Cisco Support Community
Community Member

PPTP VPN client can make connection but can't see network resources

I am using a PIX 501 firewall as a PPTP VPN endpoint. There is a Cisco 2611 router behind the PIX on the inside which acts as the default gateway for the end users.

We can establish a good PPTP VPN connection to the PIX but cannot access any of the LAN resources (behind the router). The router is pretty simple and does NOT perform NAT. I can ping any of the resources from the PIX through the router to the LAN but not with a PPTP VPN connection.

I could really use anyone's help to get this resolved.

Thank you,


Community Member

Re: PPTP VPN client can make connection but can't see network re

It sounds like an ACL type issue for the VPN subnet. It's hard to diagnose without your PIX configuration posted.

Community Member

Re: PPTP VPN client can make connection but can't see network re

Thanks for your reply. The configuration below, and the PPTP VPN, works great when the inside interface is directly connected to the LAN switch. When it is placed in front of a Cisco router (that performs no NAT, by the way), users connected via VPN can't see the internal network. The static command does work, however.

Thank you for your help.

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69


access-list uvp permit gre any any

access-list uvp permit tcp any host eq 3389

access-list inside_outbound_nat0_acl permit ip any

pager lines 24

logging on

logging buffered debugging

mtu outside 1500

mtu inside 1500

ip address outside 65.x.x.11

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN_DHCP

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 2 netmask

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

access-group uvp in interface outside

route outside 1

route inside 1

route inside 1

route inside 1

route inside 1

route inside 1

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

sysopt connection permit-l2tp

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required

vpdn group PPTP-VPDN-GROUP client configuration address local VPN_DHCP

vpdn group PPTP-VPDN-GROUP client configuration dns

vpdn group PPTP-VPDN-GROUP client configuration wins

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn enable outside
