
VPN configuration on PIX 515 for VPN Client Using PPTP

li.simon
Level 1

Dear Sir,

We are using the PPTP VPN Client (MS-CHAP) from a WIN2K PC to access the PIX 515 VPN. Please help check my configuration below and tell me what I missed. It did not work when I tried to connect to the VPN via the PIX's outside public IP.

ip local pool local_address 192.168.100.100-192.168.100.120

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe auto

vpdn group 1 client configuration address local local_address

vpdn group 1 client authentication local

vpdn group 1 client configuration dns 192.168.100.30

vpdn group 1 client configuration wins 192.168.100.30

vpdn username cisco password ciscovpn

vpdn enable outside

sysopt connection permit-pptp

Do I need to define access-list for TCP port 513 for login and UDP port 1812 for Dialup?

Thanks for your help.

Simon


Nairi Adamian
Cisco Employee

Make sure that you have "sysopt connection permit-pptp" configured as well as the "nat (inside) 0 access-list xxx" for traffic from your inside network to the pool you have specified.

Here is a sample configuration:

http://www.cisco.com/warp/customer/110/pptppix.html

Hope this helps,

-Nairi

Thanks for your prompt reply, Nairi. I already had "sysopt connection permit-pptp" configured but did not have "nat (inside) 0 access-list xxx". I will try it.

FYI, we have only one public IP address, which was assigned to the outside interface. It works fine for port redirection with the static command. Will it matter for VPN access? Is it correct to enter the outside interface public IP in the WIN2K VPN Client when you try to connect?

How can you telnet to the PIX firewall to do configuration from the remote side?

Thanks again.

Simon

The one public address should be OK. And yes, you should try connecting using the public address of the PIX using the PPTP client.

As for telnetting to the PIX, you can only telnet from inside and not outside. In this case you need to allow the telnet connection for the host/network on the PIX using the telnet command.

telnet ip_address [netmask] [if_name]

Hope this helps,

- Nairi

Nairi, thanks again for your answer.

I have three more questions:

1. The link below from your previous reply did not bring me to the PPTP config sample. Can you check it for me?

http://www.cisco.com/warp/customer/110/pptppix.html

2. Regarding the telnet, if you cannot telnet to the PIX itself to configure the PIX from outside, is there any other way that you can use to configure the PIX remotely without using the console port?

3. How do you determine the IP range for the local IP pool? Is it that you can assign any unused IP range, as long as it does not overlap with the inside network IP range? Am I right?

Thanks,

Simon

1. Try the following link:

http://www.cisco.com/warp/public/110/pptppix.html

2. You can access the PIX from outside using SSH. Here is how you configure SSH on the PIX:

http://www.cisco.com/warp/public/110/authtopix.shtml#localSSH

3. Yes.

Regards,

-Nairi
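
The checks discussed in this thread (permit-pptp, `vpdn enable`, the `nat (inside) 0 access-list` exemption, and a pool that does not overlap the inside network) can be run against a saved configuration. The script below is an added example, not part of the original posts or Cisco's tooling; the `ip address inside` line in the sample is an assumed value chosen so the overlap check fires, and `check_pptp` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: PPTP lines from the question plus an ASSUMED inside address.
SAMPLE = """\
ip address inside 192.168.100.1 255.255.255.0
ip local pool local_address 192.168.100.100-192.168.100.120
vpdn group 1 accept dialin pptp
vpdn group 1 client configuration address local local_address
vpdn enable outside
sysopt connection permit-pptp
"""

def check_pptp(config):
    """Return findings for the PPTP prerequisites named in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "sysopt connection permit-pptp" not in lines:
        findings.append("missing: sysopt connection permit-pptp")
    if not any(re.fullmatch(r"vpdn enable \S+", l) for l in lines):
        findings.append("missing: vpdn enable <if_name>")
    # nat (inside) 0 must reference an access-list that is actually defined
    nat0 = [m.group(1) for l in lines
            if (m := re.fullmatch(r"nat \(inside\) 0 access-list (\S+)", l))]
    if not nat0:
        findings.append("missing: nat (inside) 0 access-list <name>")
    for name in nat0:
        if not any(l.startswith(f"access-list {name} ") for l in lines):
            findings.append(f"nat 0 references undefined access-list {name}")
    # Pool endpoints should not fall inside the inside interface's subnet
    inside = next((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                   for l in lines
                   if (m := re.fullmatch(r"ip address inside (\S+) (\S+)", l))), None)
    for l in lines:
        m = re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+)", l)
        if m and inside:
            lo, hi = (ipaddress.ip_address(a) for a in m.group(2, 3))
            if lo in inside or hi in inside:
                findings.append(f"pool {m.group(1)} overlaps inside network {inside}")
    return findings

if __name__ == "__main__":
    for finding in check_pptp(SAMPLE):
        print(finding)
```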