01-28-2004 03:24 PM - edited 02-21-2020 01:01 PM
Folks,
In addition to this command, I have an access-list applied inbound on the outside interface which permits ICMP and SSH. When I VPN to the PIX, the tunnel is established, but I cannot send traffic across the network behind the PIX. I see the packets encrypted at my workstation, but no decryptions.
Would I have to open up GRE on the access-list applied inbound on the outside interface? I thought sysopt connection permit-ipsec took care of that.
Also, when I get an IP address from the PIX after VPNing, it does not have a default gateway in it. I find that very strange; any thoughts?
01-28-2004 03:58 PM
Are you VPN'ing using IPSec or PPTP? You mention opening up GRE which implies you're using PPTP, in which case you don't need to open up GRE, but you do need the command:
sysopt connection permit-pptp
If you can't connect to anything internally, and you're not seeing any decrypts get back to you, check your "nat 0" access-list statement, make sure you have something like the following:
nat (inside) 0 access-list 100
access-list 100 permit ip
Also, you won't see a default gateway, similar to how you don't see one when you dial up to an ISP. The VPN software takes care of it and knows what traffic needs to be encrypted and what doesn't.
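As an added illustration of the checks in this answer (not code from the thread or from Cisco), here is a small Python script that scans a constructed PIX-style config fragment for the sysopt permit statement, the "nat (inside) 0 access-list" line, and whether the ACL it references actually covers the VPN client pool. The config text, pool and network values are all made up for the example.

```python
import ipaddress
import re

# Constructed PIX 6.x-style config fragment (example data, not from the thread)
GOOD_CONFIG = """
ip local pool vpnpool 10.10.10.1-10.10.10.50
sysopt connection permit-ipsec
nat (inside) 0 access-list 100
access-list 100 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def check_pix_vpn_config(config: str) -> list:
    """Return a list of findings; an empty list means the VPN-related checks pass."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # 1. Without sysopt connection permit-ipsec/permit-pptp, decrypted tunnel
    #    traffic is subject to the ACL applied inbound on the outside interface.
    if not any(ln.startswith("sysopt connection permit-") for ln in lines):
        findings.append("missing 'sysopt connection permit-ipsec' or 'permit-pptp'")

    # 2. Collect the client address pools handed out to VPN users.
    pools = [(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
             for m in map(POOL_RE.match, lines) if m]
    if not pools:
        findings.append("no 'ip local pool' defined for VPN clients")

    # 3. nat 0 must reference an ACL that exempts inside->pool traffic from NAT;
    #    otherwise replies are translated and never come back through the tunnel.
    nat0 = [m.group(1) for m in map(NAT0_RE.match, lines) if m]
    if not nat0:
        findings.append("missing 'nat (inside) 0 access-list <acl>' statement")
        return findings
    exempt = [ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
              for m in map(ACL_RE.match, lines) if m and m.group(1) == nat0[0]]
    if not exempt:
        findings.append(f"access-list {nat0[0]} has no 'permit ip' entries")
    for start, end in pools:
        if not any(start in net and end in net for net in exempt):
            findings.append(f"pool {start}-{end} not covered by access-list {nat0[0]}")
    return findings
```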
01-28-2004 04:26 PM
Glenn probably hit the nail on the head, but I thought I would go ahead and add one other (probably obvious) thought. Make sure the network behind the PIX that you cannot get to has a route for the pool of addresses that you hand to the VPN clients pointing back to the inside interface on the PIX. If you have default routes pointing to the inside interface of the PIX from your entire network, then you are good to go. Just a thought....
Scott