
PPTP users over IPsec

pramod
Level 1

Dear Experts,
Please refer to the attached scenario.

I have formed an IPsec tunnel and advertised the LAN subnets, and it's working fine.
But I have another requirement.
External users are connected to the site A PIX using PPTP VPN, and once they are connected they will get an IP range of 192.168.5.1-5.100. My requirement is that these subnets 192.168.5.x have to access site B's LAN subnets (10.2.2.0/24). Is this possible? If so, what configuration do I have to do on the PIX? Please help me!
Thanks,
Pramod


Nagaraja Thanthry
Cisco Employee

Hello,

Please try the following:

-- Add a nonat rule for traffic from 192.168.5.x subnet to 10.2.2.x subnet

-- Add the crypto access-list for traffic from 192.168.5.x subnet to 10.2.2.x subnet

-- Add a nonat rule for traffic from 10.2.2.x subnet to 192.168.5.x subnet

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Hope this helps.

Regards,

NT

You will need to do U-turning too.

Since you have a PIX, can you please mention the version you are running, as on certain PIX versions U-turning is not supported.

The version currently running is "Cisco PIX Firewall Version 6.3(4)"

In that case you will not be able to do U-turning or hairpinning.

So I guess we will have to figure out a way around.

Will a version upgrade to 7.3 fix this?

Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 464 MHz!!!

I would suggest that you go to the latest code for PIX. Here is the doc which will help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

By the way, the latest and the max you can go to for PIX is 8.04.

Note: PPTP users are connected to Site A using the PIX outside interface from the internet cloud!!!

Yes, I understand, so you have PPTP and site-to-site terminating on the same interface, right?

Yes, you are right!!!

Yup, so you can't do it with the current version of PIX.

Hello,

Code version above 7.2(4) will work and you will be able to do the U-turn.

Hope this helps.

Regards,

NT

OK, think if I replace the PPTP with site to remote access VPN for site A (users connecting from outside {internet})... then if I need to access LAN subnets in site B, do we still need U-turning? Or any other mechanism to work?

You will still need it... In any case I would still recommend you upgrade, because 6.3 is an ancient code which is soon going into the books and you don't want to play catching up...

U-turning is just one small feature that you get in newer code. One of the most important tools that I personally find the most useful as a TAC engineer is packet tracer.

As such, the structure of the code is new and different compared to 6.3.

..
