Cisco Pix-501 6.1 VPN trouble
From: Osman Shoukry (oshoukry@onepage.com)
Date: 01/24/02
From: oshoukry@onepage.com (Osman Shoukry) Date: 23 Jan 2002 15:59:21 -0800
Dear All,
For the past few days now I've been reading and trying to configure a
PPTP server on the pix-501.
I have been able to get the clients (mobile) to authenticate and
connect, however the Cisco howto document says:
"The Windows client can Telnet to host 192.168.0.2 through the global
IP address 209.165.201.2 in the static command statement"
Now I have two questions regarding this:
1) How do you have a VPN client connect using PPTP to the Cisco PIX
and still be able to browse the whole MS network, without having to
map it all on the outside?
When I try to ping the inside SMTP server all I get is:
106011: Deny inbound icmp src outside:10.x.x.1 dst inside:smtp_int (type 8, code 0)
2) How do you have these clients access the outside world too? Meaning,
if they get a virtual IP, how do you route the incoming PPTP traffic,
after decoding the packets to unencrypted IP, back out to the outside?
(How do you NAT VPN users?)
When I try to ping the outside gateway all I get is:
106011: Deny inbound (No xlate) icmp src outside:10.x.x.1 dst outside:gateway (type 8, code 0)
---- Config:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
name 192.168.x.x pix_in
name x.x.x.106 pix_out
name x.x.x.105 gateway
name x.x.x.110 group_pat
name 192.168.x.x Inside_LAN
name x.x.x.107 smtp_ext
name 192.168.x.x smtp_int
name x.x.x.108 wins_ext
name 192.168.x.x wins_int
name x.x.x.12 dns1_ext
name x.x.x.12 dns2_ext
access-list local_ip permit ip 10.x.x.0 255.255.255.0 192.168.x.x 255.255.255.0
ip address inside pix_in 255.255.255.0
ip local pool vpn_tunnels 10.x.x.1-10.x.x.5
global (outside) 10 interface
nat 0 access-list local_ip
nat (inside) 10 Inside_LAN 255.255.255.0 0 0
static (inside,outside) smtp_ext smtp_int netmask 255.255.255.255 0 0
static (inside,outside) wins_ext wins_int netmask 255.255.255.255 0 0
conduit permit tcp any host smtp_ext eq smtp
route outside 0.0.0.0 0.0.0.0 gateway 1
sysopt connection permit-pptp
no sysopt route dnat
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local vpn_tunnels
vpdn group 1 client configuration dns dns1_ext dns2_ext
vpdn group 1 client configuration wins wins_ext
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username myuser password mypass
vpdn enable outside
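Added example (not from the post or from Cisco): a small Python parser for the 106011 deny messages quoted above. It separates drops carrying the "(No xlate)" qualifier (no translation slot existed for the flow) from drops of PPTP-pool clients that simply matched no permitting conduit or access-list, using the address range syntax of the ip local pool command. The sample log lines and all addresses are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log modelled on the two 106011 lines in the post;
# the addresses and the third line are made up for this example.
SAMPLE_LOG = """\
106011: Deny inbound icmp src outside:10.0.0.1 dst inside:smtp_int (type 8, code 0)
106011: Deny inbound (No xlate) icmp src outside:10.0.0.1 dst outside:gateway (type 8, code 0)
106011: Deny inbound tcp src outside:198.51.100.9 dst inside:smtp_int
"""

DENY_RE = re.compile(
    r"^106011: Deny inbound(?: \((?P<reason>[^)]*)\))? (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>\S+) dst (?P<dst_if>\w+):(?P<dst>\S+)"
)

@dataclass
class DenyEvent:
    proto: str
    src_if: str
    src: str
    dst_if: str
    dst: str
    reason: Optional[str]   # e.g. "No xlate", or None when no qualifier

def parse_deny(line: str) -> Optional[DenyEvent]:
    """Parse one 106011 line; any other syslog id yields None."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    fields = ("proto", "src_if", "src", "dst_if", "dst", "reason")
    return DenyEvent(**{k: m.group(k) for k in fields})

def pool_addresses(pool_spec: str) -> set:
    """Expand the 'a.b.c.d-a.b.c.e' range used by 'ip local pool'."""
    lo, hi = (ipaddress.IPv4Address(p) for p in pool_spec.split("-"))
    return {str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)}

def classify(ev: DenyEvent, pool: set) -> str:
    """Name the drop cause from the log fields alone."""
    if ev.reason == "No xlate":
        return "no-xlate"        # no translation slot existed for this flow
    if ev.src in pool:
        return "vpn-no-permit"   # a PPTP client matched no permitting rule
    return "no-permit"           # ordinary inbound traffic with no conduit/ACL

def summarize(log: str, pool_spec: str) -> dict:
    """Count deny events per cause, given the VPN pool range."""
    pool = pool_addresses(pool_spec)
    counts: dict = {}
    for ev in filter(None, map(parse_deny, log.splitlines())):
        key = classify(ev, pool)
        counts[key] = counts.get(key, 0) + 1
    return counts
```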