Hello all,
I have a PIX 506e, version 6.3(5).
I'm new to PIX firewalling.
I configured the PIX to connect my local LAN to a remote network via an IPSEC Site-to-Site VPN. It works fine, but at this point remote PPTP users cannot access the LAN.
My problem is that I cannot activate more than one "nat (inside) 0" statement. This is my conf:
PIX Version 6.3(5)
[...]
access-list sitetosite permit ip 192.168.21.0 255.255.255.0 10.155.200.0 255.255.248.0
access-list pptptraffic permit ip 192.168.0.0 255.255.0.0 1.1.1.0 255.255.255.0
[...]
ip address outside 100.100.100.100 255.255.255.248
ip address inside 192.168.1.1 255.255.0.0
[...]
ip local pool pptpusers 1.1.1.1-1.1.1.100 mask 255.255.255.0
[...]
global (outside) 1 interface
nat (inside) 0 access-list pptptraffic
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
route outside 0.0.0.0 0.0.0.0 94.95.36.65 1
[...]
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set sitetositeset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map sitetositemap 10 ipsec-isakmp
crypto map sitetositemap 10 match address sitetosite
crypto map sitetositemap 10 set peer 151.13.18.245
crypto map sitetositemap 10 set transform-set sitetositeset
crypto map sitetositemap interface outside
isakmp enable outside
isakmp key ******** address 151.13.18.245 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
[...]
vpdn group pptpgroup accept dialin pptp
vpdn group pptpgroup ppp authentication mschap
vpdn group pptpgroup ppp encryption mppe 128 required
vpdn group pptpgroup client configuration address local pptpusers
vpdn group pptpgroup pptp echo 60
vpdn group pptpgroup client authentication local
vpdn username user1 password ********
vpdn username user2 password ********
vpdn enable outside
To get the Site-to-Site VPN working, I have written in configuration mode
nat (inside) 0 access-list sitetosite
At this point the line "nat (inside) 0 access-list pptpusers" disappears, and incoming PPTP connections stop working.
I googled a lot, but I cannot figure out the solution.
Any suggestions or links are very appreciated
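An added illustration, not from the original post or from Cisco: a small Python model of the PIX order of operations, where the single `nat (inside) 0 access-list` exemption is checked before the `nat (inside) 1` PAT, run over the poster's two ACLs and over a merged ACL named `nonat` (the name and the merge are my assumption) that holds both sets of permit lines. It shows why the PPTP flow breaks when only `sitetosite` is bound, and that both flows are exempt again once they sit in the one bound ACL.

```python
import ipaddress

# Constructed model of the poster's NAT exemption ACLs (PIX "src mask dst mask" form).
# "nonat" is a hypothetical merged ACL carrying both sets of ACEs, because PIX 6.3
# binds only one access-list to `nat (inside) 0`.
ACLS = {
    "sitetosite": ["192.168.21.0 255.255.255.0 10.155.200.0 255.255.248.0"],
    "pptptraffic": ["192.168.0.0 255.255.0.0 1.1.1.0 255.255.255.0"],
}
ACLS["nonat"] = ACLS["sitetosite"] + ACLS["pptptraffic"]

OUTSIDE_IP = "100.100.100.100"   # `global (outside) 1 interface` from the post


def parse_ace(ace):
    """Parse one permit ACE into (source network, destination network)."""
    src, smask, dst, dmask = ace.split()
    return (ipaddress.ip_network(f"{src}/{smask}"),
            ipaddress.ip_network(f"{dst}/{dmask}"))


def acl_matches(acl_name, src_ip, dst_ip):
    """True if any ACE of the named ACL covers the src -> dst pair."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in map(parse_ace, ACLS[acl_name]))


def translation(exempt_acl, src_ip, dst_ip):
    """Inside-to-outside NAT decision: the `nat 0 access-list` exemption is
    checked first; anything it does not cover falls through to `nat (inside) 1` PAT."""
    if acl_matches(exempt_acl, src_ip, dst_ip):
        return src_ip          # exempt: real inside address kept, so IPsec/PPTP works
    return OUTSIDE_IP          # translated to the outside interface address


if __name__ == "__main__":
    # Constructed flows: a site-to-site host pair and a LAN host answering a PPTP client.
    flows = [("192.168.21.10", "10.155.201.7"), ("192.168.5.20", "1.1.1.10")]
    for acl in ("sitetosite", "nonat"):
        for src, dst in flows:
            print(f"nat (inside) 0 access-list {acl}: {src} -> {dst} "
                  f"leaves as {translation(acl, src, dst)}")
```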