Solved

506E PPTP VPN - connected VPN clients can't ping or browse internal network

Posted on 2004-09-27 | 12 comments | 2,237 views | Last Modified: 2013-11-16
From what I've been reading, I think it has something to do with an access-list or something I'm missing.

The VPN client (MSCHAP PPTP) can connect and authenticate just fine. However, when connected, the client cannot browse or see any of our servers behind our PIX firewall. The client can browse the internet fine (I found the checkbox in the MS client config)... I'm sure this is pretty common. Below is my config.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password asdf encrypted
passwd asdf encrypted
hostname pix1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list out_in permit tcp any any
access-list out_in permit tcp any host 70.241.39.25 eq domain
access-list out_in permit udp any host 70.241.39.25 eq domain
access-list out_in permit tcp any host 70.241.39.25 eq www
access-list out_in permit tcp any host 70.241.39.10 eq www
access-list out_in permit tcp any host 70.241.39.30 eq smtp
access-list out_in permit tcp any host 70.241.39.30 eq 143
access-list out_in permit tcp any host 70.241.39.30 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq smtp
access-list out_in permit tcp any host 70.241.39.10 eq pop3
access-list out_in permit tcp any host 70.241.39.10 eq 143
access-list out_in permit tcp any host 70.241.39.47 eq www
access-list out_in permit icmp any any echo-reply
access-list out_in permit icmp any any unreachable
access-list out_in permit tcp any host 70.241.39.10 eq telnet
access-list out_in permit tcp any host 70.241.39.30 eq ftp
access-list out_in permit tcp any host 70.241.39.47 eq ftp
access-list out_in permit tcp any host 70.241.39.47 eq 22
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 70.241.39.3 255.255.255.0
ip address inside 10.8.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.8.1.230-10.8.1.250
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.8.1.107 70.241.39.10 255.255.255.255
alias (inside) 10.8.1.4 70.241.39.30 255.255.255.255
alias (inside) 10.8.1.12 70.241.39.47 255.255.255.255
static (inside,outside) 70.241.39.25 10.8.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.10 10.8.1.107 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.30 10.8.1.4 netmask 255.255.255.255 0 0
static (inside,outside) 70.241.39.47 10.8.1.12 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.241.39.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
no sysopt route dnat
telnet 10.8.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group group1 accept dialin pptp
vpdn group group1 ppp authentication mschap
vpdn group group1 ppp encryption mppe 40
vpdn group group1 client configuration address local mypool
vpdn group group1 pptp echo 60
vpdn group group1 client authentication local
vpdn username nick password asdf
vpdn enable outside
dhcpd address 10.8.1.100-10.8.1.150 inside
dhcpd dns 151.164.169.201 151.164.67.201
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 100
Question by: NickUA

12 Comments
Accepted Solution by lrmoore (LVL 79, earned 500 total points), ID: 12163541
Well, you are correct that you need an access-list of some sort. What you need is an acl that will exempt traffic between the local LAN and the VPN clients from the NAT process. Cisco PIX does this with nat "zero" and an acl.
Typically, an acl has a source subnet and a destination subnet. In your case, you have the VPN clients on the same subnet as the local LAN. This presents both a solution to one problem and the creation of another. You have seen the results. The result is that while you can browse the Internet, you cannot browse the remote LAN. The alternate solution provides for full access to the LAN, but stops you from browsing the internet while connected to the VPN (at least without manually adjusting your default gateway while keeping the box ticked "use default gateway on remote network").

Given
>ip local pool mypool 10.8.1.230-10.8.1.250
>ip address inside 10.8.1.1 255.255.255.0
You'll need to create an acl:
    access-list nat_zero permit ip 10.8.1.0 255.255.255.0 10.8.1.224 255.255.255.224
    nat (inside) 0 access-list nat_zero

Alternate using variable length subnet masks:
Use a mask-able subset of the 10.8.1.x subnet in your dhcp scope. i.e. change scope to:
     dhcpd address 10.8.1.12-10.8.1.126 inside  <== allows for 1-12 to be manually assigned
and the nat_zero acl looks a little better:
    access-list nat_zero permit ip 10.8.1.0 255.255.255.128 10.8.1.224 255.255.255.224
    nat (inside) 0 access-list nat_zero

Alternate #2: (breaks Internet access because the 'use default gateway on remote network' must be left checked)
Use a totally different subnet for the VPN users:
    ip local pool myvpnpool 192.168.123.1-192.168.123.51
    access-list nat_zero permit ip 10.8.1.0 255.255.255.0 192.168.123.0 255.255.255.0
    nat (inside) 0 access-list nat_zero

Author Comment by NickUA (LVL 1), ID: 12163608
lrmoore: which solution do you recommend? I'd like the VPN clients to be able to browse the internet and access our network.
Expert Comment by lrmoore (LVL 79), ID: 12163804
Try the middle solution where everyone appears to be on the same subnet, but the access-list actually makes sense using the variable length masks...

I haven't had the opportunity to test this out, but if it works, then this will be a valuable solution for many others. I typically recommend using a different subnet altogether, and the Cisco solution documents show it also. This almost always leads back to this scenario: OK, I can get to the LAN now, but can't get to the Internet at the same time...

It's really a matter of what you want clients to be able to do while connected to your network. Do you trust them not to be a conduit to the world? Most businesses go with the feeling that while you're connected to the company network, you are doing company business and only need access to company resources. If you want to check your Yahoo mail while reading that trade secret Excel spreadsheet, too bad.

Using the Cisco VPN client, you can control that behavior with "split-tunneling" and separate acls. Using a VPN client, a Radius server and individual ACLs, you can control it even further. Using the Cisco VPN client and a Cisco VPN concentrator, you get extremely fine control over what a user can/can't do, can enforce AV updates, and can enforce personal firewall rules (the VPN client comes with a built-in Zone Alarm client), and there is NOTHING a user can do about how you enforce the rules. Using the Microsoft PPTP client, you have NO control over the client getting around you. Checking/unchecking the "use default gateway" box, or unchecking it and adding a manual route entry, is child's play and there is nothing you can do about it.
Author Comment by NickUA (LVL 1), ID: 12163894
lrmoore: this is just for myself and a few other developers... not a business-wide solution. If I was doing this for anyone but myself and a couple of others, I wouldn't have even thought about PPTP... I'll let you know how this works out.

Thanks,
Nick
Author Comment by NickUA (LVL 1), ID: 12164210
> Alternate using variable length subnet masks:
> Use a mask-able subset of the 10.8.1.x subnet in your dhcp scope. i.e. change scope to:
>      dhcpd address 10.8.1.12-10.8.1.126 inside  <== allows for 1-12 to be manually assigned
> and the nat_zero acl looks a little better:
>     access-list nat_zero permit ip 10.8.1.0 255.255.255.128 10.8.1.224 255.255.255.224
>     nat (inside) 0 access-list nat_zero

lrmoore: I did the above, but I changed the dhcpd to 10.8.1.200-10.8.1.230 and I left the vpdn mypool at 10.8.1.230-10.8.1.250, and everything seems to work great. Myself and whoever can VPN using PPTP with that box unchecked and browse the web, ping our workstations, etc. The only thing we can't do is resolve internal Windows computer names, but I don't care about that. It probably has something to do with the fact that when I ping by name it goes out the cable modem connection rather than the VPN connection. Not a big deal. Do you see anything wrong with the changes I made, or where it might screw up and overlap other things?

Thanks,
Nick
Expert Comment by lrmoore (LVL 79), ID: 12164369
> - but I changed the dhcpd to 10.8.1.200-10.8.1.230
This range overlaps into the VPN client pool. That's why I suggested the lower range. If you only want 30 clients using DHCP, I suggest that you use 10.81.1.96-10.81.1.126

If you want name resolution, try adding:

  vpdn group group1 client configuration dns <ip address of internal DNS server>
  vpdn group group1 client configuration wins <ip address of internal WINS server>

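An added example (not part of the thread, and not a Cisco tool) that does by script what lrmoore does by hand in the accepted solution and in the overlap comment above: it finds the mask-able block that covers the VPN pool, emits the nat 0 exemption lines, and flags a DHCP scope that collides with the pool. Addresses are taken from the thread; the function names are my own, and the "clean" scope is read as 10.8.1.96-10.8.1.126 on the inside subnet.

```python
# Added example (not from the thread): check a PIX PPTP address plan the way
# the accepted solution does by hand, then flag the DHCP/pool overlap that
# bit Nick. Function names are hypothetical; addresses come from the thread.
import ipaddress


def covering_block(first, last):
    """Smallest CIDR block containing every address in first..last (inclusive)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    for prefix in range(32, -1, -1):  # widen the block until it reaches 'last'
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net


def ranges_overlap(a, b):
    """True if two inclusive (first, last) ranges share at least one address."""
    a0, a1 = map(ipaddress.IPv4Address, a)
    b0, b1 = map(ipaddress.IPv4Address, b)
    return a0 <= b1 and b0 <= a1


def nat_zero_config(lan, pool):
    """PIX 6.x lines that exempt LAN <-> VPN-client traffic from NAT."""
    lan_net = ipaddress.ip_network(lan)
    blk = covering_block(*pool)
    return [
        f"access-list nat_zero permit ip {lan_net.network_address} "
        f"{lan_net.netmask} {blk.network_address} {blk.netmask}",
        "nat (inside) 0 access-list nat_zero",
    ]


def plan_problems(lan, pool, dhcp):
    """Address-plan mistakes that break or muddle the nat 0 setup."""
    lan_net = ipaddress.ip_network(lan)
    blk = covering_block(*pool)
    problems = []
    if not blk.subnet_of(lan_net):
        problems.append(f"pool block {blk} is not inside the LAN {lan_net}")
    if ranges_overlap(pool, dhcp):
        problems.append("DHCP scope overlaps the VPN pool: one address can be "
                        "leased to a LAN host and handed to a VPN client")
    if ranges_overlap((str(blk[0]), str(blk[-1])), dhcp):
        problems.append(f"DHCP scope reaches into the ACL block {blk}")
    return problems
```

Running plan_problems("10.8.1.0/24", ("10.8.1.230", "10.8.1.250"), ("10.8.1.200", "10.8.1.230")) reports the collision from Nick's change, while the lower scope reports nothing.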
Author Comment by NickUA (LVL 1), ID: 12164509
Ack, I lost all communication with 10.8.1.107. Nothing inside can ping it; however, it can ping anything else and the internet?! It's like it's cut off from anything accessing it. What could be causing this?
Expert Comment by lrmoore (LVL 79), ID: 12164564
You didn't change the subnet mask on the inside interface, did you?
Did it get its new IP address from the new DHCP scope? If yes, just relax, go get a cup of coffee and try again. The ARP caches need time to time out.
Author Comment by NickUA (LVL 1), ID: 12164584
It's a statically configured Linux box... I don't know jack about Linux. How can I check its settings? It's at a command prompt.
Expert Comment by lrmoore (LVL 79), ID: 12164625
Boy, this is morphing into a real headache, no?

I think this might work for you:

prompt# /sbin/ifconfig
prompt# /sbin/route
Author Comment by NickUA (LVL 1), ID: 12165555
lrmoore, I owe ya one, buddy... you know your stuff. I'm golden on my end now. I'm learning along the way; that's what counts, right?

Thanks,
Nick
Expert Comment by lrmoore (LVL 79), ID: 12165579
Wooo hooo!!!
Nice work, Nick!