Hello all and Happy New Year.
I have configured my PIX 501 running 6.3(4) to accept PPTP clients. I have set up a small range of DHCP addresses and successfully connected to the PIX with an XP Pro client using PPTP with a static NATed (no PAT) IP address.
Although I connect successfully and get a proper DHCP-assigned address, I can not use any internal hosts unless I manually do a "route add" command on the XP client. This is not a practical solution of course because the DHCP address you get changes at times and then you have to use the DHCP-assigned IP address as your gateway to the network in your "route add" statement. The network that I am connecting to is a single flat network 192.168.100.0 /24 . The DHCP addresses I am using is 192.168.1.1 - 192.168.1.5 /24 .
I have tried changing the "use default gateway on remote network" setting in the advanced settings of the TCP/IP properties used to make the connection in the Microsoft PPTP VPN connection. Either way I set it, I still have to use a "route add" command to reach hosts on the remote network. If I check the box, then I can not surf the internet at the same time as use the PPTP connection so I have left it unchecked. This behavior I am used to when I used to connect to a Cisco 3000 VPN concentrator.
Is there a statement to put in the PIX that will give the PPTP client the proper gateway to reach the inside network? I thought it would be a "route inside" command but it existed already although it does not show up in the config file. When you try to add it, it shows you it is already there.
Here is the relevent snippets from the PIX running config so as to do away with the unnecessary clutter to look through. Any help I can get would be great. I am a bit rusty on the PIX.
What is strange is how can I use hosts on the internal network after the "route add" command? Is it because I do not have a "access-group inside_nat0_outbound in interface outside" or "access-group inside_nat0_outbound in interface inside" statement in the PIX???
Thanks in advance!
Chuck
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
fixup protocol pptp 1723
names
name 192.168.100.100 Server1
name 192.168.100.0 sellers
access-list outside_access_in permit tcp any host 67.118.XXX.115 eq smtp
access-list outside_access_in permit tcp any host 67.118.XXX.115 eq www
access-list inside_access_out permit icmp any any
access-list inside_access_out permit ip any any
access-list inside_nat0_outbound permit ip sellers 255.255.255.0 10.110.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip sellers 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip sellers 255.255.255.0 Conifer_Main 255.255.255.0
access-list outside_cryptomap_20 permit ip sellers 255.255.255.0 Conifer_DMZ 255.255.0.0
access-list outside_cryptomap_20 permit ip sellers 255.255.255.0 Conifer_Vendor 255.255.0.0
access-list outside_cryptomap_30 permit ip sellers 255.255.255.0 BOYD 255.255.255.0
mtu outside 1500
mtu inside 1500
ip address outside 67.118.XXX.114 255.255.255.248
ip address inside 192.168.100.254 255.255.255.0
ip local pool smallvpnpool 192.168.1.1-192.168.1.5
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.118.XXX.115 Server1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 67.118.XXX.113 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 30
isakmp client configuration address-pool local smallvpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup vpn-all address-pool smallvpnpool
vpngroup vpn-all dns-server Server1
vpngroup vpn-all default-domain DOMAIN
vpngroup vpn-all idle-time 1800
vpngroup vpn-all password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local smallvpnpool
vpdn group 1 client configuration dns Server1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password *********
vpdn enable outside
I have configured my PIX 501 running 6.3(4) to accept PPTP clients. I have set up a small range of DHCP addresses and successfully connected to the PIX with an XP Pro client using PPTP with a static NATed (no PAT) IP address.
Although I connect successfully and get a proper DHCP-assigned address, I can not use any internal hosts unless I manually do a "route add" command on the XP client. This is not a practical solution of course because the DHCP address you get changes at times and then you have to use the DHCP-assigned IP address as your gateway to the network in your "route add" statement. The network that I am connecting to is a single flat network 192.168.100.0 /24 . The DHCP addresses I am using is 192.168.1.1 - 192.168.1.5 /24 .
I have tried changing the "use default gateway on remote network" setting in the advanced settings of the TCP/IP properties used to make the connection in the Microsoft PPTP VPN connection. Either way I set it, I still have to use a "route add" command to reach hosts on the remote network. If I check the box, then I can not surf the internet at the same time as use the PPTP connection so I have left it unchecked. This behavior I am used to when I used to connect to a Cisco 3000 VPN concentrator.
Is there a statement to put in the PIX that will give the PPTP client the proper gateway to reach the inside network? I thought it would be a "route inside" command but it existed already although it does not show up in the config file. When you try to add it, it shows you it is already there.
Here is the relevent snippets from the PIX running config so as to do away with the unnecessary clutter to look through. Any help I can get would be great. I am a bit rusty on the PIX.
What is strange is how can I use hosts on the internal network after the "route add" command? Is it because I do not have a "access-group inside_nat0_outbound in interface outside" or "access-group inside_nat0_outbound in interface inside" statement in the PIX???
Thanks in advance!
Chuck
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
fixup protocol pptp 1723
names
name 192.168.100.100 Server1
name 192.168.100.0 sellers
access-list outside_access_in permit tcp any host 67.118.XXX.115 eq smtp
access-list outside_access_in permit tcp any host 67.118.XXX.115 eq www
access-list inside_access_out permit icmp any any
access-list inside_access_out permit ip any any
access-list inside_nat0_outbound permit ip sellers 255.255.255.0 10.110.0.0 255.255.0.0
access-list inside_nat0_outbound permit ip sellers 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip sellers 255.255.255.0 Conifer_Main 255.255.255.0
access-list outside_cryptomap_20 permit ip sellers 255.255.255.0 Conifer_DMZ 255.255.0.0
access-list outside_cryptomap_20 permit ip sellers 255.255.255.0 Conifer_Vendor 255.255.0.0
access-list outside_cryptomap_30 permit ip sellers 255.255.255.0 BOYD 255.255.255.0
mtu outside 1500
mtu inside 1500
ip address outside 67.118.XXX.114 255.255.255.248
ip address inside 192.168.100.254 255.255.255.0
ip local pool smallvpnpool 192.168.1.1-192.168.1.5
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.118.XXX.115 Server1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 67.118.XXX.113 1
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 30
isakmp client configuration address-pool local smallvpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup vpn-all address-pool smallvpnpool
vpngroup vpn-all dns-server Server1
vpngroup vpn-all default-domain DOMAIN
vpngroup vpn-all idle-time 1800
vpngroup vpn-all password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local smallvpnpool
vpdn group 1 client configuration dns Server1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password *********
vpdn enable outside
