We help IT Professionals succeed at work.
Get Started

PIX 501 Windows VPN Client config

brandonrainbolt
on
563 Views
Last Modified: 2012-05-11
I've got a PIX 501 that I am trying to configure for windows client VPN access. I was able to configure the PIX to allow the incoming connection, but I am not able to reach anything on the inside of the PIX. I've noticed that when I connect the VPN, the IP settings of the machine connecting to the network show the default gateway as being the same as the machine IP address.

What am I missing here?
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123456789 encrypted
passwd 21324354657 encrypted
hostname hostname
domain-name domain-name
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out permit icmp any any
access-list out permit tcp any host x.x.105.228 eq smtp
access-list out permit tcp any host x.x.105.228 eq www
access-list out permit tcp any host x.x.105.227 eq 3389
access-list out permit tcp any host x.x.105.228 eq 3389
access-list out permit tcp any host x.x.105.228 eq pop3
access-list out permit tcp any host x.x.105.229 eq 3389
access-list out permit tcp any host x.x.105.230 eq 3389
access-list out permit tcp any host x.x.105.231 eq 2698
access-list out permit udp any host x.x.105.231 eq 2698
access-list out permit tcp any host x.x.105.230 eq www
access-list out permit tcp any host x.x.105.230 eq 554
access-list VPN-nonat permit ip 10.0.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_Trenton permit ip 10.0.1.0 255.255.255.0 10.1.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.105.226 255.255.255.240
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 10.0.1.201-10.0.1.220
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10 x.x.105.228
global (outside) 2 x.x.105.230
nat (inside) 0 access-list VPN-nonat
nat (inside) 10 10.0.1.11 255.255.255.255 0 0
nat (inside) 2 10.0.1.101 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.105.227 3389 10.0.1.10 3389 netmask 255.255.
255.255 0 0
static (inside,outside) tcp x.x.105.228 www 10.0.1.11 www netmask 255.255.25
5.255 0 0
static (inside,outside) tcp x.x.105.228 smtp 10.0.1.11 smtp netmask 255.255.
255.255 0 0
static (inside,outside) tcp x.x.105.228 3389 10.0.1.11 3389 netmask 255.255.
255.255 0 0
static (inside,outside) tcp x.x.105.228 pop3 10.0.1.11 pop3 netmask 255.255.
255.255 0 0
static (inside,outside) tcp x.x.105.230 3389 10.0.1.101 3389 netmask 255.255
.255.255 0 0
static (inside,outside) tcp x.x.105.230 www 10.0.1.101 www netmask 255.255.2
55.255 0 0
static (inside,outside) tcp x.x.105.229 3389 10.0.1.12 3389 netmask 255.255.
255.255 0 0
static (inside,outside) tcp x.x.105.231 2698 10.0.1.210 2698 netmask 255.255
.255.255 0 0
static (inside,outside) udp x.x.105.231 2698 10.0.1.210 2698 netmask 255.255
.255.255 0 0
static (inside,outside) tcp x.x.105.230 554 10.0.1.101 554 netmask 255.255.2
55.255 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.105.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_xyz 20 ipsec-isakmp
crypto map VPN_xyz 20 match address VPN_Trenton
crypto map VPN_xyz 20 set peer y.y.220.3
crypto map VPN_xyz 20 set transform-set strong
crypto map VPN_xyz interface outside
isakmp enable outside
isakmp key ******** address y.y.220.3 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password *********
vpdn enable outside
terminal width 80
Cryptochecksum:asdvasdfasdfasdfasdfasdf
: end

Open in new window

Comment
Watch Question
Senior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012
Commented:
This problem has been solved!
Unlock 1 Answer and 11 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE