01-27-2004 05:00 PM - edited 03-09-2019 06:14 AM
I am having a problem connecting to my network through PPTP. The dial-in is working fine, but I am not able to ping any node inside the LAN.
Here is the configuration. Thanks for your help ...
access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0
access-list 101 permit ip 192.168.168.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside 132.239.255.50 255.255.255.0
ip address inside 192.168.168.1 255.255.255.0
ip local pool mypool 10.0.0.1-10.0.0.50
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.xx.x.168.0 netmask 255.255.255.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strongsha esp-des esp-sha-hmac
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address 101
crypto map tosonicwall 20 set peer 132.239.20.40
crypto map tosonicwall 20 set transform-set strongsha
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address x.x.x.40 netmask 255.255.255.0
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local mypool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password password
01-28-2004 05:02 PM
You need to separate your "nat 0" and your "crypto" access-list. You have them both set to ACL 101, which tells the PIX that any traffic from 192.168.168.0, going to your PPTP clients (10.0.0.0), should be encrypted and sent to 132.239.20.40, which is why your PPTP users aren't getting any response.
Do the following:
access-list 102 permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0
crypto map tosonicwall 20 match address 102
Leave the 101 access-list as is, and leave the "nat 0" command as is. This will tell your PIX to only encrypt the traffic that it's supposed to, but to not NAT both the IPSec and the PPTP traffic.
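To make the mistake in the reply concrete, here is an added Python policy check (not code from either poster or from the PIX) that applies the ACL lines from this thread to a few sample flows; the inside host and destination addresses are assumed for illustration.

```python
import ipaddress

# Constructed from the ACLs posted in the question (ACL 101 used for both
# nat 0 and the crypto map) and from the reply (crypto map moved to ACL 102).
ORIGINAL_ACLS = [
    "access-list 101 permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0",
    "access-list 101 permit ip 192.168.168.0 255.255.255.0 10.0.0.0 255.255.255.0",
]
FIXED_ACLS = ORIGINAL_ACLS + [
    "access-list 102 permit ip 192.168.168.0 255.255.255.0 192.168.169.0 255.255.255.0",
]
PEER = "132.239.20.40"  # crypto map peer from the posted config


def parse_acls(lines):
    """Parse PIX 'access-list NAME permit ip SRC MASK DST MASK' lines into {NAME: [(src_net, dst_net)]}."""
    acls = {}
    for line in lines:
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
            continue  # only the simple 'permit ip' form used in this thread
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
        acls.setdefault(p[1], []).append((src, dst))
    return acls


def matches(entries, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def disposition(acl_lines, nat0_acl, crypto_acl, src_ip, dst_ip):
    """Return (NAT action, egress action) for an inside-to-outside flow.

    The PIX exempts the flow from NAT when the nat 0 ACL permits it, then the
    crypto map on the outside interface encrypts it when its match ACL permits it.
    """
    acls = parse_acls(acl_lines)
    nat = "no-nat" if matches(acls.get(nat0_acl, []), src_ip, dst_ip) else "pat"
    if matches(acls.get(crypto_acl, []), src_ip, dst_ip):
        return nat, f"ipsec-to-{PEER}"
    return nat, "clear"


if __name__ == "__main__":
    # Sample flows (constructed): LAN host to a PPTP client, to the SonicWall LAN, to the internet.
    for dst in ("10.0.0.5", "192.168.169.7", "203.0.113.9"):
        print(dst, "original:", disposition(ORIGINAL_ACLS, "101", "101", "192.168.168.10", dst),
              "fixed:", disposition(FIXED_ACLS, "101", "102", "192.168.168.10", dst))
```

With the shared ACL, replies to the PPTP pool are sent into the IPsec tunnel toward the SonicWall instead of back to the dial-in client; with ACL 102 on the crypto map they stay unencrypted and still bypass NAT.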