PPTP Client Can't access other internal Subnets when connecting to PIX

Discussion in 'Cisco' started by Scott Townsend, Sep 23, 2004.

  1. I have a PIX setup to accept PPTP and IPSec connections.

    The PIX is on 10.1.x.x network.
    I have other 10.Y.x.x networks that I would like the PPTP clients to
    have access to.

    I believe my IPSec clients do not have any issues with connecting to
    the other remote Subnets...

    Here are the relevant (I believe) sections of the config.

    Any Help would be appreciated.

    Thanks,
    Scott

    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0
    access-list inside_nat permit ip 10.201.0.0 255.255.0.0 10.201.0.0 255.255.0.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.11.0.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
    access-list 110 permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0

    ip local pool ipsecpool 10.200.0.1-10.200.1.254
    ip local pool remoteVPN 10.201.0.1-10.201.0.254

    nat (inside) 0 access-list inside_nat
    nat (inside) 1 10.0.0.0 255.0.0.0 0 0

    route outside 0.0.0.0 0.0.0.0 204.145.245.15 2
    route outside 0.0.0.0 0.0.0.0 204.145.245.2 10
    route inside 10.2.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.3.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.4.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.5.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.10.0.0 255.255.0.0 10.1.0.3 1
    route outside 10.200.0.0 255.255.0.0 204.145.245.15 2
    route outside 10.200.0.0 255.255.0.0 204.145.245.2 10
    route outside 10.201.0.0 255.255.255.0 204.145.245.15 2
    route outside 10.201.0.0 255.255.255.0 204.145.245.2 10
    route inside 10.254.0.0 255.255.0.0 10.1.0.1 1

    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
    vpdn group PPTP-VPDN-GROUP client configuration address local remoteVPN
    vpdn group PPTP-VPDN-GROUP client configuration dns Server-AD3_i
    vpdn group PPTP-VPDN-GROUP client configuration wins Server-AD3_i
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    Scott Townsend, Sep 23, 2004
    #1
  2. Scott Townsend

    PES Guest

    "Scott Townsend" <> wrote in message
    news:...
    >I have a PIX setup to accept PPTP and IPSec connections.
    >
    > The PIX is on 10.1.x.x network.
    > I have other 10.Y.x.x networks that I would like the PPTP clients to
    > have access to.
    >

    The client may be getting 10.201.x.x with a 255.0.0.0 mask. If so, it may
    not realize the need to go through the next hop to get to other addresses. I
    think there is a newer version of PIX OS that permits the subnet mask in the
    ip local pool command and resolves this issue. Also, make sure your PPTP client
    is set to use the default gateway on the remote network.
    PES, Sep 23, 2004
    #2
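    To make the reply's two points concrete, here is an added example (not part of the thread, and not Cisco code) that simulates a PPTP client's route table with longest-prefix match. It assumes a home LAN of 192.168.0.0/24 with gateway 192.168.0.1, a tunnel address of 10.201.0.5 from the remoteVPN pool, and the OP's remote subnet 10.2.0.0/16; it shows that with a /24 pool mask, traffic to 10.2.x.x only enters the tunnel when "use default gateway on remote network" is enabled, while a classful /8 mask pulls every 10.x address onto the tunnel prefix.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins.
    Each route is (prefix, next_hop, interface, metric). Returns the route tuple."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, (prefix, next_hop, iface, metric))
    return best[1] if best else None

def client_routes(pool_mask, use_remote_default):
    """Constructed route table of a PPTP client after the tunnel comes up.
    pool_mask is the mask the client applies to its tunnel address: the
    classful 255.0.0.0 the reply describes, or 255.255.255.0 from the pool."""
    # The tunnel address 10.201.0.5 is an assumed value inside the OP's remoteVPN pool.
    tunnel_net = ipaddress.ip_network(f"10.201.0.5/{pool_mask}", strict=False)
    routes = [
        ("192.168.0.0/24", None, "eth0", 10),          # assumed home LAN, directly connected
        ("0.0.0.0/0", "192.168.0.1", "eth0", 10),      # home default gateway
        (str(tunnel_net), None, "ppp0", 1),            # tunnel prefix, derived from the mask
    ]
    if use_remote_default:
        # "Use default gateway on remote network": a second default route with
        # a better metric, so anything not matched more specifically goes to the PIX.
        routes.append(("0.0.0.0/0", "10.201.0.5", "ppp0", 1))
    return routes

def egress_interface(dst, pool_mask="255.255.255.0", use_remote_default=False):
    """Which interface the client would use to reach dst under the given settings."""
    return lookup(client_routes(pool_mask, use_remote_default), dst)[2]

if __name__ == "__main__":
    for mask in ("255.0.0.0", "255.255.255.0"):
        for remote_default in (False, True):
            print(mask, "default-via-tunnel" if remote_default else "local-default",
                  "10.2.5.5 ->", egress_interface("10.2.5.5", mask, remote_default))
```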