VPDN and Static IP Addresses

Status
Not open for further replies.

APlant

Technical User
Aug 2, 2001
45
GB
Hello,
I've configured a PIX 515e to allow for VPN access via the Cisco Secure Client and VPDN access via Windows 2000 VPN client (PPTP). All this works OK. The problem I have is that one or two people also want to access the Internet whilst connected to the private Network. I have followed an MS Technote and can achieve this but it means putting in a static route on the PC using the gateway as the IP address of the PC (i.e. the one assigned by the pool on the PIX). Although this works I cannot offer this option to a user, imagine having to get them to find the IP address dynamically assigned to them and then getting them to add a route!!! I can achieve this though if I use a static IP address rather than dynamically assigned. I cannot however see a way of configuring the PIX to allow for static IP addresses to be used when users connect. Please can anyone clarify this or am I missing something??

Many thanks
 
HI.

With the pix as PPTP server, it cannot be done (or at least I don't know of a working work-around).

With the pix as IPSec VPN server and Cisco IPSec VPN software client, it's easy. Just add the split-tunnel option.
So my warmest suggestion is to stop using the PPTP option on the pix and use only Cisco VPN. The latest Cisco VPN software supports all current MS Windows versions so there is no reason not to use it on all clients.

Another option is to implement an MS PPTP VPN server on your inside network, and configure the pix to allow GRE and PPTP traffic to it.
That way you can remove the "use default gateway" at the PPTP clients connection properties.

Bye
Yizhar Hurwitz
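
The two options in the reply above, sketched as a PIX configuration fragment. This is an added example, not configuration posted by anyone in the thread. It assumes PIX OS 6.x syntax, and every address, the group name `vpn3000`, the pool name `vpnpool` and the ACL names are constructed placeholders.

```cisco
: Constructed example values (assumptions, not from the thread):
:   inside LAN 10.1.1.0/24, VPN client pool 10.1.2.0/24,
:   inside PPTP server 10.1.1.10, published as 192.0.2.10

: Option 1: Cisco VPN client with split tunnelling.
: ACL 101 names the traffic that belongs in the tunnel (inside LAN <-> pool).
: Everything else leaves the client through its own Internet connection.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool vpnpool 10.1.2.1-10.1.2.254
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 split-tunnel 101

: Option 2: PPTP terminated on an inside MS server instead of the PIX.
: PPTP needs TCP 1723 for control and GRE (IP protocol 47) for data.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 192.0.2.10 eq 1723
access-list acl_out permit gre any host 192.0.2.10
access-group acl_out in interface outside
```

With split tunnelling the client's Internet traffic no longer passes through the PIX, so keep ACL 101 limited to the internal networks the users actually need.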
 
Many thanks for this information. The customer does not want to use the Cisco Secure client because they cannot use Internet Connection sharing when they use the Cisco Secure Client. Therefore they have decided to use the Windows VPN client. I had thought about implementing MS PPTP inside the firewall but I think this would be overkill and may lead to 'other' issues. Please could you confirm that Internet Connection sharing must be disabled when using the Cisco Secure client, I have searched for this answer on Cisco's Web site and consulted with a colleague and we both believe this is not possible. I know you have to disable it when installing the client but must it always be disabled when you are using the Secure client?
 
HI.

Yes, ICS has a built in "engine" to handle PPTP clients behind it, but does not handle IPSec.
So -
PPTP should work.
Cisco VPN client behind ICS to pix will not work.
Cisco VPN client to Cisco VPN concentrator will probably work if you wish to buy it, because it supports IPSec over TCP/UDP - but I guess that you would prefer a PPTP server if you don't need to purchase it.

Bye
Yizhar Hurwitz
 