PPTP VPN Client Config Query for PIX 515E

baudhayan
Level 1

I already have a functional Cisco VPN client config. I have newly configured the Remote Access PPTP client config in the PIX. I have used MSCHAP with MPPE 40-bit encryption. I have also specified the DNS servers of my network in my config. I am using the existing IP pool being used by the Cisco VPN clients. For AAA authentication I am using RADIUS. I am facing a strange problem. Whenever I configure my Windows XP to connect via the VPN configured in Windows, it gets perfectly connected. After getting connected, when I check the routing table using the command ROUTE PRINT, I get a favourable output (i.e. for my company's network I see an entry whose default gateway is the IP my PC obtains after connecting via VPN, with a metric of 1. Also the IP I get from my ISP is the default gateway with metric 2). But when I run NSLOOKUP to check the response of the DNS servers I get a response timeout for all my DNS servers, i.e. my company's DNS servers as well as my ISP's DNS servers. Due to this I am neither able to connect to my office resources nor browse the Internet. But after disconnecting from the VPN my ISP's DNS servers start responding. Can someone tell me the perfect PIX and Windows config for PPTP/L2TP VPN? Thanks in advance.

4 Replies

jmia
Level 7

The below config I have set up in my lab and it works fine for me. Hope it helps you too.

PIX Version 6.3(1)

! Inspect the PPTP control channel (TCP 1723) so the GRE data channel is opened
fixup protocol pptp 1723
! Traffic from the inside LAN to the PPTP client pool is exempted from NAT below
access-list pptp permit ip 1.0.x.0 255.255.255.0 192.x.x.0 255.255.255.240
! Addresses handed to dial-in PPTP clients (must fall inside the ACL above)
ip local pool pptp_dial_in 192.x.x.1-192.x.x.10
nat (inside) 0 access-list pptp
! Let PPTP sessions terminating on the PIX bypass interface access-lists
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
! PPP authentication methods offered to clients; MPPE only works with MS-CHAP
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
! Pool, DNS and WINS servers pushed to the client at connect time
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_dial_in
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP client configuration wins
vpdn group PPTP-VPDN-GROUP pptp echo 60
! Users authenticated against the PIX local database
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username password
vpdn enable outside

Jay

Thanks for your help. I compared your config with mine and the only thing I had missed out is "fixup protocol pptp 1723". Also I use RADIUS authentication rather than the local database. Another thing which I wanted to tell you is that you don't require to define that access list as you have already specified SYSOPT for PPTP traffic (I guess I'm right).

Currently even after doing fixup for PPTP I see some errors on my PIX syslog. I am attaching the screenshot for the same. The IP addresses being half erased are my 2 DNS server IPs. These are the requests which are getting blocked by my firewall for DNS requests.

Sorry for the statement "Another thing which I wanted to tell you is that you don't require to define that access list as you have already specified SYSOPT for PPTP traffic (I guess I'm right)". I got confused with something else. I do have a similar access-list and applied it to nat (inside) 0. Now in fact I have enabled all the authentication protocols (PAP, CHAP, MSCHAP), as one of the Cisco docs tells to do so. It says the system will negotiate the best protocol. But still I'm getting the same problems mentioned above.

My issue is still not resolved. Please find attached my config for reference. Tell me where I'm wrong.
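As an added example that is not part of this thread or of any Cisco tool, the following Python script audits a PIX 6.x PPTP VPDN config for the points raised above: the missing fixup line, whether internal DNS servers are pushed to clients, whether the nat 0 access-list actually covers the client pool, and the weaker settings the last reply enabled (PAP offered, MPPE not required). It runs against a constructed sample with made-up addresses; the sample, the function name and the regexes are my assumptions, not anyone's real config.

```python
import ipaddress
import re

# Constructed sample modelled on the VPDN lines posted in this thread; the
# masked addresses are replaced with made-up values (assumption, not real).
SAMPLE_PIX_CONFIG = """\
fixup protocol pptp 1723
access-list pptp permit ip 10.1.0.0 255.255.255.0 192.168.50.0 255.255.255.240
ip local pool pptp_dial_in 192.168.50.1-192.168.50.10
nat (inside) 0 access-list pptp
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_dial_in
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
"""

def audit_pptp_config(config: str) -> list[str]:
    """Return findings for a PIX 6.x PPTP VPDN configuration (empty = clean)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda pat: any(re.fullmatch(pat, l) for l in lines)
    findings = []
    if not has(r"fixup protocol pptp 1723"):
        findings.append("no 'fixup protocol pptp 1723': PPTP control channel not inspected")
    if not has(r"vpdn group \S+ client configuration dns(?: \S+)*"):
        findings.append("no 'client configuration dns': internal DNS servers not pushed to clients")
    if has(r"vpdn group \S+ ppp authentication pap"):
        findings.append("PAP enabled: cleartext password, and MPPE needs MS-CHAP anyway")
    if has(r"vpdn group \S+ ppp encryption mppe \S+"):  # no trailing 'required'
        findings.append("MPPE not 'required': a client may finish PPP without encryption")
    # Cross-check: the nat 0 ACL must cover the whole pool so inside hosts
    # (the DNS servers included) reach VPN clients without translation.
    pool = re.search(r"ip local pool \S+ (\S+)-(\S+)", config)
    acl = re.search(r"nat \(inside\) 0 access-list (\S+)", config)
    if pool and acl:
        start, end = (ipaddress.ip_address(a) for a in pool.groups())
        covered = False
        for m in re.finditer(rf"access-list {acl.group(1)} permit ip \S+ \S+ (\S+) (\S+)", config):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            covered = covered or (start in net and end in net)
        if not covered:
            findings.append(f"nat 0 ACL '{acl.group(1)}' does not cover pool {start}-{end}")
    return findings

if __name__ == "__main__":
    for f in audit_pptp_config(SAMPLE_PIX_CONFIG):
        print("FINDING:", f)
```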