Pix 501 PPTP VPN

jwebber (Level 1)

At my office I have a PIX 515 that is configured for a PPTP VPN. I am able to create a VPN tunnel from home to my office using the Microsoft VPN client. I recently purchased a PIX 501 for my home. When I try to create a VPN from my office to my home, the tunnel gets created; however, it hangs at authentication. I am using local authentication on the PIX 501. I have the config on my 501 the same as I configured the 515 at my office (except for the local IP pool). The network (LAN) IP schemes at my office and home are different (office 192.168.1.0, home 192.168.20.0). Here is the config of the 501:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx
passwd xxxxxx
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list vpnlist permit ip 192.168.20.0 255.255.255.0 192.168.15.0 255.255.255.0
pager lines 24
logging on
logging trap debugging
logging facility 23
logging host inside 192.168.20.100
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ppto-pool 192.168.15.2-192.168.15.4
pdm location 192.168.20.100 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group vpnlist in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.20.100 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local ppto-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
dhcpd address 192.168.20.2-192.168.20.5 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxxx
pixfirewall#

Interesting thing: it does not show the username being sent or the MPPE key strength in the syslog:

2004-03-15 19:11:53 Local7.Debug 192.168.20.1 %PIX-7-710001: TCP access requested from 65.163.x.x/11484 to 65.96.x.x/pptp
2004-03-15 19:11:53 Local7.Debug 192.168.20.1 %PIX-7-710002: TCP access permitted from 65.163.x.x/11484 to outside:65.96.x.x/pptp
2004-03-15 19:12:34 Local7.Info 192.168.20.1 %PIX-6-603104: PPTP Tunnel created, tunnel_id is 8, remote_peer_ip is 65.163.x.x, ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.15.2, username is , MPPE_key_strength is None

Jim
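The %PIX-6-603104 line quoted above is worth watching for on its own: a "PPTP Tunnel created" event that carries an empty username and MPPE_key_strength None is exactly the state Jim describes (tunnel up, authentication never completing, no encryption negotiated). The following is an added example, not code from the original post or from Cisco; it parses lines in the format quoted above from a syslog export and flags tunnel events that lack a username or whose MPPE strength is None or below a required minimum. The sample log text and the second tunnel line are constructed for the example, and the field layout of the 603104 message is taken from the one line shown in the post.

```python
import re

# Constructed sample, modelled on the syslog lines quoted in the post.
# Addresses are placeholders; the third line is invented to show a clean case.
SAMPLE_LOG = """\
2004-03-15 19:11:53 Local7.Debug 192.168.20.1 %PIX-7-710001: TCP access requested from 65.163.x.x/11484 to 65.96.x.x/pptp
2004-03-15 19:12:34 Local7.Info 192.168.20.1 %PIX-6-603104: PPTP Tunnel created, tunnel_id is 8, remote_peer_ip is 65.163.x.x, ppp_virtual_interface_id is 1, client_dynamic_ip is 192.168.15.2, username is , MPPE_key_strength is None
2004-03-15 19:20:02 Local7.Info 192.168.20.1 %PIX-6-603104: PPTP Tunnel created, tunnel_id is 9, remote_peer_ip is 65.163.x.x, ppp_virtual_interface_id is 2, client_dynamic_ip is 192.168.15.3, username is jim, MPPE_key_strength is 128
"""

# Field order follows the 603104 message as it appears in the post.
TUNNEL_RE = re.compile(
    r"%PIX-6-603104: PPTP Tunnel created, "
    r"tunnel_id is (?P<tunnel_id>\d+), "
    r"remote_peer_ip is (?P<peer>\S+), "
    r"ppp_virtual_interface_id is (?P<vif>\d+), "
    r"client_dynamic_ip is (?P<client_ip>\S+), "
    r"username is (?P<user>[^,]*), "
    r"MPPE_key_strength is (?P<mppe>\S+)"
)


def parse_tunnel_events(text):
    """Extract every PPTP tunnel-created event as a dict of its fields."""
    events = []
    for line in text.splitlines():
        m = TUNNEL_RE.search(line)
        if not m:
            continue  # other message IDs (710001, 710002, ...) are ignored
        event = m.groupdict()
        event["user"] = event["user"].strip()  # empty when auth never finished
        event["tunnel_id"] = int(event["tunnel_id"])
        events.append(event)
    return events


def audit_tunnel(event, min_mppe=128):
    """Return a list of findings for one tunnel event (empty list == clean)."""
    findings = []
    if not event["user"]:
        findings.append("no username in tunnel-created event (authentication did not complete)")
    mppe = event["mppe"]
    if mppe == "None":
        findings.append("MPPE_key_strength is None (no MPPE encryption negotiated)")
    elif mppe.isdigit() and int(mppe) < min_mppe:
        findings.append(f"MPPE key strength {mppe} is below the required {min_mppe}")
    return findings


def audit_log(text, min_mppe=128):
    """Map tunnel_id -> findings for every tunnel event in the log text."""
    return {e["tunnel_id"]: audit_tunnel(e, min_mppe) for e in parse_tunnel_events(text)}


if __name__ == "__main__":
    for tunnel_id, findings in audit_log(SAMPLE_LOG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"tunnel {tunnel_id}: {status}")
```

The min_mppe default of 128 mirrors the "mppe 128 required" line in the posted vpdn configuration; with the log quoted in the post, tunnel 8 is reported with both findings and the constructed tunnel 9 comes back clean.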

5 Replies

jmia (Level 7)

Jim,

If you have a 501 at home and a 515 at the office, why don't you just set up a site-to-site VPN connection? Here is a good document on the subject using IPSec:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Hope this helps.

Jay

Jay,

Thanks for the reply. I was reading up on site-to-site this morning. I think that is what I will do.

Jim

bigassmonkey (Level 1)

Just to answer your question... it's the FIXUP for the PPTP protocol on the PIX at the house...

Enable it with the correct port and your PPTP will pass through the 501 fine.

rajimish (Level 1)

Add the following on PIX 501:

nat (inside) 0 access-list vpnlist

Thanks

rajimish (Level 1)

Also, if you have 6.3, make sure you add the following on both PIXes. This will enable PPTP pass-through on the PIX:

sysopt connection permit-pptp

Thanks
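The two replies above each add one line to the 501 config: an identity NAT (nat 0) for the access-list that names the VPN traffic, and the sysopt connection permit-pptp line for 6.3. Checking a saved configuration for those lines, alongside the PPTP fixup and vpdn settings already present in the posted config, is easy to script. The following is an added example and is not code from this thread or from Cisco: it lints a PIX 6.3 configuration text for the items discussed here and reports which are missing. The sample config is a constructed excerpt of the one posted above, the check names are my own, and the line patterns are taken from the commands as they appear in the thread.

```python
import re

# Constructed excerpt of the 501 config posted in the thread (before the replies' additions).
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
access-list vpnlist permit ip 192.168.20.0 255.255.255.0 192.168.15.0 255.255.255.0
fixup protocol pptp 1723
ip local pool ppto-pool 192.168.15.2-192.168.15.4
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group vpnlist in interface outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local ppto-pool
vpdn group 1 client authentication local
vpdn enable outside
"""

# The two lines recommended in the replies (rajimish's posts).
RECOMMENDED_ADDITIONS = "nat (inside) 0 access-list vpnlist\nsysopt connection permit-pptp\n"


def config_lines(text):
    """Non-empty, whitespace-trimmed config lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def has_line(lines, pattern):
    """True if any config line matches the anchored regex pattern."""
    rx = re.compile(pattern)
    return any(rx.match(ln) for ln in lines)


def audit_pptp_config(text):
    """Return a dict of check name -> True (present) / False (missing)."""
    lines = config_lines(text)
    checks = {
        # items already present in the posted 501 config
        "pptp_fixup": has_line(lines, r"fixup protocol pptp 1723$"),
        "vpdn_enabled_outside": has_line(lines, r"vpdn enable outside$"),
        "mschap_auth": has_line(lines, r"vpdn group \d+ ppp authentication mschap$"),
        "mppe_128_required": has_line(lines, r"vpdn group \d+ ppp encryption mppe 128 required$"),
        # item recommended for 6.3 in the thread
        "sysopt_permit_pptp": has_line(lines, r"sysopt connection permit-pptp$"),
    }
    # Identity NAT must reference an access-list that actually exists in the config.
    acl_names = {m.group(1) for ln in lines if (m := re.match(r"access-list (\S+) ", ln))}
    checks["nat0_for_vpn_acl"] = any(
        has_line(lines, rf"nat \(inside\) 0 access-list {re.escape(name)}$") for name in acl_names
    )
    return checks


def missing_items(text):
    """Sorted names of the checks that fail for this config text."""
    return sorted(name for name, ok in audit_pptp_config(text).items() if not ok)


if __name__ == "__main__":
    print("before:", missing_items(SAMPLE_CONFIG))
    print("after: ", missing_items(SAMPLE_CONFIG + RECOMMENDED_ADDITIONS))
```

Run against the posted config the lint reports only the nat 0 and sysopt items as missing; appending the two lines from the replies clears both, which is the quickest way to confirm a config was actually updated before testing the tunnel again.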
