PPTP Client Can't access other internal Subnets when connecting to PIX

Discussion in 'Cisco' started by Scott Townsend, Sep 23, 2004.

  1. I have a PIX setup to accept PPTP and IPSec connections.

    The PIX is on 10.1.x.x network.
    I have other 10.Y.x.x networks that I would like the PPTP clients to
    have access to.

    I believe my IPSec clients do not have any issues with connecting to
    the other remote Subnets...

    Here are the relevant (I believe) sections of the config.

    Any Help would be appreciated.

    Thanks,
    Scott<-
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.255.0
    access-list inside_nat permit ip 10.201.0.0 255.255.0.0 10.201.0.0 255.255.0.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 10.11.0.0 255.255.255.0
    access-list inside_nat permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
    access-list 110 permit ip 10.0.0.0 255.0.0.0 10.200.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.0.0.0 10.201.0.0 255.255.0.0
    access-list 110 permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0

    ip local pool ipsecpool 10.200.0.1-10.200.1.254
    ip local pool remoteVPN 10.201.0.1-10.201.0.254

    nat (inside) 0 access-list inside_nat
    nat (inside) 1 10.0.0.0 255.0.0.0 0 0

    route outside 0.0.0.0 0.0.0.0 204.145.245.15 2
    route outside 0.0.0.0 0.0.0.0 204.145.245.2 10
    route inside 10.2.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.3.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.4.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.5.0.0 255.255.0.0 10.1.0.1 1
    route inside 10.10.0.0 255.255.0.0 10.1.0.3 1
    route outside 10.200.0.0 255.255.0.0 204.145.245.15 2
    route outside 10.200.0.0 255.255.0.0 204.145.245.2 10
    route outside 10.201.0.0 255.255.255.0 204.145.245.15 2
    route outside 10.201.0.0 255.255.255.0 204.145.245.2 10
    route inside 10.254.0.0 255.255.0.0 10.1.0.1 1

    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP ppp authentication mschap
    vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
    vpdn group PPTP-VPDN-GROUP client configuration address local remoteVPN
    vpdn group PPTP-VPDN-GROUP client configuration dns Server-AD3_i
    vpdn group PPTP-VPDN-GROUP client configuration wins Server-AD3_i
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
     
    Scott Townsend, Sep 23, 2004
    #1

  2. Scott Townsend

    PES Guest

    The client may be getting 10.201.x.x with a 255.0.0.0 mask. If so, it may
    not realize the need to go through next hop to get to other addresses. I
    think there is a newer version of PIX OS that permits the subnet mask in the
    ip pool command and resolves this issue. Also, make sure your PPTP client
    is set to use default gw on remote network.
     
    PES, Sep 23, 2004
    #2
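The condition described in the reply above, worked through on the pool and inside routes from the posted config, as an added example that is not part of either post: it lists which inside networks a pool address would treat as directly attached under the classful 255.0.0.0 mask versus an explicit mask. The 24-bit explicit mask is an assumption chosen to match the remoteVPN pool range, the function names are hypothetical, and the embedded config is a subset of the posted lines.

```python
import ipaddress
import re

# Subset of the configuration lines posted in the thread.
CONFIG = """\
ip local pool remoteVPN 10.201.0.1-10.201.0.254
route inside 10.2.0.0 255.255.0.0 10.1.0.1 1
route inside 10.10.0.0 255.255.0.0 10.1.0.3 1
route inside 10.254.0.0 255.255.0.0 10.1.0.1 1
"""

def classful_prefix(addr):
    """Prefix length implied by classful (A/B/C) rules for a unicast address."""
    first = int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr} is not a class A/B/C address")

def parse(config):
    """Return ({pool_name: first_pool_address}, [inside route networks])."""
    pools, routes = {}, []
    for line in config.splitlines():
        m = re.match(r"ip local pool (\S+) (\S+?)-(\S+)$", line.strip())
        if m:
            pools[m.group(1)] = ipaddress.IPv4Address(m.group(2))
        m = re.match(r"route inside (\S+) (\S+) \S+ \d+$", line.strip())
        if m:
            routes.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
    return pools, routes

def on_link(client, prefix, routes):
    """Inside networks the client considers directly attached under this mask."""
    local = ipaddress.IPv4Network(f"{client}/{prefix}", strict=False)
    return [str(r) for r in routes if r.subnet_of(local)]

def report(config, pool, explicit_prefix=24):  # explicit_prefix: assumed /24
    pools, routes = parse(config)
    client = pools[pool]
    return {
        "classful": on_link(client, classful_prefix(client), routes),
        "explicit": on_link(client, explicit_prefix, routes),
    }

if __name__ == "__main__":
    print(report(CONFIG, "remoteVPN"))
```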