1. Home
  2. Cisco Systems
  3. PIX 501 VPN problem..

PIX 501 VPN problem..

Use ms-windows VPN client to connect to the outside interface of the PIX via a public, fixed, IP address. (Remote machine is 69.xxx.xxx.xxx, LAN is at 71.xxx.xxx.xxx).

Once the remote machine is authenticated on the VPN do 'ipconfig /all' and note that I have another IP address: 192.168.4.1 from the 'Alien' pool on the PIX. (Using PIX local authentication.)

From the remote machine attempt to map a drive on the LAN: net use x: \\\\192.168.0.250\\sharename Get back: "The network path was not found"

From the remote machine ping a machine on the internal LAN: ping 192.168.0.250 Get back "Request Timed Out"

From an internal LAN machine ping the remote machine using it's pool assigned IP address: ping 192.168.4.1 Get back: "Reply from 192.168.4.1: bytes=32 time=141ms TTL=128"

From an internal LAN machine attempt to map a drive on the remote machine: net use x: \\\\192.168.4.1\\sharename The drive maps OK and I have read access but not write access.

That's nice but is back-asswords from what I'm trying to achieve. I want outside users to have access to LAN shares. Not LAN users accessing remote shares.

Issue the command: "show vpdn"

%No active L2TP tunnels PPTP Tunnel and Session Information (Total tunnels=1 sessions=1) Tunnel id 13, remote id is 13, 1 active sessions Tunnel state is estabd, time since event change 39 secs remote Internet Address 69.xxx.xxx.xxx, port 10033 Local Internet Address 192.168.3.2, port 1723 396 packets sent, 502 received, 47262 bytes sent, 261777 received Call id 13 is up on tunnel id 13 Remote Internet Address is 69.xxx.xxx.xxx Session username is haz, state is estabd Time since event change 10282 secs, interface outside Remote call id is 1000 PPP interface id is 1 396 packets sent, 502 received, 47262 bytes sent, 261777 received Seq 397, Ack 553, Ack_Rcvd 396, peer RWS 64 23 out of order packets %No active PPPoE tunnels

Get currently running configuration:

PIX Version 6.3(4) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 3OQvc6UWCVetmyWL encrypted passwd 3OQvc6UWCVetmyWL encrypted hostname pixfirewall domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol pptp 1723 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list msvpn permit ip any 192.168.0.0 255.255.255.0 access-list inside_outbound_nat0_acl permit ip any 192.168.4.0

255.255.255.0 pager lines 24 logging on logging timestamp logging trap informational logging host inside 192.168.0.253 mtu outside 1500 mtu inside 1500 ip address outside dhcp setroute ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm ip local pool Aliens 192.168.4.1-192.168.4.11 pdm location 192.168.0.250 255.255.255.255 inside pdm location 192.168.0.254 255.255.255.255 inside pdm location 192.168.0.253 255.255.255.255 inside pdm location 192.168.4.0 255.255.255.240 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 0 0 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local http server enable http 192.168.0.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-pptp telnet 192.168.0.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication pap vpdn group PPTP-VPDN-GROUP ppp authentication chap vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto vpdn group PPTP-VPDN-GROUP client configuration address local Aliens vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn group PPTP-VPDN-GROUP client authentication local vpdn username haz password ********* vpdn enable outside dhcpd address 192.168.0.2-192.168.0.33 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:a12e181d68e425791bbe5c2877d429ad : end [OK]

I'm not sure how to proceed. I'm inclinded to issue a debug command or two but I'm not sure what I'm looking for yet. I don't see much of interest in the log (logging host is a Solaris machine) so I also think I need to adjust my logging level.

Any suggestions gratefully received!

Reply to
Hank Zoeller
Loading thread data ...

Don't forget that this PPTP that you are using is totally unencrypted. SO it might be a good idea to use the Cisco VPN client and use true IPsec.

IF you are able to ping from the workstation on the LAN sounds like you ahve

2 way communication working..

Did you check any security settings (i.e. windows firewall, internet security, blah blah blah) to make sure that you are able to access from that remote subnet?

-Garrett

Hank Zoeller wrote:

Reply to
Garrett

The PIX doesn't consider that to be a "fixed public IP address", but that does not matter for your purposes.

I do not see any reference to that ACL ?

That ACL is also not referenced. This is your problem. You should have

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0

192.168.4.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

Without the nat 0 access-list, the PIX does not know that it isn't supposed to nat the traffic to 192.168.4.* so it would nat it into the interface IP.

Reply to
Walter Roberson

At one time I had a static that referenced that ACL. I replaced that with "sysopt connection permit-pptp". Which, from the command reference, I interpret as meaning that all pptp traffic would be routed through the PIX without consulting any access-lists.

But, I'm not comprehending everything I read in the Cisco docs.. Is the sysopt command appropriate for my use? Did I misinterpret the docs?

192.168.4.0 255.255.255.0

OK, I believe I understand that. So, I've deleted my initial inside_outbound_nat0_acl and replaced it with the one you suggest which replaced 'any' with a specific IP range. Also, I've added the "nat (inside)..." comand.

So, my config now looks like: ... access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0

192.168.4.0 255.255.255.0 ... nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ... sysopt connection permit-pptp ... vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication pap vpdn group PPTP-VPDN-GROUP ppp authentication chap vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto vpdn group PPTP-VPDN-GROUP client configuration address local Aliens vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn group PPTP-VPDN-GROUP client authentication local vpdn username haz password ********* vpdn enable outside

Now I can still connect and authenticate but I can no longer ping from inside to outside and can no longer map a drive from inside to outside. And, I still can't ping or map drives from outside to inside (which is the desired behavior).

So, I'm still floundering. Part of my problem is that I'm not sure what steps need to be taken to accomplish a known goal. I've been reading the Cisco command reference and the Cisco PIX Firewall and VPN Configuration Guide but one seems to have only details and one doesn't have enough detail. I guess I'm just too low on the learning curve..

Thanks for your help. Further suggestions greatly appreciated!

Reply to
Hank Zoeller

Hmm.. I thought the line: "vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto" enabled 128-bit Microsoft Point to Point Encryption (mppe). Is that not true? I have the client set up to disconnect if encryption is not established and it does connect and stay connected.

Yes, it *seems* like I'm close to getting this working.

For the tests I've disabled the Windows Firewall on the client.

Thanks for your thoughts -- any additional help is welcome.

Reply to
Hank Zoeller

did you reload the pix after the changes ?

Reply to
Martin Bilgrav

Earlier today I discovered the 'clear xlate' command and that helped a lot!

Now, when I connect from outside I authenticate and can ping the internal machines OK. But I still can't map any shares on those machines.

When I try to map a drive, I see the following in the PIX log: No translation group found for tcp src outside:192.168.200.2/1075 dst inside:192.168.0.250/139

I'm surprised to see the 192.168.200.2 address. That is the private, internal address of the outside machine on it's remote LAN but I guessed I would have seen the ip address assigned to it from the PIX VPN pool which is 192.168.4.1.

My current config (what is the "nat (inside) 1 ..." business?): ... access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0

192.168.4.0 255.255.255.0 ... nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 ... ip local pool vpn_users 192.168.4.1-192.168.4.254 ... sysopt connection permit-pptp ... vpdn group PPTP-VPDN-GROUP accept dialin pptp vpdn group PPTP-VPDN-GROUP ppp authentication pap vpdn group PPTP-VPDN-GROUP ppp authentication chap vpdn group PPTP-VPDN-GROUP ppp authentication mschap vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto vpdn group PPTP-VPDN-GROUP client configuration address local vpn_users vpdn group PPTP-VPDN-GROUP pptp echo 60 vpdn group PPTP-VPDN-GROUP client authentication local vpdn username hax password ********* vpdn enable outside ...

I'm getting closer -- thanks to you guys!

Reply to
Hank Zoeller

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.