PPTP VPN Configuration -- Default Gateway shows up as client IP

shadowsfell
Level 1

Hello,

I'm hoping this will be an easy answer. I'm configuring a PIX firewall [PIX 515E, PIX Version 6.2(2)] to act as a VPN access point for my office's lab. I have the PPTP configuration configured as below:

ip local pool vpnpool 192.168.205.3-192.168.205.254
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local vpnpool
vpdn group 1 client configuration dns 192.168.4.98

All outbound traffic is PATed to one global IP. ACLs inbound and outbound are just "permit ip any any".

The inside ip address is 192.168.205.2/24, and is hooked up to a router that has an ip of 192.168.205.1/24.

Anyway, I can connect with my MS VPN client ... but my IP address and default gateway show up as the SAME, and my subnet mask is 255.255.255.255.... I also can't access anything, even though the ACLs are wide open.

What am I missing?

Thanks in advance.

--Troy

4 Replies

thamdani
Cisco Employee

Hi Troy,

This is the behaviour we see; both IP and gateway are the same.

Have you configured this command?

sysopt connection permit-pptp

Configure this command, then connect to the PIX through vpdn, then run the debug icmp trace and see if you get the ICMP echo request and reply on the PIX for that host.

If you only see the echo request, then the return traffic is not there and you need to look into that.

Hope this helps.

Tanveer

Thanks for the reply. I had run this by some more VPN-savvy people at my work (before I saw your reply) and actually got the same answer ... shows how much I use PPTP.

Turns out that I finally got it working ... not quite sure what did it though. One of the last things I did was add in a "nat (inside) 0 access-list ouside_access_in" ... not sure if that was the key or not. I had ACLs on both inside and outside interfaces permitting all traffic ... would that line mentioned above still be required?

I'm tempted to save the config, blow it away, and rebuild to reproduce the fix.

Thanks again for the reply.

"One of the last things I did was add in a "nat (inside) 0 access-list ouside_access_in" ... not sure if that was the key or not. I had ACLs on both inside and outside interfaces permitting all traffic"

You should create a separate ACL for the nat 0 command, and it will need to include any traffic from the inside to the IP range allocated to the PPTP clients.

The sysopt connection permit-pptp command mentioned by shadowsfell tells the firewall to bypass the outside ACL for PPTP traffic, so you will most likely want to use that.
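As an added example (not code from this thread or from Cisco), here is a small Python lint for the two fixes the replies point to: it reads a PIX 6.x-style config, checks that sysopt connection permit-pptp is present, and checks that the ACL referenced by nat (inside) 0 has a permit ip entry whose destination covers the entire PPTP address pool. The two configs inside are constructed for illustration, and the ACL name nonat is an assumption.

```python
import ipaddress

# Constructed PIX 6.x-style configs (not from the thread). AFTER adds the two
# pieces the replies recommend: a nat 0 ACL covering the pool, and permit-pptp.
BEFORE = """\
ip local pool vpnpool 192.168.205.3-192.168.205.254
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local vpnpool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
AFTER = BEFORE + """\
access-list nonat permit ip 192.168.205.0 255.255.255.0 192.168.205.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-pptp
"""

def parse_terms(toks):
    """Turn PIX address terms ('any', 'host A', 'A MASK') into ip_network objects."""
    nets, i = [], 0
    while i < len(toks):
        if toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32")); i += 2
        else:
            nets.append(ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)); i += 2
    return nets

def acl_covers_pool(cfg, name, lo, hi):
    """True if a 'permit ip' entry of ACL `name` has a destination holding the whole pool."""
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:4] == ["access-list", name, "permit", "ip"]:
            dst = parse_terms(toks[4:])[1]
            if lo in dst and hi in dst:
                return True
    return False

def check_pptp_config(cfg):
    """Return findings for the PPTP reachability problems discussed in the thread."""
    lines, findings = cfg.splitlines(), []
    pool = next(l.split()[4] for l in lines if l.startswith("ip local pool "))
    lo, hi = (ipaddress.ip_address(a) for a in pool.split("-"))
    if "sysopt connection permit-pptp" not in lines:
        findings.append("missing: sysopt connection permit-pptp")
    nat0 = [l.split()[4] for l in lines if l.startswith("nat (inside) 0 access-list ")]
    if not nat0:
        findings.append("missing: nat (inside) 0 access-list <name>")
    elif not acl_covers_pool(cfg, nat0[0], lo, hi):
        findings.append(f"nat 0 ACL {nat0[0]} does not cover pool {lo}-{hi}")
    return findings
```

Run check_pptp_config(BEFORE) to see the two gaps reported and check_pptp_config(AFTER) for a clean result; an ACL whose destination only covers part of the pool is reported as well.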

I have a similar issue as the first post. However, I have IPSec connectivity to the PIX that works fine. If I use the Cisco VPN client, I can authenticate to the PIX and have complete access internally.

If I use PPTP, I can authenticate to the PIX, but I cannot ping anything internally. I did a debug icmp trace and I see the pings coming in, but I get no replies from the internal host.

If I do the debug icmp trace when connected via IPSec, I see both request and reply.

I checked and the sysopt connection pptp is there.

Any suggestions?