
Cisco PIX PPTP VPN Connected Not Passing Traffic

Discussion in 'Network Security' started by craigie, May 12, 2010.

  1. craigie
    I have received a call from an ad hoc client who can connect to a Cisco PIX via PPTP, but it won't pass any traffic across the tunnel. I have confirmed that I can connect via PPTP, but no traffic is passing.

    I have changed the ip local pool pool1 to 192.168.1.201-192.168.1.215 and was still unable to access any local resources.

    Any advice would be appreciated.

    Checking the config as follows:

    No NAT

    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

    nat (inside) 0 access-list 101

    VPN Pool

    ip local pool pool1 192.168.20.1-192.168.20.254

    I pick up an IP Address without any issues and show vpdn gives the connection information.

    Sysopt Allow PPTP

    sysopt connection permit-pptp

    VPN Authentication

    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local pool1
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local

    Show vpdn

    %No active L2TP tunnels

    PPTP Tunnel and Session Information (Total tunnels=1 sessions=1)

    Tunnel id 8, remote id is 8, 1 active sessions
    Tunnel state is estabd, time since event change 2 secs
    remote Internet Address 87.102.27.196, port 22991
    Local Internet Address 193.82.9.179, port 1723
    10 packets sent, 141 received, 337 bytes sent, 12231 received


    Call id 8 is up on tunnel id 8
    Remote Internet Address is 87.102.27.196
    Session username is admin, state is estabd
    Time since event change 182 secs, interface outside
    Remote call id is 849
    PPP interface id is 1
    10 packets sent, 141 received, 337 bytes sent, 12231 received
    Seq 11, Ack 140, Ack_Rcvd 10, peer RWS 64
    0 out of order packets

    Running Config

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password BMZqMaVNotzOBbCk encrypted
    passwd BMZqMaVNotzOBbCk encrypted
    hostname xxxxx
    domain-name xxxxx
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.0.0 Hamburg
    name 10.1.0.0 Towers-dk
    name 192.168.9.0 grimsby
    access-list out-acl permit icmp any any echo-reply
    access-list out-acl permit icmp any any unreachable
    access-list out-acl permit icmp any any time-exceeded
    access-list out-acl permit icmp any any source-quench
    access-list out-acl permit icmp any any parameter-problem
    access-list out-acl permit tcp any host 193.82.9.178 eq 3389
    access-list out-acl permit gre any any
    access-list out-acl permit tcp any any eq https
    access-list out-acl permit udp any any eq 443
    access-list out-acl permit tcp 62.173.108.16 255.255.255.240 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 62.173.108.208 255.255.255.240 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 62.231.131.0 255.255.255.0 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 85.158.136.0 255.255.248.0 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 193.109.254.0 255.255.254.0 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 194.106.220.0 255.255.254.0 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 194.205.110.128 255.255.255.224 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp host 195.216.16.211 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 195.245.230.0 255.255.254.0 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp host 212.125.74.44 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 212.125.75.0 255.255.255.224 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 216.82.240.0 255.255.240.0 host 193.82.9.178 eq smtp
    access-list out-acl permit tcp 70.60.37.0 255.255.255.0 host 193.82.9.178 eq imap4
    access-list 101 permit ip 192.168.1.0 255.255.255.0 Hamburg 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 Towers-dk 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 grimsby 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Hamburg 255.255.255.0
    access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 Towers-dk 255.255.255.0
    access-list outside_cryptomap_60 permit ip 192.168.1.0 255.255.255.0 grimsby 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 193.82.9.179 255.255.255.248
    ip address inside 192.168.1.60 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pool1 192.168.20.1-192.168.20.254
    pdm location 192.168.1.4 255.255.255.255 inside
    pdm location 62.173.108.16 255.255.255.240 outside
    pdm location 62.173.108.208 255.255.255.240 outside
    pdm location 62.231.131.0 255.255.255.0 outside
    pdm location 85.158.136.0 255.255.248.0 outside
    pdm location 193.109.254.0 255.255.254.0 outside
    pdm location 194.106.220.0 255.255.254.0 outside
    pdm location 194.205.110.128 255.255.255.224 outside
    pdm location 195.216.16.211 255.255.255.255 outside
    pdm location 195.245.230.0 255.255.254.0 outside
    pdm location 212.125.74.44 255.255.255.255 outside
    pdm location 212.125.75.0 255.255.255.224 outside
    pdm location 216.82.240.0 255.255.240.0 outside
    pdm location Hamburg 255.255.255.0 outside
    pdm location Hamburg 255.255.255.0 inside
    pdm location 70.60.37.0 255.255.255.0 outside
    pdm location Towers-dk 255.255.255.0 outside
    pdm location 192.168.20.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 193.82.9.178 192.168.1.4 netmask 255.255.255.255 0 0
    access-group out-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 193.82.9.177 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http Hamburg 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 87.193.210.178
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 40 ipsec-isakmp
    crypto map outside_map 40 match address outside_cryptomap_40
    crypto map outside_map 40 set peer 93.161.197.134
    crypto map outside_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 60 ipsec-isakmp
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer 213.1.227.226
    crypto map outside_map 60 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 87.193.210.178 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 93.161.197.134 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address 213.1.227.226 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication pap
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto
    vpdn group 1 client configuration address local pool1
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username admin password *********
    vpdn enable outside
    username xxxxx password eziJsMGvscXahrI/ encrypted privilege 15
    username xxxxx password lcWKh3HRLwG9.wN8 encrypted privilege 15
    terminal width 80
    Cryptochecksum:8fae74203dab5fb38502cdafea561907
    : end
     
    Last edited: May 12, 2010
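A static check of the posted configuration, added here as an example (it is not part of the original thread and not a Cisco tool): it parses the vpdn, ip local pool, nat 0 and sysopt lines, confirms that the VPN pool is exempted from NAT and that inside hosts have a way to reach it, and flags the weak settings that are visible in the running config (PAP, `mppe auto`, the public SNMP community, management open from any address). The sample configuration is a trimmed copy of the one in the post; the function names and the finding format are the example's own.

```python
"""Static checks for PIX 6.3 PPTP (vpdn) remote access: the pieces a client
needs to pass traffic once the tunnel is up, plus weak settings a reviewer
would flag. Added example for the thread above, not Cisco tooling."""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: a trimmed copy of the configuration posted above.
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list out-acl permit gre any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip address outside 193.82.9.179 255.255.255.248
ip address inside 192.168.1.60 255.255.255.0
ip local pool pool1 192.168.20.1-192.168.20.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
sysopt connection permit-pptp
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pool1
vpdn group 1 client authentication local
vpdn enable outside
"""


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_config(text: str) -> dict:
    """Pick out the lines that matter for PPTP; everything else is kept raw."""
    cfg = {"pools": {}, "acls": {}, "nat0_acl": None, "inside_net": None,
           "inside_addr": None, "vpdn_enable": [], "vpdn_groups": {},
           "sysopt": set(), "raw": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        cfg["raw"].append(line)
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                        ipaddress.IPv4Address(m.group(3)))
            continue
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            try:  # entries using 'name' aliases or 'any' are skipped here
                cfg["acls"].setdefault(m.group(1), []).append(
                    (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
            except ValueError:
                pass
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)$", line)
        if m:
            cfg["nat0_acl"] = m.group(1)
            continue
        m = re.match(r"ip address inside (\S+) (\S+)$", line)
        if m:
            cfg["inside_addr"] = m.group(1)
            cfg["inside_net"] = _net(m.group(1), m.group(2))
            continue
        m = re.match(r"vpdn enable (\S+)$", line)
        if m:
            cfg["vpdn_enable"].append(m.group(1))
            continue
        m = re.match(r"sysopt connection (\S+)$", line)
        if m:
            cfg["sysopt"].add(m.group(1))
            continue
        m = re.match(r"vpdn group (\S+) (.+)$", line)
        if m:
            grp = cfg["vpdn_groups"].setdefault(
                m.group(1), {"pptp": False, "auth": set(), "mppe": None, "pool": None})
            rest = m.group(2)
            if rest == "accept dialin pptp":
                grp["pptp"] = True
            elif rest.startswith("ppp authentication "):
                grp["auth"].add(rest.split()[-1])
            elif rest.startswith("ppp encryption mppe "):
                grp["mppe"] = rest[len("ppp encryption mppe "):]
            elif rest.startswith("client configuration address local "):
                grp["pool"] = rest.split()[-1]
    return cfg


def check_pptp(cfg: dict) -> List[Finding]:
    """Return (severity, message) findings: 'error' blocks traffic, 'warn' is a
    security weakness, 'info' is something to verify off the firewall."""
    f: List[Finding] = []
    inside = cfg["inside_net"]
    nat0 = cfg["acls"].get(cfg["nat0_acl"], []) if cfg["nat0_acl"] else []
    if not cfg["vpdn_enable"]:
        f.append(("error", "no 'vpdn enable <if>': the PIX will not accept PPTP calls"))
    if "permit-pptp" not in cfg["sysopt"]:
        f.append(("error", "no 'sysopt connection permit-pptp': outside ACL must "
                           "permit tcp/1723 and gre to the PIX explicitly"))
    for name, grp in cfg["vpdn_groups"].items():
        if not grp["pptp"]:
            continue
        if grp["pool"] not in cfg["pools"]:
            f.append(("error", f"vpdn group {name}: pool '{grp['pool']}' is not defined"))
            continue
        first, last = cfg["pools"][grp["pool"]]
        pool_nets = list(ipaddress.summarize_address_range(first, last))
        # Replies from the LAN to a VPN client leave via 'outside', so nat (inside) 1
        # will PAT them unless a nat 0 ACL entry (inside -> pool) exempts them.
        exempt = all(any(n.subnet_of(dst) and (inside is None or src.overlaps(inside))
                         for src, dst in nat0) for n in pool_nets)
        if not exempt:
            f.append(("error", f"pool {grp['pool']} ({first}-{last}) is not exempted "
                               f"from NAT by the nat 0 access-list"))
        if inside is not None and any(inside.overlaps(n) for n in pool_nets):
            f.append(("info", f"pool {grp['pool']} overlaps the inside subnet {inside}; "
                              "make sure no LAN host or DHCP scope uses those addresses"))
        elif inside is not None:
            f.append(("info", f"pool {grp['pool']} is a separate subnet: LAN hosts or their "
                              f"default gateway need a route for it via {cfg['inside_addr']}"))
        if "pap" in grp["auth"]:
            f.append(("warn", f"vpdn group {name}: PAP allowed, so a client can send the "
                              "password in clear inside the tunnel"))
        if grp["mppe"] == "auto":
            f.append(("warn", f"vpdn group {name}: 'mppe auto' lets a client negotiate no "
                              "encryption; use 'mppe 128 required'"))
    for line in cfg["raw"]:
        if line == "snmp-server community public":
            f.append(("warn", "SNMP community 'public' is the default and guessable"))
        elif re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 outside$", line):
            f.append(("warn", "SSH management is reachable from any Internet address"))
        elif line.startswith("telnet "):
            f.append(("warn", "telnet management is enabled (cleartext credentials)"))
    return f


if __name__ == "__main__":
    for sev, msg in check_pptp(parse_config(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Moving the pool into the LAN range (as in the post) without also changing access-list 101 is reported as a NAT error, because the only nat 0 entry still exempts 192.168.20.0/24; with the posted config as-is, the only blocking-class finding is absent and the check reduces to the routing note and the weak-setting warnings.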
  2. craigie
    I have performed the following, which has not resolved it:

    - changed ip local pool pool1 to 192.168.1.201-192.168.1.215 and was still unable to access any local resources
    - added access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
    - removed the vpdn group 1, rebooted and readded
    - added fixup protocol pptp 1723

    I'm thinking it's a routing issue.
     
    Last edited: May 12, 2010
  3. craigie
    Rebooted my laptop and tested again; all working, lol.
     