VPN Question Pix 501

Good morning,

I have a problem with my Cisco PIX 501. This device is configured for a Cisco VPN to Cisco VPN tunnel, and this is working perfectly, no problems. I made an alternate configuration to enable PPTP to one side of the office.

The problem is: I can use PPTP to the office, but then I have no connection to the other office (the VPN tunnel goes down). I think the problem is this line:

nat (inside) 0 access-list outside_nat0

If i changed the above line to:

nat (inside) 0 access-list outside_nat0_acl --> then PPTP works and I can access the local network, but if the line is: nat (inside) 0 access-list outside_nat0, then the VPN between the two offices works and I'm unable to access the local LAN with my PPTP.

Please, can someone help me? Excuse my bad English, I'm Dutch.

----------PIX CONFIG------------

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ABSDGHIJKL encrypted
passwd ASDFGHIJKLM encrypted
hostname mypix
domain-name localdomain.nl
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec_tun_colopix permit ip 10.12.14.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_nat0 permit ip 10.12.14.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_nat0_acl permit ip 10.12.14.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging trap informational
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply inside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.12.14.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnippool 10.12.12.1-10.12.12.25
ip local pool pptp 192.168.10.1-192.168.10.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 1:00:00 udp 0:30:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute uauth 3:00:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ipsec_tun_colopix esp-aes esp-md5-hmac
crypto ipsec transform-set ibstransformset esp-aes esp-md5-hmac
crypto dynamic-map ibsdynmap 30 set transform-set ibstransformset
crypto map ibsmap 10 ipsec-isakmp
crypto map ibsmap 10 match address ipsec_tun_colopix
crypto map ibsmap 10 set peer ip-address
crypto map ibsmap 10 set transform-set ipsec_tun_colopix
crypto map ibsmap 30 ipsec-isakmp dynamic ibsdynmap
crypto map ibsmap interface outside
isakmp enable outside
isakmp key ******** address ip-address netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 60
ssh 10.0.1.0 255.255.255.0 outside
ssh 10.0.1.0 255.255.255.0 inside
ssh 10.12.14.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pptp
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username USERNAME password *********
vpdn enable outside
dhcpd address 10.12.14.200-10.12.14.230 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username sandy password IDONTKNOW encrypted privilege 15
terminal width 80
banner motd Unauthorized access is forbidden!
Cryptochecksum:9165d4675cbfd4994ac905cfd3ecb112
: end
Reply to
Arjan de Vrieze
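The symptom in the post above follows from how NAT exemption is bound on the PIX: `nat (inside) 0 access-list` takes exactly one ACL, so only destinations listed in that one ACL bypass NAT, and the posted ACLs each cover only one of the two tunnels. The script below is an added example, not code from the thread or from Cisco. It parses the NAT-exemption-relevant lines of a PIX 6.3 configuration (a constructed sample copied from the config above, one command per line), finds the ACL bound by `nat (inside) 0`, and reports every site-to-site crypto-map destination and every PPTP address pool that ACL does not cover, then prints the ACEs that would have to be appended. The function names, the regular expressions and the choice to summarise an address pool to its smallest enclosing CIDR block are the example's own assumptions; it checks ACL coverage only and says nothing about the split-tunnel setting the thread later settles on.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the lines of the PIX 6.3 config posted above that matter
# for NAT exemption, one command per line (the original post was flattened).
SAMPLE_CONFIG = """
access-list ipsec_tun_colopix permit ip 10.12.14.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_nat0 permit ip 10.12.14.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_nat0_acl permit ip 10.12.14.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool vpnippool 10.12.12.1-10.12.12.25
ip local pool pptp 192.168.10.1-192.168.10.50
nat (inside) 0 access-list outside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map ibsmap 10 match address ipsec_tun_colopix
vpdn group PPTP-VPDN-GROUP client configuration address local pptp
"""

# In PIX ACL syntax "any" is a single token; otherwise an address is "addr mask".
ACE_RE = re.compile(r"^access-list (\S+) permit ip (any|\S+ \S+) (any|\S+ \S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
PPTP_POOL_RE = re.compile(r"^vpdn group \S+ client configuration address local (\S+)$")


def _net(token):
    """Turn 'any' or 'addr mask' into an ip_network."""
    if token == "any":
        return ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ip_network(f"{addr}/{mask}")


def parse_config(text):
    """Collect ACLs, address pools and the commands that bind them together."""
    cfg = {"acls": {}, "pools": {}, "nat0_acl": None, "crypto_acls": [], "pptp_pools": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append((_net(m.group(2)), _net(m.group(3))))
        elif m := POOL_RE.match(line):
            cfg["pools"][m.group(1)] = (ip_address(m.group(2)), ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            cfg["nat0_acl"] = m.group(1)  # the PIX binds exactly one ACL here
        elif m := MATCH_RE.match(line):
            cfg["crypto_acls"].append(m.group(1))
        elif m := PPTP_POOL_RE.match(line):
            cfg["pptp_pools"].append(m.group(1))
    return cfg


def pool_supernet(first, last):
    """Smallest CIDR block containing a first-last pool (assumption: one block per pool)."""
    for prefix in range(32, -1, -1):
        net = ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return net


def nat0_gaps(cfg):
    """Tunnel destinations that the nat 0 ACL does not exempt from NAT."""
    exempt = [dst for _, dst in cfg["acls"].get(cfg["nat0_acl"], [])]

    def covered(net):
        return any(net.subnet_of(dst) for dst in exempt)

    gaps = []
    for acl in cfg["crypto_acls"]:  # site-to-site crypto-map match ACLs
        for _, dst in cfg["acls"].get(acl, []):
            if not covered(dst):
                gaps.append(("site-to-site", acl, dst))
    for pool in cfg["pptp_pools"]:  # addresses handed to PPTP clients
        net = pool_supernet(*cfg["pools"][pool])
        if not covered(net):
            gaps.append(("pptp-pool", pool, net))
    return gaps


def missing_aces(cfg):
    """ACEs that would have to be appended to the nat 0 ACL to close every gap."""
    inside = sorted({src for acl in cfg["crypto_acls"] for src, _ in cfg["acls"].get(acl, [])})
    return [
        f"access-list {cfg['nat0_acl']} permit ip {src.network_address} {src.netmask} "
        f"{dst.network_address} {dst.netmask}"
        for _, _, dst in nat0_gaps(cfg)
        for src in inside
    ]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for kind, name, net in nat0_gaps(cfg):
        print(f"nat 0 ACL {cfg['nat0_acl']} does not cover {net} ({kind} {name})")
    for ace in missing_aces(cfg):
        print(ace)
```

Run against the sample, the report names the PPTP pool as the uncovered destination; swap the bound ACL to outside_nat0_acl (the poster's second variant) and the report flips to the site-to-site network instead, which is exactly the either/or behaviour described in the post. Appending the printed ACE to the bound ACL makes both checks pass, and so does the helpdesk's `permit ip any any` test line, since the check only asks whether the destination is exempt, not whether the client is told to route it through the tunnel.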

Hello Arjan,

I wonder if it makes a difference if you configure the ACL to allow everything (just for testing):

access-list outside_nat0 permit ip any any

Regards,

snipped-for-privacy@solutionfinders.nl

We've got answers!

Reply to
helpdesk

Hi,

I tried this but same problem, the tunnel between the two offices is gone.

The problem is: either the tunnel between the two offices is up, or the tunnel between my computer at home and the office is up.

I don't know what to do, but I must work in a few days.

Can you tell me how I can use PAT on the PIX 501?

So I can open a port for PCAnywhere or VNC and redirect it to a client on the inside.

Is there anyone who can say how to open port 5901, for example, and redirect it to a host inside, e.g. IP 10.12.14.5?

Anyone?


Reply to
Arjan de Vrieze

It's all working now. The problem was solved by adding the following lines. Thanks Georg for the answer.

access-list split permit ip 10.12.14.0 255.255.255.0 192.168.10.0 255.255.255.0
vpngroup PPTP-VPDN-GROUP split-tunnel split

"Arjan de Vrieze" wrote in message news: snipped-for-privacy@zeelandnet.nl...

Reply to
Arjan de Vrieze
