Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 501: VPN user can't access the private network

Status
Not open for further replies.
colema19

colema19

Programmer
Apr 9, 2009
2
US
Hello everyone, I'm trying to get my VPN user(that is, me) to be able to access my home network when I connect. Right now I can't ping or otherwise reach any machines in the private network.

I'm only using PPTP, and I've got that working(I can connect, I get an IP in the space I expect).

I add a route entry to the client machine when I dial in, but I can't seem to get a response from any of the hosts in the local network. I suspect I'm missing something in the acl, but I'm sure what.

More specifically:
Dialup is assigned 192.168.100.x address. Can't seem to access any of the machines on the 192.168.0.x network.

The route entry I add to the client is typically:
route add 192.168.0.0 mask 255.255.255.0 192.168.100.1

Thanks!

This is my config:
Code: 
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pixfirewall
domain-name halo.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.203 media-pc
name 192.168.0.69 xb360
access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.0
access-list inside_allowed permit tcp any interface outside eq 3074
access-list inside_allowed permit udp any interface outside eq 3074
access-list inside_allowed permit udp any interface outside eq 88
access-list inside_allowed permit tcp any interface outside eq 3389
access-list inside_allowed permit tcp any interface outside eq 3390
access-list 101 permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit tcp any host 192.168.100.1
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.100.1-192.168.100.50
pdm location 192.168.0.117 255.255.255.255 inside
pdm location 192.168.0.192 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 88 xb360 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 media-pc 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3074 xb360 3074 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 3074 xb360 3074 netmask 255.255.255.255 0 0
access-group inside_allowed in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp log 10
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 10
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local pptp-pool
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username colemanjc password ********
vpdn username coleman password ********
vpdn enable outside
dhcpd address 192.168.0.200-192.168.0.220 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain fubar.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:5fd0d3d0943371a7caaca5dedebad798
 
Sort by date Sort by votes
change this:
Code: 
access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.0
to this:
Code: 
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.192
I noticed your local pool was only using .1 - .50 so you see the subnet mask in the nat0_acl as .192 accounting for 62 hosts. You can change it to a full /24 if you need.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Ah thanks, that got it. So I needed to specify an access rule to let traffic flow back to the dial up user? But I don't need one to specify traffic can go in? Either that or my idea of what the sip and dip are backwards from what the pix treats them as.
 
Upvote 0 Downvote
that's right. the return traffic from the inside was being NATed. when you added the sysopt connection permit-pptp to your config you bypassed the need for any ACL's for traffic destined inbound from the PPTP group.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
724
Shmid
Shmid
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
586
intel233
intel233
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
232
hairlessupportmonkey
hairlessupportmonkey
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
207
gkittelson
gkittelson
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
160
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top