• Status: Solved

PPTP vpn users unable to ping/access inside resources after connect

I have site to site vpn and dns working fine.

Remote vpn access connection goes fine and authenticates with 2k3 server, using PPTP.

From PPTP client I'm unable to ping or access any internal resources.  

I have two site-site connections coming in using 10.70.23.xx and 10.70.22.xx, PPTP VPN users should be assigned 10.70.24.xx and servers that are behind the firewall are 10.70.21.xx

I'm guessing my problem is in the ACL.

Here's some of my config settings.

access-list 101 line 1 permit ip 10.70.21.0 255.255.255.0 10.70.0.0 255.255.0.0 (hitcnt=154)
access-list 101 line 2 permit ip 10.70.21.0 255.255.255.0 10.70.24.0 255.255.255.0 (hitcnt=0)

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0

ip local pool pptp-pool 10.70.24.1-10.70.24.50

sysopt connection permit-ipsec

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.70.21.9
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn enable outside
Asked by jasonlevens
nodisco commented:
Jason

Do you have the following in your config? It was not in your post:

sysopt connection permit-pptp

jasonlevens (Author) commented:
Yes, sorry I left that out of it.

nodisco commented:
Jason

Can you try the following as a test:

change your local pptp-pool to a different ip schema:
ip local pool pptp-pool 192.168.1.10-192.168.1.20

Modify your acl as follows:
access-list 101 line 2 permit ip 10.70.21.0 255.255.255.0 192.168.10.0 255.255.255.0


The reason I am suggesting this is that you cannot set the VPN PPTP pool to be in the same range as your local LAN IP range. Although you are using a different range, you are not specifically implying this by the access list "access-list 101 line 1 permit ip 10.70.21.0 255.255.255.0 10.70.0.0 255.255.0.0".

Please test and post the result.

jasonlevens (Author) commented:
nodisco,

I set the ip pool to 192.168.10.1-192.168.10.50
and changed the access-list to permit ip 10.70.21.0 255.255.255.0 192.168.10.0 255.255.255.0

Still the same problem. The client now gets an IP in the new range. One thing I notice on these PPTP clients is that they are being assigned a subnet mask of 255.255.255.255; is that correct?

nodisco commented:
Jason

- you noticed my typo in my second post - ACL should be 192.168.1.10-192.168.1.20 not 192.168.10.10-192.168.10 20 - to match the local pool.

The pptp client will show the connected subnet mask as 255.255.255.255 - that is normal.

Can you try changing your nat statement here from :
nat (inside) 1 0.0.0.0 0.0.0.0

to
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Please test PPTP and the other 2 tunnels.

jasonlevens (Author) commented:
It's already got the 2 zeros on the end of the nat statement. It put them there by default when I entered the nat command and params.

nodisco commented:
Hey again

That config looks fine - I have set up PPTP like this dozens of times before.
Question : How are the other two sites communicating with the PIX?  Are there vpn tunnels terminating inside the firewall?

Or are they IPsec terminating at the PIX?

Can you post your entire config?

Also - is the pix connected to the internet via a router? what kind?


lrmoore commented:
Do you have the VPN dialer client configured to [x] Use Default Gateway on remote network?

nodisco, I don't agree with using a different class IP for the clients. Keeping in the same class will give many options. If it's a different class (192.168.x.x instead of the same 10.x.x.x), then you have no choice but to check Use Default Gateway on the client, and this disables split-tunneling for the client. Been down that road too many times in this forum.

>I'm guessing my problem is in the ACL.
>    access-list 101 line 1 permit ip 10.70.21.0 255.255.255.0 10.70.0.0 255.255.0.0 (hitcnt=154)
>    access-list 101 line 2 permit ip 10.70.21.0 255.255.255.0 10.70.24.0 255.255.255.0 (hitcnt=0)

Notice the hitcount on the first line, none on the second. With the mask that you have applied to line 1, it already covers both remote vpn sites as well as the vpn pool. line 2 is simply redundant and not needed, but there is no functional issue with the acl as it is.

Can I assume that your PIX inside IP address is 10.70.21.X with mask 255.255.255.0?
Can I assume that this PIX inside IP is the specified default gateway for all servers/hosts on the internal LAN?



jasonlevens (Author) commented:
>Can I assume that your PIX inside IP address is 10.70.21.X with mask 255.255.255.0?

Yes

>Can I assume that this PIX inside IP is the specified default gateway for all servers/hosts on the internal LAN?

No, we're in the middle of a conversion; however, the network resources I'm trying to access have this device set as their default gateway.

Here's the entire config.

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname xxx
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list tserv permit tcp any interface outside eq 3389 log
access-list 101 permit ip 10.70.21.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list 101 permit ip 10.70.21.0 255.255.255.0 10.70.24.0 255.255.255.0  //I'll remove this one
pager lines 24
logging on
icmp deny any outside
icmp deny any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.240
ip address inside 10.70.21.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.70.24.1-10.70.24.50 // I switched this one back
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp <outside ip not published here> 3389 10.70.21.14 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp <outside ip not published here> domain 10.70.21.9 domain netmask 255.255.255.255 0 0
static (inside,outside) udp <outside ip not published here> domain 10.70.21.9 domain netmask 255.255.255.255 0 0
access-group tserv in interface outside
route outside 0.0.0.0 0.0.0.0 <routerip not published here> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 10.70.21.14 xxx timeout 10
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.70.21.14 xxx timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set sml-wat_tset esp-des esp-md5-hmac
crypto map sml-wat_map 1 ipsec-isakmp
crypto map sml-wat_map 1 match address 101
crypto map sml-wat_map 1 set peer <outside ip of site1>
crypto map sml-wat_map 1 set peer <outside ip of site2>
crypto map sml-wat_map 1 set transform-set xxx_tset1
crypto map sml-wat_map 20 ipsec-isakmp
crypto map sml-wat_map 20 match address 101
crypto map sml-wat_map 20 set peer <outside ip of site1>
crypto map sml-wat_map 20 set peer <outside ip of site2>
crypto map sml-wat_map 20 set transform-set xxx_tset2
crypto map sml-wat_map interface outside
isakmp enable outside
isakmp key ******** address <outside ip of site1> netmask 255.255.255.255
isakmp key ******** address <outside ip of site2> netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh 10.70.21.0 255.255.255.0 inside
ssh timeout 30
management-access inside
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.70.21.9
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn enable outside
terminal width 80




jasonlevens (Author) commented:
Do you have the vpn dialer client configured to [x] Use Default Gateway on remote network?

Yes, using the windows xp pro client that comes with the os

lrmoore commented:
>Can I assume that this PIX inside IP is the specified default gateway for all servers/hosts on the internal LAN?
>No, we're in the middle of a conversion; however, the network resources I'm trying to access have this device set as their default gateway.

Looks like you have a simple routing issue. Whatever *is* the default gateway must have a specified route to the other network.

jasonlevens (Author) commented:
The only devices not yet pointing to the PIX as their default gateway are the client machines in the office. All of the servers have it as their default gateway, and they will until August. The default gateway of the remote VPN clients is the same as the DHCP address they get from the PIX. Where does the value of the setting 'use default gateway on remote network' come from?

jasonlevens (Author) commented:

Ok, I've been experimenting. When I remove all of the crypto entries ('clear crypto'), I'm then able to do EVERYTHING I want to do. I was running a continuous ping on a client connected using PPTP VPN, and I was adding crypto rules while watching the ping; as soon as I applied the crypto map to the outside interface I immediately lost my ping requests. I didn't lose my connection, and I am still able to authenticate, which takes place using IAS on a machine behind the PIX.

Any ideas?

jasonlevens (Author) commented:
I take that back.  I'm not able to run site-site vpn without it :P

I'm able to run the pptp just the way I want to w/o the crypto
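Added here as a diagnostic, not from the thread or from anyone posting in it: jasonlevens's experiment shows PPTP breaks the moment the crypto map is applied, lrmoore notes that line 1 of ACL 101 (10.70.0.0/16) already covers the PPTP pool, and that same ACL 101 is the crypto map's "match address". The script below parses the relevant lines of the posted config (copied into a constant) and reports any PPTP pool addresses that fall inside a crypto-map ACL destination, which is traffic the PIX would select for the IPsec peers instead of sending back to the PPTP client. The function and constant names are my own.

```python
import ipaddress
import re

# Constructed excerpt: the lines from the posted PIX config that this check needs.
PIX_CONFIG = """\
ip local pool pptp-pool 10.70.24.1-10.70.24.50
access-list 101 permit ip 10.70.21.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list 101 permit ip 10.70.21.0 255.255.255.0 10.70.24.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map sml-wat_map 1 match address 101
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")

def parse_pools(config):
    """Map each 'ip local pool' name to the list of networks covering its range."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            pools[m.group(1)] = list(ipaddress.summarize_address_range(first, last))
    return pools

def parse_crypto_acls(config):
    """Map each ACL used as a crypto map 'match address' to its (src, dst) network pairs."""
    names = {m.group(1) for m in map(CRYPTO_RE.match, config.splitlines()) if m}
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) in names:
            # PIX ACLs use dotted netmasks; ipaddress accepts "addr/mask" in that form.
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def pool_overlaps(config):
    """Return (pool, acl, entry) for each crypto-ACL entry whose destination holds pool addresses."""
    hits = []
    crypto_acls = parse_crypto_acls(config)
    for pool, nets in parse_pools(config).items():
        for acl, entries in crypto_acls.items():
            for src, dst in entries:
                # inside -> pool replies matching this entry are steered into the IPsec tunnel
                if any(net.overlaps(dst) for net in nets):
                    hits.append((pool, acl, f"permit ip {src} {dst}"))
    return hits
```

Fed jasonlevens's second attempt (pool 192.168.10.1-192.168.10.50 with the added 192.168.10.0/24 entry still inside ACL 101), it reports a hit as well, consistent with the "still the same problem" result he posted.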