PPTP with Win2k no Cisco Client routing question

pheuch
Level 1

I configured our PIX to accept PPTP connections for a test network. This network is a class C network of our class A intranet. The clients are Win2K clients. We are using the native Microsoft PPTP support. We disabled the function to set the default route to the PPTP interface.

After a connection to the PIX we see a route for our class A network with destination to the assigned address of the PPTP address pool.

I changed the ip local pool to addresses out of the 10.x range and could observe a route for 10/8 to the assigned PPTP address.

I could not find a statement to define the routes that the PIX is assigning to the clients. What is wrong? Is the PIX really not able to perform such a basic function, or did I do something wrong?

Regards Peter

3 Replies

jdepies
Level 1

If you deselect "use default gateway of remote network" and do not have a static route on the workstation to the PPTP network you need to reach, then your workstation will not know how to route to the PPTP network. It will then route out the ISP's default gateway, which will not route for private addresses.

Either keep the check box enabled on the client, or you will need to add a static route of 10.0.0.0 255.0.0.0 PPTP_IP_ADDRESS_ASSIGNED to each PPTP workstation every time you connect to the PIX.

If I am not addressing your issue, I would suggest posting your config so I can better understand your build.

Jeff

Jeff,

The checkbox is disabled. If I enable it, I will get the problem that all traffic is routed to the PIX. Not a good solution.

But I do not have a problem to reach the PPTP network. Here is the netstat -rn output after I connected to the PIX:

Network Destination   Netmask           Gateway        Interface
0.0.0.0               0.0.0.0           x.155.26.129   x.155.26.201
x.155.11.11           255.255.255.255   x.155.26.129   x.155.26.201
x.155.11.11           255.255.255.255   10.0.1.0       10.0.1.0
x.155.26.128          255.255.255.128   x.155.26.201   x.155.26.201
x.155.26.201          255.255.255.255   127.0.0.1      127.0.0.1
x.255.255.255         255.255.255.255   x.155.26.201   x.155.26.201
x.0.0.0               255.0.0.0         x.155.11.202   x.155.11.202
x.155.11.202          255.255.255.255   127.0.0.1      127.0.0.1
x.255.255.255         255.255.255.255   x.155.11.202   x.155.11.202
127.0.0.0             255.0.0.0         127.0.0.1      127.0.0.1
224.0.0.0             224.0.0.0         x.155.26.201   x.155.26.201
224.0.0.0             224.0.0.0         10.0.1.0       10.0.1.0
255.255.255.255       255.255.255.255   x.155.26.201   x.155.26.201
Default Gateway: x.155.26.129

The routes

x.0.0.0               255.0.0.0         x.155.11.202   x.155.11.202
x.155.11.202          255.255.255.255   127.0.0.1      127.0.0.1
x.255.255.255         255.255.255.255   x.155.11.202   x.155.11.202

are added by the PIX when I connected via PPTP. They are not static.

The problem is that the route is for a class A network. I could not find a statement where I can define the network the PPTP server is good for. The network I want to connect to is a class C network (x.155.3.0/24) (x is in the range of class A networks). We do not connect from the internet; it is a connection within the intranet to give only some authenticated users a connection to this special network.

PIX config:

ip address inside x.155.11.11 255.255.255.0
ip address testnet x.155.3.1 255.255.255.0
ip local pool pptp-pool x.155.3.202-x.155.3.251
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server RADIUS (inside) host x ....
vpdn group 1 ppp authentication pap
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa RADIUS
vpdn group 1 pptp echo 60
vpdn group 1 accept dialin pptp
vpdn enable inside

PIX Version 6.2(2), can be changed if necessary.

Regards Peter

Just for other users: I found the problem. If Win2K is not allowed to set the default route when activating a RAS network, it sets a route based on the class of the IP address. So a 10.x IP address gives you a route for a class A network, a 192.x IP address gives you a route for a class C network. This is sometimes useful, sometimes not. I did not check the PPTP RFC, but I got the impression that the route cannot be transmitted by the protocol; I'm not sure about this.

Here is a solution for the problem. Set up a RAS definition and activate it with a bat file, like testnet.bat:

@start /w rasphone -t "VPN Testnetz"
@REM replace 10.0.0.0 with your network address
@route print 10.0.0.0 > %TEMP%\route.tmp
@echo starting with program
@REM tokens 1-3 of each route line are destination, netmask and gateway
@for /F "tokens=1,2,3" %%i in (%TEMP%\route.tmp) do @call :findroute %%i %%j %%k
@goto :EOF
:findroute
@REM replace 10.0.0.0 255.0.0.0 with your network address and netmask
@if not "%1 %2"=="10.0.0.0 255.0.0.0" @goto :EOF
@REM %3 is the gateway of the classful route, i.e. the assigned PPTP address
@route delete %1
@route add 10.0.0.0 mask 255.255.255.0 %3
:EOF

This little script opens the PPTP connection, extracts the PPTP IP address from the routing table, removes the wrong route and adds the correct one. It is working fine for me.

Regards Peter
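The classful-route behaviour Peter describes, generalised to class A, B and C addresses, as an added Python example that models the logic of testnet.bat offline (it is not code from this thread): it parses a constructed netstat -rn table, finds the classful route Windows installed for the assigned RAS address and produces the route delete/add commands. The sample table, the addresses and the wanted /24 are assumptions; nothing is executed.

```python
import ipaddress
# Constructed netstat -rn sample (Windows 2000, PPTP assigned 10.0.1.0 to RAS); not the poster's table.
SAMPLE_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.0.2.129    192.0.2.201       1
         10.0.0.0        255.0.0.0        10.0.1.0       10.0.1.0       1
         10.0.1.0  255.255.255.255       127.0.0.1      127.0.0.1       1
        127.0.0.0        255.0.0.0       127.0.0.1      127.0.0.1       1
"""

def classful_mask(addr: str) -> str:
    """Netmask Windows 2000 derives from the address class of the RAS address."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"       # class A
    if first < 192:
        return "255.255.0.0"     # class B
    return "255.255.255.0"       # class C

def parse_route_table(text: str):
    """(destination, netmask, gateway, interface) rows from netstat -rn output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except (IndexError, ValueError):
            continue  # blank, header or footer line, not a route
        if len(parts) >= 4:
            rows.append(tuple(parts[:4]))
    return rows

def find_classful_ras_route(rows, ras_addr: str):
    """The classful route Win2K installed for ras_addr (interface == ras_addr), or None."""
    mask = classful_mask(ras_addr)
    net = ipaddress.ip_network(f"{ras_addr}/{mask}", strict=False)
    for dest, netmask, gw, iface in rows:
        if dest == str(net.network_address) and netmask == mask and iface == ras_addr:
            return (dest, netmask, gw, iface)
    return None

def fix_route_commands(rows, ras_addr: str, wanted_net: str):
    """Same steps as testnet.bat: delete the classful route, add the real subnet via it."""
    route = find_classful_ras_route(rows, ras_addr)
    if route is None:
        return []  # nothing to fix, e.g. "use default gateway" was left enabled
    dest, _mask, gw, _iface = route
    want = ipaddress.ip_network(wanted_net)
    return [f"route delete {dest}",
            f"route add {want.network_address} mask {want.netmask} {gw}"]
```

For the poster's real case the RAS address is the pool address the PIX hands out and the wanted network is x.155.3.0/24, which yields the same delete/add pair the batch file issues.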