01-02-2006 03:04 AM
I configured a simple VPN using PPTP with my PIX-501.
I'm able to establish the VPN connection with Windows XP PPTP client. After the connection, I'm able to ping inside hosts but I'm not able to establish any TCP/IP connection from PPTP client to them.
After the connection, I'm able to establish any kind of TCP/IP connection from inside hosts to remote PPTP client.
Any suggestions?
Thanks a lot!
Here is my configuration:
Cisco PIX 6.3(4):
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
names
ip address outside **DELETED** 255.255.255.248
ip address inside 192.168.33.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 **DELETED** 1
telnet 192.168.33.0 255.255.255.0 inside
global (outside) 1 **DELETED**
nat (inside) 1 192.168.33.0 255.255.255.0 0 0
access-list inbound permit icmp any any
access-group inbound in interface outside
access-list no-nat permit ip 192.168.33.0 255.255.255.128 192.168.33.128 255.255.255.128
nat (inside) 0 access-list no-nat
ip local pool vpn-pool 192.168.33.129-192.168.33.254 mask 255.255.255.128
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local vpn-pool
vpdn group 1 client authentication local
vpdn username cisco password cisco
vpdn enable outside
01-02-2006 08:41 PM
It could be the routing on the PIX: seeing as your PPTP pool of addresses is in the same subnet as your inside interface, the PIX may be sending traffic to your PPTP clients back out the inside interface.
Either change the following:
ip address inside 192.168.33.1 255.255.255.128
or add the following:
route outside 192.168.133.128 255.255.255.128
or both.
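An added check, not part of this thread, that applies the routing point from the reply above to constructed config snippets modelled on the two configurations posted here: it flags a PPTP pool that overlaps the inside interface subnet and verifies that the nat 0 exemption access-list covers the whole pool. It assumes Python 3.7+ and the PIX 6.3 command syntax shown in the posts.

```python
import ipaddress

# Constructed samples modelled on the two configurations posted in this thread:
# the first pool lies inside the 192.168.33.0/24 inside subnet, the second is a separate /24.
FIRST_CONFIG = """\
ip address inside 192.168.33.1 255.255.255.0
access-list no-nat permit ip 192.168.33.0 255.255.255.128 192.168.33.128 255.255.255.128
nat (inside) 0 access-list no-nat
ip local pool vpn-pool 192.168.33.129-192.168.33.254 mask 255.255.255.128
"""
SECOND_CONFIG = """\
ip address inside 192.168.33.1 255.255.255.0
access-list no-nat permit ip 192.168.33.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list no-nat
ip local pool vpn-pool 192.168.30.1-192.168.30.254
"""

def parse(config):
    """Pull the inside subnet, the PPTP pool range and the nat 0 exemption ACL destinations out of PIX 6.3 config text."""
    inside, pool, nat0_acl, acls = None, None, None, {}
    for line in config.splitlines():
        f = line.split()
        if line.startswith("ip address inside "):
            inside = ipaddress.ip_interface(f"{f[3]}/{f[4]}").network
        elif line.startswith("ip local pool "):
            lo, hi = f[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif line.startswith("access-list ") and f[2:4] == ["permit", "ip"]:
            acls.setdefault(f[1], []).append(ipaddress.ip_network(f"{f[6]}/{f[7]}"))  # destination side only
        elif line.startswith("nat (inside) 0 access-list "):
            nat0_acl = f[4]
    return inside, pool, acls.get(nat0_acl, [])

def check_pptp_config(config):
    """Return a list of findings; an empty list means both checks passed."""
    inside, pool, exempt_dsts = parse(config)
    if inside is None or pool is None:
        return ["could not find inside interface address or ip local pool"]
    findings = []
    if pool[0] in inside or pool[1] in inside:
        findings.append(f"pool {pool[0]}-{pool[1]} overlaps inside subnet {inside}: "
                        "the PIX may route replies to PPTP clients back out the inside interface")
    # Every network making up the pool range must be exempted from NAT by the nat 0 ACL.
    uncovered = [n for n in ipaddress.summarize_address_range(*pool)
                 if not any(n.subnet_of(d) for d in exempt_dsts)]
    if uncovered:
        findings.append(f"nat 0 access-list does not exempt pool networks {uncovered}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        print(name, check_pptp_config(cfg) or "ok")
```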
01-03-2006 08:29 AM
Thank you for your reply.
I tried to create a new vpn-pool for PPTP clients.
Now inside hosts are on network 192.168.33.0/24
PPTP clients are on network 192.168.30.0/24
But it still doesn't work!
Do I need to create any route entry?
Thank you.
Best regards
My new configuration 6.3(4):
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
names
ip address outside **DELETED** 255.255.255.248
ip address inside 192.168.33.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 **DELETED** 1
telnet 192.168.33.0 255.255.255.0 inside
global (outside) 1 interface
nat (inside) 1 192.168.33.0 255.255.255.0 0 0
access-list inbound permit icmp any any
access-group inbound in interface outside
access-list no-nat permit ip 192.168.33.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list no-nat
ip local pool vpn-pool 192.168.30.1-192.168.30.254
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local vpn-pool
vpdn group 1 client authentication local
vpdn username cisco password cisco
vpdn enable outside
01-04-2006 05:43 PM
You shouldn't need the route. What happens when you attempt to connect? Are you sure your settings are correct on your pc? Are you taking the default settings with the included pptp vpn connection in Windows XP/2000?
By the way, using the 192.x.x.x networks for both your internal network and your PPTP pool causes issues when you start trying to surf the internet while connected to the VPN. If everything is new and not hard to change, I would do an internal network of 10.x.x.x and a PPTP pool of 192.x.x.x.
P.S. Before someone suggests using split tunnel: that really doesn't work so well without using the Cisco VPN client and IPSEC.
01-06-2006 10:22 AM
I guess there are no problems if you have your inside interface in the same subnet as the VPN pool. To date I have had a perfectly working config for the past 4-5 months. I have recently migrated to a 192.168.x.x network for VPN, and my inside network is 172.16.x.x. Also, if I am not wrong, the concept of split tunneling only works with the Cisco VPN client. But in spite of making the IP addressing scheme change in my network, I face the exact problem mentioned in this post. I have also put up a similar post but have not found any successful replies. If I check my firewall logs, they show a message saying that the traffic on the outside interface is not IPSec. Thus I get correctly authenticated using the Windows XP built-in PPTP VPN, but no data transfer happens. But when I connect using the Cisco VPN client it works perfectly (with split tunneling enabled). I would also appreciate some help on this.