
PPTP VPN clients cant access inside network


PoorNTGuy (MIS), Apr 11, 2003
Hi!

I'm pulling my hair out trying to resolve this. We just bought a PIX 525 and my NAT stuff works OK. The problem is I can't get my VPN clients, once they VPN in, to ping or access any resources on my LAN.

Here is my config:

:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password GYrKhAbgDwtrBwyF encrypted
passwd G2uIML5wFJWPddSE encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_outbound_nat0_acl permit ip any 10.3.1.0 255.255.255.0
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 161.x.x.250 255.255.255.0
ip address inside 10.1.1.100 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 10.3.1.1-10.3.1.10
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
global (outside) 1 161.x.x.251 netmask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 161.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local testpool
vpdn group 1 client configuration dns 10.1.1.2 161.x.x.200
vpdn group 1 client configuration wins 10.1.1.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username testguy password *********
vpdn enable outside
terminal width 80
Cryptochecksum:20fc2b6683f6aa1e0ff25de0d6b1c197
: end

Thanks

NTguy
 
Hi.

Use syslog messages to get more info from the pix:

Is the pix inside interface configured as default gateway for internal hosts? Can the internal hosts get out to the Internet via the pix?

Did you enable (it's enabled by default) the "use default gateway on remote network" option at the PPTP client?

Bye
Yizhar Hurwitz
 
Yizhar! Thanks for the quick reply.

Yes. "Use Default gateway on the remote Client" is checked and enabled.
 
OK, I disabled "Use remote gateway" and could get out to the Internet once I VPN in... but still can't access my local LAN.
 
Hi.

> Ok I Disabled Use remotegateway ...
You should re-enable it.

Why don't you try the Cisco IPSec VPN client? It can be configured with stronger authentication and has some other benefits.

Did you try syslog messages? What did you get?

> The Problem is i cant get my VPN clients, once they VPN in, to ping or access any resources on my lan ..
What were the exact tests and results?

Also, take a look at the output of the following commands, both at client and server:
ipconfig /all
route print

Bye
Yizhar Hurwitz
 
Yizhar

Once I am VPN'd in I get the following ipconfig:

PPP adapter PIX:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.3.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.3.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.2



My question is this: what command in my PIX config above (in my first post) tells my machine that is VPN'd in, i.e. 10.3.1.1, to access local DNS server 10.1.1.2?

What command lets 10.3.1.0 access 10.1.1.0?


 
Hi.

> What command in my PIX config above (in my first post) tells my machine that is VPN'd in, i.e. 10.3.1.1, to access local DNS server 10.1.1.2?
It's simple, this one:
vpdn group 1 client configuration dns 10.1.1.2 161.x.x.200
This is optional - there are other alternate solutions for name resolution.

> What command lets 10.3.1.0 access 10.1.1.0?
ip address inside 10.1.1.100 255.255.0.0
Once the remote client tunnels all traffic (the VPN connection becomes default gateway), then the pix knows how to route the packets to 10.1.1.0.

However, I've just noticed that in the config you posted initially, you have two different "vpdn group". Why is this so?


Yizhar Hurwitz
 
yizhar

First of all, thanks for replying to my posts. I really do appreciate it!

I did fix the 2 different "vpdn group" issue on my config.

I'm not really concerned about DNS/WINS address resolution issues. I know all the IPs on my internal net. My problem seems to be this: once I VPN in and get an address from the VPN address pool, I cannot seem to ping any machines on my LAN. My LAN consists of IPs from 10.1.1.1-10.1.1.80.

Also, can you explain these two lines:
access-list nonat permit ip any 10.3.1.0 255.255.255.0
nat (inside) 0 access-list nonat

Any other commands I may be forgetting to make network 10.3.1.0 and 10.1.1.0 talk?

--------------------------------------------------------------


here is my current conf:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password GYrKhAbgDwtrBwyF encrypted
passwd G2uIML5wFJWPddSE encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list nonat permit ip any 10.3.1.0 255.255.255.0
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 161.x.x.250 255.255.255.0
ip address inside 10.1.1.100 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 10.3.1.1-10.3.1.10
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.1.0 255.255.255.192 inside
pdm history enable
arp timeout 14400
global (outside) 1 161.x.x.251 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 161.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local testpool
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.1.2 161.x.x.200
vpdn group PPTP-VPDN-GROUP client configuration wins 10.1.1.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username testguy password *********
vpdn enable outside
terminal width 80
Cryptochecksum:20fc2b6683f6aa1e0ff25de0d6b1c197
: end

----------------------------------------------------------------------------------------------


 
Hi Yizhar

I got it to work!!

All I did was change the VPN pool to be on the same network as my internal LAN and it seems to work. I would prefer the VPN pool not be on the same network though. If you could look at this one and tell me what I did wrong on the first one...


here is my changed config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password GYrKhAbgDwtrBwyF encrypted
passwd G2uIML5wFJWPddSE encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 161.x.x.250 255.255.255.0
ip address inside 10.1.1.100 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.1.1.200-10.1.1.210
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 10.3.1.0 255.255.255.240 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 161.x.x.251 netmask 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 161.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 50
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40 required
vpdn group PPTP-VPDN-GROUP client configuration address local vpnpool
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.1.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username testguy password *********
vpdn enable outside
terminal width 80
Cryptochecksum:20fc2b6683f6aa1e0ff25de0d6b1c197


 
Hi.

Something is wrong here.
The VPN pool should use a different subnet than the existing one.
You should go back to the previous configuration (using 10.3.1.x) and maybe change the nat 0 access-list to something like this:
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0

Do not keep your last configuration; it can cause you other strange connectivity problems because of the overlapping subnets.
Switching to the Cisco IPSec VPN client can eliminate some of the problems you have.

How is the remote client connecting to the internet?
Try with dial-up connection.
Try with a remote client directly connected (Ethernet) to the outside interface of the pix.
Does it change anything?

Bye


Yizhar Hurwitz
 
Tried it both from my cable modem connection at home and straight from Ethernet just outside the outside NIC.
 
He's right. You need an access-list. Something like:

StillwaterVPNS = 10.0.10.0 for me
the VPN local pool sets up computers on 10.0.10.1-254

access-list inside_nat0_outbound permit ip any StillwaterVpns 255.255.255.0

with a nat command like this
nat (inside) 0 access-list inside_nat0_outbound

the other thing to check is to make sure your subnet masks are correct on both sides.

As a point of fact, your ip address command has a problem.

ip address inside 10.1.1.100 255.255.0.0

this means that everything 10.1.X.X will be expected to be on the local wire on the inside of the pix.

However, you assigned your VPN addresses in that same subnet. See:
ip local pool vpnpool 10.1.1.200-10.1.1.210

You need to change the vpnpool to something like
ip local pool vpnpool 10.2.0.1-10.2.0.254

and set up an access-list
access-list vpn_access permit ip any 10.2.0.0 255.255.255.0

with a nat command like this
nat (inside) 0 access-list vpn_access


Finally, why not just use the VPN wizard in the PDM to set it up? It works very well.
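A checker for the two rules the last two replies give (the VPN pool must sit on its own subnet, and a nat 0 access-list must exempt inside-to-pool traffic from translation), added here as an example; it is not code from the thread or from Cisco. It parses the relevant lines of a PIX 6.x config with Python's ipaddress module and reports overlapping pools and missing or partial nat 0 exemptions. The three configs embedded at the bottom are constructed excerpts of the ones posted in this thread: the original 10.3.1.x plan passes, the 10.1.1.200-210 pool is flagged as overlapping the inside 10.1.0.0/16, and vl16pool (10.1.2.1-10.1.2.254) from the final IPsec config further down is flagged for the same reason, since the inside interface there is still 10.1.1.100 255.255.0.0. The checker only validates the address plan; it cannot say why the original 10.3.1.x configuration failed, and the thread never establishes that.

```python
# Added example (not from the thread, not Cisco code). Checks a PIX 6.x config
# against the two address-plan rules given above: a VPN pool must not overlap
# a connected interface subnet, and a nat 0 access-list must exempt traffic
# toward the pool. The configs at the bottom are constructed excerpts of the
# ones posted in this thread.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixPlan:
    interfaces: dict = field(default_factory=dict)  # nameif -> IPv4Network
    pools: dict = field(default_factory=dict)       # pool -> covering IPv4Network
    acls: dict = field(default_factory=dict)        # acl -> [(src, dst)]
    nat0: dict = field(default_factory=dict)        # nameif -> acl bound by "nat (if) 0"


def _addr(tok):
    """Consume one PIX ACL address spec: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def range_network(first, last):
    """Smallest prefix containing every address the pool can hand out."""
    net = ipaddress.ip_network(f"{first}/32")
    last = ipaddress.ip_address(last)
    while last not in net:
        net = net.supernet()
    return net


def parse_pix(text):
    """Collect interfaces, pools, 'permit ip' ACL entries and nat 0 bindings."""
    plan = PixPlan()
    for raw in text.splitlines():
        tok = raw.split()
        try:
            if tok[:2] == ["ip", "address"] and tok[3] != "127.0.0.1":
                plan.interfaces[tok[2]] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            elif tok[:3] == ["ip", "local", "pool"]:
                plan.pools[tok[3]] = range_network(*tok[4].split("-"))
            elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
                src, rest = _addr(tok[4:])
                dst, _ = _addr(rest)
                plan.acls.setdefault(tok[1], []).append((src, dst))
            elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
                plan.nat0[tok[1].strip("()")] = tok[4]
        except (ValueError, IndexError, TypeError):
            continue  # redacted addresses (161.x.x.250) or line shapes not modelled here
    return plan


def audit(text):
    """Return findings as strings; an empty list means the plan is consistent."""
    plan = parse_pix(text)
    findings = []
    # Rule 1: a pool must not overlap any directly connected subnet.
    for pool, pnet in plan.pools.items():
        for ifname, inet in plan.interfaces.items():
            if pnet.overlaps(inet):
                findings.append(f"OVERLAP: pool {pool} ({pnet}) lies inside the {ifname} subnet {inet}")
    # Rule 2: some interface's nat 0 ACL must exempt traffic toward the pool,
    # and its source should cover that whole interface subnet, not a slice of it.
    for pool, pnet in plan.pools.items():
        exempted = False
        for ifname, inet in plan.interfaces.items():
            for src, dst in plan.acls.get(plan.nat0.get(ifname), []):
                if pnet.subnet_of(dst):
                    exempted = True
                    if not inet.subnet_of(src):
                        findings.append(f"PARTIAL-NAT0: {ifname} exempts only {src} toward pool {pool}, "
                                        f"but the interface subnet is {inet}")
        if not exempted:
            findings.append(f"NO-NAT0: no nat 0 access-list exempts traffic toward pool {pool} ({pnet})")
    return findings


# Constructed excerpts of the three configs posted in this thread.
FIRST_CONFIG = """\
ip address inside 10.1.1.100 255.255.0.0
ip local pool testpool 10.3.1.1-10.3.1.10
access-list nonat permit ip any 10.3.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
OVERLAP_CONFIG = """\
ip address inside 10.1.1.100 255.255.0.0
ip local pool vpnpool 10.1.1.200-10.1.1.210
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
"""
FINAL_CONFIG = """\
ip address outside 161.x.x.250 255.255.255.0
ip address inside 10.1.1.100 255.255.0.0
ip address vl20 172.20.1.1 255.255.255.0
ip local pool vl16pool 10.1.2.1-10.1.2.254
ip local pool vl20pool 172.20.2.1-172.20.2.254
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 102 permit ip 172.20.1.0 255.255.255.0 172.20.2.0 255.255.255.0
nat (inside) 0 access-list 101
nat (vl20) 0 access-list 102
"""
```

The PARTIAL-NAT0 finding on the final config is worth a look as well: `access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0` exempts only 10.1.1.0/24, while the inside interface is a /16, so any inside host outside 10.1.1.0/24 would still be translated by `nat (inside) 1` when talking to VPN clients. Either narrow the inside mask to what the LAN actually uses or widen the ACL source to 10.1.0.0 255.255.0.0.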
 

Yizhar

Finally took your advice and used the Cisco VPN client, and things are going much smoother! Also changed my VPN pool the way it's supposed to be. Below is my final config for now. Please take a minute to look at it and make sure things look right.
And again, thanks for your help. This is a great help site, one of the best I've found on the web!





PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 vl20 security20
nameif ethernet3 vl30 security30
nameif ethernet4 vl40 security40
nameif ethernet5 vl50 security50
enable password GYrKhAbgDwtrBwyF encrypted
passwd G2uIML5wFJWPddSE encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 102 permit ip 172.20.1.0 255.255.255.0 172.20.2.0 255.255.255.0
access-list 104 permit ip 172.40.1.0 255.255.255.0 172.40.2.0 255.255.255.0
access-list 103 permit ip 172.30.1.0 255.255.255.0 172.30.2.0 255.255.255.0
access-list 105 permit ip 172.50.1.0 255.255.255.0 172.50.2.0 255.255.255.0
pager lines 24
logging on
logging history notifications
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 100full
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu vl20 1500
mtu vl30 1500
mtu vl40 1500
mtu vl50 1500
ip address outside 161.x.x.250 255.255.255.0
ip address inside 10.1.1.100 255.255.0.0
ip address vl20 172.20.1.1 255.255.255.0
ip address vl30 172.30.1.1 255.255.255.0
ip address vl40 172.40.1.1 255.255.255.0
ip address vl50 172.50.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vl16pool 10.1.2.1-10.1.2.254
ip local pool vl20pool 172.20.2.1-172.20.2.254
ip local pool vl30pool 172.30.2.1-172.30.2.254
ip local pool vl40pool 172.40.2.1-172.40.2.254
ip local pool vl50pool 172.50.2.1-172.50.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address vl20 0.0.0.0
failover ip address vl30 0.0.0.0
failover ip address vl40 0.0.0.0
failover ip address vl50 0.0.0.0
pdm location 10.1.1.5 255.255.255.255 inside
pdm location 172.30.1.192 255.255.255.192 vl30
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (vl20) 0 access-list 102
nat (vl20) 1 0.0.0.0 0.0.0.0 0 0
nat (vl30) 0 access-list 103
nat (vl30) 1 0.0.0.0 0.0.0.0 0 0
nat (vl40) 0 access-list 104
nat (vl40) 1 0.0.0.0 0.0.0.0 0 0
nat (vl50) 0 access-list 105
nat (vl50) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 161.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.0.0 255.255.0.0 inside
snmp-server host inside 10.1.1.5
snmp-server location Houston Solutions Center
snmp-server contact Jerry Barron
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
auth-prompt prompt Hello, enter userid and password.
auth-prompt accept Connected
auth-prompt reject Try again.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vl16 address-pool vl16pool
vpngroup vl16 dns-server 10.1.1.2
vpngroup vl16 wins-server 10.1.1.2
vpngroup vl16 default-domain hsc.com
vpngroup vl16 idle-time 1800
vpngroup vl16 password ********
vpngroup vl30 address-pool vl30pool
vpngroup vl30 dns-server 172.30.1.2
vpngroup vl30 default-domain vl30.com
vpngroup vl30 idle-time 1800
vpngroup vl30 password ********
vpngroup vl20 address-pool vl20pool
vpngroup vl20 dns-server 172.30.1.2
vpngroup vl20 default-domain vl20.com
vpngroup vl20 idle-time 1800
vpngroup vl20 password ********
vpngroup vl40 address-pool vl40pool
vpngroup vl40 dns-server 172.40.1.2
vpngroup vl40 default-domain vl40.com
vpngroup vl40 idle-time 1800
vpngroup vl40 password ********
vpngroup vl50 address-pool vl40pool
vpngroup vl50 dns-server 172.50.1.2
vpngroup vl50 default-domain vl50.com
vpngroup vl50 idle-time 1800
vpngroup vl50 password ********
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 50
ssh timeout 5
vpdn enable outside
terminal width 80
----------------------
 
Hi.

This is really a complex VLAN configuration.
It is difficult to comment because we don't see the whole picture.

But I do have some comments:

* Regarding security levels:
> nameif ethernet2 vl20 security20
> nameif ethernet3 vl30 security30
> nameif ethernet4 vl40 security40
> nameif ethernet5 vl50 security50
I would give all those interfaces the same security level, for example security50.
This will help you manage traffic between those interfaces if/when needed.

* DNS:
> vpngroup vl20 dns-server 172.30.1.2
Is there a typo in the above line? Did you plan to write 172.20.1.2 instead?
Anyway, those DNS servers mentioned should be up and accessible by the clients. Otherwise they should not be configured.
Same for the "default-domain vl50.com" etc. If you configure this option, then your DNS server should have a zone named vl50.com, otherwise it will look for it on the Internet.

* XAUTH:
Once VPN is up and running for your satisfaction, you should also configure XAUTH to a RADIUS server.
This adds an important level of security because:
A. It adds a secondary authentication - an attacker will need to know/guess much more info to get in.
B. The vpngroup and password are saved in the VPN dialer configuration - so a stolen or hacked computer can be used to gain access to your network, unless you have another authentication.





Yizhar Hurwitz
 
I had the same problem even with using the "use default gateway on remote computer option" in the TCP/IP properties of the MSFT PPTP connection properties.

After you connect via PPTP to your PIX, if you go to a CMD prompt and type "route print" I'll bet there is no route to the remote network. Add a persistent route to the network you want to access and see if you can access hosts on the remote network. Use "route add ?" for help at the CMD prompt. I say ACCESS a host and NOT PING. Don't expect PINGing a remote host to tell you whether you have a connection or not, because your PIX may not pass the echo-reply back to your PPTP client due to an ACL or even some firewall (XP SP2 etc.) on your client. Instead, open a browser and point it to a web server on the remote network, or even do a "net use" command to connect to the remote resource.
 