PPTP VPN client connected but can't ping inside network

I have PIX 506E running software 6.3(4).
I am trying to allow Windows clients PPTP access to the inside network.
I have 192.xxx.xxx.0 as my inside network, I configured 10.0.0.20-10.0.0.80 as my PPTP pool, set up using the VPN Wizard in PDM (also tried this manually but no help).
I created a user and can connect and get an IP address (from Cisco for the VPN client), but cannot ping the inside network.
Also, sh access-list inside_outbound_nat0_acl gives me hitcnt=1553.

What am I missing?

Portion of my configuration:

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host 67.xxx.xxx.188 eq imap4
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 993
access-list 101 permit tcp any host 67.xxx.xxx.188 eq nntp
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 563
access-list 101 permit tcp any host 67.xxx.xxx.188 eq domain
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 5900
access-list 101 permit tcp any host 67.xxx.xxx.188 eq 5902
access-list 101 permit udp any host 67.xxx.xxx.188 eq domain
access-list inside_outbound_nat0_acl permit ip 192.xxx.xxx.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.xxx.xxx.188 255.255.255.0
ip address inside 192.xxx.xxx.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool SBpool 10.0.0.20-10.0.0.60
pdm location 10.0.0.0 255.255.255.0 outside
global (outside) 2 67.xxx.xxx.195 netmask 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 192.xxx.xxx.11 255.255.255.255 0 0
nat (inside) 2 192.xxx.xxx.65 255.255.255.255 0 0
nat (inside) 1 192.xxx.xxx.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5902 192.xxx.xxx.12 5902 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.xxx.xxx.10 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.xxx.xxx.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 https 192.xxx.xxx.11 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 3389 192.xxx.xxx.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 5900 192.xxx.xxx.11 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 smtp 192.xxx.xxx.65 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.195 www 192.xxx.xxx.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 67.xxx.xxx.186 www 192.xxx.xxx.65 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group inside_access_in in interface inside
sysopt connection permit-pptp
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP client configuration address local SBpool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.xxx.xxx.10
vpdn group PPTP-VPDN-GROUP client configuration wins 192.xxx.xxx.10
vpdn group PPTP-VPDN-GROUP pptp echo 300
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username VPNuser password *********
vpdn enable outside

Thank you.
SB304






calvinetter Commented:
The LAN where your remote clients are connecting from, is it possibly using the same exact IP scheme (192.xxx.xxx.xxx) as your internal LAN behind your PIX?  If so, either your remote users' LAN or the LAN behind the PIX would have to change their local IP scheme.  (BTW, if the inside network is 192.168.xxx.xxx, there's no need to hide the address, since it's a private IP range & isn't visible/reachable from the Internet.)

>access-group inside_access_in in interface inside
Is it permitting the GRE protocol outbound? (line should appear after any "deny" statements) ie:  
    access-list inside_access_in permit gre any any
If not, add the line to your inside ACL, & re-apply the ACL to the interface:
    access-group inside_access_in in interface inside
Or, simply remove the inside ACL temporarily & re-test: no access-group inside_access_in in interface inside

Also, I assume the PIX is the default gateway for hosts that you're trying to ping?

cheers
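
The checks raised in this answer (client LAN overlapping the inside network, a `permit gre` entry in the inside ACL) together with the NAT-exemption coverage of the PPTP pool from the question's config, as an added Python example that is not part of the original thread. The 192.168.1.0/24 addresses, the `audit` helper and the finding names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample config: the thread masks its addresses (192.xxx.xxx.0), so
# 192.168.1.0/24 stands in here; the inside_access_in entry is also constructed.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access_in permit tcp any any
ip address inside 192.168.1.1 255.255.255.0
ip local pool SBpool 10.0.0.20-10.0.0.60
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group inside_access_in in interface inside
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def find(pattern, config):
    return re.search(pattern, config, re.M)

def audit(config, client_lan):
    """Hypothetical helper: return findings for the checks discussed in the thread."""
    findings = []
    # Assumes the config contains an 'ip address inside' line.
    inside = net(*find(r"^ip address inside (\S+) (\S+)", config).groups())
    # Check 1: the remote client's own LAN must not overlap the inside network.
    if ipaddress.ip_network(client_lan).overlaps(inside):
        findings.append("client-lan-overlaps-inside")
    # Check 2: an ACL bound inbound on inside should carry a 'permit gre' entry.
    acl = find(r"^access-group (\S+) in interface inside", config)
    if acl and not find(rf"^access-list {re.escape(acl.group(1))} permit gre ", config):
        findings.append("inside-acl-lacks-gre")
    # Check 3: the nat 0 ACL must exempt inside -> the whole PPTP pool.
    pool = find(r"^ip local pool \S+ ([\d.]+)-([\d.]+)", config)
    nat0 = find(r"^nat \(inside\) 0 access-list (\S+)", config)
    exempt = False
    if pool and nat0:
        pat = rf"^access-list {re.escape(nat0.group(1))} permit ip (\d\S*) (\d\S*) (\d\S*) (\d\S*)"
        for s, sm, d, dm in re.findall(pat, config, re.M):
            # Only the address/mask form is parsed; 'any' and 'host' entries are skipped.
            if inside.subnet_of(net(s, sm)) and all(
                    ipaddress.ip_address(p) in net(d, dm) for p in pool.groups()):
                exempt = True
    if pool and not exempt:
        findings.append("pool-not-nat-exempt")
    return findings
```

Calling `audit(SAMPLE_CONFIG, "192.168.1.0/24")` reports the two conditions found in this thread; the GRE check is a plain text match and does not evaluate ACL ordering.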

SB304 Author Commented:
Hi calvinetter,

- Yes, the client was using the same exact IP scheme 192.xxx.xxx. as internal users. I changed the client IP.
- I added a line for GRE in the access-list.
- Yes, the PIX is the default gateway for local hosts.
Looks like it's working now. Also, I noticed that Cisco is assigning an IP for the client (10.0.0.20) and the same IP for the client's gateway. Is that correct?

Thanks,
SB304
calvinetter Commented:
>- Yes, the client was using the same exact IP scheme 192.xxx.xxx. as internal users.
Yep, that's one of the most common problems when the VPN connects but you can't ping internal hosts.

>Looks like it's working now.
Great!

>noticed that Cisco is assigning an IP for the client (10.0.0.20) and the same IP for the client's gateway. Is that correct?
Yes. It may not seem correct, but that's the behaviour for Cisco.

cheers
SB304 Author Commented:
Thanks for your help,

SB304
