
Pix 501 and remote PPTP VPN


AM123 (Vendor, Jun 15, 2002, CA)
I am new to the PIX as well as VPN, so please bear with me.

What I want to do is this.

I have a 501 which is using PAT for our static IP.

On the internal network we have 3 machines. 2 are Windows 98SE2 and one is Windows 2000.

At a different location (home) I have one machine running Win 2000 that I want to connect to the internal network via VPN.

Using the walkthrough on the PIX I set up a PPTP VPN and am able to connect from the outside with my W2K machine at home. It says we are connected, accepts username and password, registers on the network, and gives me an IP of 192.168.1.10.

The problem is this, on the Win 2000 machine on the outside I cannot see past the 501 to the internal network. I would like to be able to see the shared drives on each internal machine.

I thought that maybe the inside machines needed to be running VPN and connected to the PIX at the same way for this to work. So, at the same time I also started a VPN with the internal Win 2000 machine to the PIX and it was assigned an IP of 192.168.1.11 and still I could not see the drives from the external machine.

I am sure I am missing something easy (or hard?) on the PIX as well as possibly on the machines. Any help on how I can externally connect to the internal shared drives would be appreciated.

Thank-you.
AM123
 
HI.

>> ... and gives me an IP of 192.168.1.10.
What is the IP range of the local network? If it is also 192.168.1.X (the default of the PIX 501) then it overlaps and the PIX cannot handle it very well. In that case you should change the "ip local pool" and other things related to the IP addresses of VPN clients to a nonexisting and not conflicting IP range such as 10.10.10.X, for example.

>> I thought that maybe the inside machines needed to be running VPN ...
Nope.

And as mentioned - post your config here to get more help.

Bye


Yizhar Hurwitz
 
Here is my config:

Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ats-systems.ca
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.3 Desktop-2
name 192.168.1.5 Desktop-1
access-list 101 permit tcp any host 216.126.***.** eq pcanywhere-data
access-list 101 permit tcp any host 216.126.***.** eq 5632
access-list 101 permit tcp any host 216.126.***.** eq 5633
access-list 101 permit tcp any host 216.126.***.** eq 5634
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside Desktop-1
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 216.126.***.** 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit name info1 info action alarm drop
ip audit name attack1 attack action alarm drop reset
ip audit interface outside info1
ip audit interface outside attack1
ip audit info action alarm
ip audit attack action alarm
ip local pool ATSVPN 192.168.1.10-192.168.1.11
pdm location Desktop-2 255.255.255.255 inside
pdm location Desktop-1 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.126.***.** Desktop-2 netmask 255.255.255.255 0 0
static (inside,outside) 216.126.***.** Desktop-1 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 216.126.***.** 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40 required
vpdn group PPTP-VPDN-GROUP client configuration address local ATSVPN
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username ***** password *********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 216.126.***.** 209.47.145.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:******
: end
[OK]


Thanks for all your help!!!

AM123
 
Add the following statements:

access-list nonatinside permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonatinside


good luck
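The two checks raised in this thread, as an added example that is not part of the original posts: whether the PPTP client pool overlaps the inside subnet (Yizhar's point) and whether the nat 0 access-list from JackyZhang's fix actually exempts inside-to-VPN-client traffic from PAT. The config text is a constructed excerpt modelled on the one posted above; the parser also shows that the pool 192.168.1.10-.11 falls inside the posted dhcpd range 192.168.1.2-.33.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted in this thread, with the
# NAT-exemption lines from the accepted answer appended (not the full config).
PIX_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
ip local pool ATSVPN 192.168.1.10-192.168.1.11
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
dhcpd address 192.168.1.2-192.168.1.33 inside
access-list nonatinside permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonatinside
"""

def _addr_range(spec):
    """'a.b.c.d-e.f.g.h' -> (first, last) as ip_address objects."""
    lo, hi = spec.split("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def _net(addr, mask):
    # PIX writes dotted netmasks; ip_network accepts them directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Pull the address facts this thread cares about out of a PIX 6.x config."""
    facts = {"acls": {}}
    for line in cfg.splitlines():
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            facts["inside"] = _net(m[1], m[2])
        elif m := re.match(r"ip local pool \S+ (\S+)$", line):
            facts["pool"] = _addr_range(m[1])
        elif m := re.match(r"dhcpd address (\S+) inside$", line):
            facts["dhcp"] = _addr_range(m[1])
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            facts["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            facts["nat0_acl"] = m[1]
    return facts

def pool_overlaps_inside(facts):
    """Yizhar's warning: VPN pool addresses drawn from the inside subnet itself."""
    lo, hi = facts["pool"]
    return lo in facts["inside"] or hi in facts["inside"]

def pool_overlaps_dhcp(facts):
    """Pool and dhcpd range share addresses, so a LAN host and a VPN client may collide."""
    plo, phi = facts["pool"]
    dlo, dhi = facts["dhcp"]
    return plo <= dhi and dlo <= phi

def nat_exempt(facts, src, dst):
    """True if src->dst is matched by the nat 0 access-list, i.e. sent without PAT."""
    acl = facts["acls"].get(facts.get("nat0_acl"), [])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)
```

Run `parse(PIX_CONFIG)` against your own `write terminal` output to see which of the three conditions apply before deciding between moving the pool and adding the NAT exemption.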
 
Thanks a lot, JackyZhang.

Worked great!!

Thanks as well Yizhar.

AM123
 