pix501 PPTP connection problem, vpn client works fine

parimp
Hi There,

I have a PIX 501 that has used PPTP successfully for ages; now it is not accepting PPTP connections from inside or outside the network. I have tried setting PPTP up again in the PDM with no success. Can anyone help me with this issue?

I get error 800 when trying to connect using Windows XP.

I have pasted all the commands I could find related to PPTP in the config.
fixup protocol pptp 1723
 
access-list outside_access_in permit tcp host 60.234.187.27 any eq pptp 
access-list outside_access_in permit tcp host 222.154.240.186 any eq pptp 
access-list outside_access_in permit tcp host 222.154.240.185 any eq pptp 
access-list outside_access_in permit tcp host 222.154.246.126 any eq pptp 
access-list outside_access_in permit tcp host 125.236.197.89 any eq pptp 
 
access-list outside_access_in remark pptp
access-list outside_access_in permit tcp any 192.168.0.0 255.255.255.0 eq pptp 
 
ip local pool PPTP 192.168.253.1-192.168.253.254
sysopt connection permit-pptp
 
vpdn group test1 accept dialin pptp
vpdn group test1 ppp authentication pap
vpdn group test1 ppp authentication chap
vpdn group test1 ppp authentication mschap
vpdn group test1 client configuration address local Pool2
vpdn group test1 client configuration dns 192.168.0.100 
vpdn group test1 pptp echo 60
vpdn group test1 client authentication local
vpdn username 34queen password ********* 
vpdn username queen34 password ********* 
vpdn enable outside



Commented:
Could you please send some debugging output from when clients try to connect?
It will be easier to troubleshoot this.


Thanks

Author

Commented:
Hi, thanks for the reply. I can provide that, just not quite sure how. I have set up a syslog server for warning messages, so I presume I can debug into there somehow? Sorry, not an advanced user with PIX.

Commented:
Hi

You would need to turn on logging to the debugging level for your syslog and turn on debug pptp:

conf t
debug pptp


FYI
This line isn't doing anything:
access-list outside_access_in permit tcp any 192.168.0.0 255.255.255.0 eq pptp

And the remaining lines you have listed restrict inbound PPTP to the source IP addresses you have listed, so no PPTP from outside will work except when originating from these IPs. Sorry if it sounds like I am stating the obvious, but I don't know your skill set.

Can you verify that your access-list is applied to your outside interface? There should be a line:
access-group outside_access_in in interface outside

If you could post your full config that would be better.

Cheers




Author

Commented:
Here ya go, still trying to get that debug info for you!
Result of firewall command: "show run"
 
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2HXdlAglD3bq1jwv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pix501
domain-name PIL.local
clock timezone NZST 12
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.8.0 trademe
name 192.168.4.0 East_Tamaki
name 192.168.10.0 Newmarke
name 192.168.2.0 Constellation
name 192.168.0.176 fatalbert
access-list outside_access_in permit tcp any any eq smtp 
access-list outside_access_in permit tcp any any eq 3389 
access-list outside_access_in permit tcp any any eq ftp 
access-list outside_access_in permit tcp any any eq 1433 
access-list outside_access_in permit gre any any 
access-list outside_access_in permit tcp host 60.234.187.27 any eq pptp 
access-list outside_access_in permit tcp host 222.154.240.186 any eq pptp 
access-list outside_access_in permit tcp host 222.154.240.185 any eq pptp 
access-list outside_access_in permit tcp host 222.154.246.126 any eq pptp 
access-list outside_access_in permit tcp host 125.236.197.89 any eq pptp 
access-list outside_access_in permit tcp any any eq https 
access-list outside_access_in permit tcp any any eq telnet 
access-list outside_access_in permit tcp any any eq 5000 
access-list outside_access_in permit udp any any eq 5000 
access-list outside_access_in remark pptp
access-list outside_access_in permit tcp any 192.168.0.0 255.255.255.0 eq pptp 
access-list outside_access_in permit tcp any any eq 19638 
access-list outside_access_in permit tcp any eq www host fatalbert eq www 
access-list inside_access_in permit tcp host 192.168.0.100 any eq smtp 
access-list inside_access_in deny tcp any any eq smtp log 4 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq https 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq ftp 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq pcanywhere-data 
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq pcanywhere-status 
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq isakmp 
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq 4500 
access-list inside_access_in permit esp 192.168.0.0 255.255.255.0 any 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 3389 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq pop3 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 8080 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq domain 
access-list inside_access_in permit udp 192.168.0.0 255.255.255.0 any eq domain 
access-list inside_access_in remark Naz for multibox tool
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 9998 
access-list inside_access_in remark Secure email
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 587 
access-list inside_access_in remark Secure email
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 995 
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq www 
access-list inside_access_in remark pgrepairs
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 19638 
access-list inside_access_in remark mysql
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 3306 
access-list inside_access_in remark For Sudeep Motorola Update Tools
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 7102 
access-list inside_access_in remark For Nazer
access-list inside_access_in remark 13/11/07
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 3217 
access-list inside_access_in permit ip host 192.168.0.102 192.168.253.0 255.255.255.0 
access-list inside_access_in deny ip host 192.168.0.100 192.168.253.0 255.255.255.0 
access-list inside_access_in remark For Naz BB5 Box
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 8851 
access-list inside_access_in remark SSH
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 4643 
access-list inside_access_in remark Plesk
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 8443 
access-list inside_access_in remark For Joel Box
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 34072 
access-list inside_access_in remark For Joel Box
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 1236 
access-list inside_access_in remark SMTP freeparking
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 2525 
access-list inside_access_in remark SSH
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq ssh 
access-list inside_access_in remark PS
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 1168 
access-list inside_access_in remark PS
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 26002 
access-list inside_access_in remark MSN Live
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 1863 
access-list inside_access_in remark zYNGA
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 9339 
access-list inside_access_in remark ftp secure
access-list inside_access_in permit tcp 192.168.0.0 255.255.255.0 any eq 81 
access-list inside_access_in remark Sridhar
access-list inside_access_in permit tcp host 192.168.0.2 any eq 5000 
access-list inside_access_in remark Sridhar
access-list inside_access_in permit udp host 192.168.0.3 any eq 23 
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 East_Tamaki 255.255.255.0 
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 Newmarke 255.255.255.0 
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0 
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 Constellation 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.254.0 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 trademe 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip host 192.168.0.102 192.168.0.0 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.253.0 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 East_Tamaki 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 Newmarke 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 Constellation 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip any 192.168.254.0 255.255.255.0 
access-list staff_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any 
access-list outside_cryptomap_dyn_20 permit ip any 192.168.254.0 255.255.255.0 
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 trademe 255.255.255.0 
access-list outside_cryptomap_40 permit ip 192.168.0.0 255.255.255.0 East_Tamaki 255.255.255.0 
access-list outside_cryptomap_60 permit ip 192.168.0.0 255.255.255.0 Newmarke 255.255.255.0 
access-list outside_cryptomap_80 permit ip 192.168.0.0 255.255.255.0 Constellation 255.255.255.0 
access-list outside_cryptomap_dyn_40 permit ip any 192.168.254.0 255.255.255.0 
no pager
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered warnings
logging trap debugging
logging host inside 192.168.0.100
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any traceroute outside
icmp permit 192.168.0.0 255.255.255.0 inside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.1.1.11 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.254.1-192.168.254.254
ip local pool PPTP 192.168.253.1-192.168.253.254
ip local pool Pool2 192.168.0.104-192.168.0.106
pdm location 192.168.0.201 255.255.255.255 inside
pdm location 203.97.50.97 255.255.255.255 outside
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 outside
pdm location trademe 255.255.255.0 outside
pdm location 192.168.0.102 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.0.0 255.255.0.0 outside
pdm location 60.234.187.27 255.255.255.255 outside
pdm location 125.236.197.89 255.255.255.255 outside
pdm location 192.168.0.103 255.255.255.255 outside
pdm location 192.168.0.104 255.255.255.252 outside
pdm location 192.168.0.108 255.255.255.255 outside
pdm location 192.168.0.109 255.255.255.255 outside
pdm location 222.154.240.185 255.255.255.255 outside
pdm location 222.154.240.186 255.255.255.255 outside
pdm location 222.154.246.126 255.255.255.255 outside
pdm location 192.168.0.100 255.255.255.255 outside
pdm location 192.168.253.0 255.255.255.0 outside
pdm location East_Tamaki 255.255.255.0 outside
pdm location 60.234.220.91 255.255.255.255 outside
pdm location Newmarke 255.255.255.0 outside
pdm location Constellation 255.255.255.0 outside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.3 255.255.255.255 inside
pdm location fatalbert 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm logging debugging 512
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.100 smtp netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 3389 192.168.0.100 3389 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface ftp 192.168.0.100 ftp netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 1433 192.168.0.102 1433 netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface https 192.168.0.100 https netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface telnet 192.168.0.3 telnet netmask 255.255.255.255 0 0 
static (inside,outside) tcp interface 5000 192.168.0.2 5000 netmask 255.255.255.255 0 0 
static (inside,outside) udp interface 5000 192.168.0.2 5000 netmask 255.255.255.255 0 0 
static (inside,outside) fatalbert fatalbert netmask 255.255.255.255 0 0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 11645
aaa-server radius-acctport 11646
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server RADIUS (inside) host 192.168.0.100 radiuskey timeout 5
aaa-server LOCAL protocol local 
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 203.97.50.97 255.255.255.255 outside
http 60.234.220.91 255.255.255.255 outside
http 192.168.0.201 255.255.255.255 inside
http 192.168.0.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 125.236.197.89
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 222.154.240.185
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 125.236.224.138
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 222.154.240.186
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL 
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 125.236.197.89 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 222.154.240.185 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 125.236.224.138 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 222.154.240.186 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup staff address-pool VPN
vpngroup staff dns-server 192.168.0.100
vpngroup staff split-tunnel staff_splitTunnelAcl
vpngroup staff idle-time 1800
vpngroup staff password ********
vpngroup staff1 address-pool VPN
vpngroup staff1 dns-server 192.168.0.100
vpngroup staff1 idle-time 1800
vpngroup staff1 password ********
vpngroup pilvpn address-pool VPN
vpngroup pilvpn dns-server 192.168.0.100
vpngroup pilvpn idle-time 1800
vpngroup pilvpn password ********
telnet timeout 5
ssh 203.97.50.97 255.255.255.255 outside
ssh 192.168.0.100 255.255.255.255 inside
ssh 192.168.0.201 255.255.255.255 inside
ssh timeout 30
console timeout 30
vpdn group test1 accept dialin pptp
vpdn group test1 ppp authentication pap
vpdn group test1 ppp authentication chap
vpdn group test1 ppp authentication mschap
vpdn group test1 client configuration address local Pool2
vpdn group test1 client configuration dns 192.168.0.100 
vpdn group test1 pptp echo 60
vpdn group test1 client authentication local
vpdn username 34queen password ********* 
vpdn username queen34 password ********* 
vpdn enable outside
 
terminal width 80
Cryptochecksum:249d062e833b27e0946d51afccd6c9a6
: end


Author

Commented:
How is this info? This was an attempt from inside the network to the inside interface.
07-22-2009	15:33:03	Local4.Info	192.168.0.1	Jul 22 2009 15:25:57: %PIX-6-305011: Built dynamic UDP translation from inside:192.168.0.133/53302 to outside:10.1.1.11/15827
07-22-2009	15:33:03	Local4.Notice	192.168.0.1	Jul 22 2009 15:25:57: %PIX-5-304001: 192.168.0.164 Accessed URL 123.100.99.61:/docs/scripts/ga.js
07-22-2009	15:33:03	Local4.Info	192.168.0.1	Jul 22 2009 15:25:57: %PIX-6-302013: Built outbound TCP connection 65335 for outside:123.100.99.61/80 (123.100.99.61/80) to inside:192.168.0.164/2271 (10.1.1.11/41866)
07-22-2009	15:33:03	Local4.Info	192.168.0.1	Jul 22 2009 15:25:57: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2271 to outside:10.1.1.11/41866
07-22-2009	15:33:03	Local4.Info	192.168.0.1	Jul 22 2009 15:25:57: %PIX-6-302013: Built outbound TCP connection 65334 for outside:210.247.196.6/443 (210.247.196.6/443) to inside:192.168.0.164/2270 (10.1.1.11/41865)
07-22-2009	15:33:02	Local4.Info	192.168.0.1	Jul 22 2009 15:25:57: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2270 to outside:10.1.1.11/41865
07-22-2009	15:33:02	Local4.Debug	192.168.0.1	Jul 22 2009 15:25:57: %PIX-7-710005: TCP request discarded from 192.168.0.201/1276 to inside:192.168.0.1/pptp
07-22-2009	15:33:02	Local4.Info	192.168.0.1	Jul 22 2009 15:25:57: %PIX-6-302013: Built outbound TCP connection 65333 for outside:70.42.153.71/443 (70.42.153.71/443) to inside:192.168.0.164/2269 (10.1.1.11/41864)
07-22-2009	15:33:02	Local4.Info	192.168.0.1	Jul 22 2009 15:25:57: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2269 to outside:10.1.1.11/41864
07-22-2009	15:33:02	Local4.Info	192.168.0.1	Jul 22 2009 15:25:56: %PIX-6-302013: Built outbound TCP connection 65332 for outside:210.247.196.6/443 (210.247.196.6/443) to inside:192.168.0.164/2268 (10.1.1.11/41863)
07-22-2009	15:33:02	Local4.Info	192.168.0.1	Jul 22 2009 15:25:56: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2268 to outside:10.1.1.11/41863
07-22-2009	15:33:02	Local4.Info	192.168.0.1	Jul 22 2009 15:25:56: %PIX-6-302014: Teardown TCP connection 65323 for outside:123.100.99.61/80 to inside:192.168.0.164/2260 duration 0:00:01 bytes 17301 TCP FINs
07-22-2009	15:33:02	Local4.Info	192.168.0.1	Jul 22 2009 15:25:56: %PIX-6-302014: Teardown TCP connection 65330 for outside:123.100.99.61/80 to inside:192.168.0.164/2266 duration 0:00:01 bytes 12690 TCP FINs
07-22-2009	15:33:01	Local4.Info	192.168.0.1	Jul 22 2009 15:25:56: %PIX-6-302014: Teardown TCP connection 65329 for outside:123.100.99.61/80 to inside:192.168.0.164/2265 duration 0:00:01 bytes 8727 TCP FINs
07-22-2009	15:33:01	Local4.Info	192.168.0.1	Jul 22 2009 15:25:56: %PIX-6-302014: Teardown TCP connection 65326 for outside:123.100.99.61/80 to inside:192.168.0.164/2263 duration 0:00:01 bytes 8010 TCP FINs
07-22-2009	15:33:01	Local4.Info	192.168.0.1	Jul 22 2009 15:25:56: %PIX-6-302014: Teardown TCP connection 65325 for outside:123.100.99.61/80 to inside:192.168.0.164/2262 duration 0:00:01 bytes 8781 TCP FINs
07-22-2009	15:33:01	Local4.Info	192.168.0.1	Jul 22 2009 15:25:55: %PIX-6-302014: Teardown TCP connection 65319 for outside:203.97.33.211/25 to inside:192.168.0.100/26746 duration 0:00:01 bytes 8507 TCP FINs
07-22-2009	15:33:01	Local4.Info	192.168.0.1	Jul 22 2009 15:25:55: %PIX-6-302014: Teardown TCP connection 65324 for outside:123.100.99.61/80 to inside:192.168.0.164/2261 duration 0:00:01 bytes 1361 TCP FINs
07-22-2009	15:33:01	Local4.Info	192.168.0.1	Jul 22 2009 15:25:55: %PIX-6-302013: Built outbound TCP connection 65331 for outside:70.42.153.71/443 (70.42.153.71/443) to inside:192.168.0.164/2267 (10.1.1.11/41862)
07-22-2009	15:33:01	Local4.Info	192.168.0.1	Jul 22 2009 15:25:55: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2267 to outside:10.1.1.11/41862
07-22-2009	15:33:00	Local4.Info	192.168.0.1	Jul 22 2009 15:25:55: %PIX-6-302016: Teardown UDP connection 65327 for outside:193.108.91.57/53 to inside:192.168.0.100/60848 duration 0:00:01 bytes 118
07-22-2009	15:33:00	Local4.Notice	192.168.0.1	Jul 22 2009 15:25:55: %PIX-5-304001: 192.168.0.164 Accessed URL 123.100.99.61:/images/products/HCUEBN9FS_small.jpg
07-22-2009	15:33:00	Local4.Notice	192.168.0.1	Jul 22 2009 15:25:55: %PIX-5-304001: 192.168.0.164 Accessed URL 123.100.99.61:/images/products/IZFGAN9G1_small.jpg
07-22-2009	15:33:00	Local4.Info	192.168.0.1	Jul 22 2009 15:25:55: %PIX-6-302013: Built outbound TCP connection 65330 for outside:123.100.99.61/80 (123.100.99.61/80) to inside:192.168.0.164/2266 (10.1.1.11/41861)
07-22-2009	15:33:00	Local4.Info	192.168.0.1	Jul 22 2009 15:25:54: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2266 to outside:10.1.1.11/41861
07-22-2009	15:33:00	Local4.Info	192.168.0.1	Jul 22 2009 15:25:54: %PIX-6-302013: Built outbound TCP connection 65329 for outside:123.100.99.61/80 (123.100.99.61/80) to inside:192.168.0.164/2265 (10.1.1.11/41860)
07-22-2009	15:33:00	Local4.Info	192.168.0.1	Jul 22 2009 15:25:54: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2265 to outside:10.1.1.11/41860
07-22-2009	15:33:00	Local4.Info	192.168.0.1	Jul 22 2009 15:25:54: %PIX-6-302013: Built outbound TCP connection 65328 for outside:210.247.196.6/443 (210.247.196.6/443) to inside:192.168.0.164/2264 (10.1.1.11/41859)
07-22-2009	15:33:00	Local4.Info	192.168.0.1	Jul 22 2009 15:25:54: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2264 to outside:10.1.1.11/41859
07-22-2009	15:32:59	Local4.Notice	192.168.0.1	Jul 22 2009 15:25:54: %PIX-5-304001: 192.168.0.164 Accessed URL 123.100.99.61:/images/products/AAMHBW8AH_small.jpg
07-22-2009	15:32:59	Local4.Notice	192.168.0.1	Jul 22 2009 15:25:54: %PIX-5-304001: 192.168.0.164 Accessed URL 123.100.99.61:/images/template_sprite.png
07-22-2009	15:32:59	Local4.Notice	192.168.0.1	Jul 22 2009 15:25:54: %PIX-5-304001: 192.168.0.164 Accessed URL 123.100.99.61:/images/header_backgroundGR.gif
07-22-2009	15:32:59	Local4.Notice	192.168.0.1	Jul 22 2009 15:25:54: %PIX-5-304001: 192.168.0.164 Accessed URL 123.100.99.61:/images/GRSprite.gif
07-22-2009	15:32:59	Local4.Info	192.168.0.1	Jul 22 2009 15:25:54: %PIX-6-302015: Built outbound UDP connection 65327 for outside:193.108.91.57/53 (193.108.91.57/53) to inside:192.168.0.100/60848 (10.1.1.11/15826)
07-22-2009	15:32:59	Local4.Info	192.168.0.1	Jul 22 2009 15:25:53: %PIX-6-305011: Built dynamic UDP translation from inside:192.168.0.100/60848 to outside:10.1.1.11/15826
07-22-2009	15:32:59	Local4.Info	192.168.0.1	Jul 22 2009 15:25:53: %PIX-6-302013: Built outbound TCP connection 65326 for outside:123.100.99.61/80 (123.100.99.61/80) to inside:192.168.0.164/2263 (10.1.1.11/41858)
07-22-2009	15:32:59	Local4.Info	192.168.0.1	Jul 22 2009 15:25:53: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2263 to outside:10.1.1.11/41858
07-22-2009	15:32:59	Local4.Info	192.168.0.1	Jul 22 2009 15:25:53: %PIX-6-302013: Built outbound TCP connection 65325 for outside:123.100.99.61/80 (123.100.99.61/80) to inside:192.168.0.164/2262 (10.1.1.11/41857)
07-22-2009	15:32:58	Local4.Info	192.168.0.1	Jul 22 2009 15:25:53: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.0.164/2262 to outside:10.1.1.11/41857
07-22-2009	15:32:58	Local4.Info	192.168.0.1	Jul 22 2009 15:25:53: %PIX-6-302013: Built outbound TCP connection 65324 for outside:123.100.99.61/80 (123.100.99.61/80) to inside:192.168.0.164/2261 (10.1.1.11/41856)


Commented:
Hi

You have PPTP enabled on your outside interface, so it won't work on inside:
vpdn enable outside


You need to do a pptp test from outside your firewall to test this.

HTH
Commented:
And as mentioned, due to the access-list lines below, you are only allowing PPTP to come in from these IPs and nowhere else:
access-list outside_access_in permit tcp host 60.234.187.27 any eq pptp
access-list outside_access_in permit tcp host 222.154.240.186 any eq pptp
access-list outside_access_in permit tcp host 222.154.240.185 any eq pptp
access-list outside_access_in permit tcp host 222.154.246.126 any eq pptp
access-list outside_access_in permit tcp host 125.236.197.89 any eq pptp
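
As an added example (not code from the thread or from Cisco), the following Python checker applies the checks the two replies above describe to the posted config: is `vpdn enable` present on the interface the client is hitting, is an access-group bound inbound on that interface, which entry of that access-list (if any) permits tcp/1723 from a given source to the interface address, and which `eq pptp` entries can never match because their destination is not the interface address. It also reads the `%PIX-7-710005` discard line from the syslog capture against the config. The config excerpt, the `203.0.113.5` test address and all function names are constructed for this example; named hosts (`name ...`) are not resolved.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted above: the interface
# addresses and only the lines that matter for inbound PPTP (tcp/1723).
PIX_CONFIG = """\
ip address outside 10.1.1.11 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp host 60.234.187.27 any eq pptp
access-list outside_access_in permit tcp host 222.154.240.186 any eq pptp
access-list outside_access_in remark pptp
access-list outside_access_in permit tcp any 192.168.0.0 255.255.255.0 eq pptp
access-group outside_access_in in interface outside
vpdn enable outside
"""
# The %PIX-7-710005 line from the syslog capture in the thread.
SAMPLE_DISCARD = ("Jul 22 2009 15:25:57: %PIX-7-710005: TCP request discarded "
                  "from 192.168.0.201/1276 to inside:192.168.0.1/pptp")
PPTP = 1723
PORT_NAMES = {"pptp": PPTP, "www": 80, "https": 443, "smtp": 25}

def _addr(t, i):
    """Consume 'any' | 'host X' | 'X MASK' at t[i]; PIX 6.x uses real masks, not wildcards."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT' at t[i]; returns (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1], int(t[i + 1]) if t[i + 1].isdigit() else None), i + 2
    return None, i

def parse_acl(config, name):
    """Permit/deny entries of access-list NAME, in order; remark lines are skipped."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        _, i = _port(t, i)               # source-port qualifier, not needed here
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport})
    return entries

def _cfg(config, pattern):
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def pptp_enabled_on(config, iface):
    return re.search(rf"^vpdn enable {iface}$", config, re.M) is not None

def pptp_verdict(config, src_ip, iface="outside"):
    """Would a PPTP control connection from src_ip to the PIX's iface address be accepted?"""
    src = ipaddress.ip_address(src_ip)
    if not pptp_enabled_on(config, iface):
        return f"deny: no 'vpdn enable {iface}', PPTP is not terminated on {iface}"
    acl = _cfg(config, rf"^access-group (\S+) in interface {iface}$")
    if acl is None:
        return f"deny: no access-group applied inbound on {iface}"
    # PPTP terminates on the interface address itself, so that is the destination to match.
    dst = ipaddress.ip_address(_cfg(config, rf"^ip address {iface} (\S+) "))
    for n, e in enumerate(parse_acl(config, acl), 1):
        if e["proto"] == "tcp" and e["dport"] in (None, PPTP) and src in e["src"] and dst in e["dst"]:
            return f"{e['action']}: matched {acl} entry {n}"
    return f"deny: no {acl} entry matches tcp {src} -> {dst}/{PPTP} (implicit deny)"

def dead_pptp_entries(config, iface="outside"):
    """Entry numbers with 'eq pptp' whose destination can never be the interface address."""
    dst = ipaddress.ip_address(_cfg(config, rf"^ip address {iface} (\S+) "))
    acl = _cfg(config, rf"^access-group (\S+) in interface {iface}$")
    return [n for n, e in enumerate(parse_acl(config, acl), 1)
            if e["dport"] == PPTP and dst not in e["dst"]]

DISCARD_RE = re.compile(r"%PIX-7-710005: TCP request discarded from (\S+)/\d+ to (\w+):\S+/(\w+)")

def explain_discard(config, line):
    """Flag a %PIX-7-710005 discard that is explained by PPTP not being enabled on that interface."""
    m = DISCARD_RE.search(line)
    if not m or m.group(3) not in ("pptp", str(PPTP)) or pptp_enabled_on(config, m.group(2)):
        return None
    return f"{m.group(1)} tried PPTP on the {m.group(2)} interface, but vpdn is not enabled there"
```

Run against the excerpt, `60.234.187.27` is permitted by entry 2, any other outside address falls through to the implicit deny, entry 4 (the `any 192.168.0.0 255.255.255.0 eq pptp` line) is reported as never matching, and the syslog discard is attributed to the missing `vpdn enable inside`.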

Author

Commented:

Hi nodisco, I have tested this from outside on one of those IP addresses other than the one I was having trouble on and got on successfully. I went back to the trouble network and tried again and now it works. I can only suspect that the PIX had a hung session or the like on the PPTP; not sure if that's possible.

Thank you so much for your help; this site and the help are fantastic, well worth the money!

Commented:
No worries mate - glad you got it working :-)

Author

Commented:
top guy! :)
