[nsp] PIX OS 6.3 and VPN/VPDN
Tony Mucker
Tony at tonymucker.com
Mon Jul 12 17:52:06 EDT 2004
I just gave this idea a shot (thanks!). I was able to ping the internet
at large, but wasn't able to get anything on the VPN side (DNS/WINS
servers included). Here are my relevant configs:
vpngroup vpnclientgroup address-pool vpnclient
vpngroup vpnclientgroup dns-server 172.16.0.33 172.16.0.32
vpngroup vpnclientgroup wins-server 172.16.0.33
vpngroup vpnclientgroup default-domain ********
vpngroup vpnclientgroup split-tunnel vpnpools
vpngroup vpnclientgroup idle-time 1800
vpngroup vpnclientgroup password ********
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local pptp
vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.0.33 172.16.0.32
vpdn group PPTP-VPDN-GROUP client configuration wins 172.16.0.33
vpdn group PPTP-VPDN-GROUP client authentication aaa masterbdc
vpdn group PPTP-VPDN-GROUP client accounting masterbdc
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
access-list no-nat-inside permit ip any 172.16.100.0 255.255.255.0
access-list no-nat-inside permit ip any 172.16.110.0 255.255.255.0
access-list vpnpools permit ip 172.16.100.0 255.255.255.0 any
access-list vpnpools permit ip 172.16.110.0 255.255.255.0 any
ip local pool pptp 172.16.100.1-172.16.100.254
ip local pool vpnclient 172.16.110.1-172.16.110.254
nat (inside) 0 access-list no-nat-inside
Any clues as to what I'm doing wrong?
Also, is there something similar to split-tunnels for the VPDN (PPTP?)
Thanks
Tony
info at beprojects.com wrote:
>You need to setup split tunneling and the policy will be pushed to the users
>when they connect. Anything that matches the split tunnel acl will go
>through the VPN. Anything else will go directly out to the internet. There
>is no way to force Internet traffic through the pix and back out (although
>I don't think you really want this anyway, I just thought I would let you
>know).
>
>Say you have the following setup:
>
>vpnpool = 192.168.3.x
>internal networks= 192.168.1.x and 192.168.2.x
>
>
>Try something like this:
>
>access-list VPNUSER permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
>access-list VPNUSER permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
>
>vpngroup BLAH split-tunnel VPNUSER
>
>>1) How do I set up the VPN configs to allow them access to the outside
>>world while VPN'd in? Is this something handled on the client side?
>>
>>2) Is it possible for the client/PIX to send all traffic not destined
>>for the internal side through the client's LAN gateway? I only have a
>>T1, and it's already abused as it is.
>>
>>Thanks again
>>Tony
>>_______________________________________________
>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
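The quoted reply gives the rule for a PIX 6.x split-tunnel ACL: the networks behind the PIX are the source and the VPN client pool (or any) is the destination, while the posted `vpnpools` ACL has the client pools as the source. The script below is an added example, not code from the thread or from Cisco; it parses the relevant lines of the posted config (plus a constructed corrected ACL, where the inside network 172.16.0.0/24 is an assumption) and flags split-tunnel entries whose source overlaps a local address pool or whose destination does not cover the group's pool.

```python
"""Sanity check for PIX OS 6.x vpngroup split-tunnel ACLs (added example)."""
import ipaddress

# Relevant lines copied from the posted config.
POSTED_CONFIG = """\
vpngroup vpnclientgroup address-pool vpnclient
vpngroup vpnclientgroup split-tunnel vpnpools
access-list vpnpools permit ip 172.16.100.0 255.255.255.0 any
access-list vpnpools permit ip 172.16.110.0 255.255.255.0 any
ip local pool pptp 172.16.100.1-172.16.100.254
ip local pool vpnclient 172.16.110.1-172.16.110.254
"""

# Constructed counter-example shaped like the reply's VPNUSER ACL: inside
# network (assumed 172.16.0.0/24, where the DNS/WINS servers live) as source,
# client pool as destination.
FIXED_CONFIG = """\
vpngroup vpnclientgroup address-pool vpnclient
vpngroup vpnclientgroup split-tunnel vpnpools
access-list vpnpools permit ip 172.16.0.0 255.255.255.0 172.16.110.0 255.255.255.0
ip local pool vpnclient 172.16.110.1-172.16.110.254
"""


def _take_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse(config: str) -> dict:
    """Collect local pools, vpngroup settings and access-list permit entries."""
    pools, groups, acls = {}, {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "local", "pool"] and len(w) >= 5:
            first, _, last = w[4].partition("-")
            pools[w[3]] = (ipaddress.ip_address(first),
                           ipaddress.ip_address(last or first))
        elif w[:1] == ["vpngroup"] and len(w) >= 4 and w[2] in ("address-pool", "split-tunnel"):
            groups.setdefault(w[1], {})[w[2]] = w[3]
        elif w[:1] == ["access-list"] and len(w) >= 5 and w[2] == "permit":
            src, i = _take_addr(w, 4)        # w[3] is the protocol
            dst, _ = _take_addr(w, i)        # any trailing port tokens are ignored
            acls.setdefault(w[1], []).append((w[3], src, dst))
    return {"pools": pools, "groups": groups, "acls": acls}


def check_split_tunnel(config: str) -> list:
    """Return a finding per split-tunnel ACL entry that is in the wrong direction."""
    cfg = parse(config)
    findings = []
    for name, g in cfg["groups"].items():
        acl, pool = g.get("split-tunnel"), g.get("address-pool")
        if not acl or pool not in cfg["pools"]:
            continue
        first, last = cfg["pools"][pool]
        for proto, src, dst in cfg["acls"].get(acl, []):
            # A pool is handed to clients; it is never a network behind the PIX,
            # so it must not appear as the source of a split-tunnel entry.
            if any(a in src or b in src for a, b in cfg["pools"].values()) and src.prefixlen:
                findings.append(
                    f"vpngroup {name}: {acl} entry {src} -> {dst} uses a client pool "
                    f"as source; put the inside network as source and pool {pool} as destination")
            # A specific destination must cover the group's own pool or no client matches.
            elif dst.prefixlen and (first not in dst or last not in dst):
                findings.append(
                    f"vpngroup {name}: {acl} entry {src} -> {dst} does not cover pool {pool} "
                    f"({first}-{last})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in check_split_tunnel(cfg) or ["no findings"]:
            print(" ", f)
```

Run against the posted config the check reports both `vpnpools` entries, because 172.16.100.0/24 and 172.16.110.0/24 are exactly the `pptp` and `vpnclient` pools; the constructed corrected ACL produces no findings.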