Hi,
I'm having problem with PIX configuration. We want to have VPN access to our dislocated server(s).
Initial (PPTP) VPN connection with PIX is made without any problem.
Client settings (IP address, DNS, gateway) are properly set at client side after connecting to PIX, but no further traffic is possible. I can't ping neither access mail or web server.
It seems that all packets are gone somewhere but I can find where [:(]
Can anyone tell me what is wrong in this configuration?
Thank you for your time.
Boscko
---------------
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol skinny 2000
no fixup protocol rsh 514
no fixup protocol sip 5060
names
name 192.168.5.0 LAN
name 80.x.y.224 Public_subnet
name 62.x.y.115 WS1
name 62.x.y.116 WS2
name 62.x.y.117 WS3
name 212.x.y.41 Office
access-list outside_access_in permit ip host WS1 any
access-list outside_access_in permit ip host WS2 any
access-list outside_access_in permit ip host WS3 any
access-list outside_access_in permit ip host Office any
access-list outside_access_in permit tcp any host 80.x.y.226 eq smtp
access-list outside_access_in permit tcp any host 80.x.y.230 eq www
access-list outside_access_in permit tcp any host 80.x.y.230 eq 443
access-list outside_access_in deny ip any any
access-list vpn101 permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor warnings
logging buffered warnings
logging trap warnings
interface ethernet0 100full
interface ethernet1 100full
icmp permit host Office outside
icmp deny any echo-reply outside
icmp permit any unreachable outside
icmp permit 192.168.0.0 255.255.0.0 outside
icmp permit 192.168.0.0 255.255.0.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 80.x.y.254 255.255.255.224
ip address inside 192.168.5.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name infpol1 info action alarm
ip audit name attpol1 attack action alarm drop
ip audit interface outside infpol1
ip audit interface outside attpol1
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.7.200-192.168.7.250
pdm logging warnings 512
pdm history enable
arp timeout 14400
nat (inside) 0 access-list vpn101
static (inside,outside) 80.x.y.226 192.168.5.226 netmask 255.255.255.255 0 0
static (inside,outside) 80.x.y.230 192.168.5.230 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.x.y.225 1
route outside 192.168.7.0 255.255.255.0 80.x.y.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss minimum 48
sysopt connection permit-pptp
no sysopt route dnat
service resetinbound
service resetoutside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 80.x.y.1 80.x.y.2
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username ******* password *******
vpdn enable outside
terminal width 80
: end
--------------------
This thread was automatically locked due to age.
