mixing pix-to-pix vpn and pptp-dial-in-vpn on pix501

Discussion in 'Cisco' started by Tom, Nov 16, 2004.

  1. Tom

    Tom Guest

    Hi NG,

    Is it basically possible to mix pix-to-pix IPsec VPN and
    PPTP dial-in VPN?
    I ran into some trouble with my config after connecting a branch office.
     
    Tom, Nov 16, 2004
    #1

  2. :is it basically possible to mix pix-to-pix ipsec vpn and
    :pptp-dial-in-vpn?
    :i run into some troubles with my config after connecting a branch office.

    It should be possible. Tell us more about your configuration and the
    problems you are encountering?
     
    Walter Roberson, Nov 16, 2004
    #2

  3. Tom

    Tom Guest

    Thank you Walter,
    the problem is that the PIX doesn't pass the packets through the
    PPTP dial-in tunnel; it logs the message "rec'd packet is not an IPsec
    packet".
    This is clear to me because:
    *) I can only bind one access-list to the "nat 0" statement
    *) so I have to put the addresses for the dial-in clients and the
    IPsec tunnel in one access-list
    *) but for the PIX this access-list is "linked" to the crypto map, so
    the PIX handles only IPsec traffic.

    I don't know how to handle this.
    Here goes my config (IPs cleared out, statics and access-lists
    shrunk):

    pix1(config)# wr te
    Building configuration...
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ZijiPTxiw8a3tA6R encrypted
    passwd 1EgFjE4cZDhur5Yg encrypted
    hostname pix1
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    object-group network sysadmins
    access-list inside-in permit tcp 192.168.10.0 255.255.255.0 any eq ssh
    access-list inside-in permit tcp 192.168.10.0 255.255.255.0 any eq www
    access-list inside-in permit tcp 192.168.10.0 255.255.255.0 host potato eq 3306
    access-list inside-in deny ip any any
    access-list outside-in permit tcp object-group sysadmins host XXXXXXXXX eq 3389
    access-list outside-in deny ip any any

    access-list vpn permit ip any 192.168.10.192 255.255.255.224
    access-list vpn permit ip 192.168.10.192 255.255.255.224 any
    --> PPTP dial-in clients
    access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    --> Branch Office

    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XXX.XXX.XXX 255.255.255.248
    ip address inside 192.168.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn-pool 192.168.10.201-192.168.10.210
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp XXX.XXX.XXX.XXX smtp mail smtp netmask 255.255.255.255 0 0
    access-group outside-in in interface outside
    access-group inside-in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 192.168.10.13 XXXXX timeout 5
    aaa-server PPTP-VPDN-GROUP protocol radius
    aaa-server PPTP-VPDN-GROUP (inside) host 192.168.10.13 XXXX timeout 10
    snmp-server host outside potato poll
    snmp-server contact XXXXXXXXXXXXXxx
    snmp-server community XXXXXXXXXXXXXXXXXX
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set apolloset esp-des esp-sha-hmac
    crypto map apollomap 10 ipsec-isakmp
    crypto map apollomap 10 match address vpn
    crypto map apollomap 10 set XXXXXXXXX
    crypto map apollomap 10 set transform-set apolloset
    crypto map apollomap interface outside
    isakmp enable outside
    isakmp key ******** address XXXXXXXXX netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 2400
    telnet timeout 5
    ssh XXXXXXXXX 255.255.255.255 outside
    ssh XXXXXXXXX 255.255.255.255 outside
    ssh XXXXXXXXX 255.255.255.255 outside
    ssh XXXXXXXXX 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
    vpdn group PPTP-VPDN-GROUP client configuration address local vpn-pool
    vpdn group PPTP-VPDN-GROUP client configuration dns srv1 srv2
    vpdn group PPTP-VPDN-GROUP client authentication aaa PPTP-VPDN-GROUP
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn enable outside
    terminal width 80
    Cryptochecksum:d90625f0b8179140805ed290e6c333db
    : end
    [OK]
    pix1(config)#
     
    Tom, Nov 17, 2004
    #3
  4. PES

    PES Guest

    The above line is technically unnecessary due to the architecture of the
    pix. Someone may have put it in there just so they could see it, but it
    does make administering the pix more difficult.
    The above line is technically unnecessary due to the architecture of the
    pix. Someone may have put it in there just so they could see it, but it
    does make administering the pix more difficult.
    The above line is bad form. You should not use the keyword any in any
    acl that is used as a crypto acl.
    What is the above line for? It is specified and bound to a crypto acl
    and nonat acl.
    The above line is correct, however, it should be the only line in
    access-list vpn
    You should not use your crypto acl as a nonat acl. In some cases, this
    can cause unexpected results due to the way the asa modifies the acl
    internally.


    Personally, I would do a routed subnet on the pptp. However, sharing
    the range with the inside may work as well.


    Here are my recommendations in how I would do it.

    Clear your current vpn-pool address pool.

    no ip local pool vpn-pool
    ip local pool vpn-pool 192.168.9.1-192.168.9.254

    Clear your crypto acl vpn and recreate it with only the following line.

    no access-list vpn
    access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

    Create a nonat acl
    access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 192.168.9.0 255.255.255.0 192.168.1.0 255.255.255.0

    Bind it to nat 0
    nat (inside) 0 access-list nonat
     
    PES, Nov 17, 2004
    #4
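    The three problems PES points out in Tom's config (the crypto ACL bound to nat 0, `any` inside a crypto ACL, and a PPTP pool carved out of the inside subnet) are all visible in the text of a saved configuration, so they can be caught before the box is reloaded. The following script is an added example, not code from this thread or from Cisco: it is a small lint over PIX 6.x style lines that parses only the `access-list`, `nat (...) 0`, `crypto map ... match address`, `ip address inside` and `ip local pool` statements and reports those three conditions. The two embedded configs are constructed: the first is reduced from Tom's posted config, the second applies PES's recommended changes. The pool-overlap check encodes PES's preference for a routed PPTP subnet; he notes that sharing the inside range may also work, so treat that finding as a warning rather than an error.

    ```python
    """Lint a PIX 6.x config for the crypto-ACL / nat 0 mix-up discussed in the thread."""
    import ipaddress
    import re
    from typing import Dict, List, Optional, Tuple

    # Constructed sample: the relevant lines of the posted config, reduced to what
    # the checks need (this is not a complete PIX configuration).
    SAMPLE_CONFIG = """\
    access-list vpn permit ip any 192.168.10.192 255.255.255.224
    access-list vpn permit ip 192.168.10.192 255.255.255.224 any
    access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip local pool vpn-pool 192.168.10.201-192.168.10.210
    nat (inside) 0 access-list vpn
    crypto map apollomap 10 match address vpn
    """

    # Constructed sample: the same lines after applying PES's recommendations.
    FIXED_CONFIG = """\
    access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 192.168.9.0 255.255.255.0 192.168.1.0 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip local pool vpn-pool 192.168.9.1-192.168.9.254
    nat (inside) 0 access-list nonat
    crypto map apollomap 10 match address vpn
    """

    # Only the statement shapes the lint cares about; everything else is ignored.
    ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
    NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
    CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
    INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$")
    POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


    def lint_pix_config(text: str) -> List[str]:
        """Return one finding string per problem; an empty list means clean."""
        acls: Dict[str, List[str]] = {}
        nat0_acls: List[str] = []
        crypto_acls: List[str] = []
        inside_net: Optional[ipaddress.IPv4Network] = None
        pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}

        for raw in text.splitlines():
            line = raw.strip()
            if m := ACL_RE.match(line):
                acls.setdefault(m.group(1), []).append(m.group(2))
            elif m := NAT0_RE.match(line):
                nat0_acls.append(m.group(2))
            elif m := CRYPTO_RE.match(line):
                crypto_acls.append(m.group(1))
            elif m := INSIDE_RE.match(line):
                # Interface address plus mask -> the inside subnet.
                inside_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif m := POOL_RE.match(line):
                pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                    ipaddress.ip_address(m.group(3)))

        findings: List[str] = []
        for name in crypto_acls:
            # 1. The crypto ACL must not double as the nat 0 (nonat) ACL.
            if name in nat0_acls:
                findings.append(f"acl {name}: used both as crypto ACL and as nat 0 ACL")
            # 2. A crypto ACL should name concrete subnets, never 'any'.
            for entry in acls.get(name, []):
                if re.search(r"\bany\b", entry):
                    findings.append(f"acl {name}: 'any' in crypto ACL entry '{entry}'")
        # 3. Warn when a dial-in pool is taken out of the inside interface subnet.
        if inside_net is not None:
            for pool, (lo, hi) in pools.items():
                if lo in inside_net or hi in inside_net:
                    findings.append(f"pool {pool}: range {lo}-{hi} overlaps inside subnet {inside_net}")
        return findings


    if __name__ == "__main__":
        for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
            print(f"== {label} config ==")
            for finding in lint_pix_config(cfg) or ["no findings"]:
                print("  " + finding)
    ```

    Run against the posted lines it reports four findings (the shared ACL, the two `any` entries and the overlapping pool); against the fixed lines it reports none. The regexes match only the exact statement forms used here, so a config that spells these commands differently (for example `nat (inside) 0 access-list vpn outside`) would need the patterns widened.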
  5. Tom

    Tom Guest

    Hello Paul,

    your explanation pointed me to my problem.
    I've read many sample configs from Cisco, but the nat 0 ACL and crypto ACL
    were always the same in the samples.

    But you told me to split off the ACL and make one for the nat 0 and one for
    the crypto.
    I just corrected my config and it works now.

    Big thanks & regards,
    Thomas
     
    Tom, Nov 17, 2004
    #5