Issue with Ipsec and pptp clients

Discussion in 'Cisco' started by unknown, Apr 10, 2006.

  1. unknown

    unknown Guest

    Folks,
    I have a Pix 515E acting as the IPSec/PPTP endpoint. I use the CVPN 4.x
    version for IPSec and the MS PPTP client for the PPTP connection.

    Issues I face:

    1) With IPSec, I can establish only 1 VPN connection, meaning if another
    IPSec connection comes in, the existing IPSec VPN connection is kicked
    out.

    2) With PPTP, I can get authenticated, but I am unable to browse or ping
    the internal network.

    I have given my configuration below:

    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password dP6LztWI/VQ0Swy0 encrypted
    passwd qESl5f9ayuCTSGcv encrypted
    hostname xxx1
    domain-name xxx
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol domain 53
    no names
    access-list acl_out permit tcp any host xxx.xxx.xxx.30 eq www
    access-list acl_out permit tcp any host xxx.xxx.xxx.30 eq 3389
    access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq smtp
    access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq pop3
    access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq imap4
    access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq https
    access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq 8000
    access-list acl_out permit tcp any host xxx.xxx.xxx.30 eq ssh
    access-list acl_out permit icmp any any
    access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq www
    access-list acl_out permit tcp any host xxx.xxx.xxx.37 eq ftp
    access-list acl_out deny ip any any
    access-list acl_dmz permit tcp host 10.0.12.243 any eq smtp
    access-list acl_dmz permit icmp any any echo-reply
    access-list acl_dmz permit udp 10.0.0.0 255.255.0.0 host 203.166.128.168 eq domain
    access-list acl_dmz permit udp 10.0.0.0 255.255.0.0 host 203.166.128.188 eq domain
    access-list acl_dmz permit tcp host 10.0.12.242 10.0.11.0 255.255.255.0
    access-list acl_dmz permit tcp host 10.0.12.241 10.0.11.0 255.255.255.0
    access-list acl_dmz deny ip any any
    access-list 200 permit ip 10.0.11.0 255.255.255.0 10.0.99.240 255.255.255.240
    access-list 200 permit ip 10.0.11.0 255.255.255.0 172.16.9.0 255.255.255.0
    pager lines 24
    logging on
    logging trap informational
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside xxx.xxx.xxx.37 255.255.255.192
    ip address inside 10.0.11.253 255.255.255.0
    ip address dmz 10.0.12.253 255.255.255.240
    ip audit name outside info action alarm
    ip audit name info1 info action alarm
    ip audit interface outside info1
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool mc3vpn 172.16.9.1-172.16.9.4
    ip local pool vpnppol 10.0.99.241-10.0.99.250
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address dmz 0.0.0.0
    pdm history enable
    arp inside 192.168.4.101 0020.7818.362a
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 201
    nat (inside) 1 10.0.11.0 255.255.255.0 0 0
    nat (dmz) 1 10.0.12.243 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.31 www 10.0.12.243 8000 netmask 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.31 smtp 10.0.12.243 smtp netmask 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.31 8000 10.0.12.243 www netmask 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.31 pop3 10.0.12.243 pop3 netmask 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.31 imap4 10.0.12.243 imap4 netmask 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.30 3389 10.0.12.241 3389 netmask 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.30 www 10.0.12.241 www netmask 255.255.255.255 0 0
    static (dmz,outside) tcp xxx.xxx.xxx.30 ssh 10.0.12.242 ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp 10.0.11.191 ftp netmask 255.255.255.255 0 0
    static (inside,dmz) 10.0.11.0 10.0.11.0 netmask 255.255.255.0 0 0
    access-group acl_out in interface outside
    access-group acl_dmz in interface dmz
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap interface outside
    isakmp enable outside
    isakmp client configuration address-pool local vpnppol outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpngrp address-pool vpnppol
    vpngroup vpngrp idle-time 1800
    vpngroup vpngrp password ********
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 40
    vpdn group 1 client configuration address local mc3vpn
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username cisco password *********
    vpdn enable outside
    terminal width 80
    Cryptochecksum:22652e21edb479617b7c28400427bfe1
    : end
    [OK]

    Any help would be appreciated.Thanks
    unknown, Apr 10, 2006
    #1

  2. In article <>,
    unknown <> wrote:
    >I have a Pix 515E acting as the IPSec/PPTP end point.


    >1) With IPSec,I can establish only 1 vpn connection,meaning if another
    >ipsec connection comes in, the existing VPN IPSec connection is kicked
    >out.


    That sounds more like a different issue. When you are making the
    multiple connections, are you starting both from within the same
    network and there is a firewall layer -outside- of the remote IPSec
    endpoint? If so then you could be running into the issue that the
    ESP IP protocol used by your IPSec configuration has no port numbers
    and so many firewalls can only handle one ESP session at a time.

    If that does turn out to be your problem, then the easiest fix is
    to upgrade to 6.3 or later and to then turn on the new feature NAT-T
    (NAT Traversal) by adding "isakmp nat-traversal 20".


    >2) With PPTP, I can get authenticated,but I am unable to browse or ping
    >the internal network.


    >PIX Version 6.2(2)


    There have been many bug fixes since 6.2(2), and several important
    security fixes. As I recall, you are entitled to update to 6.2(4)
    for free even if you do not have a support contract. Unfortunately
    if you do not have a support contract, then upgrading to 6.3(4)
    or 6.3(5) will cost some money (it's often cheaper to buy a
    support contract than to pay for the upgrade by itself.)

    >ip address outside xxx.xxx.xxx.37 255.255.255.192
    >ip address inside 10.0.11.253 255.255.255.0
    >ip address dmz 10.0.12.253 255.255.255.240


    >ip local pool mc3vpn 172.16.9.1-172.16.9.4
    >ip local pool vpnppol 10.0.99.241-10.0.99.250


    Good, I see that your IP pools are "outside" relative to your
    interior interfaces, which is the way they should be.

    >route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1


    >sysopt connection permit-ipsec
    >sysopt connection permit-pptp


    >isakmp client configuration address-pool local vpnppol outside


    >vpngroup vpngrp address-pool vpnppol


    Because you already have vpnppol attached via your isakmp client
    command, this statement is not strictly necessary -- but it does not
    hurt and makes things clearer.

    >vpdn group 1 client configuration address local mc3vpn


    That statement is necessary though.


    I do not immediately see any problems with your pptp configuration.
    I would, though, suggest updating as far as you can for free,
    and I would suggest that you seriously consider going to 6.3 in
    order to gain the NAT Traversal.

    As you have a PIX 515E, you could go to 7.0 or even 7.1 code,
    which has a lot of nice new features and uses a configuration syntax
    much much closer to IOS's. On the other hand, 7.0 and 7.1 require
    much more memory, require a fair bit of re-learning ... and as you
    are obviously not "early adopters", I suspect you might find the
    bugs that -any- major rewrite introduces to be too much of a nuisance
    to deal with.
    Walter Roberson, Apr 10, 2006
    #2
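
The "only one ESP session through a NAT" point in the reply above is easy to see in a toy model. The following is an added example, not code from the thread or from Cisco: it models a plain port-based NAT that keys translations on addresses and ports and has no ESP/SPI passthrough logic (an assumption about the "many firewalls" the reply refers to), with constructed RFC 5737 addresses standing in for the clients, the NAT and the PIX. ESP (IP protocol 50) carries no port numbers, so a second client behind the same public address overwrites the first client's binding; NAT-T wraps ESP in UDP/4500, each client gets its own translated source port, and both sessions survive.

```python
# Added example (not from the thread or from Cisco): a toy model of the
# port-based NAT the reply suspects sits in front of the IPsec clients.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP, UDP = 50, 17        # IP protocol numbers
NAT_T_PORT = 4500        # UDP port used by NAT-T (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: the header carries no ports
    dport: Optional[int] = None
    spi: int = 0                  # ESP SPI; this NAT does not look at it


class PortNat:
    """Minimal port-based NAT. Assumption: no ESP/SPI passthrough logic."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.esp_binding: Dict[str, str] = {}   # remote peer -> inside host
        # (translated sport, remote ip, remote port) -> (inside host, inside sport)
        self.udp_binding: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record the binding."""
        if pkt.proto == ESP:
            # Only the peer address can serve as a key, so a second inside
            # host talking to the same peer replaces the first one.
            self.esp_binding[pkt.dst] = pkt.src
            return replace(pkt, src=self.public_ip)
        port, self.next_port = self.next_port, self.next_port + 1
        self.udp_binding[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map an outside->inside packet back, or drop it if nothing matches."""
        if pkt.proto == ESP:
            inside = self.esp_binding.get(pkt.src)
            return replace(pkt, dst=inside) if inside else None
        hit = self.udp_binding.get((pkt.dport, pkt.src, pkt.sport))
        if hit is None:
            return None
        inside, inside_port = hit
        return replace(pkt, dst=inside, dport=inside_port)


def run_scenario(use_nat_t: bool) -> Dict[str, bool]:
    """Two clients behind one NAT each open a session to the PIX; the PIX then
    answers each. Returns, per client, whether its own reply reached it."""
    nat = PortNat("198.51.100.1")             # constructed RFC 5737 addresses
    pix = "203.0.113.5"
    clients = {"A": "192.168.1.10", "B": "192.168.1.11"}
    as_seen_by_pix: Dict[str, Packet] = {}
    for name, inside in clients.items():
        if use_nat_t:
            pkt = Packet(UDP, inside, pix, NAT_T_PORT, NAT_T_PORT)
        else:
            pkt = Packet(ESP, inside, pix, spi=0x1000 + len(as_seen_by_pix))
        as_seen_by_pix[name] = nat.outbound(pkt)
    delivered: Dict[str, bool] = {}
    for name, seen in as_seen_by_pix.items():
        # The PIX replies to whatever source it saw, addresses and ports swapped.
        reply = Packet(seen.proto, seen.dst, seen.src, seen.dport, seen.sport, seen.spi)
        back = nat.inbound(reply)
        delivered[name] = back is not None and back.dst == clients[name]
    return delivered


if __name__ == "__main__":
    print("raw ESP:", run_scenario(use_nat_t=False))   # {'A': False, 'B': True}
    print("NAT-T  :", run_scenario(use_nat_t=True))    # {'A': True, 'B': True}
```

With raw ESP the second client's binding replaces the first, so client A's session is the one that gets "kicked out", which is the symptom described in the original post; with UDP encapsulation both replies find their way back. Real NATs vary (some track ESP SPIs), which is why the reply says "many" rather than "all".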

  3. unknown

    Guest

    Just some thoughts: you're using this pool:

    ip local pool mc3vpn 172.16.9.1-172.16.9.4

    Does the PIX know what to do with that network?

    And also, on the nat statement:

    nat (inside) 0 access-list 201

    I don't see an access-list 201. I think the ACL you use for the nat
    (inside) 0 needs to include the pool of addresses you're handing out
    for VPN access, but I'm not 100% sure.
    , Apr 10, 2006
    #3
  4. unknown

    unknown Guest

    wrote:
    > Just some thoughts: you're using this pool:
    >
    > ip local pool mc3vpn 172.16.9.1-172.16.9.4
    >
    > Does the PIX know what to do with that network?
    >
    > And also, on the nat statement:
    >
    > nat (inside) 0 access-list 201
    >
    > I don't see an access-list 201. I think the ACL you use for the nat
    > (inside) 0 needs to include the pool of addresses you're handing out
    > for VPN access, but I'm not 100% sure.


    Guys,
    Thanks for your response. Some more information: the PPTP works
    well from my home (which doesn't do NAT, I presume).

    David,
    You are right, the access-list is 200, not 201.

    Cheers
    unknown, Apr 11, 2006
    #4
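
The nat 0 mismatch that posts #3 and #4 settle on (access-list 200 exists, nat 0 points at 201, so nothing is exempt from translation and the corrected line is `nat (inside) 0 access-list 200`) and the NAT-T advice in post #2 are both easy to lint for. The following is an added example, not code from the thread or from Cisco: it parses a PIX 6.x config and checks that every `nat (iface) 0 access-list N` names an ACL that is defined, that the ACL's destinations cover every `ip local pool`, and whether the release is 6.3 or later with `isakmp nat-traversal` configured. It assumes only plain `permit ip <net> <mask> <net> <mask>` entries with dotted subnet masks and ignores everything else; the sample config is a cut-down copy of the lines posted above, with a second copy carrying the corrected nat 0 line.

```python
# Added example (not from the thread or from Cisco): a small lint for the
# two points the replies raise, run against a trimmed copy of the posted config.
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of the posted config, including the
# nat 0 reference to access-list 201, which the config never defines.
POSTED_CONFIG = """\
PIX Version 6.2(2)
access-list 200 permit ip 10.0.11.0 255.255.255.0 10.0.99.240 255.255.255.240
access-list 200 permit ip 10.0.11.0 255.255.255.0 172.16.9.0 255.255.255.0
ip local pool mc3vpn 172.16.9.1-172.16.9.4
ip local pool vpnppol 10.0.99.241-10.0.99.250
nat (inside) 0 access-list 201
nat (inside) 1 10.0.11.0 255.255.255.0 0 0
isakmp enable outside
"""

# The same config with nat 0 pointed at the ACL that actually exists.
FIXED_CONFIG = POSTED_CONFIG.replace("nat (inside) 0 access-list 201",
                                     "nat (inside) 0 access-list 200")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
VER_RE = re.compile(r"^PIX Version (\d+)\.(\d+)")

Addr = ipaddress.IPv4Address
Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]   # (src, dst)


def parse_config(text: str) -> Dict:
    """Extract version, permit-ip ACL entries, pools, nat 0 bindings, NAT-T."""
    cfg: Dict = {"version": None, "acls": {}, "pools": {}, "nat0": {}, "nat_t": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := VER_RE.match(line):
            cfg["version"] = (int(m.group(1)), int(m.group(2)))
        elif m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                 ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            cfg["pools"][name] = (Addr(first), Addr(last))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif line.startswith("isakmp nat-traversal"):
            cfg["nat_t"] = True
    return cfg


def pool_exempt(first: Addr, last: Addr, entries: List[Entry]) -> bool:
    """True when every pool address is a destination in some permit-ip entry,
    i.e. traffic from inside hosts to that VPN client is excluded from NAT."""
    addr = first
    while addr <= last:
        if not any(addr in dst for _, dst in entries):
            return False
        addr += 1
    return True


def check_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    cfg = parse_config(text)
    findings: List[str] = []
    for iface, acl in cfg["nat0"].items():
        entries = cfg["acls"].get(acl)
        if entries is None:
            findings.append(f"nat ({iface}) 0 references access-list {acl}, which is "
                            f"not defined: nothing is exempt from NAT, so traffic to "
                            f"the VPN pools falls through to the other nat rules")
            continue
        for pool, (first, last) in cfg["pools"].items():
            if not pool_exempt(first, last, entries):
                findings.append(f"pool {pool} ({first}-{last}) is not covered by "
                                f"access-list {acl}")
    ver = cfg["version"]
    if ver is None or ver < (6, 3):
        shown = "unknown" if ver is None else f"{ver[0]}.{ver[1]}"
        findings.append(f"PIX {shown} predates NAT-T; upgrade to 6.3 or later and "
                        f"add 'isakmp nat-traversal 20'")
    elif not cfg["nat_t"]:
        findings.append("release supports NAT-T but 'isakmp nat-traversal' is not set")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for finding in check_config(text) or ["no findings"]:
            print(" ", finding)
```

Running it on the posted copy reports the dangling access-list 201 and the missing NAT-T; on the fixed copy only the NAT-T finding remains, because both pools (172.16.9.1-4 and 10.0.99.241-250) fall inside the destinations of access-list 200.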