
pix 506 pptp, no internet access

Status
Not open for further replies.

karmic

Technical User
Jul 20, 2001
973
CA
Have a 506 and linking in remotely via pptp. Links up ok, can access network just fine but can't surf the web.

Internal primary DNS and WINS servers are the same, and I've got the secondary DNS server set to the primary ISP DNS server.
On any other router, this would work fine, but I still can't surf the web via the PPTP tunnel...

Any ideas? Thanks

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
This is normal. You can enable split-tunneling on the Pix to get around this.

You can also disable "use default gateway on remote network" to get around this. You then need static routes pointing to your internal network via your PPTP address, which changes. The first option is simpler.
 
It's no wonder why I don't recommend Cisco to anyone... Other routers are cheaper, easier to set up and just as hack proof (if not better)...

Read up a little on Cisco's site and couldn't find anything on split-tunneling on PPTP. There's lots on the IPsec though.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
I see a lot of info talking about split tunneling with the Cisco VPN client and even how to config that in the PDM. However, I'm still not clear on how to enable split-tunneling for PPTP on the Pix (if that's even possible).

Here is my PPTP config info:
vpdn group PPTP-128 accept dialin pptp
vpdn group PPTP-128 ppp authentication mschap
vpdn group PPTP-128 ppp encryption mppe 128 required
vpdn group PPTP-128 client configuration address local PPTP-128
vpdn group PPTP-128 client configuration dns 192.168.11.3 192.168.11.4
vpdn group PPTP-128 pptp echo 60
vpdn group PPTP-128 client authentication local

My LAN subnet is 192.168.11.x. I want people VPNing in from the outside to be able to surf the web. Someone mentioned static routing on the PPTP client. How would I go about doing that?
My PPTP IP pool is only 5 IPs (192.168.254.1-5) so I can walk set that up pretty easily if that's the only way. Help!


 
Sorry, I think you're right. I set up pptp briefly for testing, but use IPSec in production. I don't think pptp supports split-tunnelling.

Typically you would deselect the checkbox for "use default gateway on remote network" in the Windows connection properties. Then add static routes for your office network via the vpn gateway.
 
Thanks for the info! Please forgive my ignorance, but I am a bit new to the WAN/VPN side of things. Could you give me an example of how to add a static route in Windows XP?

The local subnet for our remote user is going to be 192.168.1.x. The IP assigned by the PIX (PPTP) is going to be 192.168.254.1. The default gateway for the remote host would be 192.168.1.1.

Any ideas? Thanks again.
 
I think the gateway for the VPN user should be its assigned address. The next hop might work, but that's always an address on the same LAN (192.168.254.x). If the gateway was 192.168.1.1, the PC wouldn't know how to get to that address.

Adding a route is basically:
route add <network> mask <mask> <gateway>

So, if the PC gets assigned 192.168.254.77, you could enter "route add 192.168.1.0 mask 255.255.255.0 192.168.254.77" and that should get you through.
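
Since the PPTP-assigned address changes between connections, the route can be set by a small script run after connecting. This is an added example, not a script posted in the thread; it assumes the office LAN 192.168.11.0/24 and the PPTP pool 192.168.254.x given earlier, that "use default gateway on remote network" is already cleared, and the variable names are made up for illustration.

```bat
@echo off
rem Added example: send only office-LAN traffic through the PPTP tunnel.
rem Values below are the ones quoted in the thread; adjust for other sites.
setlocal
set OFFICE_NET=192.168.11.0
set OFFICE_MASK=255.255.255.0
set POOL_PREFIX=192.168.254.
set VPN_IP=

rem Find the address the PIX handed out by looking for the pool prefix in
rem ipconfig output. The text after the colon is the address itself.
for /f "tokens=2 delims=:" %%A in ('ipconfig ^| findstr /l /c:"%POOL_PREFIX%"') do (
    for /f "tokens=1" %%B in ("%%A") do set VPN_IP=%%B
)

if not defined VPN_IP (
    echo No %POOL_PREFIX%x address found. Is the PPTP connection up?
    exit /b 1
)

rem Remove a stale route left over from an earlier session, then add the
rem route to the office LAN with the current PPTP address as the gateway.
route delete %OFFICE_NET% >nul 2>&1
route add %OFFICE_NET% mask %OFFICE_MASK% %VPN_IP%
if errorlevel 1 (
    echo route add failed. Run this from an administrator account.
    exit /b 1
)

rem Show the resulting entry so the route can be checked by eye.
route print | findstr /l /c:"%OFFICE_NET%"
endlocal
```

With the default-gateway box cleared, web traffic leaves through the client's own ISP connection and no longer passes through the office firewall, while the PC stays attached to both networks at once.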
 