PIX 501 not routing VPN clients to outside

admin_2 (Level 3)

We have a PIX 501 that seems to be working perfectly. Clients on the internal network are able to reach internal servers properly, and are able to reach external networks properly as well (via NAT/PAT).

I have set up a PPTP VPN on the PIX via the VPN wizard. That works nearly perfectly. Once connected from an external machine, traffic is routed properly to internal machines (i.e. with the VPN up a remote client is able to browse SMB shares, access the MS Exchange server, SSH to internal computers, etc.). However, with the VPN connected, the same client machines are unable to reach networks outside of the internal network.

I've included the vpdn config below, please let me know if there is any other information missing, etc. (One question -- should the address pool be OUTSIDE the normal address group, i.e. instead of 192.168.0.x, which is our internal network, should I use 10.0.0.x for VPN clients?)

ip local pool vpnclients 192.168.0.70-192.168.0.79
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local vpnclients
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.0.8 192.168.0.9
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.0.8
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username lsmith password *********
vpdn enable outside

2 Replies

rmorrow (Level 1)

Since the PIX will not pass traffic out the interface it received it on, you need to enable split tunneling. Split tunneling is enabled by using the following command: vpdn group group_name split-tunnel access_list. The group name is your group name, in this case PPTP-VPDN-GROUP, and the access-list identifies the traffic to send down the IPSec tunnel; all other traffic is sent normally. Assuming that the addresses cannot be used on your internal network, using a unique network will help you with troubleshooting and other security measures where you would use a route map or access list.

VPDN does not support that command; use the following workaround instead:

Here is the procedure you can follow to enable split-tunneling for PPTP clients. The same procedure has to be followed every time the PPTP client connects, as it is a work-around to enable split-tunneling for PPTP clients.

The current configuration is:

ip local pool bigpool 192.168.9.1-192.168.9.254
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 client authentication local
vpdn username xxx password xxx
vpdn enable outside

Route print on the client system before connecting the PPTP client:

C:\Documents and Settings\ciscotrg>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0b cd 67 6e 6c ...... Intel 8255x-based Integrated Fast Ethernet
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.130.102.1   10.130.102.34       1
     10.130.102.0    255.255.255.0    10.130.102.34   10.130.102.34       1
    10.130.102.34  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   10.130.102.252   10.130.102.34       1
        224.0.0.0        224.0.0.0    10.130.102.34   10.130.102.34       1
  255.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
Default Gateway:      10.130.102.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.10.0    255.255.255.0   10.130.102.252       1

Route print on the client system after connecting the PPTP client:

C:\Documents and Settings\ciscotrg>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0b cd 67 6e 6c ...... Intel 8255x-based Integrated Fast Ethernet
0x2000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.130.102.1   10.130.102.34       2
          0.0.0.0          0.0.0.0      192.168.9.1     192.168.9.1       1
     10.130.102.0    255.255.255.0    10.130.102.34   10.130.102.34       1
    10.130.102.34  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.9.1  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.9.255  255.255.255.255      192.168.9.1     192.168.9.1       1
     192.168.10.0    255.255.255.0   10.130.102.252   10.130.102.34       1
   216.184.96.242  255.255.255.255     10.130.102.1   10.130.102.34       1
        224.0.0.0        224.0.0.0    10.130.102.34   10.130.102.34       1
        224.0.0.0        224.0.0.0      192.168.9.1     192.168.9.1       1
  255.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
Default Gateway:       192.168.9.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.10.0    255.255.255.0   10.130.102.252       1

Delete the default route from the client machine, and add the following routes again, where the first route will direct the Internet traffic and the second route will direct the traffic to the local network behind the headend device.

route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 10.130.102.1 1
route add 192.168.1.0 mask 255.255.255.0 192.168.9.1

Thanks.

Atul.
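The reply's workaround can be checked rather than done by hand. The following is an added example, not code from the thread or from Cisco: it parses the "Active Routes" table of a Windows `route print` capture, decides whether the PPTP client is full-tunnelled (the preferred default route leaves via the VPN adapter, so every Internet packet goes to the PIX and is dropped on the inbound interface), and derives the same three `route` commands the reply gives. It also answers the original poster's parenthetical question by testing whether a PIX `ip local pool` range overlaps the internal LAN. The route table below is constructed from the reply's post-connect listing; the VPN adapter address (192.168.9.1), the headend LAN (192.168.1.0/24, taken from access-list 102) and all function names are assumptions of this example.

```python
"""Added example (not from the thread): analyse a Windows `route print`
capture of a PPTP client and derive the split-tunnel route fix.
Standard library only; runs offline under Python 3."""
import ipaddress
import re

# Constructed sample modelled on the post-connect `route print` in the reply:
# the VPN adapter (192.168.9.1) owns the metric-1 default route, so Internet
# traffic is sent into the tunnel and never leaves via the LAN gateway.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.130.102.1   10.130.102.34       2
          0.0.0.0          0.0.0.0      192.168.9.1     192.168.9.1       1
     10.130.102.0    255.255.255.0    10.130.102.34   10.130.102.34       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.9.1  255.255.255.255        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   10.130.102.252   10.130.102.34       1
   216.184.96.242  255.255.255.255     10.130.102.1   10.130.102.34       1
        224.0.0.0        224.0.0.0    10.130.102.34   10.130.102.34       1
  255.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
Default Gateway:       192.168.9.1
"""

# One data row: destination, netmask, gateway, interface, metric.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return the Active Routes rows as dicts holding ipaddress objects."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separators and the 'Default Gateway:' line
        dest, mask, gw, iface, metric = m.groups()
        try:
            routes.append({
                "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                "gateway": ipaddress.ip_address(gw),
                "interface": ipaddress.ip_address(iface),
                "metric": int(metric),
            })
        except ValueError:
            continue  # five tokens but not an IPv4 row
    return routes


def route_for(routes, dest):
    """Longest-prefix match, ties broken by lowest metric (Windows order)."""
    d = ipaddress.ip_address(dest)
    candidates = [r for r in routes if d in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def default_routes(routes):
    """All 0.0.0.0/0 rows, most preferred (lowest metric) first."""
    return sorted((r for r in routes if r["network"].prefixlen == 0),
                  key=lambda r: r["metric"])


def tunnel_mode(routes, vpn_addr):
    """'full' if the preferred default route leaves via the VPN adapter,
    'split' if it leaves via another adapter, 'none' if there is none."""
    defaults = default_routes(routes)
    if not defaults:
        return "none"
    via_vpn = defaults[0]["interface"] == ipaddress.ip_address(vpn_addr)
    return "full" if via_vpn else "split"


def split_tunnel_commands(routes, vpn_addr, lan_cidr):
    """Windows `route` commands reproducing the reply's workaround: drop the
    default route, re-add it via the physical adapter's gateway, then add a
    specific route for the headend LAN via the VPN adapter. Returns an empty
    list when the client is already split-tunnelled."""
    vpn = ipaddress.ip_address(vpn_addr)
    lan = ipaddress.ip_network(lan_cidr)
    physical = [r for r in default_routes(routes) if r["interface"] != vpn]
    if tunnel_mode(routes, vpn_addr) != "full" or not physical:
        return []
    return [
        "route delete 0.0.0.0",
        f"route add 0.0.0.0 mask 0.0.0.0 {physical[0]['gateway']} 1",
        f"route add {lan.network_address} mask {lan.netmask} {vpn}",
    ]


def pool_overlaps_lan(pool_range, lan_cidr):
    """True if a PIX 'ip local pool' range (first-last) overlaps the LAN
    prefix, which is the situation the original question asks about."""
    first, last = (ipaddress.ip_address(x) for x in pool_range.split("-"))
    lan = ipaddress.ip_network(lan_cidr)
    return any(n.overlaps(lan)
               for n in ipaddress.summarize_address_range(first, last))


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_PRINT)
    print("tunnel mode:", tunnel_mode(routes, "192.168.9.1"))
    print("203.0.113.10 leaves via", route_for(routes, "203.0.113.10")["interface"])
    for cmd in split_tunnel_commands(routes, "192.168.9.1", "192.168.1.0/24"):
        print(cmd)
    print("OP pool overlaps LAN:",
          pool_overlaps_lan("192.168.0.70-192.168.0.79", "192.168.0.0/24"))
```

Feed it the output of `route print` taken on the client after the PPTP session comes up; a "full" verdict with a non-empty command list is exactly the condition the reply describes, and a pool that overlaps the LAN is the case the reply advises against because it removes the ability to tell VPN clients from local hosts in access lists and route maps.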