Velocity Reviews


Scott Townsend 09-23-2004 07:02 PM

PPTP Client Can't access other internal Subnets when connecting to PIX
 
I have a PIX setup to accept PPTP and IPSec connections.

The PIX is on 10.1.x.x network.
I have other 10.Y.x.x networks that I would like the PPTP clients to
have access to.

I believe my IPSec clients do not have any issues with connecting to
the other remote Subnets...

Here are the Relevant (I believe) sections of the config.

Any Help would be appreciated.

Thanks,
Scott<-
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0
access-list inside_nat permit ip 10.201.0.0 255.255.0.0 10.201.0.0 255.255.0.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.11.0.0 255.255.255.0
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
access-list 110 permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
access-list 110 permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.0.0
access-list 110 permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0

ip local pool ipsecpool 10.200.0.1-10.200.1.254
ip local pool remoteVPN 10.201.0.1-10.201.0.254

nat (inside) 0 access-list inside_nat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 204.145.245.15 2
route outside 0.0.0.0 0.0.0.0 204.145.245.2 10
route inside 10.2.0.0 255.255.0.0 10.1.0.1 1
route inside 10.3.0.0 255.255.0.0 10.1.0.1 1
route inside 10.4.0.0 255.255.0.0 10.1.0.1 1
route inside 10.5.0.0 255.255.0.0 10.1.0.1 1
route inside 10.10.0.0 255.255.0.0 10.1.0.3 1
route outside 10.200.0.0 255.255.0.0 204.145.245.15 2
route outside 10.200.0.0 255.255.0.0 204.145.245.2 10
route outside 10.201.0.0 255.255.255.0 204.145.245.15 2
route outside 10.201.0.0 255.255.255.0 204.145.245.2 10
route inside 10.254.0.0 255.255.0.0 10.1.0.1 1

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local remoteVPN
vpdn group PPTP-VPDN-GROUP client configuration dns Server-AD3_i
vpdn group PPTP-VPDN-GROUP client configuration wins Server-AD3_i
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local

PES 09-23-2004 07:53 PM

Re: PPTP Client Can't access other internal Subnets when connecting to PIX
 

"Scott Townsend" <scott@serra.com> wrote in message
news:14b27981.0409231102.35b124bb@posting.google.com...
>I have a PIX setup to accept PPTP and IPSec connections.
>
> The PIX is on 10.1.x.x network.
> I have other 10.Y.x.x networks that I would like the PPTP clients to
> have access to.
>

The client may be getting 10.201.x.x with a 255.0.0.0 mask. If so, it may
not realize the need to go through next hop to get to other addresses. I
think there is a newer version of PIX OS that permits the subnet mask in the
ip pool command and resolves this issue. Also, make sure your PPTP client
is set to use default gw on remote network.

> I believe my IPSec clients do not have any issues with connecting to
> the other remote Subnets...
>
> Here are the Relevant (I believe) sections of the config.
>
> Any Help would be appreciated.
>
> Thanks,
> Scott<-
> access-list inside_nat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
> access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
> access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
> access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0
> access-list inside_nat permit ip 10.201.0.0 255.255.0.0 10.201.0.0 255.255.0.0
> access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
> access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.11.0.0 255.255.255.0
> access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
> access-list 110 permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
> access-list 110 permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.0.0
> access-list 110 permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
>
> ip local pool ipsecpool 10.200.0.1-10.200.1.254
> ip local pool remoteVPN 10.201.0.1-10.201.0.254
>
> nat (inside) 0 access-list inside_nat
> nat (inside) 1 10.0.0.0 255.0.0.0 0 0
>
> route outside 0.0.0.0 0.0.0.0 204.145.245.15 2
> route outside 0.0.0.0 0.0.0.0 204.145.245.2 10
> route inside 10.2.0.0 255.255.0.0 10.1.0.1 1
> route inside 10.3.0.0 255.255.0.0 10.1.0.1 1
> route inside 10.4.0.0 255.255.0.0 10.1.0.1 1
> route inside 10.5.0.0 255.255.0.0 10.1.0.1 1
> route inside 10.10.0.0 255.255.0.0 10.1.0.3 1
> route outside 10.200.0.0 255.255.0.0 204.145.245.15 2
> route outside 10.200.0.0 255.255.0.0 204.145.245.2 10
> route outside 10.201.0.0 255.255.255.0 204.145.245.15 2
> route outside 10.201.0.0 255.255.255.0 204.145.245.2 10
> route inside 10.254.0.0 255.255.0.0 10.1.0.1 1
>
> vpdn group PPTP-VPDN-GROUP accept dialin pptp
> vpdn group PPTP-VPDN-GROUP ppp authentication mschap
> vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
> vpdn group PPTP-VPDN-GROUP client configuration address local remoteVPN
> vpdn group PPTP-VPDN-GROUP client configuration dns Server-AD3_i
> vpdn group PPTP-VPDN-GROUP client configuration wins Server-AD3_i
> vpdn group PPTP-VPDN-GROUP pptp echo 60
> vpdn group PPTP-VPDN-GROUP client authentication local
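
Added example, not part of either post: a Python check that takes the pool and inside routes from the posted config and shows which inside networks a client holding a pool address would count as its own subnet under the 255.0.0.0 mask the reply suspects versus a 255.255.255.0 mask. It also confirms the `nat 0` ACL covers those networks toward the whole pool. The excerpt carries three of the posted inside routes, and the function names are this example's own.

```python
import ipaddress
import re

# Excerpt of the configuration posted in the thread (wrapped lines rejoined).
CONFIG = """\
access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0
ip local pool remoteVPN 10.201.0.1-10.201.0.254
nat (inside) 0 access-list inside_nat
route inside 10.2.0.0 255.255.0.0 10.1.0.1 1
route inside 10.10.0.0 255.255.0.0 10.1.0.3 1
route inside 10.254.0.0 255.255.0.0 10.1.0.1 1
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def inside_routes(config):
    """Networks the PIX reaches through 'route inside' statements."""
    return [net(a, m) for a, m in
            re.findall(r"^route inside (\S+) (\S+) \S+", config, re.M)]

def pool_range(config, name):
    """First and last address of the named 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+)$", config, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def client_view(client_ip, mask, destinations):
    """Split destinations into (inside the client's own subnet, outside it)."""
    own = net(client_ip, mask)
    local = [d for d in destinations if d.subnet_of(own)]
    remote = [d for d in destinations if not d.subnet_of(own)]
    return local, remote

def nat0_gaps(config, acl, pool, destinations):
    """Inside networks with no permit line in `acl` toward the whole pool."""
    rules = [(net(s, sm), net(d, dm)) for s, sm, d, dm in re.findall(
        rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)$",
        config, re.M)]
    first, last = pool
    return [n for n in destinations
            if not any(n.subnet_of(src) and first in dst and last in dst
                       for src, dst in rules)]

if __name__ == "__main__":
    routes = inside_routes(CONFIG)
    pool = pool_range(CONFIG, "remoteVPN")
    for mask in ("255.0.0.0", "255.255.255.0"):
        local, remote = client_view(pool[0], mask, routes)
        print(mask, "own subnet:", local, "needs a route or gateway:", remote)
    print("nat 0 gaps:", nat0_gaps(CONFIG, "inside_nat", pool, routes))
```
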
