Question

  • #2239501

    PIX PPTP VPN


    by roppong ·

    Hi

    I have configured pptp on a PIX 506E ver 6.2(2)
    The PPTP terminates ok on the PIX but vpn clients can’t access any resources on the LAN (no icmp ping reply either).

    I have removed “use default gateway on remote network” from the PPTP client and it still doesn’t work.

    Any ideas?
    Here is the config.
    Building configuration…
    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password YD7NyVLKuQML8Hv/ encrypted
    passwd YD7NyVLKuQML8Hv/ encrypted
    hostname DolphinPix
    domain-name Dolphin.local
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list outside_in permit tcp any host X.X.X.X eq smtp
    access-list outside_in permit tcp any host X.X.X.X eq pop3
    access-list outside_in permit tcp 81.179.36.0 255.255.255.0 host X.X.X.X eq 3389
    access-list outside_in permit tcp any host X.X.X.X eq www
    access-list outside_in permit tcp any host X.X.X.X eq https
    access-list outside_in permit tcp host 82.133.108.5 host X.X.X.X eq pcanywhere-data
    access-list outside_in permit tcp host 82.133.108.5 host X.X.X.X eq 5632
    access-list outside_in permit tcp host 82.229.45.121 host X.X.X.X eq pcanywhere-data
    access-list outside_in permit tcp host 82.229.45.121 host X.X.X.X eq 5632
    access-list inside_in permit ip any any
    access-list inside_in permit tcp any 192.168.1.0 255.255.255.0

    no pager
    interface ethernet0 10full
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside 62.49.X.X 255.255.255.248
    ip address inside 192.168.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 192.168.1.1-192.168.1.30
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 62.X.X.X 192.168.0.240 netmask 255.255.255.255 0 0
    static (inside,outside) 62.X.X.X 192.168.0.125 netmask 255.255.255.255 0 0
    access-group outside_in in interface outside
    access-group inside_in in interface inside
    route outside 0.0.0.0 0.0.0.0 62.49.X.X 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.240 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    no sysopt route dnat
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 15
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 10
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local vpnpool
    vpdn group 1 client configuration dns 192.168.0.240
    vpdn group 1 client configuration wins 192.168.0.240
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username DIRECT password *********

    vpdn enable outside
    terminal width 80
    Cryptochecksum:3c430c0a8cc69c4dcabab9a604823bb4
    : end
    [OK]

    Thanks

All Answers

    • #2474835

      Clarifications

      by roppong ·

      In reply to PIX PPTP VPN

      Clarifications

    • #2474822

      hmm

      by thevirtualone ·

      In reply to PIX PPTP VPN

      “it’s always easier than you think”
      please explain the entire tunnel not the pix config. What is authenticating the vpn? the pix or a server?

      • #2466834

        PIX PPTP VPN

        by roppong ·

        In reply to hmm

        The PIX is authenticating the VPN. From the config, the VPN is being authenticated locally.

        • #2474364

          pix 2 pix?

          by thevirtualone ·

          In reply to PIX PPTP VPN

          this may help http://www.cisco.com/warp/public/110/38.html

          if not, tell me about what you are using to connect to the pix.

        • #2481030

          PIX PPTP VPN

          by roppong ·

          In reply to pix 2 pix?

          It’s not a PIX-to-PIX configuration. It’s a PPTP connection using the Microsoft VPN client to connect.

        • #2480938

          it’ll never work

          by thevirtualone ·

          In reply to PIX PPTP VPN

          you need to download the Cisco VPN Client.

        • #2480934

          i was wrong…

          by thevirtualone ·

          In reply to it’ll never work

          try this…

          To setup VPN for MS VPN clients on Cisco PIX, you need to add the following lines.

          access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
          ip local pool bigpool 192.168.1.1-192.168.1.254
          nat (inside) 0 access-list 101
          vpdn group 1 accept dialin pptp
          vpdn group 1 ppp authentication pap
          vpdn group 1 ppp authentication chap
          vpdn group 1 ppp authentication mschap
          vpdn group 1 ppp encryption mppe 128
          vpdn group 1 client configuration address local bigpool
          vpdn group 1 client configuration dns yourdns
          vpdn group 1 client configuration wins yourwins
          vpdn group 1 pptp echo 60
          vpdn group 1 client authentication local
          vpdn username username password *********
          vpdn enable outside

        • #2480309

          Read the Question – Answer the Question

          by csr-tech ·

          In reply to i was wrong…

          You really need to read the question before trying to answer with questions that have answers in the original question, or flippantly saying it can’t be done (when it obviously can), or cut-and-pasting a “solution” which contains 95% of what he has already done.

          Why is your solution different from what he has done and why does this difference solve his issue?

          FYI, I have the exact same problem, but I am not going to add access-lists, pools, or nat statement without understanding how/why they are going to fix the issue.
