Need help on Pix Urgent

Hi forgoted to leave the config here is the config plz let me know wut shud i do, also my pdm has stoped working and giving me error.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password RgJtt01a0tCQUeNg encrypted
passwd RgJtt01a0tCQUeNg encrypted
hostname pixfirewall
domain-name lotusexim.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 208.210.221.70 manager
name 192.168.10.100 LOTUSFAX
name 192.168.10.99 IBMMAIN
name 192.168.10.98 LOTUS-CITRIX
name 192.168.10.23 rankit
name 192.168.10.101 ibmsql
access-list inside_access_in permit tcp any any
access-list 101 permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 200 permit icmp any any echo-reply
access-list 200 permit icmp any any unreachable
access-list 200 permit icmp any any time-exceeded
access-list 200 permit tcp any host 67.154.78.165 eq pcanywhere-data
access-list 200 permit udp any host 67.154.78.165 eq pcanywhere-status
access-list 200 permit tcp any host 67.154.78.164 eq pcanywhere-data
access-list 200 permit udp any host 67.154.78.164 eq pcanywhere-status
access-list 200 permit tcp host 203.101.126.81 host 67.154.78.171 eq citrix-ica
access-list 200 permit tcp any host 67.154.78.166 eq www
access-list 200 permit tcp any host 67.154.78.166 eq https
access-list 200 permit tcp any host 67.154.78.164 eq ftp
access-list 200 permit tcp any host 67.154.78.171 eq citrix-ica
access-list 200 permit tcp host 64.178.39.18 host 67.154.78.171
access-list 200 permit tcp any host 67.154.78.164 eq www
access-list 200 permit tcp any host 67.154.78.164 eq 3389
access-list 200 permit tcp any host 67.154.78.166 eq 5800
access-list 200 permit tcp any host 67.154.78.166 eq 5900
access-list 200 permit tcp any host 67.154.78.164 eq 8081
access-list 200 permit tcp any host 67.154.78.164 eq 5900
access-list 200 permit tcp any host 67.154.78.164 eq https
access-list 200 permit tcp any host 67.154.78.164 eq 8098
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 67.154.78.162 255.255.255.224
ip address inside 192.168.10.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.1.1.2-10.1.1.25
pdm location IBMMAIN 255.255.255.255 inside
pdm location LOTUSFAX 255.255.255.255 inside
pdm location rankit 255.255.255.255 inside
pdm location LOTUS-CITRIX 255.255.255.255 inside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 61.95.201.73 255.255.255.255 outside
pdm location 67.154.146.74 255.255.255.255 outside
pdm location 203.101.126.65 255.255.255.255 outside
pdm location 203.101.126.81 255.255.255.255 outside
pdm location 206.126.178.156 255.255.255.255 outside
pdm location 207.38.252.225 255.255.255.255 outside
pdm location manager 255.255.255.255 outside
pdm location 67.154.78.166 255.255.255.255 outside
pdm location 64.178.39.18 255.255.255.255 outside
pdm location ibmsql 255.255.255.255 inside
pdm location 10.1.1.2 255.255.255.255 inside
no pdm history enable
arp timeout 14400
global (outside) 1 67.154.78.168-67.154.78.177 netmask 255.255.255.224
global (outside) 1 67.154.78.178
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.0 10.1.1.25 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.154.78.165 LOTUSFAX netmask 255.255.255.255 0 0
static (inside,outside) 67.154.78.164 IBMMAIN netmask 255.255.255.255 0 0
static (inside,outside) 67.154.78.171 LOTUS-CITRIX netmask 255.255.255.255 0 0
static (inside,outside) 67.154.78.166 ibmsql netmask 255.255.255.255 0 0
access-group 200 in interface outside
route outside 0.0.0.0 0.0.0.0 67.154.78.161 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 206.126.178.156 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet manager 255.255.255.255 outside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh manager 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 209.216.241.10 216.99.225.31
vpdn group 1 client configuration wins IBMMAIN LOTUSFAX
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username perfectvpn password *********
vpdn username elegantvpn password *********
vpdn username gmkconsult password *********
vpdn username bestvpn password *********
vpdn username rankitt password *********
vpdn username lotusexim password *********
vpdn username rankit password *********
vpdn enable outside
terminal width 80

Hi photograffiti.. i tried doing that also but dint worked out with me.. can u suggest me looking at the pix config file and let me know if anything to be done in pix.. i really need to solve this asap. thanks for your quick reply

ya i want that all the clients who get connected thru vpn, their traffic for internet shud go thru vpn it self. Means they can also browse all the websites. as of now they can only access our internal user, so when they get connected to vpn they cannot access yahoo or hotmail. so i have pasted the configuration and let me know if i have to do something on pix , coz i m new in pix and dont have much knowledge about it. thanks for your help

so u mean to say nothing can be done in that case.. wut if we install proxy server in the win2k3 server and then give the proxy ip on the client's pc, will it work ?

Yes, that will work. The VPN traffic in that case will be flowing all the way through the PIX (to the proxy server) and then back out via the proxy server. If you don't care that all traffic should have to go through the VPN then you can do a split tunnel type of setup with web traffic going out their local connections from home/hotel.

so u mean in that the existing internal user's will not be affected while creating split tunnel for that. can u plz let me know who shud i configure split tunnel for the same. to be very frank, my existing manager left the organisation without any handover and i am not too techy in pix. and now its totaly on me and i m in soup. i really appreciate your help.

Sorry to hear about your situation. As for the split tunneling, what I originally posted should have worked. Your configuration looks fine and should work with that little tweak on the PC.
Also, I would suggest you contact an admin and have them remove the outside IP address from your config as well as any NAT addresses. You don't want to open yourself up to any hacking.

hi, can anyone tell me whether pix 6.2 version support split tunnel so that i can configure it on the same.

The PIX supports split-tunneling but only for the Cisco VPN client (IPSec). To get split-tunneling to work on the Microsoft PPTP client the changes have to all be done on the client side, not the PIX. One additional thing that might be needed on your client is to add a route manually. This isn't always needed but can help.
When you connect via the PPTP client you should get an IP address assigned to the new PPTP adapter. Find out what it is by going to the Command Prompt and typing 'ipconfig'. When you find out what IP address it is then type in the following - 'route add 10.1.1.0 mask 255.255.255.0 w.x.y.z' - where w.x.y.z is the IP address of your adapter. Note that you are pointing to your own IP address and not some other default gateway.
Let me know how it goes.

hi thanks a lot dude.. u really helping me.. from your comment, i understand that when i get the ip address 10.1.1.2 i have to go to pix and give the manual route, correct.

hi i tried adding route add command but no success on my computer , i mean i connected my laptop thru vpn pptp client and got the default gateway. and tried to add but still no sucess.. ? this is really driving me crazy.. i think i m going to die now :-)

Did you try to add or were you successful adding the route, but it still didn't help? Did you also uncheck the Use Default Gateway part that I mentioned in my original post? You're supposed to do both.

yes i tried to add the route successfully, but the problem is when i tried to uncheck the default gateway from the part mentioned it takes my internet thing. and over here in UAE some of the sites are blocked so i cannot access my company's website due to that, thats the only reason i want my traffic shud go thru U.S firewall. as we have some user's in dubai and over there we cannot access sites thru IP address. or some of the sites are banned as they are using content filtering thats the reason i want my traffic shud go from pix. or u.s proxy.

Well, we're back to my other post then. If you want split-tunneling then that's what you have right now. But since you don't want Internet traffic to go out your local connection then you DON'T want split tunneling. In that case you will have to get a proxy server or update your firewall because as it is right now that won't work.

ok so no other option except updating the firewall rite..

Well you can update the firewall or use the proxy option. And if you want to update the firewall you might or might not be able to depending on the hardware you have. If you have a PIX 501 or 506 then you are SOL. You need at least a PIX 515 to get to PIX 7.0 code.

ok dude can u tell me one thing.. i have terminal server installed on my server which works on https://ipaddress:8098 and in uae its blocked. with port. now i want to have a port translation or NAT thru which my user's in uae can access that thru default port. means. they just have to type the http://ipaddress can u suggest me what shud i do for the same. in the pix how will pix translate the port.