PIX501 VPN PPTP: I need browse the internet at remote side through my VPN server

rpazosvargas
Level 1

Hi,

I'm using PPTP for remote access to my VPN server. It's able to connect to the remote LAN, but I don't have Internet access from the remote side, which is what I need.

I'm using the Windows PPTP client, and it has the "Use default gateway on remote network" option selected, but it's still not working.

Could you help me? Thanks in advance.

Rolando


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
!
access-list inside_access_in permit ip any any
access-list outside_access_in remark Outside
access-list outside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.200 255.255.255.248
pager lines 24
logging history alerts
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote_users 192.168.1.200-192.168.1.205
!
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.*
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local Remote_users
vpdn group PPTP-VPDN-GROUP client configuration dns 200.57.2.108 200.57.7.61
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username ****** password ********
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 200.57.2.108 200.57.7.61
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside


Hi,

PPTP will send by default all traffic through the tunnel (no split-tunneling).

Split-tunneling can be configured only on the client side.

Check the "route print" output from the CLI on the client Windows machine to see where the Internet traffic is going.

Federico.

Federico, Thank you for your response.

This is the output from the CLI while I'm connected to the VPN; I received an IP address from the VPN pool:

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : xcnetworks.com
        IP Address. . . . . . . . . . . . : 192.168.248.110
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.248.1

PPP adapter VPN G:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.200

===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.200   192.168.1.200       1
          0.0.0.0          0.0.0.0    192.168.248.1  192.168.248.110      26

I can reach all the IPs on the LAN where I connected to the VPN (192.168.1.X), but I can't reach the IP of the PIX501 inside interface (192.168.1.1), so all the VPN clients don't have Internet access from the central service, which is what I need.

Do you have any idea?

Thanks

Rolando.

You can see from the output that all traffic is being sent through the tunnel (the default gateway with the lowest metric).

Since all traffic is sent to the firewall (and the firewall is not configured to re-route traffic to the Internet), that's why all users lose Internet.

Two options:
1. Have the headend receive all traffic and re-route it to the Internet.
2. Configure the default gateway on the client to prefer the regular default gateway over the tunnel default gateway.

Federico.
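To make the metric comparison Federico describes mechanical, here is an added Python example (not from the thread) that parses the "Active Routes" table of a Windows route print dump, picks the winning 0.0.0.0/0 route by lowest metric, and reports whether Internet-bound traffic is entering the tunnel. The sample table is constructed from the route print output posted above; the VPN adapter address 192.168.1.200 is taken from that post.

```python
import re

# Constructed sample, modelled on the "route print" output posted in this thread:
# two default routes, one via the PPP (VPN) adapter and one via the wireless LAN.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.200   192.168.1.200       1
          0.0.0.0          0.0.0.0    192.168.248.1  192.168.248.110      26
      192.168.1.0    255.255.255.0    192.168.1.200   192.168.1.200       1
    192.168.248.0    255.255.255.0  192.168.248.110  192.168.248.110      26
"""

# One route line: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes

def default_routes(routes):
    """All 0.0.0.0/0 entries; with 'Use default gateway on remote network' there are two."""
    return [r for r in routes if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]

def winning_default(routes):
    """Windows forwards via the default route with the lowest metric."""
    defaults = default_routes(routes)
    return min(defaults, key=lambda r: r[4]) if defaults else None

def is_full_tunnel(routes, vpn_interface_ip):
    """True when Internet traffic leaves through the VPN adapter (no split tunnel)."""
    win = winning_default(routes)
    return win is not None and win[3] == vpn_interface_ip

if __name__ == "__main__":
    rts = parse_routes(SAMPLE_ROUTE_PRINT)
    for d in default_routes(rts):
        print(f"default via {d[2]} on {d[3]} metric {d[4]}")
    print("full tunnel:", is_full_tunnel(rts, "192.168.1.200"))
```

If the result is a full tunnel and the headend cannot hairpin traffic back out, the Internet-bound packets end at the firewall, which is exactly the symptom in this thread.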

This is the point:

How can I configure the firewall to re-route traffic to the Internet while I'm connected to the VPN?

The Internet used must be from the side where the PIX is, because I need to centralize the service.

The current configuration is in the first post.

Could you help me?

Thanks

Rolando

The PIX cannot re-route traffic to the Internet because it is a feature supported on version 7.x and above. You cannot run 7.x code on PIX501.

You can send all traffic through the tunnel (to the PIX) and have the PIX route that traffic to an internal router (on the headend), and then back out the PIX to the Internet.

Federico.