12-18-2005 07:26 AM
I already have a functional Cisco VPN client config. I have newly configured the Remote Access PPTP client config in the PIX. I have used MSCHAP with MPPE 40-bit encryption. I have also specified the DNS servers of my network in my config. I am using the existing IP pool being used by the Cisco VPN clients. For AAA authentication I am using RADIUS. I am facing a strange problem. Whenever I configure my Windows XP to connect via the VPN configured in Windows, it gets perfectly connected. After getting connected, when I check the routing table using the command ROUTE PRINT, I get a favourable output (i.e. for my company's network I see an entry whose default gateway is the IP my PC obtains after connecting via VPN, with a metric of 1; also the IP I get from my ISP is the default gateway with metric 2). But when I run NSLOOKUP to check the response of the DNS servers, I get response timeouts for all my DNS servers, i.e. my company's DNS servers as well as my ISP's DNS servers. Due to this I am neither able to connect to my office resources nor browse the Internet. But after disconnecting from the VPN my ISP's DNS servers start responding. Can someone tell me the perfect PIX & Windows config for PPTP/L2TP VPN? Thanks in advance.
12-19-2005 09:17 AM
The below config I have set up in my lab and it works fine for me. Hope it helps you too.
PIX Version 6.3(1)
fixup protocol pptp 1723
access-list pptp permit ip 1.0.x.0 255.255.255.0 192.x.x.0 255.255.255.240
ip local pool pptp_dial_in 192.x.x.1-192.x.x.10
nat (inside) 0 access-list pptp
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_dial_in
vpdn group PPTP-VPDN-GROUP client configuration dns
vpdn group PPTP-VPDN-GROUP client configuration wins
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username
vpdn enable outside
Jay
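Added here as an illustration, not part of Jay's post or any Cisco tool: a small checker that reads a PIX 6.3-style config (the command syntax is assumed from the config above) and reports which of the PPTP dial-in commands are missing, plus the settings a defender would want flagged (PAP sends the password in cleartext inside the tunnel; "mppe 40" or "mppe auto" lets 40-bit keys be negotiated). The sample config is constructed and deliberately omits the "fixup protocol pptp 1723" line that the original poster had missed.

```python
import re

# Commands a working PIX 6.3 PPTP dial-in setup needs (patterns derived
# from the config posted above); each regex is matched against one line.
REQUIRED = {
    "pptp fixup":      r"^fixup protocol pptp 1723$",
    "sysopt permit":   r"^sysopt connection permit-pptp$",
    "accept dialin":   r"^vpdn group \S+ accept dialin pptp$",
    "address pool":    r"^vpdn group \S+ client configuration address local \S+$",
    "dns push":        r"^vpdn group \S+ client configuration dns\b",
    "vpdn enable":     r"^vpdn enable \S+$",
    "nat 0 exemption": r"^nat \(inside\) 0 access-list \S+$",
}

def lint_pptp_config(config: str) -> dict:
    """Return {'missing': [...], 'weak': [...]} for a PIX config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    missing = [name for name, pat in REQUIRED.items()
               if not any(re.match(pat, ln) for ln in lines)]
    weak = []
    for ln in lines:
        m = re.match(r"^vpdn group \S+ ppp authentication (\S+)$", ln)
        if m and m.group(1).lower() == "pap":
            weak.append("pap: password is sent in cleartext over the tunnel")
        m = re.match(r"^vpdn group \S+ ppp encryption mppe (\S+)", ln)
        if m and m.group(1).lower() in ("40", "auto"):
            weak.append(f"mppe {m.group(1)}: allows 40-bit keys; prefer 128")
    return {"missing": missing, "weak": weak}

# Constructed sample (addresses are placeholders): the poster's situation,
# RADIUS replaced by the commands above, fixup line absent, PAP enabled.
SAMPLE_CONFIG = """
access-list pptp permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.240
ip local pool pptp_dial_in 192.168.1.1-192.168.1.10
nat (inside) 0 access-list pptp
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_dial_in
vpdn group PPTP-VPDN-GROUP client configuration dns 10.0.0.53
vpdn enable outside
"""

if __name__ == "__main__":
    print(lint_pptp_config(SAMPLE_CONFIG))
```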
12-19-2005 11:44 PM
Thanks for your help. I compared your config with mine & the only thing I had missed out is "fixup protocol pptp 1723". Also I use RADIUS authentication rather than the local database. Another thing which I wanted to tell you is that you don't need to define that access list as you have already specified SYSOPT for PPTP traffic (I guess I'm right).
Currently, even after doing the fixup for PPTP, I see some errors in my PIX syslog. I am attaching the screenshot for the same. The IP addresses that are half erased are my two DNS servers' IPs. These are the requests that are getting blocked by my firewall for DNS requests.
12-20-2005 12:52 AM
Sorry for the statement "Another thing which I wanted to tell you is that you don't need to define that access list as you have already specified SYSOPT for PPTP traffic (I guess I'm right)". I got confused with something else. I do have a similar access-list applied to nat (inside) 0. Now in fact I have enabled all the authentication protocols (PAP, CHAP, MSCHAP), as one of the Cisco docs tells me to do so. It says the system will negotiate the best protocol. But still I'm getting the same problems mentioned above.
01-01-2006 12:38 AM