Cisco Support Community
New Member

communication between PPTP clients

Hi all. I have my PIX 515 giving out IP addresses in the range of 192.168.200.0/24.

We use Windows PPTP configuration. The PC clients connect fine and can communicate with internal servers. The problem is that they cannot communicate with each other. Ping tests fail and don't increment an access list.

Here are my existing access lists that reference the 192.168.200.0 subnet.

access-list nonat line 1 permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0 (hitcnt=780)

access-list nonat line 2 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=936492)

access-list nonat line 3 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=1462)

access-list 80 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)

access-list 80 line 2 permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)

access-list 200 line 53 permit ip 192.168.200.0 255.255.255.0 any (hitcnt=0)

access-list 200 line 54 permit tcp 192.168.200.0 255.255.255.0 any (hitcnt=0)

access-list 200 line 55 permit udp 192.168.200.0 255.255.255.0 any (hitcnt=0)

access-list 90 line 1 permit ip 172.17.0.0 255.255.0.0 192.168.200.0 255.255.255.0 (hitcnt=0)

The nonat access-list is applied on my private IP on the PIX.

2 REPLIES
New Member

Re: communication between PPTP clients

Inbound ICMP through a PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.

To work around this (if you really want to), take a look at this article:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic3

New Member

Re: communication between PPTP clients

I can do without the ping. What about allowing the VPN group 192.168.200 to communicate with other subnets?
