10-28-2005 01:05 PM - edited 02-21-2020 12:29 AM
Hello
Here's my problem. I have a PPTP VPN configured in my PIX 506E. I can connect fine and browse network resources on the remote network by IP address. I can connect to any computer using MS Remote Desktop Connection. I cannot browse by NetBIOS name. Also, I am using the Windows VPN client, and when I clear the check box "use default gateway on remote network" I connect but cannot see any network resources and am unable to ping anything.
I have copied a partial configuration here. Please keep in mind that I am a newcomer to Cisco PIX.
names
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq pop3
access-list inbound permit tcp any any eq pptp
access-list inbound permit tcp any host 64.122.79.130 eq www
access-list inbound permit tcp any host 192.168.20.102 eq www
access-list inbound permit tcp any any eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.20.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.20.0 255.255.255.252
access-list inside_outbound_nat0_acl permit ip any host 192.168.20.0
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 64.122.79.0 255.255.255.252 192.168.20.0 255.255.255.0
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 64.122.x.x.255.255.252
ip address inside 192.168.20.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool AtritechVPN 192.168.2.1-192.168.2.250 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.x.79.130 smtp 192.168.20.102 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.79.130 www 192.168.20.102 www netmask 255.255.255.255 0 0
static (inside,outside) 192.168.x.253 64.122.79.130 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.x.x.122.79.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
vpngroup Atritechvpn idle-time 1800
vpngroup <Atritechvpn> idle-time 1800
vpngroup "Atritechvpn" idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Atritechvpn accept dialin pptp
vpdn group Atritechvpn ppp authentication chap
vpdn group Atritechvpn ppp authentication mschap
vpdn group Atritechvpn ppp encryption mppe 128
vpdn group Atritechvpn client configuration address local AtritechVPN
vpdn group Atritechvpn client configuration dns 192.168.20.103 192.168.20.102
vpdn group Atritechvpn client configuration wins 192.168.20.103
vpdn group Atritechvpn pptp echo 60
vpdn group Atritechvpn client authentication local
Thanks in advance
11-04-2005 06:52 AM
Make sure the VPN server (PIX Firewall, Cisco VPN Concentrator or a router) successfully assigns a DNS server IP address to the Cisco VPN Client. To check, issue the ipconfig /all command on your PC after you are connected with the VPN Client.
If you do not see the correct IP address for your DNS field, check the configuration on the VPN server to make sure it was configured properly. This pushes the DNS server's IP address to the VPN Client's IP address.
To assign the DNS server's IP address for the VPN Clients, issue these commands:
On the PIX Firewall:
vpngroup test dns-server x.x.x.x
Note: The test dns-server is an optional parameter that is available when issuing the vpngroup command.
On the router:
crypto isakmp client configuration group 3000client
dns x.x.x.x
On the VPN Concentrator:
Go under Configuration > User Management > Groups.
Select the group you are working with and click Modify Group.
Go to the General tab and scroll down. You can assign DNS settings to the clients in this location. Make sure the correct IP address was specified.
If the VPN Client receives the correct DNS IP address from the VPN server, but name resolution still does not work, check to make sure the Network Basic Input and Output System (NetBIOS) over Transmission Control Protocol (TCP) and IP option is checked under Advanced TCP/IP properties > WINS on the PC that runs the VPN Client.
Note: If you do not have split tunneling configured for the VPN Client, you will not be able to use the DNS server of the Internet Service Provider (ISP) anymore. This is because all traffic is now encrypted and sent to the VPN server.
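The server-side check described in the reply above, run against lines copied from the configuration in the question. This is an added example, not part of the original thread; the function name audit and its report keys are made up for illustration.

```python
import ipaddress

# Lines copied from the PIX configuration posted in the question above.
CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.20.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside 192.168.20.253 255.255.255.0
ip local pool AtritechVPN 192.168.2.1-192.168.2.250 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpdn group Atritechvpn client configuration address local AtritechVPN
vpdn group Atritechvpn client configuration dns 192.168.20.103 192.168.20.102
vpdn group Atritechvpn client configuration wins 192.168.20.103
"""

def audit(config):
    """Per vpdn group: is the pool defined and NAT-exempt, are DNS/WINS pushed?"""
    pools, acls, groups, nat0, inside = {}, {}, {}, None, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:3] == ["ip", "address", "inside"]:
            inside = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # Destination is the trailing "any", "host ADDR" or "ADDR MASK".
            dst = f"{t[-1]}/32" if t[-2] == "host" else f"{t[-2]}/{t[-1]}"
            dst = "0.0.0.0/0" if t[-1] == "any" else dst
            acls.setdefault(t[1], []).append(ipaddress.ip_network(dst, strict=False))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]  # ACL whose matches bypass address translation
        elif t[:2] == ["vpdn", "group"] and t[3:5] == ["client", "configuration"]:
            g = groups.setdefault(t[2], {"pool": None, "dns": [], "wins": []})
            if t[5] == "address":
                g["pool"] = t[7]
            elif t[5] in ("dns", "wins"):
                g[t[5]] = [ipaddress.ip_address(a) for a in t[6:]]
    report = {}
    for name, g in groups.items():
        rng, servers = pools.get(g["pool"]), g["dns"] + g["wins"]
        report[name] = {
            "pool_defined": rng is not None,
            "pool_nat_exempt": bool(rng) and any(
                rng[0] in n and rng[1] in n for n in acls.get(nat0, [])),
            "dns_pushed": bool(g["dns"]),
            "wins_pushed": bool(g["wins"]),
            "servers_on_inside": inside is not None and all(a in inside for a in servers),
        }
    return report
```

For the posted lines every check comes back True, which leaves the client-side checks from the reply: the ipconfig /all output and the NetBIOS over TCP/IP setting.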
07-18-2006 05:28 PM
I have this same problem right now, and as far as I can tell it's because my VPN clients are receiving invalid netmasks and default gateways. For example, I defined an IP pool for VPN users, and the addresses are handed out correctly. But an ipconfig reveals the information as:
IP: 10.1.1.200
Netmask: 255.255.255.255
Def Gateway: 10.1.1.200
Where can I change what the assigned netmask and gateway are?
07-18-2006 11:51 PM