Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

pptp cannot ping server side

Status
Not open for further replies.
joedigi

joedigi

Technical User
Feb 13, 2006
10
CA
I have a pptp setup from XP to PIX. problem is that XP side after connecting cannot access anything on the pix side. are there additional routes or access lists that need to be applied?

the relevant config I have is as follows:


access-list 80 permit ip 10.10.24.0 255.255.255.0 ip address outside 64.1.2.4 255.255.255.240
ip address inside 10.10.24.3 255.255.255.010.10.25.0 255.255.255.0
ip local pool my-addr-pool 10.10.24.10-10.10.24.20
nat (inside) 0 access-list 80
route outside 0.0.0.0 0.0.0.0 64.1.2.4 1
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username nathan password *********
vpdn enable outside
 
Sort by date Sort by votes
I wouldnt put your ip pool for you dhcp clients in with your local network.

Make it 10.10.25 or something like that.

ip local pool my-addr-pool 10.10.25.10-10.10.25.20

Than for your no nat rule

access-list 80 permit ip 10.10.24.0 255.255.255.0 10.10.25.0 255.255.255.0
 
Upvote 0 Downvote
yes but the problem is when I set it to 10.10.25.0 or 10.10.24.0 I cannot access anything on the other side of the vpn (Pix side). I try from pix side and from XP side and cannot access either side from either side.
 
Upvote 0 Downvote
Trust me. Set it up and post your config.

access-list nonat permit ip 10.10.24.0 255.255.255.0 10.10.25.0 255.255.255.0

nat (inside) 0 access-list nonat
ip local pool pptp-pool 10.10.25.10-10.10.25.20
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns xxx.xxx.xxx.xxx
vpdn group 1 client configuration wins xxx.xxx.xxx.xxx
vpdn group 1 client authentication local
vpdn group 1 pptp echo 60
vpdn enable outside
 
Upvote 0 Downvote
here is the config. problem is I can connect but cannot ping or access from XP side anything on 10.10.24.x side and vice versa. do I have to add some additional routes to make this work?


access-list nonat permit ip 10.10.24.0 255.255.255.0 10.10.25.0 255.255.255.0
pager lines 24
logging on
logging monitor informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside 66.29.1.2 255.255.255.240
ip address inside 10.10.24.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool my-addr-pool 10.10.25.10-10.10.25.20
pdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 66.29.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local my-addr-pool
vpdn group 1 client configuration dns 34.66.78.1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username client1 password *******
vpdn enable outside
terminal width 80
 
Upvote 0 Downvote
Ok. Try this.


On the Pix:
logging buffered informational
debug icmp trace
term mon


Ping an IP address from your internal lan to a connected pptp client.

Watch the telnet session on the Pix. You should see some traffic hitting the FW. Once you see the traffic flow do:

sh log

copy the info you see from the debug and the log to a text file. look st the log to see if there is any obvious reason the traffic isnt flowing.

no debug all
term no mon

Post results here.
 
Upvote 0 Downvote
I can ping the other side.. but cannot telnet to any ports on servers on the other side nor can I ping from the pix side to the XP side.. but I can ping from XP side to pix side

thanks
 
Upvote 0 Downvote
when I do a traffic dump on the XP side I get "Destination unreachable" (fragmentation needed) with etheral this is ping from pix side
 
Upvote 0 Downvote
Nevermind fixed it... if anyone out there needs to know the fix was to change the MTU on the pix side to 1476
 
Upvote 0 Downvote
Thats odd. I have never has this problem before. Usually when the DF bit is set and traffic doesnt go through it is because the MTU is to small and need to be larger or there is a device somewhere that is have bug issues if the MTU is indeed large enough.
 
Upvote 0 Downvote
yes indeed, it was not an easy problem to discover.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Garbear
  • Locked
  • Question
TZ190 VPN Connection works but can't ping some IP's on either side
Replies
0
Views
130
Garbear
Garbear
ISDPCMAN
  • Locked
  • Question
Cannot connect to TZ-215 Sonicwall appliance with web browser!
Replies
0
Views
161
ISDPCMAN
ISDPCMAN
DivemasterBill
  • Locked
  • Question
Cannot connect via the SonicWall Login webpage
Replies
0
Views
160
DivemasterBill
DivemasterBill
Russtoleum
  • Locked
  • Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
147
Russtoleum
Russtoleum
sabin808
  • Locked
  • Question
TZ205 | Unable to ping WAN IP from LOCAL ZONE
Replies
0
Views
104
sabin808
sabin808

Part and Inventory Search

Sponsor

Back
Top