Velocity Reviews - Computer Hardware Reviews

PIX501 lan-to-lan and PPTP


Remco Bressers
01-22-2004
Help!

I am having problems with LAN-to-LAN and PPTP at the same time on a
PIX501 (6.3).
LAN-to-LAN works perfectly with these settings, but with PPTP I am having
a big problem. I can connect with my MS VPN client to the PIX. I receive
an IP address from the PIX, but I cannot do anything on the LAN.

Can anybody put me in the right direction?

Here's some output (only the interesting parts):

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside 217.21.246.225 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip local pool pptp-pool 10.0.0.220-10.0.0.230
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list pptp 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 217.21.246.226 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.21.246.229
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.21.246.229 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password *********
vpdn enable outside


Rik Bain
01-22-2004
On Thu, 22 Jan 2004 04:39:25 -0600, Remco Bressers wrote:

> Help!
>
> I am having problems with LAN-to-LAN and PPTP at the same time on a
> PIX501 (6.3).
> LAN-to-LAN works perfect with these settings, but with PPTP i am having
> a big problem. I can connect with my MS VPN client to the PIX. I receive
> an IP address from the PIX, but i cannot do anything on the LAN.
>
> Can anybody put me in the right direction?

You need to add a line to your nat 0 access-list for the PPTP clients'
address pool so that the traffic will bypass NAT.

Example:
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0





Rik Bain
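To see why the missing nat 0 entry matters, here is an added Python model (not from the thread or from Cisco) that parses the nat and access-list lines quoted above and reports which nat statement an inside host's traffic to a PPTP client (pool 10.0.0.220-10.0.0.230) hits before and after Rik's extra line. It assumes a simplified PIX 6.x precedence of NAT exemption, then policy NAT, then regular NAT, and ignores the static translations; the sample flows and the 198.51.100.7 destination are constructed.

```python
import ipaddress

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix_nat(text):
    """Pull 'access-list ... permit ip' and 'nat (inside) ...' lines out of a PIX 6.x config."""
    acls, rules = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
        elif t[:2] == ["nat", "(inside)"] and t[3] == "access-list":
            rules.append({"id": int(t[2]), "acl": t[4], "line": line})
        elif t[:2] == ["nat", "(inside)"]:
            rules.append({"id": int(t[2]), "nets": [(_net(t[3], t[4]), _net("0.0.0.0", "0.0.0.0"))], "line": line})
    return acls, rules

def nat_rule_for(acls, rules, src, dst):
    """Return the nat statement an inside-originated src->dst flow hits ('' if none).
    Simplified PIX 6.x order (assumption): nat 0 exemption first, then policy NAT
    (nat id with access-list) in config order, then regular NAT; statics not modelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    def rank(r):  # exemption < policy NAT < regular NAT
        return 0 if r["id"] == 0 and "acl" in r else (1 if "acl" in r else 2)
    for r in sorted(rules, key=rank):  # sorted() is stable: config order kept within a rank
        for sn, dn in (acls.get(r["acl"], []) if "acl" in r else r["nets"]):
            if s in sn and d in dn:
                return r["line"]
    return ""

def check(config, src, dst):
    acls, rules = parse_pix_nat(config)
    return nat_rule_for(acls, rules, src, dst)

# Remco's NAT-relevant lines as posted (constructed excerpt, before Rik Bain's fix).
BEFORE = """
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list pptp 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# Same config with the extra nat 0 entry covering the 10.0.0.220-230 PPTP pool.
AFTER = BEFORE.replace("nat (inside) 0", "access-list inside_outbound_nat0_acl permit ip "
                       "10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0\nnat (inside) 0", 1)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "10.0.0.2 -> 10.0.0.225 hits:", check(cfg, "10.0.0.2", "10.0.0.225") or "no rule")
```

Before the fix the inside-to-PPTP-client flow falls through to a translating nat statement; after it, the same flow is exempted by nat 0, while the site-to-site and Internet flows are unchanged.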

Remco Bressers
01-22-2004
Rik Bain wrote:
> You need to add a line to your nat 0 access-list for the pptp clients
> address pool so that the traffic will bypass NAT.
>
> Example:
> access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0



Oh my, oh my... I am feeling VERY stupid at the moment.

Thanks a million!

Remco