PIX501 lan-to-lan and PPTP

Discussion in 'Cisco' started by Remco Bressers, Jan 22, 2004.

  1. Help!

    I am having problems with LAN-to-LAN and PPTP at the same time on a
    PIX501 (6.3).
    LAN-to-LAN works perfectly with these settings, but with PPTP I am having
    a big problem. I can connect with my MS VPN client to the PIX. I receive
    an IP address from the PIX, but I cannot do anything on the LAN.

    Can anybody put me in the right direction?

    Here's some output (only the interesting parts):

    access-list inside_outbound_nat0_acl permit ip
    access-list outside_cryptomap_20 permit ip
    access-list pptp permit ip
    ip address outside
    ip address inside
    ip local pool pptp-pool
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 2 access-list pptp 0 0
    nat (inside) 1 0 0
    static (inside,outside) tcp interface smtp smtp netmask 0 0
    static (inside,outside) tcp interface pop3 pop3 netmask 0 0
    access-group inbound in interface outside
    route outside 1
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address netmask no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 128 required
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username test password *********
    vpdn enable outside
    Remco Bressers, Jan 22, 2004

  2. Remco Bressers

    Rik Bain Guest

    You need to add a line to your nat 0 access-list for the PPTP clients'
    address pool so that the traffic will bypass NAT.

    access-list inside_outbound_nat0_acl permit ip

    Rik Bain
    Rik Bain, Jan 22, 2004
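
The fix in the reply above, as an added check that is not part of the original thread: this Python sketch reads a PIX 6.3 style configuration and reports any VPDN client pool whose range is not a destination in the `nat 0` access-list. The sample configuration and every address in it are constructed for illustration, and `uncovered_pools` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample in PIX 6.3 syntax; all addresses are made up for this example.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
ip local pool pptp-pool 192.168.50.1-192.168.50.50
nat (inside) 0 access-list inside_outbound_nat0_acl
vpdn group 1 client configuration address local pptp-pool
"""

def _take_net(tokens):
    """Consume one PIX address spec (any | host A | NET MASK) from a token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def uncovered_pools(config):
    """Return names of VPDN client pools that no nat 0 ACL entry exempts from NAT."""
    pools, acls, nat0, used = {}, {}, set(), set()
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            first, _, last = t[4].partition("-")
            pools[t[3]] = (ipaddress.ip_address(first),
                           ipaddress.ip_address(last or first))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            try:
                _take_net(rest)  # source side; this check only looks at destinations
                acls.setdefault(t[1], []).append(_take_net(rest))
            except (IndexError, ValueError):
                continue  # redacted or malformed entry: nothing to compare against
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) >= 5:
            nat0.add(t[4])
        elif (t[:2] == ["vpdn", "group"] and len(t) >= 8
              and t[3:7] == ["client", "configuration", "address", "local"]):
            used.add(t[7])
    exempt = [net for name in nat0 for net in acls.get(name, [])]
    return sorted(
        name for name in used & pools.keys()
        if not any(pools[name][0] in n and pools[name][1] in n for n in exempt)
    )

if __name__ == "__main__":
    print(uncovered_pools(SAMPLE_CONFIG))
```
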

  3. Oh my oh my... I am feeling VERY stupid at the moment :)

    Thanks a million!

    Remco Bressers, Jan 22, 2004