Can't get VPN-tunnel to work - PIX 501

Discussion in 'Cisco' started by Stefan Johansson, Nov 24, 2004.

  1. Can anybody see what's wrong with this config? I get a tunnel with PPTP but I
    can't reach anything on the inside. What is wrong!


    : Written by enable_15 at 15:04:25.307 UTC Wed Nov 17 2004
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password j95T1heeL3vSd3P1 encrypted
    passwd j95T1heeL3vSd3P1 encrypted
    hostname pixfirewall
    domain-name okab.se
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol icmp error
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    object-group network Forbidden_Surfers
    network-object 172.25.40.90 255.255.255.255
    network-object 172.25.40.91 255.255.255.255
    network-object 172.25.40.92 255.255.255.255
    network-object 172.25.40.93 255.255.255.255
    network-object 172.25.40.94 255.255.255.255
    network-object 172.25.40.95 255.255.255.255
    network-object 172.25.40.96 255.255.255.255
    network-object 172.25.40.97 255.255.255.255
    network-object 172.25.40.98 255.255.255.255
    network-object 172.25.40.99 255.255.255.255
    network-object 172.25.40.100 255.255.255.255
    object-group service VPN tcp
    port-object range 10000 10000
    access-list nat_zero permit ip 172.25.40.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list inside_authentication_LOCAL permit tcp object-group Forbidden_Surfers any
    pager lines 24
    logging on
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute retry 4
    ip address inside 172.25.40.10 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 192.168.123.1-192.168.123.50
    pdm location 172.25.40.45 255.255.255.255 inside
    pdm location 172.25.40.105 255.255.255.255 inside
    pdm location 192.168.123.0 255.255.255.0 outside
    pdm location 172.25.40.90 255.255.255.255 inside
    pdm location 172.25.40.91 255.255.255.255 inside
    pdm location 172.25.40.92 255.255.255.255 inside
    pdm location 172.25.40.93 255.255.255.255 inside
    pdm location 172.25.40.94 255.255.255.255 inside
    pdm location 172.25.40.95 255.255.255.255 inside
    pdm location 172.25.40.96 255.255.255.255 inside
    pdm location 172.25.40.97 255.255.255.255 inside
    pdm location 172.25.40.98 255.255.255.255 inside
    pdm location 172.25.40.99 255.255.255.255 inside
    pdm location 172.25.40.100 255.255.255.255 inside
    pdm location 192.168.123.0 255.255.255.192 outside
    pdm group Forbidden_Surfers inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nat_zero
    nat (inside) 1 172.25.40.0 255.255.255.0 0 0
    conduit permit icmp any any
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication match inside_authentication_LOCAL inside LOCAL
    http server enable
    http 172.25.40.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection tcpmss 1500
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    telnet 172.25.40.45 255.255.255.255 inside
    telnet 172.25.40.105 255.255.255.255 inside
    telnet 172.25.40.106 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 60
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username user password ********
    vpdn enable outside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username webb password BhzScFMzI2D7FVZ8 encrypted privilege 5
    terminal width 80
     
    Stefan Johansson, Nov 24, 2004
    #1

  2. PES

    Guest

    I didn't see anything immediately wrong in your config. Is your PPTP
    client set to use the default gateway of the remote network (this is a
    check box in the PPTP configuration)? What does the routing table of
    the PC look like (route print from DOS on a Windows box)? If you are
    using this through a router, is it doing NAT? Does it support GRE pass
    through, and is this protocol not being blocked? Also, I don't like to
    work with conduits, as their use is being phased out and they are therefore not
    as thoroughly tested as ACLs. Also, I prefer the VPN client to PPTP, as it
    is more configurable from the firewall and therefore easier for us to
    troubleshoot from a config. However, I would understand if you have a
    need for PPTP.
     
    PES, Nov 25, 2004
    #2
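As an added example (not from either poster), here is a small Python audit that walks the posted PIX 6.3 config and checks the points relevant to the "tunnel up, nothing reachable" symptom: whether the PPTP pool is covered by the nat 0 exemption ACL and kept off the inside subnet, whether permit-pptp is set, and the two hygiene items in the reply (conduits, default SNMP community). The config text is a constructed excerpt of Stefan's posted config with the same values; the regexes and messages are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread (same values, shortened).
PIX_CONFIG = """\
access-list nat_zero permit ip 172.25.40.0 255.255.255.0 192.168.123.0 255.255.255.0
ip address inside 172.25.40.10 255.255.255.0
ip local pool pptp-pool 192.168.123.1-192.168.123.50
nat (inside) 0 access-list nat_zero
conduit permit icmp any any
snmp-server community public
sysopt connection permit-pptp
vpdn group 1 client configuration address local pptp-pool
"""

def audit_pptp_config(config: str) -> list[str]:
    """Return findings for the PPTP-reachability checks raised in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for ln in lines if (m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", ln))}
    pool_name = next((m[1] for ln in lines
                      if (m := re.match(r"vpdn group \d+ client configuration address local (\S+)", ln))), None)
    if pool_name not in pools:
        findings.append("vpdn group references a pool that is not defined")
        return findings
    lo, hi = pools[pool_name]
    # Inside -> pool traffic must be NAT-exempt (nat 0), or replies get PAT'd and never reach the client.
    exempt = [m[1] for ln in lines if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", ln))]
    rules = [ln for ln in lines if any(ln.startswith(f"access-list {a} permit ip ") for a in exempt)]
    covered = False
    for rule in rules:
        dst_ip, dst_mask = rule.split()[-2:]          # last two tokens: destination net and mask
        dst = ipaddress.ip_network(f"{dst_ip}/{dst_mask}", strict=False)
        covered |= lo in dst and hi in dst
    if not covered:
        findings.append(f"pool {pool_name} is not covered by a nat 0 ACL destination")
    # A pool inside the LAN range makes the PIX route replies out the inside interface, not the tunnel.
    inside = next((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False) for ln in lines
                   if (m := re.match(r"ip address inside (\S+) (\S+)", ln))), None)
    if inside and (lo in inside or hi in inside):
        findings.append(f"pool {pool_name} overlaps inside subnet {inside}")
    if not any(ln == "sysopt connection permit-pptp" for ln in lines):
        findings.append("sysopt connection permit-pptp missing: PPTP traffic is subject to interface ACLs")
    # Hygiene points the reply also raises: conduits are deprecated; 'public' is a default community.
    if any(ln.startswith("conduit ") for ln in lines):
        findings.append("conduit statements are deprecated in favour of access-lists")
    if any(ln == "snmp-server community public" for ln in lines):
        findings.append("SNMP community 'public' is a well-known default")
    return findings
```

On the posted values the NAT-exemption and pool checks pass, so only the two hygiene findings come back, which matches the reply: nothing in the PIX side explains the symptom, and the client routing and GRE questions are the next things to check.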
