
PIX501 VPN 1/2 Working 1

Status
Not open for further replies.
Apr 1, 2003
This Pix has been nothing but a nightmare for me due to my lack of experience with them so please bear with me here.

Office Layout:
- Cisco Router in bridge mode
- Cisco Pix 501 (works great, except vpn)
- 9 machines running Windows 2000
- There is no server version of Windows in the office
- 192.168.1.2-192.168.1.11

What I've done:
- Created a PPTP group with a pool of 5 addresses
192.168.1.20-192.168.1.24
- Using MSCHAP, authenticating against a local database
for usernames

What's happening:
- Client can connect to network
- IP gets assigned from the pool like expected
- Can't ping anything on the network
- Can't access the internet at all

From the couple hundred posts I've read here tonight, I've noticed that the subnet is different on the VPN than it is on the LAN. I've noticed that the route table doesn't look right. However, I can't figure out how to fix it and I am going bald.

Any and all help here would be really appreciated.

---------------------------------------------------

Computer in the office Config:

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920
Physical Address. . . . . . . . . : 00-06-5B-BD-B9-8A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 216.87.64.2
166.90.152.35

Client Config:

PPP adapter Meagher

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.20
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.1.20

PIX 501 Config:

Result of firewall command: "show config"

: Saved
: Written by enable_15 at 17:40:06.185 UTC Tue Apr 1 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any any eq pcanywhere-data
access-list 100 permit udp any any eq pcanywhere-status
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.1.20-192.168.1.24
pdm location 192.168.1.6 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.1.6 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.1.6 pcanywhere-status netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 216.38.219.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
vpdn group Mogpi accept dialin pptp
vpdn group Mogpi ppp authentication mschap
vpdn group Mogpi ppp encryption mppe 40
vpdn group Mogpi client configuration address local VPN
vpdn group Mogpi pptp echo 60
vpdn group Mogpi client authentication local
vpdn username ****** password ********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.11 inside
dhcpd dns 216.87.64.2 166.90.152.35
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:fbee7276c38d1c2c6463cc33119d0a59

Route Print:

C:\>route print
============================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 b8 58 31 b8 ...... Intel(R) PRO/100 VE Network Connection - Pac
0x40004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0xf0005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
============================================================
============================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.195.99.85 172.195.99.85 2
0.0.0.0 0.0.0.0 192.168.1.20 192.168.1.20 1
64.12.9.12 255.255.255.255 172.195.99.84 172.195.99.85 1
64.12.96.0 255.255.224.0 172.195.99.84 172.195.99.85 1
64.236.48.0 255.255.240.0 172.195.99.84 172.195.99.85 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
152.163.141.0 255.255.255.128 172.195.99.84 172.195.99.85 1
152.163.192.0 255.255.224.0 172.195.99.84 172.195.99.85 1
152.213.83.171 255.255.255.255 172.195.99.85 172.195.99.85 1
172.195.99.85 255.255.255.255 127.0.0.1 127.0.0.1 50
172.195.255.255 255.255.255.255 172.195.99.85 172.195.99.85 50
192.168.1.20 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.1.255 255.255.255.255 192.168.1.20 192.168.1.20 50
195.93.0.0 255.255.128.0 172.195.99.84 172.195.99.85 1
198.81.0.0 255.255.224.0 172.195.99.84 172.195.99.85 1
202.67.64.0 255.255.224.0 172.195.99.84 172.195.99.85 1
205.188.13.0 255.255.255.0 172.195.99.84 172.195.99.85 1
205.188.32.0 255.255.224.0 172.195.99.84 172.195.99.85 1
205.188.146.144 255.255.255.240 172.195.99.84 172.195.99.85 1
205.188.192.0 255.255.240.0 172.195.99.84 172.195.99.85 1
216.38.219.17 255.255.255.255 172.195.99.85 172.195.99.85 1
224.0.0.0 240.0.0.0 172.195.99.85 172.195.99.85 2
224.0.0.0 240.0.0.0 192.168.1.20 192.168.1.20 1
255.255.255.255 255.255.255.255 192.168.1.20 2 1
Default Gateway: 192.168.1.20
============================================================
Persistent Routes:
None

 
Your traffic is going through the NAT process. Add this line and it may help you:

nat (inside) 0 access-list 100
 
I added the line above and I get the following:

WARNING: access-list protocol or port will not be used

Then I try and refresh the PDM with the current configuration and I get this:

Access Control List 100 is applied to interface inside for access control and interface outside for access control. PDM does not support multiple uses of a given Access Control List.

Am I missing something else here?
 
FIXED!!

After talking to Cisco, they explained that the VPN group should have a pool of addresses on a different net than the LAN, so I added the following:

ip local pool Cisco 172.168.1.1-172.168.1.50

Then I had to create a NEW access list and bypass the use of NAT for the VPN pool addresses. I had to add the following:

access-list 101 permit ip 192.168.1.0 255.255.255.0 172.168.1.0 255.255.255.0
nat (inside) 0 access-list 101

Everything works great now except name resolution, because we don't have a server, but I am just going to bypass it using the lmhosts file for now.

FYI ... I was told that if the internet connection you are using on the machine for the VPN client is behind PAT or NAT, you can have some strange and unexpected results. So your best bet is to have a real outside address.
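An added example, not from this thread or from Cisco: a small Python lint that reads PIX 6.x config fragments and flags the two problems the thread ran into (a PPTP pool carved out of the inside subnet, and no nat 0 exemption covering the pool). The BEFORE/AFTER fragments are constructed from the configs above; the lint also flags a pool outside RFC 1918 space, which 172.168.1.0/24 is (RFC 1918 reserves only 172.16.0.0/12), since such addresses can collide with reachable public hosts.

```python
import ipaddress
import re

# Constructed fragments mirroring the thread: pool inside the LAN (before),
# then a separate pool plus a nat 0 access-list exempting LAN->pool (after).
BEFORE = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool VPN 192.168.1.20-192.168.1.24
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
AFTER = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool Cisco 172.168.1.1-172.168.1.50
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def check_pptp_pool(config):
    """Return a list of findings for a PIX 6.x PPTP (vpdn) address pool."""
    findings = []
    inside = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    if inside is None:
        raise ValueError("no 'ip address inside' line in config")
    lan = ipaddress.ip_network(f"{inside.group(1)}/{inside.group(2)}", strict=False)
    pools = re.findall(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)
    # Destination networks exempted from NAT by any 'nat (inside) 0 access-list'.
    # Only the destination side is checked; the source is assumed to be the LAN.
    exempt = []
    for acl_id in re.findall(r"^nat \(inside\) 0 access-list (\S+)", config, re.M):
        for _src, _smask, dst, dmask in re.findall(
            rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
            exempt.append(ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
    for name, first, last in pools:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo in lan or hi in lan:
            findings.append(f"pool {name} overlaps inside subnet {lan}")
        if not (lo.is_private and hi.is_private):
            findings.append(f"pool {name} is not RFC 1918 space")
        if not any(lo in net and hi in net for net in exempt):
            findings.append(f"pool {name} has no nat 0 exemption")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_pptp_pool(cfg) or ["ok"])
```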
 