
PIX VPN won't route


chikn
Aug 20, 2001
Below you'll find my PIX config. I'm a network admin, not an engineer, so excuse me if this is something blindingly simple; I have configured it to the best of my knowledge. I can establish the VPN connection using local auth (going to TACACS once I figure this out, but that'll be another post); my VPN adapter gets an IP, but I cannot ping anything inside, even the PIX itself. I've tried the nat 0.0.0.0 0.0.0.0 for the interfaces. I'd like to move away from using a 2K server for remote user access. TIA



nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
no names
access-list outside permit tcp any host xx.xxx.xx.x eq smtp
access-list outside permit tcp any host xx.xxx.xx.x eq pop3
access-list outside permit icmp any any
access-list outside permit tcp any host xx.xxx.xx.x eq www
no pager
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xx.xxx.xx.x 255.255.255.0
ip address inside 192.1.1.1 255.255.255.0
ip address intf2 192.168.255.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.1.1.220-192.1.1.250
arp timeout 14400
global (outside) 1 xx.xxx.xx.x
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.xx.x 192.1.1.7 netmask 255.255.255.255 0 0
static (inside,intf2) 192.1.1.0 192.1.1.0 netmask 255.255.255.0 0 0
access-group outside in interface outside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 xx.xxx.xx.x 1
route inside 10.1.0.0 255.255.0.0 192.1.1.16 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
isakmp identity address
telnet 192.1.1.0 255.255.255.0 inside
telnet 10.1.0.0 255.255.0.0 inside
telnet xx.xxx.xx.x 255.255.255.255 inside
telnet 192.1.1.0 255.255.255.0 intf2
telnet xx.xxx.xx.x 255.255.255.255 intf2
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username xxxxx password xxxxxx
vpdn enable outside
terminal width 80
 
HI.

* You will need to use a different subnet for VPN clients, UNLIKE the way that MS PPTP servers work. Like:
ip local pool pptp-pool 10.0.0.1-10.0.0.50

* You will need a "nat 0" command bound to an access-list, like:
access-list nonat permit ip 192.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat

* What about PPTP encryption?
vpdn group 1 ppp encryption mppe 40 required

* Later if you wish to authenticate VPN clients at the W2K server, you can find its RADIUS server from ADD-REMOVE (search for IAS).

Bye
Yizhar Hurwitz
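Putting the three corrections above together, here is a complete remote-access PPTP fragment for this PIX. It is an added example, not the original poster's config or part of Yizhar's reply. It assumes the client pool 10.0.0.0/24, the inside network 192.1.1.0/24 from the posted config, and that inside hosts whose default gateway is not the PIX get a return route for the pool pointing at the PIX inside address (192.1.1.1).

```cisco
! Added example: PIX-terminated PPTP with the clients on a pool that is NOT part of the inside LAN.
! Assumes inside = 192.1.1.0/24 (as in the posted config) and a client pool of 10.0.0.0/24.

! 1. Client pool on its own subnet. A pool carved out of 192.1.1.0/24 breaks return traffic:
!    inside hosts ARP for the client address on the LAN instead of sending it to the PIX.
ip local pool pptp-pool 10.0.0.1-10.0.0.50

! 2. Exempt inside<->client traffic from NAT. Without this, replies to 10.0.0.x are subject to
!    "nat (inside) 1" / "global (outside) 1" and never take the tunnel path.
access-list nonat permit ip 192.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! 3. PPTP termination. MPPE needs MS-CHAP, so plain CHAP is dropped; "required" refuses sessions
!    that will not encrypt. 40-bit MPPE is weak; use 128 if the unit's feature license allows it.
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username xxxxx password xxxxxx
vpdn enable outside

! 4. Let PPTP (TCP/1723 plus GRE) reach the PIX itself without an entry in the outside ACL.
sysopt connection permit-pptp

! Assumption: if inside hosts default to the T1 router (192.1.1.16) rather than the PIX, that
! router needs a route for the pool back to the PIX, e.g. on an IOS router:
!   ip route 10.0.0.0 255.255.255.0 192.1.1.1
```

Verify with "show vpdn tunnel" and "show vpdn session" on the PIX after a client connects, and "show xlate" should not show a translation for the 10.0.0.x addresses.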
 
That worked, thanks!!!! One more question.

Before using Windows 2K, I would just uncheck "use the default gateway of server" in the VPN connection, which allowed me to keep surfing the web using the local connection to the internet. I know this isn't going to be possible now, as it needs the PIX to be the default gateway to see the other network, 192.1.1.0. What can I add to the PIX to use 192.1.1.16, our T1 router to the internet and default gateway locally, while I'm connected?
 
HI.

If you implement an IPsec VPN instead, using the Cisco IPsec client, you have the option to do that, which is called "split-tunnel".

You will need the VPN client software (ask your Cisco dealer), a DES activation key at the PIX if you don't have one already (use "show version" to verify), a RADIUS server (a W2K can do that), and several hours for configuration and troubleshooting...

Yet another option is to use the W2K RRAS as VPN server and to pass PPTP traffic to it.

Bye
Yizhar Hurwitz
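The split-tunnel setup described above, written out as an added example for PIX 6.x software (it is not from either poster and not Cisco's reference configuration). Assumptions: the inside network 192.1.1.0/24 and the 10.1.0.0/16 network behind the T1 router as in the posted config, a hypothetical IPsec client pool 10.0.1.0/24, a hypothetical RADIUS server (W2K IAS) at 192.1.1.50, a group named "remoteusers", and a DES-only feature license as the reply mentions. Check the exact command syntax against the command reference for your PIX release.

```cisco
! Added example: Cisco VPN Client (IPsec) termination on PIX 6.x with split tunneling.
! Assumes inside = 192.1.1.0/24, client pool 10.0.1.0/24, RADIUS at 192.1.1.50 (hypothetical),
! group "remoteusers", and a DES-only feature license.

! Pool for IPsec clients, on its own subnet (same rule as for the PPTP pool).
ip local pool ipsec-pool 10.0.1.1-10.0.1.50

! NAT exemption for inside <-> client traffic.
access-list nonat permit ip 192.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel list: only traffic to these networks is sent into the tunnel; everything else
! (web browsing included) leaves through the client's own local default gateway.
access-list split permit ip 192.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list split permit ip 10.1.0.0 255.255.0.0 10.0.1.0 255.255.255.0

! Per-user authentication against W2K IAS over RADIUS. <shared-secret> is the RADIUS shared
! secret configured on the IAS side for this client, not a user password.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.1.1.50 <shared-secret> timeout 5

! Phase 1 (ISAKMP). DES matches the DES-only license; with a 3DES license use
! "encryption 3des" here and "esp-3des" below, since single DES is breakable.
! Group 2 is what the Cisco VPN Client negotiates.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec). A dynamic crypto map accepts clients whose address is not known in advance.
crypto ipsec transform-set client-set esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set client-set
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client authentication RADIUS
crypto map clientmap interface outside
sysopt connection permit-ipsec

! The group the VPN Client connects with; the group password is the pre-shared key.
vpngroup remoteusers address-pool ipsec-pool
vpngroup remoteusers split-tunnel split
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-pre-shared-key>
```

Note that with split tunneling the client is simultaneously on the Internet and inside the tunnel, so a compromised client host becomes a bridge into 192.1.1.0/24; the remote machines should run a host firewall and the split list should be kept to the networks actually needed. "show crypto isakmp sa" and "show crypto ipsec sa" on the PIX show whether phase 1 and phase 2 completed for a connecting client.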
 
Yizhar,

Would you be so kind as to let me know how to pass PPTP to a W2K RRAS server? I finally got my VPN working and now find myself in a similar situation, wanting local internet access while I am in the VPN tunnel to work.

Thank you; your advice and information are indeed valuable.

 
HI.

You can use "static" and "access-list" to forward TCP port 1723 and IP protocol GRE to the RRAS server.
And of course you will need to enable RRAS on the server itself, configure strong passwords, and only allow specific users to "dial in", which in that case means PPTP access.

Bye
Yizhar Hurwitz
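The passthrough described above, written out as an added example (it is not from either poster's config). It assumes the RRAS server is 172.16.32.1 on the inside, a spare public address written as <outside IP>, and an outside ACL named fromoutside.

```cisco
! Added example: forward PPTP from the Internet to a W2K RRAS server behind the PIX.
! Assumes RRAS at 172.16.32.1 on the inside and a spare public address <outside IP>.

! 1:1 translation so the TCP control channel and the GRE tunnel both map to the same host.
! PAT via "global (outside) 1" cannot carry GRE (no ports to translate), so a static is required.
static (inside,outside) <outside IP> 172.16.32.1 netmask 255.255.255.255 0 0

! PPTP is two flows: TCP/1723 for the control channel and IP protocol 47 (GRE) for the tunnel data.
! Forwarding only 1723 lets the control channel come up, but PPP negotiation runs inside GRE and
! never completes, so the Windows client reports that the remote computer did not respond.
access-list fromoutside permit tcp any host <outside IP> eq 1723
access-list fromoutside permit gre any host <outside IP>
access-group fromoutside in interface outside

! "sysopt connection permit-pptp" only covers PPTP terminating on the PIX itself; it opens
! nothing for a passthrough session, hence the explicit GRE entry above.
```

A PIX interface takes a single access-group, so binding "fromoutside" to the outside interface replaces the "outside" ACL already applied in the posted config (the SMTP, POP3, ICMP and WWW entries). Either add the two PPTP lines to the existing "outside" ACL instead, or carry its entries over into the new list.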
 
I tried,


static (inside,outside) <outside IP> 172.16.32.1
access-list fromoutside permit tcp any host <outside IP> eq 1723
access-group fromoutside in interface outside


I get a response back from Windows: "no valid certificate"?

Do I have the right commands? or did I miss something?
 
HI

TCP port 1723 and IP protocol GRE are for PPTP connections, which do not use certificates.

If you are trying to use L2TP it's a different story.
I have no experience with L2TP - as far as I know it uses IPSEC (UDP port 500, IP protocols AH+ESP (50 & 51)), and also requires that you use a CA to issue certificates - either W2K own CA server or an external one.

So, first of all better try to use PPTP and not L2TP (check both client and server configuration).

If you still have problems, post a new thread here and in the Win2000 or VPN forum also with more details.

Bye
Yizhar Hurwitz
 