03-22-2004 01:52 PM
We have a PIX 501 that seems to be working perfectly. Clients on internal network are able to reach internal servers properly, and are able to reach external networks properly as well (via NAT/PAT).
I have set up a PPTP VPN on the PIX via the VPN wizard. That works nearly perfectly. Once connected from an external machine, traffic is routed properly to internal machines (i.e. with VPN up a remote client is able to browse SMB shares, access MS Exchange server, SSH to internal computers, etc.) However, with VPN connected, same client machines are unable to reach networks outside of internal network.
I've included the vpdn config below, please let me know if there is any other information missing, etc. (One question -- should the address pool be OUTSIDE the normal address group, i.e. instead of 192.168.0.x, which is our internal network, should I use 10.0.0.x for VPN clients?)
ip local pool vpnclients 192.168.0.70-192.168.0.79
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local vpnclients
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.0.8 192.168.0.9
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.0.8
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username lsmith password *********
vpdn enable outside
03-22-2004 03:18 PM
Since the PIX will not pass traffic out the interface it received it on, you need to enable split tunneling. Split tunneling is enabled by using the following command: vpdn group group_name split-tunnel access_list. The group name is your group name, in this case PPTP-VPDN-GROUP and the access-list identifies the traffic to send down the IPSec tunnel, all other traffic is sent normally. Assuming that the addresses cannot be used on your internal network, using a unique network will help you with troubleshooting and other security measures where you would use a route map or access list.
04-07-2004 09:32 AM
VPDN does not support that command; use the following workaround instead:
Here is the procedure you can follow to enable split-tunneling for PPTP clients. The same procedure has to be followed every time the PPTP client connects, as it is a work-around to enable split-tunneling for PPTP clients.
The current configuration is:
ip local pool bigpool 192.168.9.1-192.168.9.254
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 client authentication local
vpdn username xxx password xxx
vpdn enable outside
Route print on the client system before connecting pptp client:
C:\Documents and Settings\ciscotrg>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0b cd 67 6e 6c ...... Intel 8255x-based Integrated Fast Ethernet
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.130.102.1   10.130.102.34       1
     10.130.102.0    255.255.255.0    10.130.102.34   10.130.102.34       1
    10.130.102.34  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0   10.130.102.252   10.130.102.34       1
        224.0.0.0        224.0.0.0    10.130.102.34   10.130.102.34       1
  255.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
Default Gateway:      10.130.102.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.10.0    255.255.255.0   10.130.102.252       1
Route print on the client system after connecting pptp client:
C:\Documents and Settings\ciscotrg>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0b cd 67 6e 6c ...... Intel 8255x-based Integrated Fast Ethernet
0x2000004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.130.102.1   10.130.102.34       2
          0.0.0.0          0.0.0.0      192.168.9.1     192.168.9.1       1
     10.130.102.0    255.255.255.0    10.130.102.34   10.130.102.34       1
    10.130.102.34  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.9.1  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.9.255  255.255.255.255      192.168.9.1     192.168.9.1       1
     192.168.10.0    255.255.255.0   10.130.102.252   10.130.102.34       1
   216.184.96.242  255.255.255.255     10.130.102.1   10.130.102.34       1
        224.0.0.0        224.0.0.0    10.130.102.34   10.130.102.34       1
        224.0.0.0        224.0.0.0      192.168.9.1     192.168.9.1       1
  255.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
Default Gateway:       192.168.9.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     192.168.10.0    255.255.255.0   10.130.102.252       1
Delete the default route from the client machine, and add the following routes again, where the first route will direct the Internet traffic and the second route will direct the traffic to the local network behind the headend device.
route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 10.130.102.1 1
route add 192.168.1.0 mask 255.255.255.0 192.168.9.1
Thanks.
Atul.
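The route manipulation in the post above, modelled as an added example (this is not code from the thread or from Cisco): it parses the post-connect "route print" output, identifies the default route the PPTP adapter installed (assumption: on a point-to-point PPP adapter Windows lists the gateway as the tunnel address itself, so gateway equals interface), emits the same "route delete"/"route add" commands, and then does a longest-prefix lookup over the before and after tables so you can confirm where an Internet destination and an internal destination will actually go. The sample table is constructed from the addresses in the post and the internal network 192.168.1.0/24 is taken from the access-list 102 in the posted configuration. Keep in mind what the workaround does: with split tunneling the client is reachable from the Internet and the internal network at the same time, and PPTP with MS-CHAP and MPPE is no longer considered a secure transport, so this is a fix for reachability, not a hardening step.

```python
"""Client-side split-tunnel workaround for a PPTP connection, modelled in Python.

Parses the Windows 'route print' output a PPTP client shows after dialling in,
finds the default route the VPN adapter installed, and computes the 'route'
commands (and the resulting table) that send internal traffic down the tunnel
and everything else out the LAN gateway. A longest-prefix lookup shows where a
given destination goes before and after the change.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the post-connect 'route print' from the thread, trimmed
# to the Active Routes section. Addresses are the ones the poster used.
AFTER_CONNECT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.130.102.1   10.130.102.34       2
          0.0.0.0          0.0.0.0      192.168.9.1     192.168.9.1       1
     10.130.102.0    255.255.255.0    10.130.102.34   10.130.102.34       1
    10.130.102.34  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.9.1  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.9.255  255.255.255.255      192.168.9.1     192.168.9.1       1
     192.168.10.0    255.255.255.0   10.130.102.252   10.130.102.34       1
   216.184.96.242  255.255.255.255     10.130.102.1   10.130.102.34       1
        224.0.0.0        224.0.0.0    10.130.102.34   10.130.102.34       1
        224.0.0.0        224.0.0.0      192.168.9.1     192.168.9.1       1
  255.255.255.255  255.255.255.255    10.130.102.34   10.130.102.34       1
Default Gateway:       192.168.9.1
"""

# A route row is exactly: dest mask gateway interface metric (header has 6 words)
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    gateway: str
    iface: str
    metric: int

    @property
    def prefixlen(self):
        return ipaddress.IPv4Network("0.0.0.0/" + self.mask).prefixlen


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_routes(text):
    """Pull the Active Routes rows out of 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m and IPV4_RE.match(m.group(1)):
            routes.append(Route(m.group(1), m.group(2), m.group(3),
                                m.group(4), int(m.group(5))))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; lowest metric breaks ties. None if nothing matches."""
    d = _to_int(dst)
    best = None
    for r in routes:
        if d & _to_int(r.mask) == _to_int(r.dest):
            if best is None or (r.prefixlen, -r.metric) > (best.prefixlen, -best.metric):
                best = r
    return best


def split_tunnel_commands(routes, internal_nets):
    """Return (commands, new_table): restore the LAN gateway as the default route
    and pin each internal network (CIDR strings) to the PPTP tunnel address.

    Assumption: the PPP adapter's default route lists its own address as the
    gateway (gateway == interface), which is how Windows shows a point-to-point link.
    """
    defaults = [r for r in routes if r.dest == "0.0.0.0"]
    vpn = [r for r in defaults if r.gateway == r.iface]
    lan = [r for r in defaults if r.gateway != r.iface]
    if len(vpn) != 1 or len(lan) != 1:
        raise ValueError("expected exactly one LAN and one PPP default route")
    vpn_addr, lan_gw, lan_if = vpn[0].gateway, lan[0].gateway, lan[0].iface
    # 'route delete 0.0.0.0' removes every default route, so the LAN one is re-added
    cmds = ["route delete 0.0.0.0",
            "route add 0.0.0.0 mask 0.0.0.0 %s 1" % lan_gw]
    new = [r for r in routes if r.dest != "0.0.0.0"]
    new.append(Route("0.0.0.0", "0.0.0.0", lan_gw, lan_if, 1))
    for net in internal_nets:
        n = ipaddress.IPv4Network(net)
        cmds.append("route add %s mask %s %s" % (n.network_address, n.netmask, vpn_addr))
        new.append(Route(str(n.network_address), str(n.netmask), vpn_addr, vpn_addr, 1))
    return cmds, new


if __name__ == "__main__":
    table = parse_routes(AFTER_CONNECT)
    print("before:", "8.8.8.8 ->", lookup(table, "8.8.8.8").gateway)
    commands, fixed = split_tunnel_commands(table, ["192.168.1.0/24"])
    print("\n".join(commands))
    for dst in ("8.8.8.8", "192.168.1.25", "192.168.10.7"):
        print("after: ", dst, "->", lookup(fixed, dst).gateway)
```

Run it as-is to see the three commands from the post regenerated from the table, and swap in your own "route print" text to check a different client; if the PPP default route is not found the function refuses rather than guessing which default route to keep.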