PPTP VPN in PIX 506e

george_hassman
Level 1

Hello

Here's my problem. I have a PPTP VPN configured on my PIX 506e. I can connect fine and browse network resources on the remote network by IP address, and I can connect to any computer using MS Remote Desktop Connection. I cannot browse by NetBIOS name. Also, I am using the Windows VPN client, and when I clear the check box "Use default gateway on remote network" I connect but cannot see any network resources and am unable to ping anything.

I have copied a partial configuration here. Please keep in mind that I am a newcomer to the Cisco PIX.

names
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq pop3
access-list inbound permit tcp any any eq pptp
access-list inbound permit tcp any host 64.122.79.130 eq www
access-list inbound permit tcp any host 192.168.20.102 eq www
access-list inbound permit tcp any any eq smtp
access-list inside_outbound_nat0_acl permit ip any 192.168.20.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.20.0 255.255.255.252
access-list inside_outbound_nat0_acl permit ip any host 192.168.20.0
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 64.122.79.0 255.255.255.252 192.168.20.0 255.255.255.0
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 64.122.x.x.255.255.252
ip address inside 192.168.20.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool AtritechVPN 192.168.2.1-192.168.2.250 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.x.79.130 smtp 192.168.20.102 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.79.130 www 192.168.20.102 www netmask 255.255.255.255 0 0
static (inside,outside) 192.168.x.253 64.122.79.130 netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.x.x.122.79.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
vpngroup Atritechvpn idle-time 1800
vpngroup <Atritechvpn> idle-time 1800
vpngroup "Atritechvpn" idle-time 1800
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Atritechvpn accept dialin pptp
vpdn group Atritechvpn ppp authentication chap
vpdn group Atritechvpn ppp authentication mschap
vpdn group Atritechvpn ppp encryption mppe 128
vpdn group Atritechvpn client configuration address local AtritechVPN
vpdn group Atritechvpn client configuration dns 192.168.20.103 192.168.20.102
vpdn group Atritechvpn client configuration wins 192.168.20.103
vpdn group Atritechvpn pptp echo 60
vpdn group Atritechvpn client authentication local

Thanks in advance
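The loss of connectivity described above when "Use default gateway on remote network" is cleared follows from how the Windows PPTP client builds its routing table, and the posted nat 0 access list is the other thing that has to cover the PPTP pool for replies from the inside LAN to reach clients. The following Python is an added example for this thread; it is not code from the post, from Cisco or from Microsoft. It embeds the relevant lines from the posted configuration, models the client routing decision and checks the NAT exemption. Assumptions, labelled in the code: the Windows 2000/XP-era PPTP client installs only a class-based route for the network of its assigned address when the default-gateway box is cleared (and 0.0.0.0/0 when it is checked), and the manual workaround is a route add via the PPP adapter's own address; the client address 192.168.2.7 is a constructed value from the posted pool.

```python
"""Model of what a Windows PPTP client can reach through the posted PIX setup,
plus a check that the PIX 'nat (inside) 0' exemption covers the PPTP pool.

Added example for the thread, not code from the post, Cisco or Microsoft.
Assumed Windows (2000/XP-era) behaviour: with "Use default gateway on remote
network" cleared, the client adds only a class-based route for the network of
its assigned address; with it checked, it points 0.0.0.0/0 at the tunnel.
"""
import ipaddress
import re

# Lines copied from the configuration in the post (not constructed).
PIX_CONFIG = """
ip address inside 192.168.20.253 255.255.255.0
ip local pool AtritechVPN 192.168.2.1-192.168.2.250 mask 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.20.48 255.255.255.240
access-list inside_outbound_nat0_acl permit ip any 192.168.20.0 255.255.255.252
access-list inside_outbound_nat0_acl permit ip any host 192.168.20.0
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
"""


def classful_network(ip):
    """Class-based network Windows derives from an address (A /8, B /16, C /24)."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)


def tunnel_routes(assigned_ip, use_default_gateway):
    """Routes the client points at its PPP adapter (assumed Windows behaviour)."""
    if use_default_gateway:
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    return [classful_network(assigned_ip)]


def reaches_via_tunnel(dest, assigned_ip, use_default_gateway):
    """True if dest is routed into the tunnel rather than to the local LAN/ISP."""
    dest = ipaddress.IPv4Address(dest)
    return any(dest in net for net in tunnel_routes(assigned_ip, use_default_gateway))


def client_route_fix(remote_net, assigned_ip):
    """Manual client-side workaround when split tunnelling is wanted (assumed fix):
    route the remote LAN via the PPP adapter's own address."""
    net = ipaddress.IPv4Network(remote_net)
    return f"route add {net.network_address} mask {net.netmask} {assigned_ip}"


def _acl_network(tokens):
    """Consume one PIX ACL address spec: 'any' | 'host A' | 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def nat0_pairs(config):
    """(source, destination) networks exempted from NAT by 'nat (inside) 0'."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    pairs = []
    for line in config.splitlines():
        parts = line.split()
        if m and parts[:4] == ["access-list", m.group(1), "permit", "ip"]:
            rest = parts[4:]
            pairs.append((_acl_network(rest), _acl_network(rest)))
    return pairs


def pool_is_nat_exempt(config):
    """Inside-to-pool traffic must bypass NAT, or replies never reach PPTP clients."""
    inside = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    pool = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    inside_net = ipaddress.IPv4Network(f"{inside.group(1)}/{inside.group(2)}", strict=False)
    pool_net = ipaddress.IPv4Network(f"{pool.group(1)}/{pool.group(2)}", strict=False)
    return any(inside_net.subnet_of(src) and pool_net.subnet_of(dst)
               for src, dst in nat0_pairs(config))


if __name__ == "__main__":
    client_ip = "192.168.2.7"  # constructed: one address from the posted pool
    for dest in ("192.168.20.102", "192.168.2.50", "8.8.8.8"):
        for gw in (True, False):
            mode = "default-gw" if gw else "split"
            print(dest, mode, reaches_via_tunnel(dest, client_ip, gw))
    print(client_route_fix("192.168.20.0/24", client_ip))
    print("pool NAT-exempt:", pool_is_nat_exempt(PIX_CONFIG))
```

Run stand-alone, the model shows the symptom: the pool 192.168.2.x is a class C network, so with the default-gateway box cleared the client routes only 192.168.2.0/24 into the tunnel and 192.168.20.x is sent to the local LAN or ISP instead, while with the box checked everything goes through the tunnel. Keeping the box checked, or adding the route the example prints, restores access; a /32 mask with the adapter's own address as gateway is simply how Windows presents a point-to-point PPP link. The nat 0 check passes for the posted config because of the 192.168.20.0/24 to 192.168.2.0/24 entry; it is the place to look when VPN clients can open connections but inside hosts cannot answer.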

3 Replies

smahbub
Level 6

Make sure the VPN server (PIX Firewall, Cisco VPN Concentrator, or a router) successfully assigns a DNS server IP address to the Cisco VPN Client. To check, issue the ipconfig /all command on your PC after you are connected with the VPN Client.

If you do not see the correct IP address in your DNS field, check the configuration on the VPN server to make sure it was configured properly. This is what pushes the DNS server's IP address to the VPN Client.

To assign the DNS server's IP address for the VPN Client, issue these commands:

On the PIX Firewall:

vpngroup test dns-server x.x.x.x

Note: dns-server is an optional parameter that is available when issuing the vpngroup command.

On the router:

crypto isakmp client configuration group 3000client

dns x.x.x.x

On the VPN Concentrator:

Go under Configuration > User Management > Groups.

Select the group you are working with and click Modify Group.

Go to the General tab and scroll down. You can assign DNS settings to the clients in this location. Make sure the correct IP address was specified.

If the VPN Client receives the correct DNS IP address from the VPN server, but name resolution still does not work, check to make sure the Network Basic Input and Output System (NetBIOS) over Transmission Control Protocol (TCP) and IP option is checked under Advanced TCP/IP properties > WINS on the PC that runs the VPN Client.

Note: If you do not have split tunneling configured for the VPN Client, you will no longer be able to use the DNS server of the Internet Service Provider (ISP). This is because all traffic is now encrypted and sent to the VPN server.

branfarm1
Level 4

I have this same problem right now, and as far as I can tell it's because my VPN clients are receiving invalid netmasks and default gateways. For example, I defined an IP pool for VPN users, and the addresses are handed out correctly. But an ipconfig reveals the information as:

IP: 10.1.1.200

Netmask: 255.255.255.255

Def Gateway: 10.1.1.200

Where can I change what the assigned netmask and gateway are?
