PIX501 lan-to-lan and PPTP

Discussion in 'Cisco' started by Remco Bressers, Jan 22, 2004.

  1. Remco Bressers

    Remco Bressers Guest

    Help!

    I am having problems with LAN-to-LAN and PPTP at the same time on a
    PIX501 (6.3).
    LAN-to-LAN works perfect with these settings, but with PPTP i am having
    a big problem. I can connect with my MS VPN client to the PIX. I receive
    an IP address from the PIX, but i cannot do anything on the LAN.

    Can anybody put me in the right direction?

    Here's some output (only the interesting parts) :

    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0
    192.168.12.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0
    192.168.12.0 255.255.255.0
    access-list pptp permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    ip address outside 217.21.246.225 255.255.255.252
    ip address inside 10.0.0.254 255.255.255.0
    ip local pool pptp-pool 10.0.0.220-10.0.0.230
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 access-list pptp 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask
    255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask
    255.255.255.255 0 0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 217.21.246.226 1
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 217.21.246.229
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 217.21.246.229 netmask 255.255.255.255
    no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 128 required
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username test password *********
    vpdn enable outside
     
    Remco Bressers, Jan 22, 2004
    #1

    1. Advertisements

  2. Remco Bressers

    Rik Bain Guest


    You need to add a line to your nat 0 access-list for the pptp clients
    address pool so that the traffic will bypass NAT.

    Example:
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0





    Rik Bain
     
    Rik Bain, Jan 22, 2004
    #2

    1. Advertisements

  3. Remco Bressers

    Remco Bressers Guest


    Oh my oh my,.. i am feeling VERY stupid at the moment :)..

    Thanks a million!

    Remco
     
    Remco Bressers, Jan 22, 2004
    #3

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. PIX501 and Squid

  2. Beginner's question about PIX501 and access-lists

  3. PIX501 and static

  4. PIX501 and VPN Client 4.0 config problem

  5. mixing pix-to-pix vpn and pptp-dial-in-vpn on pix501

  6. Pix PPTP - access to LAN and DMZ

  7. Absurd PPTP problems: PPTP out no longer works.

  8. Strange Lan to Lan problem(pix501/vpn3000)

Loading...