PIX501 lan-to-lan and PPTP

Discussion in 'Cisco' started by Remco Bressers, Jan 22, 2004.

  1. Help!

    I am having problems with LAN-to-LAN and PPTP at the same time on a
    PIX501 (6.3).
    LAN-to-LAN works perfectly with these settings, but with PPTP I am having
    a big problem. I can connect with my MS VPN client to the PIX. I receive
    an IP address from the PIX, but I cannot do anything on the LAN.

    Can anybody put me in the right direction?

    Here's some output (only the interesting parts):

    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    ip address outside 217.21.246.225 255.255.255.252
    ip address inside 10.0.0.254 255.255.255.0
    ip local pool pptp-pool 10.0.0.220-10.0.0.230
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 access-list pptp 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 217.21.246.226 1
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 217.21.246.229
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 217.21.246.229 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 128 required
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username test password *********
    vpdn enable outside
     
    Remco Bressers, Jan 22, 2004
    #1

  2. Rik Bain (Guest), replying to Remco Bressers:


    You need to add a line to your nat 0 access-list for the PPTP clients'
    address pool so that the traffic will bypass NAT.

    Example:
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

    Rik Bain
     
    Rik Bain, Jan 22, 2004
    #2
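    The point of the reply is that on the PIX the `nat (inside) 0 access-list` ACL decides which LAN traffic skips translation, and in the posted config that ACL only names the 192.168.12.0/24 LAN-to-LAN peer, so replies from the LAN to a PPTP client at 10.0.0.220-10.0.0.230 are NATed and never reach the client. The following script is an added example, not code from this thread or from Cisco: it parses only the command forms quoted above (access-list permit/deny ip, ip address, ip local pool, nat ... 0 access-list), reconstructs the inside LAN from the interface address, and reports every pool address that LAN traffic would not reach NAT-exempt. The two sample configs are constructed from the thread's own lines; the ACE added to the second one is the one Rik Bain suggests.

```python
"""Check whether a PIX 6.x nat 0 ACL exempts a VPN client address pool from NAT.

Added example, not the thread's or Cisco's code. Parses only the command
forms the thread shows; the sample configs below are built from its lines.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
IFACE_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s+(\S+)$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def _net(addr, mask):
    # PIX writes address/netmask pairs; strict=False tolerates host bits set
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, ifaces, pools, nat0) dicts built from the relevant lines."""
    acls, ifaces, pools, nat0 = {}, {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, action, sa, sm, da, dm = m.groups()
            # keep ACEs in order: the PIX evaluates an ACL first-match
            acls.setdefault(name, []).append((action, _net(sa, sm), _net(da, dm)))
        elif m := IFACE_RE.match(line):
            name, addr, mask = m.groups()
            ifaces[name] = _net(addr, mask)
        elif m := POOL_RE.match(line):
            name, lo, hi = m.groups()
            pools[name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            nat0[iface] = acl
    return acls, ifaces, pools, nat0


def _exempt(aces, lan, addr):
    """First-match verdict for LAN -> addr; exemption needs a permit ACE."""
    for action, src, dst in aces:
        if lan.subnet_of(src) and addr in dst:
            return action == "permit"
    return False  # no ACE matched, so the traffic falls through to nat 1/2


def audit_config(text, iface="inside"):
    """Map each pool name to the addresses the nat 0 ACL on `iface` leaves NATed."""
    acls, ifaces, pools, nat0 = parse_config(text)
    lan = ifaces[iface]
    aces = acls.get(nat0.get(iface, ""), [])
    report = {}
    for name, (lo, hi) in pools.items():
        for n in range(int(lo), int(hi) + 1):
            addr = ipaddress.ip_address(n)
            if not _exempt(aces, lan, addr):
                report.setdefault(name, []).append(str(addr))
    return report


# Constructed from the lines quoted in the thread (wrapped lines joined)
BROKEN_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside 217.21.246.225 255.255.255.252
ip address inside 10.0.0.254 255.255.255.0
ip local pool pptp-pool 10.0.0.220-10.0.0.230
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list pptp 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

# The same config plus the ACE suggested in the reply
FIXED_CONFIG = BROKEN_CONFIG + (
    "access-list inside_outbound_nat0_acl permit ip "
    "10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0\n"
)

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("with fix", FIXED_CONFIG)):
        missing = audit_config(cfg)
        print(label, "->", missing or "all pool addresses are NAT-exempt")
```

    Run as-is, the first pass lists all eleven pool addresses as still NATed and the second lists none. Because the check walks the ACL in order and stops at the first ACE that matches the LAN-to-client flow, it also flags a deny ACE placed ahead of the permit, which the eye tends to miss when reading a long nat 0 list.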


  3. Oh my, oh my... I am feeling VERY stupid at the moment :)

    Thanks a million!

    Remco
     
    Remco Bressers, Jan 22, 2004
    #3