We have a PIX 501 that seems to be working perfectly. Clients on the internal network are able to reach internal servers properly, and are able to reach external networks properly as well (via NAT/PAT).
I have set up a PPTP VPN on the PIX via the VPN wizard. That works nearly perfectly. Once connected from an external machine, traffic is routed properly to internal machines (i.e. with the VPN up a remote client is able to browse SMB shares, access the MS Exchange server, SSH to internal computers, etc.). However, with the VPN connected, the same client machines are unable to reach networks outside the internal network.
I've included the vpdn config below; please let me know if there is any other information missing, etc. (One question -- should the address pool be OUTSIDE the normal address group, i.e. instead of 192.168.0.x, which is our internal network, should I use 10.0.0.x for VPN clients?)
ip local pool vpnclients 192.168.0.70-192.168.0.79
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local vpnclients
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.0.8 192.168.0.9
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.0.8
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
Since the PIX will not pass traffic out the interface it received it on, you need to enable split tunneling. Split tunneling is enabled by using the following command: vpdn group group_name split-tunnel access_list. The group name is your group name, in this case PPTP-VPDN-GROUP, and the access-list identifies the traffic to send down the IPSec tunnel; all other traffic is sent normally. Assuming that the addresses cannot be used on your internal network, using a unique network will help you with troubleshooting and with other security measures where you would use a route map or access list.
VPDN does not support that command; use the following workaround instead:
Here is the procedure you can follow to enable split-tunneling for PPTP clients. The same procedure has to be followed every time the PPTP client connects, as it is a work-around to enable split-tunneling for PPTP clients.
The current configuration is:
ip local pool bigpool 192.168.9.1-192.168.9.254
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 client authentication local
vpdn username xxx password xxx
vpdn enable outside
Route print on the client system before connecting the PPTP client:
Delete the default route from the client machine, and add the following routes again, where the first route will direct the Internet traffic and the second route will direct the traffic to the local network behind the headend device.
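The two client-side routes the answer above describes, written out as an added example; this is not the original post's text and the addresses are assumptions for illustration. The client's LAN gateway (assumed 192.168.2.1) is the value you read off the route print taken before connecting, the PPP address (assumed 192.168.9.5) is whatever the PIX handed out from the bigpool pool, and the 192.168.1.0/24 destination comes from access-list 102 in the posted config. It is meant for an elevated PowerShell prompt on a Windows client and has to be re-run after every PPTP connection, because Windows reinstalls the default route through the PPP adapter each time the tunnel comes up.

```powershell
# Added example (not from the original post): manual split-tunnel workaround for a
# Windows PPTP client connecting to the PIX PPTP config above.
# Assumed values, not stated on the page:
#   $LanGateway   - default gateway of the client's own LAN (from 'route print' before connecting)
#   $PptpClientIp - address the PIX assigned from 'bigpool' (192.168.9.1-192.168.9.254)
# The destination network is the headend LAN from access-list 102.
# Run from an elevated PowerShell prompt AFTER the PPTP session is up; repeat on every connection.

$LanGateway   = '192.168.2.1'     # assumption: client's local Internet gateway
$PptpClientIp = '192.168.9.5'     # assumption: pool address handed out by the PIX
$RemoteLan    = '192.168.1.0'     # headend LAN, from access-list 102 on the page
$RemoteMask   = '255.255.255.0'

# 1. Show the default routes; with the PPTP session up the PPP adapter owns a 0.0.0.0 route
#    with a lower metric than the LAN one, which is why Internet traffic dies in the tunnel.
route print 0.0.0.0

# 2. Remove every default route (route.exe deletes all entries matching 0.0.0.0).
route delete 0.0.0.0

# 3. First route from the answer: Internet traffic back out through the local LAN gateway.
route add 0.0.0.0 mask 0.0.0.0 $LanGateway metric 1

# 4. Second route from the answer: only the headend LAN goes down the tunnel. On a
#    point-to-point PPP link Windows accepts the client's own PPP address as the gateway.
route add $RemoteLan mask $RemoteMask $PptpClientIp metric 1

# 5. Verify: 192.168.1.x should list $PptpClientIp as gateway, 0.0.0.0 should list $LanGateway.
route print
```

Two quick checks after running it: route print should show 0.0.0.0 via the LAN gateway and 192.168.1.0 via the PPP address, and a tracert to an Internet host should leave through the LAN adapter rather than the PPP one. The same result without the per-connection ritual is to clear "Use default gateway on remote network" under the VPN connection's IPv4 advanced properties, which stops Windows installing the PPP default route in the first place. Either way the client is then attached to the Internet and the corporate LAN at the same time, which is the trade-off split tunneling makes.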