[c-nsp] PIX 515E PPTP VPN Routing?

Vinny Abello vinny at tellurian.com
Mon Sep 24 09:44:26 EDT 2007


With PPTP "split-tunneling" (or the closest thing you can consider split-tunneling), it's either all or nothing... or nothing and then doing some creative work with static routes on the Windows box, again not recommended.

I'm curious though, is the address pool being assigned out to the clients in the same subnet as a network on the inside interface of the PIX? Do you want to allow all PPTP traffic through or are you going to limit it? 

Unless you have "sysopt permit-pptp" in your config (which allows all traffic tunneled through PPTP), you need to specifically allow the traffic on your outside interface access-list. 

If the address space you are assigning to the PPTP clients is on the same subnet as the inside interface (or whatever network you are trying to access), your access-list will contain the same source and destination addresses to allow the traffic through. It looks a little weird, but it is required if you don't allow everything with the sysopt command. 

Finally, again if the ip pool is on the same subnet, be sure you do not disable proxy-arp on that interface or else the PIX won't ARP for the PPTP clients when the hosts on that subnet are trying to communicate with them.


Hope one or more of these helps resolve the issue!

Church, Charles wrote:
> I think it's working the way it should.  THe MS client is very
> non-intelligent, compared to the Cisco client.  I don't believe you can
> define for an MS client the concept of split tunneling, at least not
> from the PIX or router itself.  You can do it from the client, after the
> VPN session is established.  If you do a 'route print' from the Windoze
> box, you'll see an additional entry for the default network using the
> VPN adaptor, with a better metric.  You can manually delete that entry,
> and add in any that you need with another route statement (such as
> saying all 172.16.0.0/12 routes should use the VPN interface).  You
> don't have any odd configuration, such as your PIX giving out addresses
> in the same range as what's local to the PC?  That could cause some
> oddities as well.  But honestly, you're much better off using the Cisco
> client, from a security and a feature standpoint.  I haven't worked with
> PPTP in a couple years, but I think I remember all the faults pretty
> well.
> 
> Chuck 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lyndon Tiu
> Sent: Monday, September 24, 2007 7:18 AM
> To: haykan at qalacom.com
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX 515E PPTP VPN Routing?
> 
> 
> I did this (it is checked by default) and I got 0.0.0.0 as the default
> gateway.
> 
> But it does not matter either ways. I still could not do anything.
> Cannot ping/ssh/telnet/http to any other computer on the local LAN. No
> internet connection (to the outside world) either.
> 
> Any more suggestions?
> 
> On Mon, 24 Sep 2007 13:34:12 +0800 haykan at qalacom.com wrote:
>> on your windows client go to properties - networking - tcp/ip - advanced
>> and check the box - Use default gateway on remote network
>>
>> regards,
>>
>> Lyndon Tiu wrote:
>>> Hi guys,
>>>
>>> I have a PIX 515E.
>>>
>>> I setup the PIX as a PPTP VPN server accepting PPTP connections from the
>>> outside. I have a Windows XP client on the outside connecting to the
>>> internal network using the PIX as the PPTP server.
>>>
>>> I followed instructions setting up the VPN and the Windows client is
>>> able to connect to the PIX and obtain an ip from the ip pool.
>>>
>>> Problem is, the Windows client is unable to do anything after this. It
>>> cannot ping any other machines on the network.
>>>
>>> I believe this is a routing issue. Can someone on this list confirm if
>>> routing is something I have to do separate from the VPN configuration?
>>> Ipconfig says that a default gateway is not assigned to the Windows
>>> client by the PIX through the PPTP VPN. Route /print shows no routes
>>> added by the PPTP. I do not see any PPTP VPN configuration that allows
>>> me to setup routes.
>>>
> 
> 
> --
> Lyndon Tiu
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 

-- 

Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of fear" -- Mark Twain
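As an added illustration of the three points in the reply above (an explicit outside access-list when the sysopt command is absent, a same-subnet source and destination, and proxy ARP left enabled), here is a PIX 6.x configuration fragment. It is not from the thread or from any poster; the interface addresses, pool range, ACL name and username are constructed, and the full command form is assumed to be `sysopt connection permit-pptp`.

```text
! Added example (not from the thread): PIX 6.x PPTP server configuration.
! Addresses, pool range, ACL name and username are constructed.
ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! PPTP address pool carved out of the inside subnet (the "same subnet" case):
! .192-.223 is the 192.168.1.192/27 block, so it can be matched as one ACL entry.
ip local pool pptp-pool 192.168.1.192-192.168.1.223

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn username pptpuser password PLACEHOLDER_PASSWORD
vpdn enable outside

! Option A: let everything tunnelled over PPTP bypass the outside ACL.
! Left commented out here because it grants every PPTP client full access.
! sysopt connection permit-pptp

! Option B (used here): no sysopt, so tunnelled traffic must be permitted on the
! outside interface ACL. Because the pool lives inside the inside subnet, the
! source and destination are the same network. Narrowing the source to the pool
! block rather than the whole subnet permits only what the clients can send.
access-list outside_in permit ip 192.168.1.192 255.255.255.224 192.168.1.0 255.255.255.0
access-group outside_in in interface outside

! Proxy ARP must stay enabled on inside so the PIX answers ARP requests from
! LAN hosts for the pool addresses. Do NOT configure:
!   sysopt noproxyarp inside
```

Lines beginning with `!` are annotations; with option B, a LAN host reaching a PPTP client relies on both the ACL entry and the PIX answering ARP for the pool address, so removing either reproduces the "connects but cannot ping anything" symptom from the original question.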

