PPTP

[anerikkehvadderskals]

Hi, there,

Have asked once before, but did'nt get the answer I was looking for. I'm trying to access my Lan throug a pix 501 using Windows XP and the Windows VPN Client. I get an ip address from my pool but can only ping my self (10.0.0.1) cannot ping my pix (192.168.1.100) or anything else on my lan. How do I permit my Vpn client to ping/access 192.168.1.0 ?? (yes, it is not very secure or safe to let the vpn client access the entire lan but i'm just trying to make it work.)

Any suggestions ??

TIA /thanks for you help

 

[sunyasee]

Can you post your config here so we can see what you have done so far....? ----

Sunyasee

 

[anerikkehvadderskals]

Sure Thing, should have done that,

PIX Version 6.1(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list acl_out permit tcp any host 212.x.x.89 eq smtp
access-list acl_out permit tcp any host 212.x.x.89 eq pop3
access-list acl_out permit tcp any host 212.x.x.89 eq www
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 212.x.x.94 255.255.255.248
ip address inside 192.168.1.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpdnpool 10.0.0.1-10.0.0.50
pdm location 192.168.1.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 212.x.x.89 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h32
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group vpdngroup accept dialin pptp
vpdn group vpdngroup ppp authentication mschap
vpdn group vpdngroup ppp encryption mppe 40 required
vpdn group vpdngroup client configuration address local vpdnpool
vpdn group vpdngroup pptp echo 60
vpdn group vpdngroup client authentication local
vpdn username cisco password cisco
vpdn enable outside
terminal width 80
Cryptochecksum:0a0d250c2998c594a0ca5d14e74a02fe
: end

 

[yizhar]

HI.

You need a "nat 0" configuration:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (inside) 0 access-list nonat

You should also use syslog messages - you will get valuable troubleshooting info from them.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[anerikkehvadderskals]

Thank you for your answer,

Tryed the No nat lines but it is still not working. You write something about using Syslog. I know very little about cisco can you tell me a little bit about it ???

Tia

LC

 

[anerikkehvadderskals]

Hi,

One thing more,

When I connect with my Windows XP to my Pix 501 I get this ip/subnet/gw 10.0.0.1 255.255.255.255 10.0.0.1,

That is not correct is it ??? Seems to that I should have the mask 255.255.255.0 and the pix as gateway ?????

Tia

 

[yizhar]

HI.

Here is the "logging" command reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#xtocid15

Try first logging to buffer:

logging on
logging buffer 4
clear log
[.. Now try to connect from VPN ..]
show log

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[anerikkehvadderskals]

Hi,Yizhar (and others reading this

This is what the Pix tell's me after i connect with my VPN client and try to ping the internal Network. What is the command to get the pix to "tell" me more than this ???

pix(config)# sh log
Syslog logging: enabled
Timestamp logging: disabled
Standby logging: disabled
Console logging: level debugging, 17 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level warnings, 0 messages logged
Trap logging: level debugging, facility 20, 17 messages logged
Logging to inside 192.168.1.100
History logging: level debugging, facility 20, 17 messages logged
pix(config)#

LC

 

[yizhar]

HI.

Try this for the test, but then reduce un-needed debugging to reduce load on the pix:

logging buffer 7

Did you get anything related to the ip addresses on the syslog server 192.168.1.100?

Instead of PING or in addition to it, try to test with TCP - Telnet, Http, Ftp etc...


At the client, you must have the "Use Default Gateway" CHECKED for it to forward packets to the pix.

Please post here your ipconfig, and "route print" output from the client workstation, when connected and when not connected.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[anerikkehvadderskals]

Hi again,

getting closer to a solution (i hope

Now i have updated ios to 6.22 and the PDM to 2.11.

I still cannot ping,telnet,http any host's on the inside lan. This is however what the pix is telling me from the log

111009: User 'enable_15' executed cmd: show logging
106011: Deny inbound (No xlate) udp src outside:10.0.0.1/1029 dst outside:212.x
.x.2/53
106011: Deny inbound (No xlate) udp src outside:10.0.0.1/1029 dst outside:212.x
.x.3/53
302010: 0 in use, 0 most used
609001: Built local-host inside:192.168.1.1
302013: Built inbound TCP connection 0 for outside:10.0.0.1/3023 (10.0.0.1/3023)
to inside:192.168.1.1/80 (192.168.1.1/80)
302013: Built inbound TCP connection 1 for outside:10.0.0.1/3024 (10.0.0.1/3024)
to inside:192.168.1.1/80 (192.168.1.1/80)
302013: Built inbound TCP connection 2 for outside:10.0.0.1/3025 (10.0.0.1/3025)
to inside:192.168.1.100/23 (192.168.1.100/23)
302014: Teardown TCP connection 0 for outside:10.0.0.1/3023 to inside:192.168.1.
1/80 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 1 for outside:10.0.0.1/3024 to inside:192.168.1.
1/80 duration 0:02:01 bytes 0 SYN Timeout
302014: Teardown TCP connection 2 for outside:10.0.0.1/3025 to inside:192.168.1.
100/23 duration 0:02:01 bytes 0 SYN Timeout
611103: User logged out: Uname: enable_15
307002: Permitted Telnet login session from 192.168.1.73
502103: User priv level changed: Uname: enable_1 From: 1 To: 15
111008: User 'enable_1' executed the 'enable' command.
111007: Begin configuration: 192.168.1.73 reading from terminal
111008: User 'enable_15' executed the 'configure t' command.
pix(config)#

Seems to me that I have to allow trafic from 10.0.0.0 to 192.168.1.0 ????

Any suggestions ???

LC

 

[yizhar]

HI.

> 302013: Built inbound TCP connection 0 for outside:10.0.0.1/3023
> 302014: Teardown TCP connection 0 for outside:10.0.0.1/3023 to inside:192.168.1.
1/80 duration 0:02:01 bytes 0 SYN Timeout

So the pix isn't blocking the traffic, but there is no answer from the server.

Check the server configuration -
What is the default gateway of the server???
Can you browse the Internet from the server?
Is the server filtering traffic itself (IIS configuration)?
Is port 80 open on the server?

Can you post here you're current pix configuration?

> 302013: Built inbound TCP connection 2 for outside:10.0.0.1/3025 (10.0.0.1/3025)
to inside:192.168.1.100/23 (192.168.1.100/23)
Don't try to access the pix own internal interface from a VPN client. It won't work.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[mchhipa]

Hello anerikkehvadderskals,

Has this issue been resolved? if not I can suggest you something on this.

Mehboob