PIX501 lan-to-lan and PPTP

Discussion in 'Cisco' started by Remco Bressers, Jan 22, 2004.

  1. Help!

    I am having problems with LAN-to-LAN and PPTP at the same time on a
    PIX501 (6.3).
    LAN-to-LAN works perfectly with these settings, but with PPTP I am having
    a big problem. I can connect with my MS VPN client to the PIX. I receive
    an IP address from the PIX, but I cannot do anything on the LAN.

    Can anybody put me in the right direction?

    Here's some output (only the interesting parts):

    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    ip address outside 217.21.246.225 255.255.255.252
    ip address inside 10.0.0.254 255.255.255.0
    ip local pool pptp-pool 10.0.0.220-10.0.0.230
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 access-list pptp 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 217.21.246.226 1
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 217.21.246.229
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 217.21.246.229 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 128 required
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username test password *********
    vpdn enable outside
    Remco Bressers, Jan 22, 2004
    #1

  2. Rik Bain (Guest)

    On Thu, 22 Jan 2004 04:39:25 -0600, Remco Bressers wrote:

    > Help!
    >
    > I am having problems with LAN-to-LAN and PPTP at the same time on a
    > PIX501 (6.3).
    > LAN-to-LAN works perfectly with these settings, but with PPTP I am having
    > a big problem. I can connect with my MS VPN client to the PIX. I receive
    > an IP address from the PIX, but I cannot do anything on the LAN.
    >
    > Can anybody put me in the right direction?
    >
    > Here's some output (only the interesting parts):
    >
    > access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    > access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    > access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    > ip address outside 217.21.246.225 255.255.255.252
    > ip address inside 10.0.0.254 255.255.255.0
    > ip local pool pptp-pool 10.0.0.220-10.0.0.230
    > global (outside) 1 interface
    > nat (inside) 0 access-list inside_outbound_nat0_acl
    > nat (inside) 2 access-list pptp 0 0
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
    > static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
    > access-group inbound in interface outside
    > route outside 0.0.0.0 0.0.0.0 217.21.246.226 1
    > floodguard enable
    > sysopt connection permit-ipsec
    > sysopt connection permit-pptp
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto map outside_map 20 ipsec-isakmp
    > crypto map outside_map 20 match address outside_cryptomap_20
    > crypto map outside_map 20 set peer 217.21.246.229
    > crypto map outside_map 20 set transform-set ESP-3DES-MD5
    > crypto map outside_map interface outside
    > isakmp enable outside
    > isakmp key ******** address 217.21.246.229 netmask 255.255.255.255 no-xauth no-config-mode
    > isakmp identity address
    > isakmp policy 20 authentication pre-share
    > isakmp policy 20 encryption 3des
    > isakmp policy 20 hash md5
    > isakmp policy 20 group 2
    > isakmp policy 20 lifetime 86400
    > vpdn group 1 accept dialin pptp
    > vpdn group 1 ppp authentication pap
    > vpdn group 1 ppp authentication chap
    > vpdn group 1 ppp authentication mschap
    > vpdn group 1 ppp encryption mppe 128 required
    > vpdn group 1 client configuration address local pptp-pool
    > vpdn group 1 pptp echo 60
    > vpdn group 1 client authentication local
    > vpdn username test password *********
    > vpdn enable outside

    You need to add a line to your nat 0 access-list for the PPTP clients'
    address pool so that the traffic will bypass NAT.

    Example:
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

    Rik Bain
    Rik Bain, Jan 22, 2004
    #2

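Added illustration (not code from the thread or from Cisco): a small Python model of which NAT rule the PIX picks for a LAN host's reply to a PPTP client, before and after Rik's extra nat 0 line. It assumes the PIX 6.x precedence of NAT exemption ("nat 0 access-list") first, then policy NAT ("nat <id> access-list"), then regular NAT; the addresses are the ones posted above, and 10.0.0.10 is a constructed LAN host.

```python
import ipaddress

# Constructed model of how a PIX 6.x chooses a NAT rule for a packet leaving
# the inside interface. Assumed precedence: NAT exemption ("nat 0 access-list"),
# then policy NAT ("nat <id> access-list"), then regular "nat <id> net mask".
# This is an added illustration, not PIX code.

N = ipaddress.ip_network
LAN = N("10.0.0.0/24")           # inside subnet; the PPTP pool 10.0.0.220-230 lies inside it
L2L_PEER = N("192.168.12.0/24")  # remote LAN behind the IPsec peer
ANY = N("0.0.0.0/0")

def acl_matches(acl, src, dst):
    """acl is a list of (src_net, dst_net) 'permit ip' entries."""
    return any(src in s and dst in d for s, d in acl)

def pick_nat_rule(rules, src, dst):
    """Return the name of the first rule that matches, in PIX evaluation order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if "acl" in rule and acl_matches(rule["acl"], src, dst):
            return rule["name"]
        if "net" in rule and src in rule["net"]:
            return rule["name"]
    return None

def pix_rules(pool_exempted):
    """The posted rules, before (False) and after (True) Rik's fix."""
    nat0_acl = [(LAN, L2L_PEER)]     # inside_outbound_nat0_acl as originally posted
    if pool_exempted:
        nat0_acl.append((LAN, LAN))  # the added line: LAN -> LAN, which covers the PPTP pool
    return [
        {"name": "nat 0 exemption", "acl": nat0_acl},
        {"name": "nat 2 policy NAT (no matching global 2)", "acl": [(LAN, LAN)]},
        {"name": "nat 1 -> global (outside) interface", "net": ANY},
    ]

def lan_to_pptp_client(pool_exempted, dst="10.0.0.225"):
    """Which rule a LAN host's reply to a PPTP client (pool address) hits."""
    return pick_nat_rule(pix_rules(pool_exempted), "10.0.0.10", dst)

if __name__ == "__main__":
    for fixed in (False, True):
        print("after fix" if fixed else "before fix", "->", lan_to_pptp_client(fixed))
```

Before the fix the reply to the pool address falls through to a translating rule instead of the exemption; after it, LAN-to-pool and LAN-to-remote-LAN traffic both bypass NAT while Internet-bound traffic still hits nat 1.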
  3. Rik Bain wrote:
    > On Thu, 22 Jan 2004 04:39:25 -0600, Remco Bressers wrote:
    >
    >
    >>Help!
    >>
    >>I am having problems with LAN-to-LAN and PPTP at the same time on a
    >>PIX501 (6.3).
    >>LAN-to-LAN works perfectly with these settings, but with PPTP I am having
    >>a big problem. I can connect with my MS VPN client to the PIX. I receive
    >>an IP address from the PIX, but I cannot do anything on the LAN.
    >>
    >>Can anybody put me in the right direction?
    >>
    >>Here's some output (only the interesting parts):
    >>
    >>access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    >>access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    >>access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    >>ip address outside 217.21.246.225 255.255.255.252
    >>ip address inside 10.0.0.254 255.255.255.0
    >>ip local pool pptp-pool 10.0.0.220-10.0.0.230
    >>global (outside) 1 interface
    >>nat (inside) 0 access-list inside_outbound_nat0_acl
    >>nat (inside) 2 access-list pptp 0 0
    >>nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >>static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
    >>static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
    >>access-group inbound in interface outside
    >>route outside 0.0.0.0 0.0.0.0 217.21.246.226 1
    >>floodguard enable
    >>sysopt connection permit-ipsec
    >>sysopt connection permit-pptp
    >>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    >>crypto map outside_map 20 ipsec-isakmp
    >>crypto map outside_map 20 match address outside_cryptomap_20
    >>crypto map outside_map 20 set peer 217.21.246.229
    >>crypto map outside_map 20 set transform-set ESP-3DES-MD5
    >>crypto map outside_map interface outside
    >>isakmp enable outside
    >>isakmp key ******** address 217.21.246.229 netmask 255.255.255.255 no-xauth no-config-mode
    >>isakmp identity address
    >>isakmp policy 20 authentication pre-share
    >>isakmp policy 20 encryption 3des
    >>isakmp policy 20 hash md5
    >>isakmp policy 20 group 2
    >>isakmp policy 20 lifetime 86400
    >>vpdn group 1 accept dialin pptp
    >>vpdn group 1 ppp authentication pap
    >>vpdn group 1 ppp authentication chap
    >>vpdn group 1 ppp authentication mschap
    >>vpdn group 1 ppp encryption mppe 128 required
    >>vpdn group 1 client configuration address local pptp-pool
    >>vpdn group 1 pptp echo 60
    >>vpdn group 1 client authentication local
    >>vpdn username test password *********
    >>vpdn enable outside

    >
    >
    >
    > You need to add a line to your nat 0 access-list for the PPTP clients'
    > address pool so that the traffic will bypass NAT.
    >
    > Example:
    > access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

    Oh my, oh my... I am feeling VERY stupid at the moment :)..

    Thanks a million!

    Remco
    Remco Bressers, Jan 22, 2004
    #3
