
pptp and ipsec to pix

isk-admin
Level 1

Dear all,

We use pptp-clients for our mobile users to get access to the LAN. The VPN gateway is a PIX 520, version 6.3.3.

Now I have to configure a site-to-site VPN over IPsec to allow access to a special server.

Here is my problem: I've configured the access-lists shown below

access-list nonat permit ip 10.10.10.0 255.255.255.255 172.16.30.0 255.255.255.0

access-list nonat permit ip host 10.10.11.1 host 172.16.31.1

Well, if I now configure for IPsec

crypto map abc 10 match address nonat

crypto map abc interface outside

the pptp-clients can't get access anymore.

What's going wrong?

Regards

Helmut

3 Replies

Fernando_Meza
Level 7

Your access list is not correct:

access-list nonat permit ip 10.10.10.0 255.255.255.255 172.16.30.0 255.255.255.0

it should be

access-list nonat permit ip 10.10.10.0 255.255.255.0 172.16.30.0 255.255.255.0

Can you post your config to check?

Thanks for your answer. Indeed there is a mistake in the access-list above, but not in the configuration of the PIX. Sorry, my mistake!

In addition, the special part of the original configuration is in the attachment:

Thx

Someone told me that I have to create another acl-id like

access-list 100 permit ip host 172.16.16.200 10.11.11.240 255.255.255.248

crypto map toXYZ 20 match address 100

but I think I can't do this because I have to use nat 0?

I tried the suggestion but it doesn't work. Now I don't have a problem with the pptp-clients, but the site-to-site connection can't be created. I think perhaps I use for the whole LAN

nat (inside) 1 0 0

What can I do?

Many thanks
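
An added example, not part of any post in this thread: a small Python lint for PIX 6.x configuration text that reports the two points raised above, a 255.255.255.255 mask written on a network-style address and an access list referenced by both `nat 0` and a crypto map. The sample config is constructed; its `nat (inside) 0 access-list nonat` line is an assumption about the poster's setup, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the ACL and crypto map lines mirror the thread; the
# "nat (inside) 0" line is an assumption about the poster's configuration.
SAMPLE = """\
access-list nonat permit ip 10.10.10.0 255.255.255.255 172.16.30.0 255.255.255.0
access-list nonat permit ip host 10.10.11.1 host 172.16.31.1
nat (inside) 0 access-list nonat
crypto map abc 10 match address nonat
crypto map abc interface outside
"""

def endpoint_issues(spec):
    """Check the source/destination part that follows 'permit ip'."""
    issues = []
    for ep in re.findall(r"\bany\b|host \S+|\S+ \S+", spec):
        if ep == "any" or ep.startswith("host "):
            continue  # nothing to validate for these forms
        addr, mask = ep.split()
        try:
            ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        except ValueError:
            issues.append(f"{addr} {mask}: host bits set or invalid mask")
            continue
        if mask == "255.255.255.255" and addr.endswith(".0"):
            issues.append(f"{addr} {mask}: /32 mask on a network-style address")
    return issues

def lint(config):
    """Return (line_number, code, detail) findings for PIX 6.x config text."""
    findings, nat0, crypto = [], {}, {}
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if m := re.match(r"access-list \S+ (?:permit|deny) ip (.+)", line):
            findings += [(n, "MASK", d) for d in endpoint_issues(m.group(1))]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = n
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto[m.group(1)] = n
    # An ACL referenced by both statements is reported at the crypto map line.
    for acl in sorted(nat0.keys() & crypto.keys()):
        findings.append((crypto[acl], "SHARED", f"{acl}: used by nat 0 and a crypto map"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```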