Can't Reach Internal Network

j-blackmore
Level 1

I can establish a connection to the PIX fine, but cannot get to the internal LAN. It appears the VPN pool addresses don't reach the DNS/WINS servers, as if there is a routing problem. Do I need to take one of those pool addresses and use it as a static route/default gateway on the router that sits between the PIX and the local LAN?

Thank you!

6 Replies

mike-greene
Level 4

Hi,

If you have a router sitting between the inside of the PIX and your local LAN, yes, you will need a route on that router sending the VPN pool subnet to the inside interface of the PIX.

Hope that helps.

Thanks for the reply, I'll try that.

Hey Mike,

That didn't work. I got an error message about a "classless" IP address and the config failed. I can connect and authenticate to the PIX OK, but I don't get the Windows login screen for user ID, password and DOMAIN name. Only the PIX is talking back and forth to the client. It's like it can't find the DNS/WINS servers.

I had a problem like that today with a PPTP-based VPN.

I had:

LAN ---> Router ----> PIX ---> Internet <--- PPTP Clients

If you have a router in between the PIX and the LAN, make sure that you are not NAT'ing the VPN traffic that is returning to the VPN clients (i.e., web page access).

VPN Client src 10.1.38.6 port 1044 SYN --> InternalWWW dst 10.1.1.10 port 80

VPN Client establishes session to the PIX outside interface/tunnel endpoint

The VPN client's request for a web page gets to the web server successfully, BUT the firewall tries to NAT the return traffic as soon as it hits the inside interface.

The return traffic ends up as:

InternalWWW src IP-OF-OUTSIDE-INTERFACE port 80 SYN-ACK --> 10.1.38.6

(Since the ACK bit is set, the PIX looks for an active NAT translation slot, of which there is none, so it won't work.)

I fixed it like this:

```
ip local pool VPNUSERS 10.1.38.6-10.1.38.10
access-list 123 permit ip any host 10.1.38.6
access-list 123 permit ip any host 10.1.38.7
access-list 123 permit ip any host 10.1.38.8
access-list 123 permit ip any host 10.1.38.9
access-list 123 permit ip any host 10.1.38.10
nat (inside) 0 access-list 123
nat (inside) 1 0 0
global (outside) 1 interface
ip address inside 10.1.38.1 255.255.255.0
sysopt connection permit-pptp
```

(The router is 10.1.38.2/24.)

I checked syslog and it was barking about no active NAT translation slots.

What was happening was that traffic was coming in through the VPN tunnel and reaching the destinations, but the return traffic could not go back because there were no active NAT translation slots for the session (those are only created for sessions INITIATED by the internal clients). So I had to make sure that traffic returning to the VPN clients' requests was not getting NAT'd on the way back.

Hope this helps.

P.S. Object grouping may help; this was tedious.

Don Garnett

Network Support Specialist

Thanks for the help, Don. I'll give this a try.

Mike and Don,

I added a static route in our router (Cisco 6509) for the VPN pool and it worked!

Thank you for your help!!
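The two fixes in this thread (Mike's static route on the router for the pool subnet, which is what the original poster confirmed, and Don's `nat (inside) 0` exemption so replies to pool clients are not translated) can be seen side by side in a small model of the return path. The following is an added example, not code from the thread or from Cisco; it reuses the addresses Don quoted (pool 10.1.38.6-10.1.38.10, web server 10.1.1.10, client port 1044) but assumes its own PIX inside and outside addresses, a router whose default route points somewhere other than the PIX, the class and function names, and the wording of the constructed "syslog" line. It also expands an `ip local pool` range into the per-host ACL entries Don typed by hand.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses quoted in the thread
WEB_SERVER = "10.1.1.10"
VPN_CLIENT = "10.1.38.6"
POOL_RANGE = "10.1.38.6-10.1.38.10"

# Assumed for this model only (not from the thread)
PIX_INSIDE = "10.1.2.1"       # PIX inside interface on a router<->PIX transit link
PIX_OUTSIDE = "203.0.113.1"   # PIX outside interface / tunnel endpoint (documentation range)
OTHER_GATEWAY = "10.1.0.1"    # where the router's default route points (not the PIX)


def pool_hosts(pool_range):
    """Expand 'first-last' (ip local pool syntax) into a list of host addresses."""
    first, last = (ip_address(p.strip()) for p in pool_range.split("-"))
    return [str(ip_address(n)) for n in range(int(first), int(last) + 1)]


def acl_lines(acl_id, hosts):
    """One per-host permit entry per pool address, the lines Don wrote by hand."""
    return [f"access-list {acl_id} permit ip any host {h}" for h in hosts]


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


class Router:
    """Longest-prefix-match forwarding; routes map prefix -> next-hop address."""
    def __init__(self, routes):
        self.routes = {ip_network(p): nh for p, nh in routes.items()}

    def next_hop(self, dst):
        dst = ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes.items() if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class Pix:
    """Inside->outside path: nat 0 exemption is checked first, then the translation table."""
    def __init__(self, nat0_exempt_dsts):
        self.nat0_exempt_dsts = set(nat0_exempt_dsts)  # destinations matched by the nat 0 ACL
        self.xlates = set()   # inside hosts that already own a PAT slot on the outside address
        self.syslog = []      # constructed messages, not real PIX syslog text

    def inside_to_outside(self, pkt):
        if pkt.dst in self.nat0_exempt_dsts:
            return pkt  # exempt: leaves with its real inside source address
        if pkt.src in self.xlates or (pkt.syn and not pkt.ack):
            # Connection initiated from inside: use or create a PAT slot
            self.xlates.add(pkt.src)
            return Packet(PIX_OUTSIDE, pkt.dst, pkt.sport, pkt.dport, pkt.syn, pkt.ack)
        # Mid-connection packet (ACK set) with no slot: what Don saw in syslog
        self.syslog.append(f"no active translation slot for {pkt.src} -> {pkt.dst}")
        return None


def trace_reply(router, pix, reply):
    """Follow one reply from the LAN server toward a VPN pool client; return a status string."""
    nh = router.next_hop(reply.dst)
    if nh != PIX_INSIDE:
        return f"router: forwarded toward {nh}, never reaches the PIX inside interface"
    out = pix.inside_to_outside(reply)
    if out is None:
        return "pix: dropped, reply has ACK set and no translation slot"
    if out.src != reply.src:
        return f"pix: reply source rewritten to {out.src}, client expects {reply.src}"
    return "ok: reply reaches the VPN client untranslated"


def run_scenario(pool_route, nat0_exemption):
    routes = {"0.0.0.0/0": OTHER_GATEWAY}
    if pool_route:
        routes["10.1.38.0/24"] = PIX_INSIDE   # the static route the original poster added
    router = Router(routes)
    pix = Pix(pool_hosts(POOL_RANGE) if nat0_exemption else [])
    # SYN-ACK from the web server answering the client's request (ports as in the thread)
    reply = Packet(WEB_SERVER, VPN_CLIENT, 80, 1044, syn=True, ack=True)
    return trace_reply(router, pix, reply)


if __name__ == "__main__":
    for line in acl_lines(123, pool_hosts(POOL_RANGE)):
        print(line)
    for route, nat0 in [(False, True), (True, False), (True, True)]:
        print(f"pool route={route!s:5} nat0={nat0!s:5} -> {run_scenario(route, nat0)}")
```

Running it shows the three outcomes in order: without the pool route the router sends the reply toward its default gateway and the PIX never sees it; with the route but without the exemption the PIX drops the SYN-ACK for lack of a translation slot; with both, the reply reaches the client with its real source address. The router model only matters when the PIX is not already the router's default gateway, which matches the original poster's 6509 needing an explicit route.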
