05-12-2003 07:37 AM - edited 03-09-2019 03:15 AM
I configured our PIX to accept PPTP connections for a test network. This network is a class C network of our class A intranet. The clients are Win2K clients. We are using the native Microsoft PPTP support. We disabled the function to set the default route to the PPTP interface.
After a connection to the PIX we see a route for our class A network with destination to the assigned address of the PPTP address pool.
I changed the ip local pool to addresses out of the 10.x range and could observe a route for 10/8 to the assigned PPTP address.
I could not find a statement to define the routes that the PIX is assigning to the clients. What is wrong? Is the PIX really not able to perform such a basic function, or did I do something wrong?
Regards Peter
05-12-2003 09:26 AM
If you deselect the "use default gateway of remote network" and do not have a static route on the workstation to the PPTP network you need to reach, then your workstation will not know how to route to the PPTP network. It will then route out the ISP's default gateway, which will not route for private addresses.
Either keep the check box enabled on the client, or you will need to add a static route of 10.0.0.0 255.0.0.0 PPTP_IP_ADDRESS_ASSIGNED to each PPTP workstation every time you connect to the PIX.
If I am not addressing your issue, I would suggest posting your config so I can better understand your build.
Jeff
05-12-2003 11:56 PM
Jeff,
The checkbox is disabled. If I enable it, I get the problem that all traffic is routed to the PIX. Not a good solution.
But I do not have a problem to reach the PPTP network. Here is the netstat -rn output after I connected to the PIX:
Network Destination Netmask Gateway Interface
0.0.0.0 0.0.0.0 x.155.26.129 x.155.26.201
x.155.11.11 255.255.255.255 x.155.26.129 x.155.26.201
x.155.11.11 255.255.255.255 10.0.1.0 10.0.1.0
x.155.26.128 255.255.255.128 x.155.26.201 x.155.26.201
x.155.26.201 255.255.255.255 127.0.0.1 127.0.0.1
x.255.255.255 255.255.255.255 x.155.26.201 x.155.26.201
x.0.0.0 255.0.0.0 x.155.11.202 x.155.11.202
x.155.11.202 255.255.255.255 127.0.0.1 127.0.0.1
x.255.255.255 255.255.255.255 x.155.11.202 x.155.11.202
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1
224.0.0.0 224.0.0.0 x.155.26.201 x.155.26.201
224.0.0.0 224.0.0.0 10.0.1.0 10.0.1.0
255.255.255.255 255.255.255.255 x.155.26.201 x.155.26.201
Default Gateway: x.155.26.129
The routes
x.0.0.0 255.0.0.0 x.155.11.202 x.155.11.202
x.155.11.202 255.255.255.255 127.0.0.1 127.0.0.1
x.255.255.255 255.255.255.255 x.155.11.202 x.155.11.202
are added by the PIX when I connected via PPTP. They are not static.
The problem is that the route is for a class A network. I could not find a statement where I can define the network the PPTP server is good for. The network I want to connect to is a class C network (x.155.3.0/24) (x is in the range of class A networks). We do not connect from the internet; it is a connection within the intranet to give only some authenticated users a connection to this special network.
PIX config:
ip address inside x.155.11.11 255.255.255.0
ip address testnet x.155.3.1 255.255.255.0
ip local pool pptp-pool x.155.3.202-x.155.3.251
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server RADIUS (inside) host x ....
vpdn group 1 ppp authentication pap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn group 1 accept dialin pptp
vpdn enable inside
PIX Version 6.2(2), can be changed if necessary.
Regards Peter
05-13-2003 08:11 AM
Just for other users: I found the problem. If Win2K is not allowed to set the default route when activating a RAS network, it sets a route based on the class of the IP address. So a 10.x IP address gives you a route for a class A network, a 192.x IP address gives you a route for a class C network. This is sometimes useful, sometimes not. I did not check the PPTP RFC, but I got the impression that the route cannot be transmitted by the protocol; I'm not sure about this, though.
Here is a solution for the problem. Set up a RAS definition and activate it with a bat file, like testnet.bat:
@start /w rasphone -t "VPN Testnetz"
@REM rasphone -t dials the named RAS entry; start /w waits until it has finished
@REM
@REM replace 10.0.0.0 with your network address
@REM
@route print 10.0.0.0 > "%TEMP%\route.tmp"
@echo starting with program
@REM tokens 1,2,3 = destination, netmask, gateway; usebackq allows spaces in %TEMP%
@for /F "usebackq tokens=1,2,3" %%i in ("%TEMP%\route.tmp") do @call :findroute %%i %%j %%k
@goto :EOF
:findroute
@REM
@REM replace 10.0.0.0 255.0.0.0 with your network address and netmask
@REM
@if not "%1 %2"=="10.0.0.0 255.0.0.0" @goto :EOF
@REM %3 is the gateway of the classful route, i.e. the PPTP address assigned to this client
@route delete %1
@route add 10.0.0.0 mask 255.255.255.0 %3
:EOF
This little script opens the PPTP connection, extracts the PPTP IP address from the routing table, removes the wrong route and adds the correct one. It is working fine for me.
Regards Peter
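As an added example (not from the thread, and not Cisco or Microsoft code), here is the same logic in Python: infer the classful route Windows 2000 inserts for an assigned address, locate it in a `netstat -rn` / `route print` dump, and emit the `route delete` / `route add` pair that Peter's batch file runs. The routing table and the 10.0.1.5 pool address below are constructed, not taken from the thread.

```python
import ipaddress

# Constructed sample of `netstat -rn` output after the PPTP tunnel came up,
# modelled on the thread's table; 10.0.1.5 stands in for the address the PIX
# pool handed out (assumed value, not from the thread).
SAMPLE_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.0.2.129    192.0.2.201       1
         10.0.0.0        255.0.0.0         10.0.1.5       10.0.1.5       1
         10.0.1.5  255.255.255.255        127.0.0.1      127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.0.2.128  255.255.255.128      192.0.2.201    192.0.2.201       1
  255.255.255.255  255.255.255.255      192.0.2.201    192.0.2.201       1
"""

def classful_network(addr):
    """Network Win2K RAS infers from the address class alone when the
    'use default gateway on remote network' box is off (per the thread)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8        # class A -> /8, e.g. the 10/8 route Peter saw
    elif first_octet < 192:
        prefix = 16       # class B -> /16
    elif first_octet < 224:
        prefix = 24       # class C -> /24
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_routes(text):
    """Parse `route print` / `netstat -rn` rows into dicts, skipping headers."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0][:1].isdigit():
            continue
        routes.append({"dest": parts[0], "mask": parts[1], "gateway": parts[2]})
    return routes

def fix_commands(route_table, pptp_addr, wanted_network):
    """Find the classful route RAS added for pptp_addr (its gateway is the assigned
    address itself) and return the `route` commands that swap it for wanted_network."""
    classful = classful_network(pptp_addr)
    wanted = ipaddress.ip_network(wanted_network)
    for r in parse_routes(route_table):
        if r["gateway"] == pptp_addr and r["dest"] == str(classful.network_address):
            return [f"route delete {r['dest']}",
                    f"route add {wanted.network_address} mask {wanted.netmask} {r['gateway']}"]
    return []  # no classful route for this address, nothing to fix
```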