PIX 501 Windows VPN Client config

brandonrainbolt
I've got a PIX 501 that I am trying to configure for windows client VPN access. I was able to configure the PIX to allow the incoming connection, but I am not able to reach anything on the inside of the PIX. I've noticed that when I connect the VPN, the IP settings of the machine connecting to the network show the default gateway as being the same as the machine IP address.

What am I missing here?

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 123456789 encrypted
passwd 21324354657 encrypted
hostname hostname
domain-name domain-name
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out permit icmp any any
access-list out permit tcp any host x.x.105.228 eq smtp
access-list out permit tcp any host x.x.105.228 eq www
access-list out permit tcp any host x.x.105.227 eq 3389
access-list out permit tcp any host x.x.105.228 eq 3389
access-list out permit tcp any host x.x.105.228 eq pop3
access-list out permit tcp any host x.x.105.229 eq 3389
access-list out permit tcp any host x.x.105.230 eq 3389
access-list out permit tcp any host x.x.105.231 eq 2698
access-list out permit udp any host x.x.105.231 eq 2698
access-list out permit tcp any host x.x.105.230 eq www
access-list out permit tcp any host x.x.105.230 eq 554
access-list VPN-nonat permit ip 10.0.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_Trenton permit ip 10.0.1.0 255.255.255.0 10.1.1.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.105.226 255.255.255.240
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 10.0.1.201-10.0.1.220
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10 x.x.105.228
global (outside) 2 x.x.105.230
nat (inside) 0 access-list VPN-nonat
nat (inside) 10 10.0.1.11 255.255.255.255 0 0
nat (inside) 2 10.0.1.101 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.105.227 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.228 www 10.0.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.228 smtp 10.0.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.228 3389 10.0.1.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.228 pop3 10.0.1.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.230 3389 10.0.1.101 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.230 www 10.0.1.101 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.229 3389 10.0.1.12 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.231 2698 10.0.1.210 2698 netmask 255.255.255.255 0 0
static (inside,outside) udp x.x.105.231 2698 10.0.1.210 2698 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.105.230 554 10.0.1.101 554 netmask 255.255.255.255 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.105.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_xyz 20 ipsec-isakmp
crypto map VPN_xyz 20 match address VPN_Trenton
crypto map VPN_xyz 20 set peer y.y.220.3
crypto map VPN_xyz 20 set transform-set strong
crypto map VPN_xyz interface outside
isakmp enable outside
isakmp key ******** address y.y.220.3 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username test password *********
vpdn enable outside
terminal width 80
Cryptochecksum:asdvasdfasdfasdfasdfasdf
: end

Commented:
Not that this answers your question but we typically configure the PIX with an IPSec Client VPN and leave the PPTP to the Microsoft Server since that's so ridiculously easy to configure.  Would you be willing to cancel the PIX config and simply port forward tcp/1723 to your Windows 2000 or greater server?


Either way, connect a client and ping an inside device (server, printer, something) IP Address and give the output from a #show log and #show pdm log
Senior infrastructure engineer
Top Expert 2012
Commented:
Try changing the following:

no ip local pool bigpool 10.0.1.201-10.0.1.220
ip local pool bigpool 10.0.2.1-10.0.2.30

access-list VPN-nonat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.224


And see if that helps.
I agree with rehamris, in that it is easy to configure the Cisco IPsec VPN client config on the 501. And it does great pass-thru to a Windows PPTP server. I must admit I have not done a PPTP to the 501 recently. But I think I have some 501 VPN PPTP configs at home I can look this up. I recommend two documents: Cisco VPN Troubleshooting Guide.docx, and the 6.3 Cmd Ref. I would remove the PAP and CHAP authentications and use only the MSCHAP for obvious security concerns. MSCHAP is the most secure auth you get out of PPTP and you have the MPPE on also, which is good. Off the top of my head, I don't see what is failing, but your symptom does sound like a translation issue. To troubleshoot, do a show xlate, show conn, sh vpdn, etc. and post some results.
Author

Commented:
@rehamris: I am willing to look at that, but I don't know how to implement it - conceptually or otherwise. To be honest, I don't know how to do any of this. I'm just trying to figure it out.

What type of logging needs to be turned on for this? I don't have anything enabled right now.

@erniebeek: That address range is outside of my pool, so I don't think it would help. Is there another way to accomplish what you are suggesting?

@Boilermaker85: I'm working remotely from the location I am trying to establish the VPN from, and when I connect, I lose my internet connection (probably because my machine is trying to send all the traffic to the default gateway, which is itself), so I can't run those commands while the connection is in place.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
That is correct. The pool is overlapped by the inside range, which can give you issues.
Wouldn't hurt to try would it?

Author

Commented:
@erniebeek: Sorry, I should have been more clear. Those addresses are outside of the subnet being used on my network. I have my DHCP server configured to not assign the addresses used in the pool for the VPN clients, so there are not going to be any IP address conflicts, if that's what you mean by "issues." Does that make sense?
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Well it does, but it isn't what I meant ;)

The thing is that VPNs are terminated on the outside interface, so the IP addresses they get are 'seen' by the PIX on the outside interface. You have now assigned the pool in a range that is also on the inside interface. Simply put, that is confusing for the PIX. The PIX should be in between networks. In this setup it isn't.
So now it's my turn to ask: do I make sense to you?
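
The overlap erniebeek describes can be checked mechanically before a pool is committed to a PIX. The script below is an added example, not something posted in this thread: it parses the relevant PIX 6.3 lines from two constructed snippets (the original pool and the suggested replacement) and flags a VPN pool that falls inside the inside subnet or is not covered by the destination of the nat 0 access-list.

```python
import ipaddress
import re

# Constructed sample modelled on the config in the question: the pool sits
# inside the 10.0.1.0/24 LAN and the nat 0 ACL only exempts 10.1.1.0/24.
ORIGINAL_CFG = """\
ip address inside 10.0.1.1 255.255.255.0
ip local pool bigpool 10.0.1.201-10.0.1.220
access-list VPN-nonat permit ip 10.0.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list VPN-nonat
"""

# Constructed sample with erniebeek's suggested change applied.
FIXED_CFG = """\
ip address inside 10.0.1.1 255.255.255.0
ip local pool bigpool 10.0.2.1-10.0.2.30
access-list VPN-nonat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.224
nat (inside) 0 access-list VPN-nonat
"""

def check_pool(cfg: str) -> list:
    """Return a list of findings about the VPN address pool(s) in a PIX 6.x config."""
    inside, nat0, pools, acls = None, None, {}, {}
    for line in cfg.splitlines():
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", line):
            # Only the destination (VPN client side) of the nat 0 ACL matters here.
            acls.setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat0 = m[1]
    findings = []
    for name, (lo, hi) in pools.items():
        # A pool that lands inside the LAN subnet is handed out on the outside
        # interface while the same prefix is routed to the inside interface.
        if inside is not None and (lo in inside or hi in inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
        # Without a nat 0 exemption the client traffic is translated on return.
        if not any(lo in n and hi in n for n in acls.get(nat0, [])):
            findings.append(f"pool {name} not covered by nat 0 access-list {nat0}")
    return findings

if __name__ == "__main__":
    print("original:", check_pool(ORIGINAL_CFG))
    print("fixed:", check_pool(FIXED_CFG))
```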

Author

Commented:
Sorry for the delay. I've been out of town. I will try your suggestion as soon as possible.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
No problem, let us know when you've had the time to try this.

Author

Commented:
Awesome! Thanks!
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Glad it worked out for you :)
Thx for the points.
