PPTP endpoint on PIX501

rbelt (MIS), May 9, 2003:

uuuuugggh! I've been trying to get this to work for a long time now... I'm out of guesses. I've read a lot of other posts concerning this and have checked many of the suggested solutions but I'm missing something.

(trying) to use W2K/XP clients to VPN to the PIX via PPTP (I'd like to get this running but may also try the cisco client soon). I can connect, get an IP address and everything looks good except that I can't do anything on the remote lan (can't connect to services or even ping known addresses). Local clients get out w/o problems...

Here is the truncated config:

deadfred# sho run
PIX Version 6.2(1)

access-list pptp-pool permit ip any 10.10.20.224 255.255.255.248

ip address outside x.y.z.188 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0

ip local pool vpn-pool 10.10.20.224-10.10.20.231

global (outside) 1 interface
nat (inside) 0 access-list pptp-pool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 x.y.z.1 1

vpdn group VPNClients accept dialin pptp
vpdn group VPNClients ppp authentication mschap
vpdn group VPNClients ppp encryption mppe 128
vpdn group VPNClients client configuration address local vpn-pool
vpdn group VPNClients client configuration dns 10.10.10.5
vpdn group VPNClients pptp echo 60
vpdn group VPNClients client authentication local
vpdn username testvpn password *********
vpdn enable outside
deadfred#

Is this a 6.2(1) issue or do I need to start drinking heavily...

thanks for any help!

//RB
 
HI.

> ip address inside 10.10.10.1 255.255.255.0
> ip local pool vpn-pool 10.10.20.224-10.10.20.231

Use a different subnet for the vpn clients, like 192.168.99.X

> VPN to the PIX via PPTP ... may also try the cisco client ...)
I suggest starting with the Cisco client, instead of switching to it later.
There are several advantages for it, but I will focus on what I consider the main problem of the PPTP client:
With MS PPTP client, the users can save the password just like a dialup connection.
An attacker can send malicious code in some way (email, URL, ICQ, Kazaa, etc.) and extract the credentials from the client.

Bye


Yizhar Hurwitz
 
The pool is already part of a separate subnet but I'll try a 192.168.x.y subnet tonight (is this because the PIX doesn't understand classless subnets?).

As for the Cisco VPN client, I agree that it's better but I don't have the funds to purchase these clients (for grins, how much does Cisco charge for their client anyhow?).

Thanks much for the feedback

//RB
 
Worked on this for about 2 more hours today... again, truncated config:

*****************************
deadfred# sho run

PIX Version 6.2(1)

access-list permit-vpn-pool permit ip 10.10.10.0 255.255.255.0 192.168.222.0 255.255.255.0

ip address outside x.y.z.188 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0

ip local pool vpn-pool 192.168.222.1-192.168.222.254

global (outside) 1 interface
nat (inside) 0 access-list permit-vpn-pool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.y.z.1 1

deadfred#
*****************************

Same story, I get connected and assigned an IP address (192.168.222.1), my workstation shows the default route as going out the vpn connection... but I can't ping anything on the 10.10.10.0 net. Syslog entries just show me 'deny icmp src 192.168.222.1 dst 10.10.10.5...'. I've tried many variations on the access list entry.

Any more suggestions? Is this possibly a pix version issue?

thanks for any help -- I'm at the end of the line w/this device...

//RB
 
HI.

> is this because the PIX doesn't understand classless subnets?
No. The pix always uses classless and calculates the subnet mask.

> how much does Cisco charge for their client anyhow?
You'll be surprised: only 2 digits in green.

> 'deny icmp src 192.168.222.1 dst 10.10.10.5
Try to add this:
sysopt connection permit-pptp

Bye


Yizhar Hurwitz
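The thread resolves on a single missing statement, but the two configs posted above also had to satisfy several other conditions (pool outside the inside subnet, pool actually referenced by the vpdn group, NAT exemption covering the pool) before that line made any difference. Below is an added example, not code from the thread or from Cisco, of a small static checker that reads a PIX 6.x 'sho run' dump and reports each of those conditions. The sample configurations are constructed from the two posts above; the 'x.y.z.188' outside address is left as the poster wrote it because the checker ignores the outside interface line.

```python
"""Added example, not code from the thread: a static checker for the
PPTP-relevant statements in a PIX 6.x 'sho run' dump.

It reports the conditions the thread turned out to hinge on:
  * the VPN pool must not overlap the inside subnet,
  * the pool named by 'client configuration address local' must exist,
  * the 'nat (inside) 0 access-list' entry must exempt inside->pool traffic,
  * 'sysopt connection permit-pptp' must be present; without it the traffic
    decapsulated from the PPTP tunnel is still subject to the outside
    interface access-list, which is what the 'deny icmp src ... dst ...'
    syslog line in the thread shows.
Sample configurations are constructed from the posts in this thread.
"""
import ipaddress
import re


def _acl_operand(tokens, i):
    """Parse one PIX ACL address operand at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(config_text):
    """Extract the PPTP-relevant facts from a PIX configuration dump."""
    facts = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None,
             "vpdn_pool": None, "vpdn_enabled": False, "permit_pptp": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        t = line.split()
        if line.startswith("ip address inside "):
            facts["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif line.startswith("ip local pool "):
            first, last = t[4].split("-")
            facts["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif line.startswith("access-list ") and t[2:4] == ["permit", "ip"]:
            src, i = _acl_operand(t, 4)
            dst, _ = _acl_operand(t, i)
            facts["acls"].setdefault(t[1], []).append((src, dst))
        elif re.match(r"nat \(inside\) 0 access-list \S+$", line):
            facts["nat0_acl"] = t[4]
        elif re.match(r"vpdn group \S+ client configuration address local \S+$", line):
            facts["vpdn_pool"] = t[-1]
        elif line == "vpdn enable outside":
            facts["vpdn_enabled"] = True
        elif line == "sysopt connection permit-pptp":
            facts["permit_pptp"] = True
    return facts


def check_pptp(config_text):
    """Return a list of findings; an empty list means the PPTP setup is consistent."""
    f = parse_pix(config_text)
    findings = []
    if not f["vpdn_enabled"]:
        findings.append("no 'vpdn enable outside': PPTP is not accepted on the outside interface")
    if not f["permit_pptp"]:
        findings.append("missing 'sysopt connection permit-pptp': tunnel traffic is subject to the outside ACL")
    if f["vpdn_pool"] and f["vpdn_pool"] not in f["pools"]:
        findings.append(f"vpdn group references pool '{f['vpdn_pool']}' which is not defined")
    nat0_entries = f["acls"].get(f["nat0_acl"], [])
    for name, (first, last) in f["pools"].items():
        # A pool range may span several CIDR blocks; every block must be covered.
        nets = list(ipaddress.summarize_address_range(first, last))
        if f["inside"] and any(n.overlaps(f["inside"]) for n in nets):
            findings.append(f"pool {name} overlaps the inside subnet {f['inside']}")
        exempt = all(any(f["inside"] is not None and f["inside"].subnet_of(src) and n.subnet_of(dst)
                         for src, dst in nat0_entries) for n in nets)
        if not exempt:
            findings.append(f"pool {name} is not exempted from NAT by a nat (inside) 0 access-list")
    return findings


# Constructed from the first post: vpdn is enabled but the sysopt line is absent.
CONFIG_BEFORE = """\
access-list pptp-pool permit ip any 10.10.20.224 255.255.255.248
ip address outside x.y.z.188 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip local pool vpn-pool 10.10.20.224-10.10.20.231
global (outside) 1 interface
nat (inside) 0 access-list pptp-pool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpdn group VPNClients accept dialin pptp
vpdn group VPNClients client configuration address local vpn-pool
vpdn enable outside
"""

# Constructed from the second post plus the vpdn lines and the suggested sysopt.
CONFIG_AFTER = """\
access-list permit-vpn-pool permit ip 10.10.10.0 255.255.255.0 192.168.222.0 255.255.255.0
ip address outside x.y.z.188 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip local pool vpn-pool 192.168.222.1-192.168.222.254
global (outside) 1 interface
nat (inside) 0 access-list permit-vpn-pool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpdn group VPNClients accept dialin pptp
vpdn group VPNClients client configuration address local vpn-pool
vpdn enable outside
sysopt connection permit-pptp
"""

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_pptp(cfg) or ["ok"])
```

Run against the first config the checker reports only the missing sysopt line, and against the second it reports nothing, which matches how the thread ended. The overlap check is there because the first reply recommended a separate subnet; on the poster's original 10.10.20.224/29 pool it stays quiet, since that range does not overlap 10.10.10.0/24.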
 
THANK YOU!!!

Not sure what that did but I will read up on it tomorrow!

again thanks!

//RB
 