10-27-2004 01:06 PM - edited 02-20-2020 11:42 PM
Hello. I am running a PIX 515E. I have a single subnet on the internal PIX int (192.168.0.0/24), no routers. I'm using PPTP to provide VPN access, works great. Problem: I need to allow VPN access from another company that is on the same subnet (192.168.0.0/24). The outside company only requires access to 1 server in my network. I thought I would add a second IP to the server (e.g. 192.168.10.10). How do I configure the PIX to allow this configuration? Thanks.
10-27-2004 05:12 PM
Might be something like this:
fixup protocol pptp 1723
access-list acs-outside permit tcp host PartnerPublicIP host PPTP-Public2 eq pptp
access-list acs-outside permit gre host PartnerPublicIP host PPTP-Public2
access-list acs-outside permit tcp any host PPTP-Public eq pptp
access-list acs-outside permit gre any host PPTP-Public
access-group acs-outside in interface outside
access-list acs-inside permit tcp host PPTP-Partner-Server-IP PPTPoolPartner 255.255.255.0
access-list acs-inside permit tcp host PPTP-User-Server-IP PPTPoolUsers 255.255.255.0
access-list acs-inside permit ip any any
access-group acs-inside in interface inside
static (inside,outside) PPTP-Public PPTP-User-Server-IP netmask 255.255.255.255 0 0
static (inside,outside) PPTP-Public2 PPTP-Partner-Server-IP netmask 255.255.255.255 0 0
ip local pool PPTPoolUsers 192.168.201.1-192.168.201.254
ip local pool PPTPoolPartner 192.168.202.1-192.168.202.254
vpdn group PPTPUsers accept dialin pptp
vpdn group PPTPUsers ppp authentication pap
vpdn group PPTPUsers ppp authentication chap
vpdn group PPTPUsers ppp authentication mschap
vpdn group PPTPUsers client configuration address local PPTPoolUsers
vpdn group PPTPUsers pptp echo 60
vpdn group PPTPUsers client authentication local
vpdn username user password userpassword
vpdn group PPTPPartner accept dialin pptp
vpdn group PPTPPartner ppp authentication pap
vpdn group PPTPPartner ppp authentication chap
vpdn group PPTPPartner ppp authentication mschap
vpdn group PPTPPartner client configuration address local PPTPoolPartner
vpdn group PPTPPartner pptp echo 60
vpdn group PPTPPartner client authentication local
vpdn username partner password patnerpassword
vpdn enable outside
Add a route for the PPTPPool... on the PPTP Servers with the PIX as default gateway.
Try that out and give me feedback.
Sincerely,
Patrick
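Added example, not part of the original posts: a small consistency check for a PIX-style configuration like the one in the reply above. It reports ACLs that are defined but never bound, an ACL bound to more than one interface, vpdn groups that point at an undefined address pool, and groups that accept PAP (cleartext passwords). The sample configuration and its names are constructed for illustration.

```python
# Constructed sample in the PIX syntax used in the reply; names are hypothetical.
SAMPLE = """\
access-list acs-outside permit tcp any host PPTP-Public eq pptp
access-list acs-inside permit ip any any
access-group acs-outside in interface outside
access-group acs-outside in interface inside
ip local pool PPTPoolUsers 192.168.201.1-192.168.201.254
vpdn group PPTPUsers accept dialin pptp
vpdn group PPTPUsers ppp authentication pap
vpdn group PPTPUsers ppp authentication mschap
vpdn group PPTPUsers client configuration address local PPTPoolUser
vpdn enable outside
"""

def lint(config):
    """Return a sorted list of findings for a PIX-style configuration text."""
    acls, pools, findings = set(), set(), []
    bound = {}       # ACL name -> interfaces it is bound to
    pool_refs = []   # (vpdn group, pool name) pairs
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) > 2:
            acls.add(tok[1])
        elif tok[:1] == ["access-group"] and len(tok) == 5:
            bound.setdefault(tok[1], []).append(tok[4])
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) > 3:
            pools.add(tok[3])
        elif tok[:2] == ["vpdn", "group"] and len(tok) > 5:
            if tok[3:6] == ["ppp", "authentication", "pap"]:
                findings.append(f"vpdn group {tok[2]} accepts cleartext PAP")
            elif tok[3:7] == ["client", "configuration", "address", "local"] and len(tok) > 7:
                pool_refs.append((tok[2], tok[7]))
    for acl, ifaces in bound.items():
        if acl not in acls:
            findings.append(f"access-group binds undefined ACL {acl}")
        if len(ifaces) > 1:
            findings.append(f"ACL {acl} is bound to several interfaces: {', '.join(sorted(ifaces))}")
    for acl in acls - set(bound):
        findings.append(f"ACL {acl} is defined but not bound to any interface")
    for group, pool in pool_refs:
        if pool not in pools:
            findings.append(f"vpdn group {group} references undefined pool {pool}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

An ACL bound to two interfaces is reported as a warning rather than an error, since it can be intentional; it is worth a second look when another ACL in the same configuration is left unbound.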