 209.89.100.62 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 172.25.200.17 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet 172.17.0.0 255.255.0.0 outside

telnet 172.25.0.0 255.255.0.0 inside

telnet 172.17.0.0 255.255.0.0 inside

telnet timeout 5

ssh 172.25.0.0 255.255.0.0 inside

ssh timeout 5

console timeout 0

vpdn group L2TP-VPDN-GROUP accept dialin pptp

vpdn group L2TP-VPDN-GROUP ppp authentication mschap

vpdn group L2TP-VPDN-GROUP ppp encryption mppe 40

vpdn group L2TP-VPDN-GROUP client configuration address local pocketpool

vpdn group L2TP-VPDN-GROUP client configuration dns test-dom 172.25.1.2

vpdn group L2TP-VPDN-GROUP pptp echo 60

vpdn group L2TP-VPDN-GROUP client authentication local

vpdn username testing password *********

vpdn enable outside

username user1 password xxxx encrypted privilege 15

vpnclient server 209.89.100.37

vpnclient mode client-mode

vpnclient vpngroup stijn password ********

terminal width 80

pix pptp vpn can't ping webserver || hosts || internal ip pix

pix pptp vpn can't ping webserver || hosts || internal ip pix

Re: pix pptp vpn can't ping webserver || hosts || internal ip pi

Re: pix pptp vpn can't ping webserver || hosts || internal ip pi