I set up the VPN on my PIX firewall. It is set up for a RADIUS server on the inside. I have one PAT port and one static NAT port. I VPN into either and it lets me connect perfectly, but no access to anything. It is like I am not connected at all. The PIX is set up site-to-site with 2 other locations, and I am just trying to make this a remote access server. Any help!! I don't see any problems with my access list, but maybe I am blind.
Cisco does not recommend that the IP pool for the VPN overlaps or is on the same subnet as that of the internal network. I would recommend that you change your IP pool to something other than 192.168.70.0/24. Once you create a new IP pool, add an access-list entry to acl 150 for the new pool.
e.g.
ip local pool pptp_pool 10.10.10.1-10.10.10.20 mask 255.255.255.0
access-list 150 permit ip 192.168.70.0 255.255.255.0 10.10.10.0 255.255.255.0
Agree w/ stressedout2004 - if your 'ip local pool' overlaps any of the subnets that the PIX knows about, then you'll hit a routing loop, as you've already seen. The client VPN pool also mustn't overlap any of the remote LANs on the other side of the site-site VPN links, nor the IP range of the LAN where the remote VPN client PC resides, or again you'll hit a routing loop.
You should also add this to your config:
isakmp nat-traversal
I also hope you're not trying to access any of the remote site-site LANs (eg 192.168.1.x) directly from the remote VPN client - even if your client VPN pool doesn't overlap anything, you won't be able to get from the remote VPN client & across the site-site VPN link to the other sites. PIX 6.x series won't let you do this "U-turn" (aka hairpinning), since traffic would have to enter & exit the same interface in order to get out to the other VPN site. Only PIX 7.x series supports hairpinning, & 7.x is only supported on PIX 515 or above.
A workaround would be to connect to a local PC/server on the 192.168.70.x subnet, then from there you'd be able to get over the site-site VPN links.
Once you've made your changes to the client VPN pool, run this:
clear xlate
crypto map gb-map interface outside <- important to re-apply VPN settings anytime you change the VPN config
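The overlap rule from the two replies above, as an added checker that is not part of the thread: it tests a proposed 'ip local pool' range against every subnet the PIX should know about (inside LAN, the site-to-site LANs, the client's home LAN) and renders the matching access-list 150 entry. The 192.168.70.0/24 inside LAN and acl 150 come from the thread; the other subnets are constructed sample values.

```python
import ipaddress

# Subnets the PIX already knows about. 192.168.70.0/24 is the poster's inside
# LAN; the remaining entries are constructed examples of the remote site-to-site
# LANs and the LAN the remote VPN client PC sits on.
KNOWN_SUBNETS = {
    "inside LAN": "192.168.70.0/24",
    "site-to-site LAN A": "192.168.1.0/24",
    "site-to-site LAN B": "192.168.2.0/24",
    "remote client home LAN": "192.168.0.0/24",
}


def pool_conflicts(pool_start, pool_end, known=KNOWN_SUBNETS):
    """Return the names of known subnets that overlap the proposed pool range.

    An empty list means the pool is safe to use as the client VPN pool.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    # Cover the start-end range with the minimal set of CIDR blocks so that
    # an arbitrary range (not just a whole /24) can be compared to subnets.
    blocks = list(ipaddress.summarize_address_range(start, end))
    hits = []
    for name, cidr in known.items():
        net = ipaddress.ip_network(cidr)
        if any(block.overlaps(net) for block in blocks):
            hits.append(name)
    return hits


def acl_entry(acl, inside_cidr, pool_cidr):
    """Render the PIX 6.x access-list line that permits inside LAN <-> pool traffic."""
    inside = ipaddress.ip_network(inside_cidr)
    pool = ipaddress.ip_network(pool_cidr)
    return (f"access-list {acl} permit ip {inside.network_address} {inside.netmask} "
            f"{pool.network_address} {pool.netmask}")


if __name__ == "__main__":
    # A pool carved out of the inside LAN reproduces the poster's problem.
    print(pool_conflicts("192.168.70.100", "192.168.70.120"))  # ['inside LAN']
    # The pool suggested in the thread is clean.
    print(pool_conflicts("10.10.10.1", "10.10.10.20"))          # []
    print(acl_entry(150, "192.168.70.0/24", "10.10.10.0/24"))
```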