Issue with Ipsec and pptp clients

Folks, I have a PIX 515E acting as the IPSec/PPTP endpoint. I use the CVPN 4.x version for IPSec and the MS PPTP client for the PPTP connection.

Issues I face:

1) With IPSec, I can establish only 1 VPN connection, meaning if another IPSec connection comes in, the existing IPSec VPN connection is kicked out.

2) With PPTP, I can get authenticated, but I am unable to browse or ping the internal network.

I have given my configuration below.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password dP6LztWI/VQ0Swy0 encrypted
passwd qESl5f9ayuCTSGcv encrypted
hostname xxx1
domain-name xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol domain 53
no names
access-list acl_out permit tcp any host xxx.xxx.xxx.30 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.30 eq 3389
access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq smtp
access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq pop3
access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq imap4
access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq https
access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq 8000
access-list acl_out permit tcp any host xxx.xxx.xxx.30 eq ssh
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xxx.xxx.xxx.31 eq www
access-list acl_out permit tcp any host xxx.xxx.xxx.37 eq ftp
access-list acl_out deny ip any any
access-list acl_dmz permit tcp host 10.0.12.243 any eq smtp
access-list acl_dmz permit icmp any any echo-reply
access-list acl_dmz permit udp 10.0.0.0 255.255.0.0 host 203.166.128.168 eq domain
access-list acl_dmz permit udp 10.0.0.0 255.255.0.0 host 203.166.128.188 eq domain
access-list acl_dmz permit tcp host 10.0.12.242 10.0.11.0 255.255.255.0
access-list acl_dmz permit tcp host 10.0.12.241 10.0.11.0 255.255.255.0
access-list acl_dmz deny ip any any
access-list 200 permit ip 10.0.11.0 255.255.255.0 10.0.99.240 255.255.255.240
access-list 200 permit ip 10.0.11.0 255.255.255.0 172.16.9.0 255.255.255.0
pager lines 24
logging on
logging trap informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.37 255.255.255.192
ip address inside 10.0.11.253 255.255.255.0
ip address dmz 10.0.12.253 255.255.255.240
ip audit name outside info action alarm
ip audit name info1 info action alarm
ip audit interface outside info1
ip audit info action alarm
ip audit attack action alarm
ip local pool mc3vpn 172.16.9.1-172.16.9.4
ip local pool vpnppol 10.0.99.241-10.0.99.250
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp inside 192.168.4.101 0020.7818.362a
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 201
nat (inside) 1 10.0.11.0 255.255.255.0 0 0
nat (dmz) 1 10.0.12.243 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.31 www 10.0.12.243 8000 netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.31 smtp 10.0.12.243 smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.31 8000 10.0.12.243 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.31 pop3 10.0.12.243 pop3 netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.31 imap4 10.0.12.243 imap4 netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.30 3389 10.0.12.241 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.30 www 10.0.12.241 www netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.30 ssh 10.0.12.242 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.0.11.191 ftp netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.11.0 10.0.11.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp client configuration address-pool local vpnppol outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpngrp address-pool vpnppol
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local mc3vpn
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password *********
vpdn enable outside
terminal width 80
Cryptochecksum:22652e21edb479617b7c28400427bfe1
: end
[OK]

Any help would be appreciated. Thanks

Reply to
unknown

That sounds more like a different issue. When you are making the multiple connections, are you starting both from within the same network and there is a firewall layer -outside- of the remote IPSec endpoint? If so then you could be running into the issue that the ESP IP protocol used by your IPSec configuration has no port numbers and so many firewalls can only handle one ESP session at a time.

If that does turn out to be your problem, then the easiest fix is to upgrade to 6.3 or later and to then turn on the new feature NAT-T (NAT Traversal) by adding "isakmp nat-traversal 20".

There have been many bug fixes since 6.2(2), and several important security fixes. As I recall, you are entitled to update to 6.2(4) for free even if you do not have a support contract. Unfortunately if you do not have a support contract, then upgrading to 6.3(4) or 6.3(5) will cost some money (it's often cheaper to buy a support contract than to pay for the upgrade by itself.)

Good, I see that your IP pools are "outside" relative to your interior interfaces, which is the way they should be.

Because you already have vpnppol attached via your isakmp client command, this statement is not strictly necessary -- but it does not hurt and makes things clearer.

That statement is necessary though.

I do not immediately see any problems with your pptp configuration. I would, though, suggest updating as far as you can for free, and I would suggest that you seriously consider going to 6.3 in order to gain the NAT Traversal.

As you have a PIX 515E, you could go to 7.0 or even 7.1 code, which has a lot of nice new features and uses a configuration syntax much much closer to IOS's. On the other hand, 7.0 and 7.1 require much more memory, require a fair bit of re-learning ... and as you are obviously not "early adopters", I suspect you might find the bugs that -any- major rewrite introduces to be too much of a nuisance to deal with.

Reply to
Walter Roberson

just some thoughts - you're using this pool:

ip local pool mc3vpn 172.16.9.1-172.16.9.4

does the pix know what to do with that network?

and also, on the nat statement:

nat (inside) 0 access-list 201

I don't see an access-list 201. I think the ACL you use for the nat (inside) 0 needs to include the pool of addresses you're handing out for VPN access - but I'm not 100% sure.

Reply to
davidspollack
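A quick consistency check for the two points raised above (a nat 0 line that points at an access-list which is never defined, and whether that exemption ACL actually covers the VPN address pools), written here as an added example and not code from the thread. It parses a constructed excerpt of the OP's config with Python's standard library only; the regexes are assumptions that cover just the three command forms the excerpt uses, and the walrus operator needs Python 3.8 or later.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.2 config posted above: the nat 0 line
# references access-list 201, but the only ACL defined is 200.
PIX_CONFIG = """
access-list 200 permit ip 10.0.11.0 255.255.255.0 10.0.99.240 255.255.255.240
access-list 200 permit ip 10.0.11.0 255.255.255.0 172.16.9.0 255.255.255.0
ip local pool mc3vpn 172.16.9.1-172.16.9.4
ip local pool vpnppol 10.0.99.241-10.0.99.250
nat (inside) 0 access-list 201
nat (inside) 1 10.0.11.0 255.255.255.0 0 0
"""

# Assumed minimal grammar: only "permit ip" ACL entries, address-range pools
# and "nat (iface) 0 access-list NAME" are recognised; other lines are ignored.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(config):
    """Collect destination networks per ACL, pool ranges, and nat 0 references."""
    acls, pools, nat0 = {}, {}, {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            # ip_network accepts "addr/dotted-netmask", as PIX ACLs write it
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[4]}/{m[5]}"))
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
    return acls, pools, nat0


def check_nat_exemption(config):
    """Return findings: nat 0 lines naming a missing ACL, and VPN pools that the
    exemption ACL does not cover (return traffic to them would be PATed)."""
    acls, pools, nat0 = parse(config)
    findings = []
    for iface, acl_name in nat0.items():
        if acl_name not in acls:
            findings.append(f"nat ({iface}) 0 references missing access-list {acl_name}")
            continue
        for pool, (first, last) in pools.items():
            covered = any(first in net and last in net for net in acls[acl_name])
            if not covered:
                findings.append(f"pool {pool} not exempted by access-list {acl_name}")
    return findings


if __name__ == "__main__":
    print(check_nat_exemption(PIX_CONFIG))
```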

Guys, thanks for your response. Some more information: the PPTP works well from my home (which doesn't do a NAT, I presume).

David, you are right: the access-list is 200, not 201.

Cheers

Reply to
unknown
