PPTP PIX Problem

Discussion in 'Cisco' started by paul tomlinson, Feb 19, 2004.

  1. Hi there, I have a Cisco PIX firewall, all running well. I'm just trying to
    create a PPTP-based VPN connection; the VPN authenticates and I'm
    given an IP address on the 192.168.2.xx network, but I can't ping
    anything on my main network.

    Anybody got any ideas?


    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    no names
    access-list out-acl permit icmp any any echo-reply
    access-list out-acl permit icmp any any unreachable
    access-list out-acl permit icmp any any time-exceeded
    access-list out-acl permit icmp any any source-quench
    access-list out-acl permit icmp any any parameter-problem
    access-list out-acl permit tcp any any eq ssh
    access-list out-acl permit tcp any any eq pcanywhere-data
    access-list out-acl permit tcp any any eq 5632
    access-list nonat permit ip ???.???.???.??? 255.255.255.0 192.168.2.0 255.255.255.0
    access-list wtair-vpn permit ip ???.???.???.??? 255.255.255.0 192.168.2.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside ???.???.???.??? 255.255.255.248
    ip address inside ???.???.???.??? 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool1 192.168.2.1-192.168.2.50
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group out-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 ???.???.???.??? 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto map corpvpn 2 ipsec-isakmp
    crypto map corpvpn 2 match address wtair-vpn
    crypto map corpvpn 2 set peer ???.???.???.???
    crypto map corpvpn 2 set transform-set 3des-sha
    crypto map corpvpn interface outside
    isakmp enable outside
    isakmp key ******** address ???.???.???.??? netmask 255.255.255.255
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 5 authentication pre-share
    isakmp policy 5 encryption 3des
    isakmp policy 5 hash sha
    isakmp policy 5 group 2
    isakmp policy 5 lifetime 3600
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local pptp-pool1
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username admin password ********
    vpdn enable outside
    terminal width 80
    paul tomlinson, Feb 19, 2004
    #1

  2. My guess is a problem with NAT/PAT at the remote end.
    Or remove the "fixup protocol pptp 1723"; this is meant for pass-through
    packets.
    (I assume the ??? in your nonat ACL is your local LAN.)


    HTH
    Martin Bilgrav

    "paul tomlinson" <> wrote in message
    news:...
    > Hi there, I have a Cisco PIX firewall, all running well. I'm just trying to
    > create a PPTP-based VPN connection; the VPN authenticates and I'm
    > given an IP address on the 192.168.2.xx network, but I can't ping
    > anything on my main network.
    >
    > Anybody got any ideas?
    >
    >
    Martin Bilgrav, Feb 19, 2004
    #2

  3. To confirm, the ??.??.???.??? is my local network.

    I have tried removing the pptp fixup command, but still no joy.

    Anyone else see anything obvious?


    "Martin Bilgrav" <> wrote in message news:<LAaZb.93838$>...
    > My guess is a problem with NAT/PAT at the remote end.
    > Or remove the "fixup protocol pptp 1723"; this is meant for pass-through
    > packets.
    > (I assume the ??? in your nonat ACL is your local LAN.)
    >
    >
    > HTH
    > Martin Bilgrav
    >
    > "paul tomlinson" <> wrote in message
    > news:...
    > > Hi there, I have a Cisco PIX firewall, all running well. I'm just trying to
    > > create a PPTP-based VPN connection; the VPN authenticates and I'm
    > > given an IP address on the 192.168.2.xx network, but I can't ping
    > > anything on my main network.
    > >
    > > Anybody got any ideas?
    > >
    > >
    paul tomlinson, Feb 20, 2004
    #3
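The thread ends without a resolution, so here is a check a practitioner could run against the configuration in the first post. This is an added example, not Cisco tooling and not code from anyone in the thread. It parses the handful of PIX 6.x statements that matter for a PPTP server (the local pool, the nat 0 exemption, the crypto-map match ACL, the management-access lines, the vpdn PPP settings) and reports what they imply. Two observations come straight out of the posted config: the PPTP pool 192.168.2.1-192.168.2.50 sits inside the destination network of the ACL wtair-vpn that the crypto map corpvpn matches on, so replies from the LAN to a PPTP client also satisfy the site-to-site IPsec selector (a candidate cause of the one-way traffic, assumed here and not confirmed in the thread); and the same config allows SSH from any source on outside, keeps the default SNMP community "public", permits PAP, and sets MPPE without "required". The masked LAN ???.???.???.??? is replaced by the constructed placeholder 10.0.0.0/24 purely so the addresses parse; the regexes, function names and wording of the findings are mine.

```python
"""Lint a PIX 6.x config for the PPTP pitfalls visible in the posted thread.

Added example, not Cisco tooling.  POSTED_CONFIG is the relevant subset of the
config from the first post; the masked LAN (???.???.???.???) is replaced by the
constructed placeholder 10.0.0.0/24 so that the addresses parse.
"""
import ipaddress
import re

POSTED_CONFIG = """\
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list wtair-vpn permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool pptp-pool1 192.168.2.1-192.168.2.50
nat (inside) 0 access-list nonat
snmp-server community public
crypto map corpvpn 2 match address wtair-vpn
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool1
"""

# Statement shapes this linter understands (assumed from the PIX 6.x syntax
# shown in the thread; anything else is ignored).
PATTERNS = {
    "acl":   re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$"),
    "pool":  re.compile(r"ip local pool (\S+) (\S+)-(\S+)$"),
    "cmap":  re.compile(r"crypto map \S+ \d+ match address (\S+)$"),
    "nonat": re.compile(r"nat \(\S+\) 0 access-list (\S+)$"),
    "mgmt":  re.compile(r"(ssh|telnet) (\S+) (\S+) (\S+)$"),
    "auth":  re.compile(r"vpdn group \d+ ppp authentication (\S+)$"),
    "mppe":  re.compile(r"vpdn group \d+ ppp encryption mppe (.+)$"),
    "snmp":  re.compile(r"snmp-server community (\S+)$"),
}


def net(addr, mask):
    """Build a network from the PIX 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Group the statements the checks need, keyed by pattern name."""
    found = {kind: [] for kind in PATTERNS}
    for line in config.splitlines():
        for kind, pat in PATTERNS.items():
            if m := pat.match(line.strip()):
                found[kind].append(m.groups())
                break
    return found


def lint(config):
    """Return human-readable findings for a PIX config, in check order."""
    cfg = parse(config)
    acls = {}
    for name, src, smask, dst, dmask in cfg["acl"]:
        acls.setdefault(name, []).append((net(src, smask), net(dst, dmask)))
    findings = []

    for pool, first, last in cfg["pool"]:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # A pool inside a crypto-map ACL destination means LAN replies to PPTP
        # clients also match the site-to-site IPsec selector on the outside
        # interface instead of simply returning down the PPTP tunnel.
        for (acl,) in cfg["cmap"]:
            for _src, dst in acls.get(acl, []):
                if lo in dst and hi in dst:
                    findings.append(f"pool {pool} {first}-{last} lies inside "
                                    f"destination {dst} of crypto-map ACL {acl}")
        # The pool must be exempt from NAT or inside hosts get PATed to the
        # outside address when they answer a VPN client.
        exempt = any(lo in dst and hi in dst
                     for (acl,) in cfg["nonat"] for _src, dst in acls.get(acl, []))
        if not exempt:
            findings.append(f"pool {pool} is not covered by any nat 0 access-list")

    for proto, addr, mask, iface in cfg["mgmt"]:
        if net(addr, mask).prefixlen == 0:
            findings.append(f"{proto} management open to any source on {iface}")
    for (community,) in cfg["snmp"]:
        if community in ("public", "private"):
            findings.append(f"default SNMP community '{community}'")
    for (method,) in cfg["auth"]:
        if method == "pap":
            findings.append("PPP PAP allowed: VPN passwords cross the wire in cleartext")
    for (mode,) in cfg["mppe"]:
        if "required" not in mode:
            findings.append(f"mppe {mode}: 'required' absent, so a client that "
                            "declines MPPE is still accepted")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print("-", finding)
```

Run as-is it prints six findings for the posted config and none about the nat 0 exemption, which is correct in the thread's config. The obvious way to clear the first finding (assumed, not confirmed by the thread) is to draw the PPTP pool from a subnet that no crypto-map ACL covers and extend the nonat ACL to that subnet; the linter returns an empty list for such a config.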
