PIX and PPTP unable to access internal network

shawn
Level 1

Hello All. I'm having a problem with my PIX and PPTP VPN. I can authenticate and get an IP address no problem, but I can't access (ping) any devices inside my network. Here is my PIX config file. Any help would be appreciated. Thanks.

access-list xxxxxxxx_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.0.248 255.255.255.248
access-list outside_cryptomap_dyn_80 permit ip any 192.168.0.240 255.255.255.240
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.0
ip address inside 192.168.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Radio 192.168.100.145-192.168.100.147
ip local pool RemoteClients1 192.168.0.245-192.168.0.249
ip local pool RemoteClients2 192.168.0.250-192.168.0.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http xx.xxx.xxx.xx 255.255.255.255 outside
http xxx.xxx.xx.xx 255.255.255.255 outside
http xx.xxx.xx.xx 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup xxxxxxx split-tunnel xxxxxxx_splitTunnelAcl
vpngroup xxxxxxx idle-time 1800
vpngroup Tisdale password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh xx.xxx.xxx.xx 255.255.255.255 outside
ssh xxx.xxx.xx.xx 255.255.255.255 outside
ssh xx.xxx.xx.xx 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group walker_l2tp accept dialin l2tp
vpdn group walker_l2tp ppp authentication mschap
vpdn group walker_l2tp client configuration address local RemoteClients1
vpdn group walker_l2tp client configuration dns 142.165.21.5 142.165.5.2
vpdn group walker_l2tp client authentication local
vpdn group walker_l2tp l2tp tunnel hello 60
vpdn group walker_pptp accept dialin pptp
vpdn group walker_pptp ppp authentication mschap
vpdn group walker_pptp ppp encryption mppe 40
vpdn group walker_pptp client configuration address local RemoteClients2
vpdn group walker_pptp client configuration dns 142.165.21.5 142.165.5.2
vpdn group walker_pptp pptp echo 60
vpdn group walker_pptp client authentication local
vpdn username remote password *********
vpdn username test password *********
vpdn username walker password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username Admin password DG.hZ16GKd7m3kjA encrypted privilege 15
terminal width 80
Cryptochecksum:1a01312dc4ebedf6bb3928dbf1ac7b55
: end

2 Replies

gfullage
Cisco Employee

I think this line is your problem:

crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80

The ACL this references includes traffic for your PPTP pool of addresses, so I think as traffic goes back out the PIX it is matching this first and the PIX is trying to encrypt it using IPSec.

Remove this line with "no crypto ..." and see how you go; it doesn't look like you're using the crypto map stuff anyway, and even if you are, removing this line won't affect these tunnels.

Thanks, that worked!

shawn
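The fault gfullage diagnosed, a dynamic crypto-map `match address` ACL whose destination side covers the address pool handed to PPTP/L2TP clients, can be checked mechanically before and after the fix. The script below is an added example, not code from this thread or from Cisco. It parses a PIX 6.x-style config (the `SAMPLE_CONFIG` is a constructed subset of the posted config, with the `FIXED_CONFIG` being the same text with the `match address` line removed as suggested), maps each vpdn group to its `ip local pool`, and reports every crypto-map entry whose ACL destination overlaps such a pool. It also flags the `ppp authentication mschap` and `ppp encryption mppe 40` settings, which are weak independently of the routing problem: MS-CHAP challenge/response is crackable offline, and 40-bit MPPE is RC4 with a 40-bit key. All function and constant names are this example's own.

```python
"""Lint a PIX 6.x-style config for a dynamic crypto-map ACL that swallows the
addresses given to PPTP/L2TP clients, plus weak PPP settings.
Added example, not Cisco code; standard library only."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the lines of the posted config that matter for the check.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.0.248 255.255.255.248
access-list outside_cryptomap_dyn_80 permit ip any 192.168.0.240 255.255.255.240
ip local pool Radio 192.168.100.145-192.168.100.147
ip local pool RemoteClients1 192.168.0.245-192.168.0.249
ip local pool RemoteClients2 192.168.0.250-192.168.0.254
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
vpdn group walker_l2tp accept dialin l2tp
vpdn group walker_l2tp ppp authentication mschap
vpdn group walker_l2tp client configuration address local RemoteClients1
vpdn group walker_pptp accept dialin pptp
vpdn group walker_pptp ppp authentication mschap
vpdn group walker_pptp ppp encryption mppe 40
vpdn group walker_pptp client configuration address local RemoteClients2
"""

# The fix from the reply: drop the 'match address' line from entry 80.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80\n", "")

Net = ipaddress.IPv4Network
Pool = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def _take_net(tok: List[str], i: int) -> Tuple[Net, int]:
    """Read one ACL operand (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks: "192.168.0.240/255.255.255.240"
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse(config: str):
    pools: Dict[str, Pool] = {}                       # pool name -> (first, last)
    acls: Dict[str, List[Tuple[Net, Net]]] = {}       # ACL name -> [(src, dst)]
    crypto_acls: List[Tuple[str, str]] = []           # (dynamic-map entry, ACL)
    vpdn_pools: Dict[str, str] = {}                   # vpdn group -> pool name
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _take_net(t, 4)
            dst, _ = _take_net(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["match", "address"]:
            crypto_acls.append((f"{t[1]} {t[2]} {t[3]}", t[6]))
        elif t[:2] == ["vpdn", "group"] and t[3:7] == ["client", "configuration", "address", "local"]:
            vpdn_pools[t[2]] = t[7]
    return pools, acls, crypto_acls, vpdn_pools


def _overlaps(pool: Pool, net: Net) -> bool:
    lo, hi = pool
    return lo <= net.broadcast_address and hi >= net.network_address


def pool_in_crypto_acl(config: str) -> List[str]:
    """One finding per (crypto-map entry, vpdn group) whose client pool falls
    inside the destination side of the entry's match ACL.  Only the destination
    is tested: on a dynamic map the ACL destination is the remote side, so reply
    packets bound for a PPTP/L2TP client that match it are handed to IPsec
    instead of the PPP tunnel, which is the symptom described in the thread."""
    pools, acls, crypto_acls, vpdn_pools = parse(config)
    findings = []
    for entry, acl in crypto_acls:
        for _src, dst in acls.get(acl, []):
            for group, pool_name in vpdn_pools.items():
                if pool_name in pools and _overlaps(pools[pool_name], dst):
                    findings.append(f"{entry} match address {acl}: destination {dst} "
                                    f"covers pool {pool_name} used by vpdn group {group}")
    return findings


def weak_ppp_settings(config: str) -> List[str]:
    """Flag PPP settings that are weak regardless of the routing fault above."""
    out = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["vpdn", "group"]:
            continue
        if t[3:5] == ["ppp", "authentication"] and t[5:6] == ["mschap"]:
            out.append(f"{t[2]}: MS-CHAP authentication (challenge/response is crackable offline)")
        if t[3:6] == ["ppp", "encryption", "mppe"] and t[6:7] == ["40"]:
            out.append(f"{t[2]}: 40-bit MPPE (RC4 with a 40-bit key)")
    return out


if __name__ == "__main__":
    for f in pool_in_crypto_acl(SAMPLE_CONFIG) + weak_ppp_settings(SAMPLE_CONFIG):
        print("before:", f)
    print("after fix:", pool_in_crypto_acl(FIXED_CONFIG) or "no crypto-map overlap")
```

On the sample this reports that `outside_dyn_map 80` pulls both `RemoteClients1` (L2TP) and `RemoteClients2` (PPTP) into `192.168.0.240/28`, and reports nothing for the crypto-map check once the `match address` line is gone. The MS-CHAP and 40-bit MPPE findings remain after the fix; they are a reason to move remote access off PPTP rather than something the crypto-map change addresses.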
