SB304

PPTP VPN client connected but can't ping inside network

I have a PIX 506E running software 6.3(4).
I am trying to allow Windows clients PPTP access to the inside network.
I have 192.xxx.xxx.0 as my inside network and configured 10.0.0.20-10.0.0.80 as my PPTP pool, set up using the VPN Wizard in PDM (I also tried this manually, but it didn't help).
I created a user and can connect and get an IP address (from Cisco for the VPN client), but cannot ping the inside network.
Also, sh access-list inside_outbound_nat0_acl gives me hitcnt=1553.

What am I missing?

Portion of my configuration:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 67.xxx.xxx.188 eq imap4
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 993
access-list 101 permit tcp any host 67.xxx.xxx.188 eq nntp
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 563
access-list 101 permit tcp any host 67.xxx.xxx.188 eq domain
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 5900
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 5902
access-list 101 permit udp any host 67.xxx.xxx.188 eq domain
access-list inside_outbound_nat0_acl permit ip 192.xxx.xxx.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.xxx.xxx.188 255.255.255.0
ip address inside 192.xxx.xxx.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SBpool 10.0.0.20-10.0.0.60
pdm location 10.0.0.0 255.255.255.0 outside
global (outside) 2 67.xxx.xxx.195 netmask 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 192.xxx.xxx.11 255.255.255.255 0 0
nat (inside) 2 192.xxx.xxx.65 255.255.255.255 0 0
nat (inside) 1 192.xxx.xxx.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5902 192.xxx.xxx.12 5902 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.xxx.xxx.10 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.xxx.xxx.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 https 192.xxx.xxx.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 3389 192.xxx.xxx.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 5900 192.xxx.xxx.11 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 smtp 192.xxx.xxx.65 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 www 192.xxx.xxx.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.186 www 192.xxx.xxx.65 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group inside_access_in in interface inside
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP client configuration address local SBpool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.xxx.xxx.10
vpdn group PPTP-VPDN-GROUP client configuration wins 192.xxx.xxx.10
vpdn group PPTP-VPDN-GROUP pptp echo 300
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username VPNuser password *********
vpdn enable outside

Thank you.
SB304

ASKER CERTIFIED SOLUTION
calvinetter

SB304

ASKER

Hi calvinetter,

- Yes, the client was using the exact same IP scheme 192.xxx.xxx. as the internal users. I changed the client IP.
- I added a line for GRE in the access-list.
- Yes, the PIX is the default gateway for local hosts.
Looks like it is working now. Also I noticed that Cisco is assigning an IP to the client (10.0.0.20) and the same IP for the client's gateway. Is that correct?

Thanks,
SB304
>- Yes, client was using the same exact IP scheme 192.xxx.xxx. as internal users.
Yep, that's one of the most common problems when the VPN connects but you can't ping internal hosts.

>Looks like it working now.
Great!

>noticed that CISCO assigning IP for client (10.0.0.20) and same IP for client's gateway. Is that correct?
Yes. It may not seem correct, but that's the behaviour for Cisco.

cheers
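A small checker for the three things this thread settled on (a client LAN that overlaps the inside network, the nat 0 exemption covering the PPTP pool, and PPTP/GRE being allowed to reach the outside interface). This is an added example, not code from the thread or from Cisco; the config text is constructed in the style of the poster's, with 192.0.2.0/24, 203.0.113.x and 10.0.0.x as stand-ins for the masked addresses.

```python
import ipaddress
# Constructed PIX 6.3 config in the style of the thread; 192.0.2.0/24, 203.0.113.x
# and 10.0.0.x are documentation/private stand-ins, not the poster's addresses.
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 203.0.113.188 eq 993
access-list 101 permit gre any host 203.0.113.188
access-list inside_outbound_nat0_acl permit ip 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address inside 192.0.2.1 255.255.255.0
ip local pool SBpool 10.0.0.20-10.0.0.60
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group 101 in interface outside
sysopt connection permit-pptp
"""
def _net(addr, mask):
    # "any" in a PIX ACL means 0.0.0.0/0; otherwise address plus dotted mask
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
def check_pptp_config(config, client_lan):
    """Return a list of problems; an empty list means all three checks passed."""
    inside = pool = nat0_acl = outside_acl = None
    acls = {}  # ACL name -> list of token lists following "permit"
    for f in (line.split() for line in config.splitlines()):
        if f[:3] == ["ip", "address", "inside"]:
            inside = _net(f[3], f[4])
        elif f[:3] == ["ip", "local", "pool"]:
            pool = tuple(ipaddress.ip_address(a) for a in f[4].split("-"))
        elif f[:1] == ["access-list"] and f[2] == "permit":
            acls.setdefault(f[1], []).append(f[3:])
        elif f[:3] == ["nat", "(inside)", "0"]:
            nat0_acl = f[4]
        elif f[:1] == ["access-group"] and f[-1] == "outside":
            outside_acl = f[1]
    problems = []
    # 1. A client LAN that overlaps the inside network keeps "inside" traffic local.
    if ipaddress.ip_network(client_lan).overlaps(inside):
        problems.append(f"client LAN {client_lan} overlaps inside network {inside}")
    # 2. The nat 0 ACL must exempt inside -> pool traffic, or replies get translated.
    exempt = any(e[0] == "ip" and len(e) >= 5 and inside.subnet_of(_net(e[1], e[2]))
                 and all(a in _net(e[3], e[4]) for a in pool)
                 for e in acls.get(nat0_acl, []))
    if not exempt:
        problems.append(f"nat 0 ACL {nat0_acl} does not cover pool {pool[0]}-{pool[1]}")
    # 3. PPTP/GRE must reach the outside interface: sysopt bypass or explicit GRE permit.
    gre_ok = "sysopt connection permit-pptp" in config or any(
        e[0] == "gre" for e in acls.get(outside_acl, []))
    if not gre_ok:
        problems.append("neither sysopt connection permit-pptp nor a GRE permit on outside")
    return problems
```

Run it against a `show running-config` capture and the VPN client's local subnet; every entry in the returned list is one of the thread's failure modes.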
SB304

ASKER

Thanks for your help,

SB304