cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
734
Views
3
Helpful
4
Replies

PPTP VPN question

brianj
Level 1
Level 1

I have a 4 site VPN setup using a Hub and Spoke topology allowing PPTP connections to site A (Hub site) configured and working well. I am able to get to each site from site A and am able to get into site A using a pptp connection.

The sites are addressed as follows:

Site A: 10.0.1.0/24

Site B: 10.0.2.0/24

Site C: 10.0.3.0/24

Site D: 10.0.4.0/24

pptp users: 10.0.6.0/24

My question is this. Is it possible for the pptp connections, when connected to site A, to get to the spoke sites (B,C, and D)?

Thanks,

Brian

4 Replies 4

aftermath
Level 1
Level 1

Hi Brian,

You'll have to enable GRE in the outside access list, or enable Sysopt for PPTP.

fixup protocol pptp 1723

access-list acs-outside permit tcp host PartnerPublicIP host PPTP-Public eq pptp

access-list acs-outside permit gre host PartnerPublicIP host PPTP-Public

access-group acs-outside in interface outside

static (inside,outside) PPTP-Public PPTP-User-Server-IP netmask 255.255.255.255 0 0

There is also the: "sysopt connection permit-pptp" this will ignore ACL statements for incomming and outcomming connections and permit gre and pptp.

Thanks for the response.

I have enabled sysopt for PPTP and it still doesn't work.

Just so that I am clear. In the ACL's for the PPTP-Public addresses, the PPTP connections are coming from home users. Would you just put "any" there?

Will I need to create an ACE for each PartnerPublicIP?

Also, on the static statement the PPTP-User-Server-IP, is this the IP of the Hub pix that has the vpdn accounts?

Lastly, will I need to add the information into each of the sites or only the hub site?

Thanks so much!

Brian

If the hub is a pix then it will not be possible because PIX will not bounce the traffic. (Redirection to site B from Site A).

If it is anyother cisco device like a concentrator or a router then you need to allow the PPTP pool in the interesting traffic list of each site back and forth.

Hope this will help

Thanks for the information. The devices are all Pix. Your insight confirms what I previously learned from someone else.

Thanks again,

Brian