
Client - PIX VPN Question.

mbarrow (MIS, GB), Oct 9, 2001
Guys,

I have set up a VPN using PPTP & IPSEC and have a couple of questions:

Site A - 192.168.5.0 (This is where the PIX is)
VPN IP Pool - 192.168.12.0
Site B - 168.50.1.0

1. When connected to the VPN I can ping anything on the Site A network. I added the Site B network to the routing table of the PIX. Do I need to add anything to my Cisco 2600 router to allow it to pass traffic from Site A to Site B?

2. In my access-list I have opened TCP port 1723 and IP GRE (47). These are always on hitcnt=0. Do I need them?

Thanks in advance.
 
Which end is your router on? Is this actually a site to site VPN, a soho to site, or client to site?

Jacob
 
Hi joerocket.

There is one router on site A network and another on the end of a circuit which connects site B. The VPN is a client to site A.

Thanks
 
mbarrow,

If you can ping network resources then you know that your routers are passing the traffic ok.

As for the GRE and TCP config settings, it really depends on the hardware and applications being used on your network. I wouldn't think that TCP is necessary to VPN, but I know that some devices require the GRE.

Jacob
 
When connected to the VPN I can't ping anything on the site B network (168.50.1.0)

Marc
 
Hi mbarrow,

I think from the description of your problem the new site router doesn't know how to route back to the VPN pool address.

Either add a default route to the router in the path to site B; this route points to the PIX. If you are already using a default pointing somewhere else then use a specific route to the VPN IP pool subnet pointing to the inside address of the PIX.

As for permitting GRE and port 1723 in the ACL, you don't need them; you enable PPTP using the vpdn commands. From the information you state that these ACLs are hitcount 0, so they are not being used currently.

IPSec uses protocol 50 (for ESP which you should be using) and UDP port 500 for ISAKMP. You probably have a sysopt statement in the pix which allows this traffic through.
sysopt connection permit-ipsec
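The two fixes described in this reply, the return route for the VPN pool and the sysopt shortcut for the IPSec control traffic, written out as an added configuration example (not posted by anyone in this thread). It assumes PIX 6.x syntax, a PIX inside address of 192.168.5.254, a Site A router at 192.168.5.1 as the next hop toward Site B, a pool named vpnpool, and PIX_OUTSIDE_IP as a placeholder for the outside interface address:

```text
! --- Router in the path to Site B (Cisco IOS) ---
! Return route for the VPN client pool. Without it, replies from
! 168.50.1.0/24 follow the router's default route instead of going
! back to the PIX, and the client's ping never gets an answer.
ip route 192.168.12.0 255.255.255.0 192.168.5.254

! --- PIX (6.x syntax) ---
! Forward route to Site B via the Site A router (assumed 192.168.5.1).
route inside 168.50.1.0 255.255.255.0 192.168.5.1 1

! Address pool handed to VPN clients (assumed name "vpnpool").
ip local pool vpnpool 192.168.12.1-192.168.12.254

! IPSec client traffic: ESP (IP protocol 50) and ISAKMP (UDP/500).
! With this sysopt in place no interface ACL entries are needed for it.
sysopt connection permit-ipsec
! Same shortcut for PPTP (TCP/1723 + GRE) if PPTP terminates on the PIX.
sysopt connection permit-pptp

! Explicit ACL entries, only needed if the sysopt lines above are absent.
access-list outside_in permit udp any host PIX_OUTSIDE_IP eq 500
access-list outside_in permit esp any host PIX_OUTSIDE_IP
access-list outside_in permit tcp any host PIX_OUTSIDE_IP eq 1723
access-list outside_in permit gre any host PIX_OUTSIDE_IP
access-group outside_in in interface outside
```

The sysopt lines let the PIX accept its own tunnel traffic without consulting the interface ACL, which is consistent with the zero hit counts reported on the 1723/GRE entries earlier in the thread. The single `ip route` on the Site B path router is the piece most often missing: the forward path from the VPN pool to Site B works through the PIX, but the return path needs a route on every hop back. This still only helps if the device terminating the VPN client will forward the traffic on; see the point about same-interface forwarding in the next reply.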

 
If you are ending the VPN client at the PIX then you will never be able to access site B. The PIX is not able to route packets back on the same interface they arrived, only a router or a VPN 3K are able to do so. If you are ending the VPN client on a router then it should work... just make sure site B is on the crypto ACLs.
 
I've been told that this won't work, period....something to do with the subnet of the VPN IP pool. Don't know if it's true or not.

Thanks anyway
 