06-29-2004 01:42 PM - edited 02-21-2020 01:13 PM
I am having trouble seeing the Internet while connected by VPN to my PIX 515E (v6.3.1). I am doing PPTP with Windows XP clients and local authentication. I can connect very quickly with no problems and can see the internal network; I just can't see the Internet.
Can someone take a look at my configuration and tell me what I'm doing wrong?
The Syslog shows the following messages when I try to connect to Google:
<163>Jun 29 2004 14:19:31: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.55.9.32/1161 dst outside:66.102.7.99/80
IPconfig shows that the default gateway on the client is the same as the client's IP address. I would think that this should be the address of the PIX but I haven't found where to change that setting.
NOTE: the config will follow in the next message because it is too big to fit in this message.
06-29-2004 01:44 PM
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list acl_out permit tcp any host 12.45.xx.xx eq https
access-list acl_out permit tcp any host 12.45.xx.xx eq ssh log 5
access-list acl_out permit tcp any host 12.45.xx.xx eq 3389
access-list acl_out permit tcp any host 12.45.xx.xx eq https
access-list acl_out permit tcp any host 12.45.xx.xx eq smtp
access-list acl_out permit tcp any host 12.45.xx.xx eq www
access-list inside_outbound_nat0_acl permit ip any 192.55.9.0 255.255.255.192
logging host inside 192.55.9.81
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 12.45.xx.xx 255.255.255.0
ip address inside 192.55.9.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.55.9.30-192.55.9.39
pdm location 192.55.9.81 255.255.255.255 inside
pdm location 192.55.11.0 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location 192.55.9.1 255.255.255.255 inside
pdm location 12.45.xx.xx 255.255.255.255 outside
pdm location 192.55.9.5 255.255.255.255 inside
pdm location 192.55.9.3 255.255.255.255 inside
pdm location 192.55.9.0 255.255.255.192 outside
pdm location 192.55.9.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 12.45.xx.xx 3389 192.55.9.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) 12.45.xx.xx 192.55.9.1 netmask 255.255.255.255 0 0
static (inside,outside) 12.45.xx.xx 192.55.9.3 netmask 255.255.255.255 0 0
static (inside,outside) 12.45.xx.xx 192.55.9.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 12.45.xx.xx 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.55.9.2 timeout 5 protocol TCP version 1
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 192.5.41.41 source outside
ntp server 131.107.1.10 source outside prefer
http server enable
http 192.55.9.0 255.255.255.0 inside
http 192.55.11.0 255.255.255.0 inside
snmp-server location (my location)
snmp-server contact (my name)
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.55.9.81 /pix_config
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
vpngroup PPTP-VPDN-GROUP split-tunnel inside_outbound_nat0_acl
vpngroup PPTP-VPDN-GROUP idle-time 1800
telnet 192.55.9.0 255.255.255.0 inside
telnet 192.55.11.0 255.255.255.0 inside
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 128 required
vpdn group PPTP-VPDN-GROUP client configuration address local VPN_Pool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.55.9.5 192.55.9.2
vpdn group PPTP-VPDN-GROUP client configuration wins 192.55.9.5 192.55.9.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn group 1 client authentication local
vpdn username Beth password *********
vpdn username Betty password *********
vpdn username Rick password *********
vpdn username Judi password *********
vpdn username BrianL password *********
vpdn enable outside
06-30-2004 06:44 AM
The issue is that you want traffic to flow out of the same interface on which it came in. The PIX code will not allow you to do this. You will either need to set up an internal proxy server and have clients establish outside connections via that proxy, or use another interface on the PIX (physical or logical) and have the VPN connections terminate on the third interface; with this you will need another set of IP addresses from your provider, and that may not be possible depending upon how you connect to your provider.
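As an added example (not code from either post), here is a small Python parser for the %PIX-3-106011 "Deny inbound (No xlate)" line quoted in the question. It flags denials whose source and destination interface names are the same, which is the same-interface condition the reply describes; spotting that pattern in the log is the quickest way to confirm the diagnosis. The message layout is taken from the quoted line; all sample lines except the quoted one are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of the PIX 6.x %PIX-3-106011 message, as quoted in the question:
# <PRI>Mon DD YYYY hh:mm:ss: %PIX-3-106011: Deny inbound (No xlate) proto src IF:IP/PORT dst IF:IP/PORT
PIX_106011 = re.compile(
    r"<(?P<pri>\d+)>(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

@dataclass
class NoXlateDeny:
    timestamp: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

    @property
    def hairpin(self) -> bool:
        # Ingress and egress interface are the same: the flow the PIX will not relay.
        return self.src_if == self.dst_if

def parse_106011(line: str) -> Optional[NoXlateDeny]:
    """Parse one syslog line; return None if it is not a 106011 message."""
    m = PIX_106011.search(line)
    if not m:
        return None
    return NoXlateDeny(m["ts"], m["proto"], m["sif"], m["sip"], int(m["sport"]),
                       m["dif"], m["dip"], int(m["dport"]))

def classify(line: str) -> str:
    """Return 'hairpin', 'no-xlate' or 'other' for one syslog line."""
    d = parse_106011(line)
    if d is None:
        return "other"
    return "hairpin" if d.hairpin else "no-xlate"

def summarize(lines) -> dict:
    """Count lines per class over a batch of syslog lines."""
    counts = {"hairpin": 0, "no-xlate": 0, "other": 0}
    for line in lines:
        counts[classify(line)] += 1
    return counts

# Constructed sample: the first line is the one quoted in the question, the others are made up.
SAMPLE_LOG = [
    "<163>Jun 29 2004 14:19:31: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:192.55.9.32/1161 dst outside:66.102.7.99/80",
    "<163>Jun 29 2004 14:20:02: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.7/44321 dst inside:192.55.9.77/445",
    "<166>Jun 29 2004 14:20:05: %PIX-6-302013: Built outbound TCP connection 1234 for outside:66.102.7.99/80",
]
```

Running `summarize(SAMPLE_LOG)` on the constructed batch gives one line in each class; the hairpin entry is the PPTP client (pool address 192.55.9.32) trying to reach Google back out the outside interface.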