Solved

MS PPTP VPN Client and Pix 506E

Posted on 2006-07-18
7
420 Views
Last Modified: 2010-04-12
I am trying to connect a remote vpn client (Microsoft Windows XP VPN Client) to a pix506e.  I have setup the PPTP on the pix end and setup the authentiaciton/users.  Client authenticates, but can not send data to devices on the inside of the firewall.  I also have the Cisco VPN Client on the pix side.  If I connect w/ the Cisco VPN client, data will pass.  
Suggestions where I should look?
Thanks.
0
Comment
Question by:jtmoske
  • 4
  • 3
7 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17140007
It would be better if you could post the configuration of the PIX (Mask out the 2nd octect of the public ip and remove passwords).

Cheers,
Rajesh
0
 

Author Comment

by:jtmoske
ID: 17146427
Thank you for the response Rajesh.
Here is the config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name onlan.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list Test_splitTunnelAcl permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.128
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 208.X.X.X 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Test 192.168.2.50-192.168.2.99
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 208.X.X.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Test address-pool Test
vpngroup Test dns-server 205.171.3.65
vpngroup Test split-tunnel Test_splitTunnelAcl
vpngroup Test idle-time 1800
vpngroup Test password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group Test accept dialin l2tp
vpdn group Test ppp authentication pap
vpdn group Test ppp authentication chap
vpdn group Test ppp authentication mschap
vpdn group Test client configuration address local Test
vpdn group Test client configuration dns 205.171.3.65
vpdn group Test client authentication local
vpdn group Test l2tp tunnel hello 300
vpdn group Test1 accept dialin pptp
vpdn group Test1 ppp authentication pap
vpdn group Test1 ppp authentication chap
vpdn group Test1 ppp authentication mschap
vpdn group Test1 client configuration address local Test
vpdn group Test1 client configuration dns 205.171.3.65
vpdn group Test1 pptp echo 300
vpdn group Test1 client authentication local
vpdn username test password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username whatever password whatever
username whatever password whatever encrypted privilege 3
terminal width 80
Cryptochecksum:afb57d989e8587e33a3aa09056c8e068
: end
[OK]

Comments Appreciated.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 125 total points
ID: 17147964
On the client machine;

control panel =>network connections => right click on the VPN/virtual adapter and choose properties => Networking => TCP/IP -properties => advanced => general => Check “use default gateway on remote network”

Check this.

Cheers,
Rajesh

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:jtmoske
ID: 17150283
Thanks for the tip, I will try that.  I did test this thought out though prior to posting.  Only rather than use this method I manually removed the default route and added the default route to the vpn adapter via the route delete and route add in a dos box.  I will let you know how it comes out.
Thanks for your help.
0
 

Author Comment

by:jtmoske
ID: 17169199
This box was checked, checked by default.  Still did not work.  I stripped out all of the IPSEC/Cisco VPN related config and started from scratch w/ PPTP.  I am now able to access inside network from PPTP.  Here is the new config.  Does anything strike you as different that may have caused the problem.  My next step is to put back in the cisco VPN config and see if this breaks PPTP.

Thanks.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password whatever encrypted
passwd whatever encrypted
hostname pixfirewall
domain-name onlan.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 208.46.82.9 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP-MS 192.168.2.1-192.168.2.254
pdm location 192.168.2.0 255.255.255.128 outside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 208.x.x.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local PPTP-MS
vpdn group PPTP-VPDN-GROUP client configuration dns 205.171.3.65
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username whatever password *********
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username whatever password whatever
terminal width 80
Cryptochecksum:c0b090a68e0c372d33c141447ff49da3
: end
[OK]

0
 

Author Comment

by:jtmoske
ID: 17367975
Hi Rajesh,
Hi am going to close this thread and award you the points as you responded twice and no others provided input.  I was never able to determine why the pptp failed initially, but when I removed the cisco client vpn information from the config and then setup the PPTP, I had no issues.
Thanks again for your responses.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17368888
thnx for the points, I couldn't figure it either.

Cheers,
Rajesh
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now