PPTP....letting only access to internal network

bigassmonkey
Level 1

The firewall is running NAT. PPTP is set up and doling out internal addresses from the pool. When I connect to the untrusted interface, I can access internal addresses fine, but I can access nothing else. Can I configure the PPTP session to route off-network requests back out over the PIX?

2 Replies

gfullage
Cisco Employee

The PIX won't route a packet back out the same interface it came in on, so if you want to access the Internet with a PPTP tunnel established, you're out of luck. PPTP is also a point-to-point tunnelling protocol, so there is no concept of split tunnelling in it like there is with IPSec; ALL traffic goes over the tunnel while the tunnel is up.

Actually you can do split tunnelling with PPTP, but it's a bit of a pain and takes some manual intervention each time the tunnel is built. Uncheck the "Use default gateway on remote network" check box in the VPN properties on the client. Then add a static route on the client in the form:

> route add 192.168.0.0 mask 255.255.0.0 10.1.1.1

where 192.168.0.0 is your PIX internal network and 10.1.1.1 is the IP address you got out of the pool on the PIX. As I said, each time you bring the tunnel up you'll probably get a different IP address, so you have to manually add this route each time the tunnel comes up, making sure to use the pool address as the gateway to the remote network.
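
The manual step above (uncheck the default-gateway option, dial, read the pool address, add the route with that address as the next hop) can be scripted so the route is correct on every dial. The script below is an added example written for this page; it is not from the thread or from Cisco. It assumes a Windows client with the VpnClient and NetTCPIP PowerShell modules (Windows 8.1 / Server 2012 R2 or later), a phonebook entry named "PIX-PPTP" (a made-up name), that the PPP interface alias matches the connection name, and a PIX internal network of 192.168.0.0/16; all of these are assumptions, not facts from the post.

```powershell
# Added example: automate the split-tunnel procedure for a Windows PPTP client.
# Assumed names: connection "PIX-PPTP", internal prefix 192.168.0.0/16.
# Run from an elevated PowerShell session.
param(
    [string]$ConnectionName = "PIX-PPTP",
    [string]$InternalPrefix = "192.168.0.0/16"
)

# 1. Same effect as unchecking "Use default gateway on remote network":
#    only routed prefixes go through the tunnel, Internet traffic keeps
#    the local default gateway. This setting persists with the connection.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -ErrorAction Stop

# 2. Dial. rasdial prompts for credentials if they are not saved.
rasdial $ConnectionName
if ($LASTEXITCODE -ne 0) { throw "rasdial '$ConnectionName' failed (exit code $LASTEXITCODE)" }

# 3. Read the address the PIX handed out of its pool. Assumption: the PPP
#    interface alias is the connection name (true on current Windows builds).
$pppAddr = Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction Stop
$poolAddress = $pppAddr.IPAddress
$ifIndex     = $pppAddr.InterfaceIndex
Write-Host "Pool address from PIX: $poolAddress (ifIndex $ifIndex)"

# 4. The route from the thread, with the freshly assigned pool address as the
#    next hop. ActiveStore only: a persistent route would carry a stale next
#    hop after the next dial, and the PPP interface's routes vanish with it.
New-NetRoute -DestinationPrefix $InternalPrefix `
             -InterfaceIndex $ifIndex `
             -NextHop $poolAddress `
             -PolicyStore ActiveStore `
             -ErrorAction Stop | Out-Null

# 5. Check: the internal prefix is on the PPP interface, and the default
#    route still points at the physical adapter, not the tunnel.
$internal = Get-NetRoute -DestinationPrefix $InternalPrefix -AddressFamily IPv4
$default  = Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4
if (-not ($internal | Where-Object InterfaceIndex -eq $ifIndex)) {
    throw "Route to $InternalPrefix is not on the tunnel interface"
}
if ($default | Where-Object InterfaceIndex -eq $ifIndex) {
    throw "Default route is still on the tunnel; split tunnelling did not take effect"
}
Write-Host "Split tunnel in place: $InternalPrefix via $poolAddress, default route unchanged"
```

On the same Windows versions the per-dial route can be avoided altogether: `Add-VpnConnectionRoute -ConnectionName PIX-PPTP -DestinationPrefix 192.168.0.0/16` stores the prefix with the connection, and the client installs it over the PPP interface each time the tunnel comes up, whatever pool address was assigned. Either way, keep in mind the security trade-off the thread does not spell out: once split tunnelling is on, the client is reachable from the Internet and the internal network at the same time, so the PIX is no longer the only path between them.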

Thanks, this is what I suspected. I think the best way to set this up is to use a 3rd-party VPN client. I have plenty of SafeNet licenses, so I'll do it right this time. Thanks for your help.