08-27-2004 02:03 PM - edited 02-20-2020 11:36 PM
Hello All. I'm having a problem with my PIX and PPTP VPN. I can authenticate and get an IP address no problem, but I can't access (ping) any devices inside my network. Here is my PIX config file. Any help would be appreciated. Thanks.
access-list xxxxxxxx_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.0.248 255.255.255.248
access-list outside_cryptomap_dyn_80 permit ip any 192.168.0.240 255.255.255.240
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx 255.255.255.0
ip address inside 192.168.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Radio 192.168.100.145-192.168.100.147
ip local pool RemoteClients1 192.168.0.245-192.168.0.249
ip local pool RemoteClients2 192.168.0.250-192.168.0.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http xx.xxx.xxx.xx 255.255.255.255 outside
http xxx.xxx.xx.xx 255.255.255.255 outside
http xx.xxx.xx.xx 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup xxxxxxx split-tunnel xxxxxxx_splitTunnelAcl
vpngroup xxxxxxx idle-time 1800
vpngroup Tisdale password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh xx.xxx.xxx.xx 255.255.255.255 outside
ssh xxx.xxx.xx.xx 255.255.255.255 outside
ssh xx.xxx.xx.xx 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group walker_l2tp accept dialin l2tp
vpdn group walker_l2tp ppp authentication mschap
vpdn group walker_l2tp client configuration address local RemoteClients1
vpdn group walker_l2tp client configuration dns 142.165.21.5 142.165.5.2
vpdn group walker_l2tp client authentication local
vpdn group walker_l2tp l2tp tunnel hello 60
vpdn group walker_pptp accept dialin pptp
vpdn group walker_pptp ppp authentication mschap
vpdn group walker_pptp ppp encryption mppe 40
vpdn group walker_pptp client configuration address local RemoteClients2
vpdn group walker_pptp client configuration dns 142.165.21.5 142.165.5.2
vpdn group walker_pptp pptp echo 60
vpdn group walker_pptp client authentication local
vpdn username remote password *********
vpdn username test password *********
vpdn username walker password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username Admin password DG.hZ16GKd7m3kjA encrypted privilege 15
terminal width 80
Cryptochecksum:1a01312dc4ebedf6bb3928dbf1ac7b55
: end
08-30-2004 02:59 PM
I think this line is your problem:
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
The ACL this references includes traffic for your PPTP pool of addresses, so I think as traffic goes back out the PIX it is matching this first and the PIX is trying to encrypt it using IPSec.
Remove this line with "no crypto ..." and see how you go; it doesn't look like you're using the crypto map stuff anyway, and even if you are, removing this line won't affect those tunnels.
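The clash described in the reply above is easy to miss by eye, so here is an added example (my own code, not from the original thread or from Cisco) that parses the relevant lines of a PIX 6.x style config and flags any VPDN (PPTP/L2TP) address pool whose addresses fall inside the destination of an ACL referenced by a crypto dynamic-map "match address" entry. Traffic going back out to a dial-in client has the client's pool address as its destination, so it is the destination half of each ACE that matters. SAMPLE_CONFIG is constructed from the lines of the posted config that are involved; the function names are my own, and the suggested fix is simply the "no" form of the offending crypto-map line.

```python
"""Flag PIX VPDN (PPTP/L2TP) address pools that overlap the destination of a
crypto dynamic-map 'match address' ACL. Return traffic to those clients would
be matched by the IPsec crypto map instead of going back over PPTP/L2TP."""
import ipaddress

# Constructed sample: the relevant lines from the config posted in this thread.
SAMPLE_CONFIG = """
access-list outside_cryptomap_dyn_80 permit ip any 192.168.0.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.0.248 255.255.255.248
ip local pool Radio 192.168.100.145-192.168.100.147
ip local pool RemoteClients1 192.168.0.245-192.168.0.249
ip local pool RemoteClients2 192.168.0.250-192.168.0.254
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
vpdn group walker_l2tp accept dialin l2tp
vpdn group walker_l2tp client configuration address local RemoteClients1
vpdn group walker_pptp accept dialin pptp
vpdn group walker_pptp client configuration address local RemoteClients2
"""


def _take_addr(tok, i):
    """Consume one PIX address spec at tok[i]: 'any', 'host A' or 'A MASK'.
    Returns (network, index of the next unread token)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out the four statement types this check needs. Only 'permit ip'
    ACEs are parsed; other ACL forms are ignored for this purpose."""
    acls = {}         # ACL name -> list of (src_net, dst_net)
    pools = {}        # pool name -> (first address, last address)
    vpdn_pools = {}   # vpdn group -> pool name it hands out
    crypto_acls = []  # (dynamic-map name, seq, ACL name)
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, i = _take_addr(tok, 4)
            dst, _ = _take_addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            pools[tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[:2] == ["vpdn", "group"] and tok[3:7] == [
                "client", "configuration", "address", "local"]:
            vpdn_pools[tok[2]] = tok[7]
        elif tok[:2] == ["crypto", "dynamic-map"] and tok[4:6] == ["match", "address"]:
            crypto_acls.append((tok[2], tok[3], tok[6]))
    return acls, pools, vpdn_pools, crypto_acls


def _pool_overlaps(pool, net):
    """True if any address in the pool range lies inside the network."""
    lo, hi = pool
    return lo <= net.broadcast_address and hi >= net.network_address


def find_conflicts(text):
    """Return one record per (vpdn pool, crypto-map ACE) overlap, with the
    'no ...' command that would detach the ACL from the dynamic map."""
    acls, pools, vpdn_pools, crypto_acls = parse_config(text)
    conflicts = []
    for group, pool_name in vpdn_pools.items():
        if pool_name not in pools:   # pool referenced but not defined: nothing to check
            continue
        for cmap, seq, acl in crypto_acls:
            for _src, dst in acls.get(acl, []):
                # Return traffic to a dial-in client carries the pool address
                # as its destination, so only the destination half is compared.
                if _pool_overlaps(pools[pool_name], dst):
                    conflicts.append({
                        "vpdn_group": group, "pool": pool_name,
                        "crypto_map": cmap, "seq": seq, "acl": acl,
                        "ace_dst": str(dst),
                        "fix": f"no crypto dynamic-map {cmap} {seq} match address {acl}",
                    })
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_CONFIG):
        print(f"vpdn group {c['vpdn_group']} (pool {c['pool']}) is inside "
              f"{c['ace_dst']} of ACL {c['acl']} on dynamic-map "
              f"{c['crypto_map']} seq {c['seq']}: {c['fix']}")
```

Run against the posted config it reports both the L2TP and the PPTP pool, because 192.168.0.240/28 covers .240 through .255 and both pools sit in that range; after the "match address" line is removed it reports nothing. Note it only looks at "match address" ACLs on dynamic maps, which is the case in this thread; a static crypto map entry with its own "match address" would need the same treatment.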
08-31-2004 06:40 AM
Thanks, that worked!
shawn