Is there any PPTP issues with the PIX 506E and is it a good solution
Posted on 2003-11-24
I want to make this as plan as possible. The company I work for does work for different agencies in the government. I have only been there 3 weeks. They want a VPN solution. Currently they have PIX 506E.
There are two seprate networks in house that share the same default gateway of 65.X.X.1. The in house network is 10.10.0.1 and my government network is 192.168.1.0. On the 192.168.1.0 side there are 23 public 65.X.X.1 web/development servers. The 192 network knows nothing about the 10 network and vice verser. The current 192 network is made up of the PIX 506E and 3com 4200 manageable switch (don't ask me why) The portion of the T1 I have comes in off the patch panel tied back to demarc area into FE0/0 on the firewall and the FE0/1 ties into the switch for the 192.168.1.0.
The corporate network is made up of Internet>T1>2621>Sonic Firewall>
The Government Network is made up of Corp T1>Patch Panel>PIX506e>3COM>users/servers
Here are the issues
1. If I attempt to ping any public address space (from any workstation on the 192.168.1.0)get no reply. I have ICMP wide open on the firewall coming and going. Cisco said that is because the traffic only has one way into the network and with a PIX the traffic can't come and go out the same interface. Any suggestions.
2. Is there any issues with the PIX 506E when it comes to VPN. I only need for 20 remote users to connect from the outside. Is there anything special I need to do. Is there a base document that shows me how to create this connection. I have researched and researched and everything I have tried from cisco dies on me using MS PPTP even using MS RADIUS server for authentication to 18.104.22.168 domain.
These are my results from the outside world trying to ping of my public address
Tracing route to host52.XXXXXXXXXX.com [65.X.X.52]
over a maximum of 30 hops:
1 20 ms 20 ms 20 ms
2 30 ms 30 ms 20 ms
3 20 ms 30 ms 20 ms
4 20 ms 30 ms 30 ms 22.214.171.124
5 20 ms 30 ms 20 ms dcx-edge-02.inet.qwest.net [126.96.36.199]
6 30 ms 21 ms 20 ms 188.8.131.52
7 230 ms 20 ms 20 ms dcp-brdr-01.inet.qwest.net [184.108.40.206]
8 31 ms 20 ms 20 ms 0.so-0-0-3.BR1.DCA5.ALTER.NET [220.127.116.11]
9 30 ms 20 ms 30 ms 0.so-0-3-0.XL2.DCA5.ALTER.NET [18.104.22.168]
10 30 ms 20 ms 20 ms 0.so-2-2-0.XL2.DCA8.ALTER.NET [22.214.171.124]
11 20 ms 20 ms 20 ms 188.at-6-0-0.XR2.TCO1.ALTER.NET [126.96.36.199]
12 30 ms 20 ms 30 ms 192.ATM7-0.GW7.TCO1.ALTER.NET
13 31 ms 30 ms 30 ms host1.XXXXXXX.com [65.X.X.1]
14 * * * Request timed out.
15 * * * Request timed out.
They all die at the corporate router. You never see the other side.
Any idea's from a true professional would truly help me out.
I hope I have provide enough info.