[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 353
  • Last Modified:

PIX 506e VPN with Internet Access

Ah, the age old question...

I currently have PPTP VPN access up and running on a PIX 506e and users can get to all the LAN resources.  They also need to be able to access internet resources while using the VPN connection.  I would really like the users to  continue using the MS VPN client so I don't have to roll out the Cicso VPN client.  I have a seperate Pix 506e that is our internet GW for our LAN.  Is there any way to route VPN users to the other GW 506 so they can have internet access?  Any help is appreciated.

                      LAN
< ---------------------------------------->
         |                              |
     vpn-pix(in)                 gw-pix(out)
         |                              |
< ---------------------------------------->
                    Internet

vpn-pix = 172.16.100.9
gw-pix = 172.16.100.10



PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Hd9lqPrsUVLyGqGl encrypted
passwd Iaj4vgQsIpB649yp encrypted
hostname pix9
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit ip 172.16.100.0 255.255.255.0 172.16.100.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.233 255.255.255.240
ip address inside 172.16.100.9 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.16.100.70-172.16.100.79
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_in
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside 0.0.0.0 0.0.0.0 172.16.100.10 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet 172.16.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username vpnuser password *********
vpdn enable outside
terminal width 80
Cryptochecksum:5053ae2d51c1b99b73716376f2580f6f
: end

0
b_stockton
Asked:
b_stockton
2 Solutions
 
rsivanandanCommented:
The users already do have Internet Connection right? That is how they connect to the PPTP VPN. Then is there any reason for having this? The speed is going to be the slowest link anyways. I mean, if the user connects using 64K to your VPN PIX and you have 5Mbps connection out through GwPIX, still users get only 64Kbps encrypted bandwidth.

Cheers,
Rajesh
0
 
prueconsultingCommented:
Bascially the easiest way to push them there would be layer 3 switching but i do not know if you have that in your network.

However you can imply enable split tunneling and they can use thier existing interenet connection which they are using to launch the PPTP session over.
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now