VPN terminates on PIX 501... but I cannot access Windows 2000 VPN server

Discussion in 'Cisco' started by Warren Turner, Jan 9, 2004.

  1. First of all, let me say that you guys have really helped me out a lot so
    far, and thanks. But I have a really big problem and my job depends on it.

    I want to configure an MS VPN client through a Cisco PIX firewall and
    either have it terminate on the PIX and access my local net through my
    Windows 2000 VPN server, or have the users terminate on the Win2k VPN
    server. Either way would be great.

    I have already configured the PIX and VPN; it works internally and it
    terminates on the PIX, but it just won't pass through and access the
    LAN. I have enabled both port 47 and TCP protocol 1723.

    vpn client----->-----pix------windows 2003 vpn server
    10.48.66.48
    209.165.201.25 (outside)209.165.201.1
    (inside)10.48.66.47

    I have read all the Cisco technical papers, and even a few from
    Microsoft. Can anybody please help me? I am totally lost. Here is
    the PIX configuration that I am currently using in my test lab.

    Thank you in advance.

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name pixfirewall
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    no names
    name 10.48.66.106 vpn-server
    access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
    access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq pptp
    access-list acl-out permit gre host 10.48.66.106 host 10.48.66.2
    access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 47
    access-list acl-out permit tcp host 209.165.201.0 host 209.165.201.0 eq 47
    access-list 80 permit ip host 209.165.201.25 host 209.165.201.5
    access-list 101 permit tcp any host 209.165.201.5 eq www
    access-list 101 permit gre any host 209.165.201.5
    access-list 101 permit gre host 209.165.201.25 host 209.165.201.5
    access-list 101 permit ip 10.48.66.0 255.255.255.0 209.165.201.0 255.255.255.0
    access-list 102 permit ip any 0.0.0.47 10.48.66.47
    access-list 103 permit gre host 10.48.66.47 host 209.165.201.1
    access-list 100 permit gre any host 10.48.66.47
    access-list 100 permit gre any host 10.48.66.106
    access-list 100 permit tcp any host 10.48.66.106
    access-list 100 permit tcp any host 10.48.66.47
    access-list 100 permit tcp any host 10.48.66.106 eq 47
    access-list 100 permit tcp any host 10.48.66.47 eq 47
    access-list 90 permit ip host 10.48.66.106 any
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.165.201.1 255.255.255.224
    ip address inside 10.48.66.47 255.255.254.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 209.165.201.6-209.165.201.10
    pdm history enable
    arp timeout 14400
    nat (outside) 0 access-list 100
    nat (outside) 0 access-list 101 outside
    nat (inside) 0 access-list 101 outside
    nat (inside) 0 0.0.0.0 255.0.0.0 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (inside) 0 10.48.66.0 255.255.255.255 outside 0 0
    nat (inside) 1 10.48.66.47 255.255.255.255 outside 0 0
    nat (inside) 0 10.48.66.48 255.255.255.255 outside 0 0
    nat (inside) 1 10.48.66.106 255.255.255.255 outside 0 0
    nat (inside) 1 10.48.66.0 255.255.255.0 outside 0 0
    nat (inside) 1 10.0.0.0 255.0.0.0 outside 0 0
    static (inside,outside) 209.165.201.1 10.48.66.106 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    access-group 101 in interface inside
    conduit permit icmp any any
    conduit permit gre any any
    conduit permit gre host 201.165.201.1 any
    conduit permit tcp host 201.165.201.1 eq pptp any
    route outside 0.0.0.0 0.0.0.0 10.48.66.106 1
    route outside 209.165.201.0 255.255.255.255 10.48.66.48 0
    route inside 209.165.201.0 255.255.255.0 209.165.201.1 1
    route inside 209.165.201.7 255.255.255.255 10.48.66.48 0
    route outside 209.165.201.8 255.255.255.255 10.48.66.48 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    no floodguard enable
    sysopt connection permit-pptp
    vpngroup test dns-server 10.48.66.106
    vpngroup test default-domain nwtraders.com
    vpngroup test idle-time 1800
    vpngroup test device-pass-through
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 localname nwtraders.com
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe 128
    vpdn group 1 client configuration address local pptp-pool
    vpdn group 1 client configuration dns 10.48.66.48
    vpdn group 1 pptp echo 50
    vpdn group 1 client authentication local
    vpdn username test password *********
    vpdn username wturner password *********
    vpdn enable outside
    vpdn enable inside
    vpnclient server 10.48.66.48
    vpnclient mode client-mode
    vpnclient username wturner password ********
    terminal width 80
    Cryptochecksum:72a9c46aa94c1dc9ae56ce6679d5930f
    : end
     
    Warren Turner, Jan 9, 2004
    #1
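As an added, defender-side example (not the poster's code and not anything from Cisco): a small Python checker that parses PIX 6.3 style `access-list` entries and flags the two PPTP passthrough mistakes visible in the configuration above. The first is `permit tcp ... eq 47`: TCP port 47 is not GRE, since GRE is IP protocol 47 and on the PIX needs a `permit gre` entry. The second is a VPN server destination that is allowed only one of PPTP's two legs (GRE and TCP/1723) within an ACL, so the tunnel control channel comes up but the data channel is dropped, or the reverse. The sample configuration lines are constructed, modelled on the post; the function names, the minimal tokeniser and the exact-destination matching (an `any` entry is not expanded to cover a `host` entry) are assumptions of this example, not PIX behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the PIX 6.3 "access-list" syntax in the post
# above; it is not the poster's full configuration.
SAMPLE_CONFIG = """\
access-list acl-out permit gre host 209.165.201.25 host 209.165.201.5
access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq pptp
access-list acl-out permit tcp host 209.165.201.25 host 209.165.201.5 eq 47
access-list 100 permit tcp any host 10.48.66.106 eq 47
access-list 100 permit gre any host 10.48.66.106
access-list 101 permit gre any host 209.165.201.5
access-list 101 permit ip 10.48.66.0 255.255.255.0 209.165.201.0 255.255.255.0
"""

PPTP_CONTROL_PORTS = {"pptp", "1723"}  # PIX accepts the keyword or the number


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]  # value after "eq", if any


@dataclass
class Finding:
    line_no: int
    kind: str
    message: str


def _take_addr(toks, i):
    """Consume one address spec ("any", "host A", or "A MASK") starting at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended access-list entry; return None for any other line."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        return None
    try:
        src, i = _take_addr(toks, 4)
        dst, i = _take_addr(toks, i)
    except IndexError:  # truncated entry, e.g. "host" with no address
        return None
    port = toks[i + 1] if i + 1 < len(toks) and toks[i] == "eq" else None
    return Ace(toks[1], toks[2], toks[3], src, dst, port)


def lint_pptp(config_text: str) -> list:
    """Flag TCP 'port 47' used in place of GRE, and PPTP targets that are
    permitted only one of the two legs (GRE, TCP/1723) inside one ACL."""
    findings = []
    gre_by_target = {}  # (acl, dst) -> first line permitting GRE to dst
    ctl_by_target = {}  # (acl, dst) -> first line permitting TCP/1723 to dst
    for n, raw in enumerate(config_text.splitlines(), start=1):
        ace = parse_ace(raw)
        if ace is None or ace.action != "permit":
            continue
        if ace.proto == "tcp" and ace.port == "47":
            findings.append(Finding(n, "tcp-port-47",
                "TCP port 47 is not GRE; GRE is IP protocol 47 and needs 'permit gre'"))
            continue
        if ace.proto == "gre":
            gre_by_target.setdefault((ace.acl, ace.dst), n)
        elif ace.proto == "tcp" and ace.port in PPTP_CONTROL_PORTS:
            ctl_by_target.setdefault((ace.acl, ace.dst), n)
    # Exact-token match only: an "any" destination is not expanded to cover hosts.
    for key, n in ctl_by_target.items():
        if key not in gre_by_target:
            findings.append(Finding(n, "pptp-missing-gre",
                f"ACL {key[0]}: TCP/1723 to {key[1]} permitted but no GRE entry for it"))
    for key, n in gre_by_target.items():
        if key not in ctl_by_target:
            findings.append(Finding(n, "pptp-missing-tcp1723",
                f"ACL {key[0]}: GRE to {key[1]} permitted but no TCP/1723 entry for it"))
    return findings


if __name__ == "__main__":
    for f in lint_pptp(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.kind}] {f.message}")
```

Run against the constructed sample, the checker reports the two `eq 47` entries (lines 3 and 4) and the two GRE-only targets in ACLs 100 and 101 (lines 5 and 6); the `acl-out` pair on lines 1 and 2 is complete and produces nothing. On a real PIX a `show access-list` dump can be fed in unchanged, since the parser ignores any line that is not an extended ACL entry.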
