Re: Cisco Pix-501 6.1 VPN trouble
From: "Cheeky Monkey" <cheeky@monkey.co.uk>
Date: Thu, 24 Jan 2002 15:55:46 -0000
In reply to: Osman Shoukry: "Cisco Pix-501 6.1 VPN trouble"
access-list local_ip permit ip 10.x.x.0 255.255.255.0 192.168.x.x 255.255.255.0
is wrong; it should be:
access-list local_ip permit ip 192.168.x.x 255.255.255.0 (LAN) 10.x.x.0 255.255.255.0 (VPN Client pool)
"Osman Shoukry" <oshoukry@onepage.com> wrote in message
news:c3fcd590.0201231559.1896c6d9@posting.google.com...
> Dear All,
> For the past few days now I've been reading and trying to configure
> PPTP server on the pix-501.
> I have been able to get the clients (mobile) to authenticate and
> connect, however the cisco howto document says :
> "The Windows client can Telnet to host 192.168.0.2 through the global
> IP address 209.165.201.2 in the static command statement"
>
> Now I have two questions regarding this:
> 1) How do you have a vpn client connect using PPTP to the cisco pix
> and still be able to browse the whole MS network, without having to
> map it all on the outside.
>
> When I try to ping the inside smtp server all I get is:
> 106011: Deny inbound icmp src outside:10.x.x.1 dst inside:smtp_int
> (type 8, code 0)
>
> 2) How do you have these clients access the outside world too? meaning
> if they get a virtual IP how do you route the incoming PPTP traffic
> after decoding the packets to unencrypted IP back out to the outside?
> (how to NAT vpn users?)
>
> When I try to ping the outside gateway all I get is:
> 106011: Deny inbound (No xlate) icmp src outside:10.x.x.1 dst
> outside:gateway (type 8, code 0)
>
> ---- Config:
>
> PIX Version 6.1(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> hostname pixfirewall
> name 192.168.x.x pix_in
> name x.x.x.106 pix_out
> name x.x.x.105 gateway
> name x.x.x.110 group_pat
> name 192.168.x.x Inside_LAN
> name x.x.x.107 smtp_ext
> name 192.168.x.x smtp_int
> name x.x.x.108 wins_ext
> name 192.168.x.x wins_int
> name x.x.x.12 dns1_ext
> name x.x.x.12 dns2_ext
> access-list local_ip permit ip 10.x.x.0 255.255.255.0 192.168.x.x 255.255.255.0
> ip address inside pix_in 255.255.255.0
> ip local pool vpn_tunnels 10.x.x.1-10.x.x.5
> global (outside) 10 interface
> nat 0 access-list local_ip
> nat (inside) 10 Inside_LAN 255.255.255.0 0 0
> static (inside,outside) smtp_ext smtp_inside netmask 255.255.255.255 0 0
> static (inside,outside) wins_ext wins_inside netmask 255.255.255.255 0 0
> conduit permit tcp any host smtp_ext eq smtp
> route outside 0.0.0.0 0.0.0.0 gateway 1
> sysopt connection permit-pptp
> no sysopt route dnat
> vpdn group 1 accept dialin pptp
> vpdn group 1 ppp authentication mschap
> vpdn group 1 ppp encryption mppe 40 required
> vpdn group 1 client configuration address local vpn_tunnels
> vpdn group 1 client configuration dns dns1_ext dns2_ext
> vpdn group 1 client configuration wins wins_ext
> vpdn group 1 pptp echo 60
> vpdn group 1 client authentication local
> vpdn username myuser password mypass
> vpdn enable outside
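A small checker for the mistake the reply points out, added here as an example; it is not part of the original thread and not Cisco's code. On PIX 6.x the ACL bound by nat 0 access-list is matched against traffic from the inside hosts, so the source of each permit entry is the inside LAN and the destination is the VPN client pool. The script parses a config in the shape of the posted one (name aliases, ip address inside, ip local pool, access-list and nat 0 lines), flags an entry whose source network holds the pool addresses while its destination holds the inside network, and prints the entry with the two sides swapped. The sample config, its filled-in addresses, and all function names are constructed for this example. It says nothing about the second question: a 106011 "No xlate" deny on traffic from a VPN client toward the outside gateway is the PIX 6.x software refusing to send a packet back out the interface it arrived on, which that release does not support regardless of NAT.

```python
"""Check a PIX 6.x config for a nat 0 access-list entry written backwards
(VPN pool as source, inside LAN as destination). Example code, not Cisco's."""
import ipaddress
import re

# Constructed sample modelled on the posted config. The x's in the post are
# filled in with private addresses chosen for this example (an assumption,
# not the poster's real addressing).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 192.168.1.1 pix_in
name 192.168.1.0 Inside_LAN
access-list local_ip permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside pix_in 255.255.255.0
ip local pool vpn_tunnels 10.1.1.1-10.1.1.5
nat 0 access-list local_ip
nat (inside) 10 Inside_LAN 255.255.255.0 0 0
"""

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Accept both "nat 0 access-list X" and "nat (inside) 0 access-list X".
NAT0_RE = re.compile(r"^nat(?:\s+\(\S+\))?\s+0\s+access-list\s+(\S+)")


def _net(addr, mask, names):
    """Turn an address (or a 'name' alias) plus a PIX netmask into a network."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_config(text):
    """Extract name aliases, inside network, local pools, ACLs and nat 0 refs."""
    names, pools, acls, nat0 = {}, {}, {}, []
    inside = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            _, ip, alias = line.split()
            names[alias] = ip
        elif line.startswith("ip address inside "):
            _, _, _, addr, mask = line.split()
            inside = _net(addr, mask, names)
        elif line.startswith("ip local pool "):
            _, _, _, pool, rng = line.split()
            lo, hi = rng.split("-")
            pools[pool] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        else:
            m = NAT0_RE.match(line)
            if m:
                nat0.append(m.group(1))
                continue
            m = ACE_RE.match(line)
            if m:
                acl, src, smask, dst, dmask = m.groups()
                acls.setdefault(acl, []).append(
                    {"acl": acl, "src": _net(src, smask, names),
                     "dst": _net(dst, dmask, names), "text": line})
    return {"names": names, "inside": inside, "pools": pools,
            "acls": acls, "nat0": nat0}


def _touches_pool(net, pools):
    """True if an end of any local pool falls inside net."""
    return any(lo in net or hi in net for lo, hi in pools.values())


def corrected_ace(ace):
    """The same entry with source and destination swapped (LAN first)."""
    return "access-list {} permit ip {} {} {} {}".format(
        ace["acl"], ace["dst"].network_address, ace["dst"].netmask,
        ace["src"].network_address, ace["src"].netmask)


def check_nat0(cfg):
    """One finding per nat 0 entry whose source is the VPN pool, not the LAN."""
    findings = []
    inside = cfg["inside"]
    for acl in cfg["nat0"]:
        for ace in cfg["acls"].get(acl, []):
            src_is_pool = _touches_pool(ace["src"], cfg["pools"])
            src_is_lan = inside is not None and inside.network_address in ace["src"]
            dst_is_lan = inside is not None and inside.network_address in ace["dst"]
            if src_is_pool and not src_is_lan and dst_is_lan:
                findings.append({"acl": acl, "bad": ace["text"],
                                 "corrected": corrected_ace(ace)})
    return findings


if __name__ == "__main__":
    for f in check_nat0(parse_config(SAMPLE_CONFIG)):
        print("nat 0 entry has the VPN pool as source:\n  " + f["bad"])
        print("should be:\n  " + f["corrected"])
```

Run it against a saved config by replacing SAMPLE_CONFIG with the file's contents; the check only looks at permit ip entries referenced from nat 0, so ordinary filtering ACLs are ignored.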