Cisco PIX 501 - PPTP VPN

Discussion in 'Cisco' started by Dennis Pedersen, Dec 17, 2004.

  1. Hello,
    I have a problem with my Cisco PIX 501.
    I am trying to set up PPTP VPN on the box but it's bugging me.
    Connecting to the VPN is just fine and I am assigned a 172.x IP address.
    But I cannot access the LAN (192.168.16.0) - anyone have an idea?

    After googling a bit I came across 'sysopt connection permit-pptp' - that
    should make the router bypass PPTP from the access lists. But still the
    same.

    The problem on : http://tinyurl.com/6z4e4 - is pretty much the same but the
    solution does not work.

    no access-list pptp_ip permit ip 192.168.16.0 255.255.255.0 172.123.11.0 255.255.255.0
    no access-group pptp_ip in interface outside

    Anyone got an idea?

    Regards,
    Dennis

    config:
    pixfirewall(config)# sh run
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password XXXX
    passwd XXXX
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip any 172.123.11.0 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 172.123.11.0 255.255.255.224
    access-list inside_access_in permit tcp 192.168.16.0 255.255.255.0 any eq www
    access-list inside_access_in permit udp 192.168.16.0 255.255.255.0 any eq domain
    access-list inside_access_in permit tcp 192.168.16.0 255.255.255.0 any eq pop3
    access-list inside_access_in permit tcp 192.168.16.0 255.255.255.0 any eq smtp
    access-list inside_access_in permit tcp 192.168.16.0 255.255.255.0 any eq https
    access-list inside_access_in permit tcp 192.168.16.0 255.255.255.0 eq 3389 any
    access-list inside_access_in permit tcp 192.168.16.0 255.255.255.0 any eq 3390
    access-list inside_access_in permit tcp 192.168.16.0 255.255.255.0 any eq telnet
    access-list outside_in permit tcp any interface outside eq smtp
    access-list wts permit tcp host XXXXX any eq 3389
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.2 255.255.255.0
    ip address inside 192.168.16.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool 172.123.11.1-172.123.11.20
    pdm location 172.123.11.0 255.255.255.224 outside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.168.16.111 255.255.255.255 inside
    pdm location 192.168.16.168 255.255.255.255 inside
    pdm location XXXXX 255.255.255.255 outside
    pdm location XXXXX 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 192.168.16.168 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 192.168.16.168 3389 netmask 255.255.255.255 0 0
    access-group wts in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http XXXXX 255.255.255.255 outside
    http XXXXX 255.255.255.255 outside
    http 192.168.16.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.16.111 255.255.255.255 inside
    telnet 192.168.16.168 255.255.255.255 inside
    telnet timeout 5
    ssh XXXXX 255.255.255.255 outside
    ssh XXXXX 255.255.255.255 outside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
    vpdn group PPTP-VPDN-GROUP client configuration address local vpnpool
    vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.16.168 212.54.64.170
    vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.16.168
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username zzzz password xxxxx
    vpdn enable outside
    dhcpd address 192.168.16.200-192.168.16.250 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    username XXXXXXXX
    terminal width 80
    Cryptochecksum:XXXX
    : end

    Dennis Pedersen, Dec 17, 2004
    #1

  2. veloxdj

    1) Create an access list

    access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.100.0 255.255.255.0

    - the first IP and mask are your internal one, the second one is your pool for the VPN.
    You must do the same for any other VPN range that you have, even a site-to-site IPsec one, or you can choose to open the mask to a number that includes all the VPNs in it (255.0.0.0).

    2) Make a NAT for it.

    nat (inside) 0 access-list 101

    - Can you see the list? That's why you need to put your other VPNs in the access list. Otherwise they will not work anymore.

    3) Permit PPTP.

    sysopt connection permit-pptp

    4) Configure a VPN pool:

    ip local pool pptp-pool 10.0.100.1-10.0.100.50

    5) Create a PPTP VPN:

    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 client authentication local
    vpdn username cisco password cisco
    vpdn enable outside

    That's it... I solved my problem this way.

    Best regards,

    Cristiano Azeredo.

    veloxdj, Nov 6, 2007
    #2
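Steps 1, 2 and 4 of the reply above, and the original poster's own `nat (inside) 0 access-list` / `ip local pool` lines, all rest on one condition: every address the PPTP pool can hand out must sit inside a destination named by the NAT-0 exemption ACL, otherwise the firewall applies its ordinary inside-to-outside translation to traffic for that client instead of passing it untranslated. The following Python check is an added example, not code from this thread or from Cisco; it parses only those three statement types from a PIX 6.x running config (sample lines constructed from this thread with the extraction line-wraps joined, plus a constructed variant whose pool outgrows the mask) and reports any pool addresses the exemption misses. It also handles `any` and `host` address specs, which the thread's own entries do not use.

```python
import ipaddress

# Constructed sample: the poster's pool and NAT-0 exemption lines from this thread
# (extraction line-wraps joined), plus a variant whose pool runs past the /27
# exemption mask, so the last client addresses are handed out but not exempted.
OP_CONFIG = """
access-list inside_outbound_nat0_acl permit ip any 172.123.11.0 255.255.255.224
ip local pool vpnpool 172.123.11.1-172.123.11.20
nat (inside) 0 access-list inside_outbound_nat0_acl
"""
BAD_CONFIG = OP_CONFIG.replace("172.123.11.20", "172.123.11.40")

def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect 'ip local pool', 'nat (if) 0 access-list' bindings and the
    'permit ip' entries (source, destination) of every ACL in a PIX 6.x config."""
    pools, nat0_acls, acls = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) == 5:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0_acls[t[1].strip("()")] = t[4]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _parse_addr(t[4:])
            dst, _ = _parse_addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
    return pools, nat0_acls, acls

def uncovered_pool_addresses(text):
    """Map each pool name to its addresses that no NAT-0 exemption entry names
    as a destination; an empty list means the whole pool is exempted."""
    pools, nat0_acls, acls = parse_config(text)
    exempt = [dst for name in nat0_acls.values() for _, dst in acls.get(name, [])]
    report = {}
    for name, (lo, hi) in pools.items():
        report[name] = [str(lo + i) for i in range(int(hi) - int(lo) + 1)
                        if not any(lo + i in net for net in exempt)]
    return report
```

Run it against a full `show running-config` dump rather than the excerpt; lines of any other type are ignored.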
