pix pptp vpn can't ping webserver | hosts

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • pix pptp vpn can't ping webserver | hosts

    I can set up the PPTP VPN tunnel via a PIX firewall 6.3,
    but I can't ping the webserver and can't visit the webpage of the webserver
    on port 6512.

    There are no routers between the PIX and the webserver. On the PIX I can ping the webserver.

    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto shutdown
    interface ethernet3 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    nameif ethernet3 intf3 security6
    hostname PIX-520
    domain-name testing.be
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.25.1.12 webserver
    access-list 100 permit icmp any any
    access-list 100 permit gre any any
    access-list 100 permit tcp any host webserver eq 6512
    access-list 101 permit icmp any any
    access-list 101 permit tcp any 209.89.100.37 255.255.255.240 eq www
    access-list inside_outbound_nat0_acl permit ip any 172.17.0.0 255.255.255.192
    access-list inside_outbound_nat0_acl permit icmp any any
    access-list outside_cryptomap_dyn_20 permit ip any 172.17.0.0 255.255.255.192
    access-list outside_cryptomap_dyn_20 permit icmp any any
    pager lines 24
    logging on
    logging timestamp
    logging standby
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    logging trap debugging
    logging history debugging
    logging facility 21
    logging host inside 209.89.100.37
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    ip address outside 209.89.100.37 255.255.255.224
    ip address inside 172.25.100.26 255.255.0.0
    no ip address intf2
    no ip address intf3
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pocketpool 172.17.0.1-172.17.0.32
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address intf2
    no failover ip address intf3
    no pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    global (outside) 1 209.89.100.37
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 209.89.100.37 6512 webserver 6512 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    access-group 100 in interface inside
    route outside 0.0.0.0 0.0.0.0 209.89.100.62 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 172.25.200.17 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 172.17.0.0 255.255.0.0 outside
    telnet 172.25.0.0 255.255.0.0 inside
    telnet 172.17.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh 172.25.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    vpdn group L2TP-VPDN-GROUP accept dialin pptp
    vpdn group L2TP-VPDN-GROUP ppp authentication mschap
    vpdn group L2TP-VPDN-GROUP ppp encryption mppe 40
    vpdn group L2TP-VPDN-GROUP client configuration address local pocketpool
    vpdn group L2TP-VPDN-GROUP client configuration dns test-dom 172.25.1.2
    vpdn group L2TP-VPDN-GROUP pptp echo 60
    vpdn group L2TP-VPDN-GROUP client authentication local
    vpdn username testing password *********
    vpdn enable outside
    username user1 password xxxx encrypted privilege 15
    vpnclient server 209.89.100.37
    vpnclient mode client-mode
    vpnclient vpngroup stijn password ********
    terminal width 80

  • #2
    Re: pix pptp vpn can't ping webserver | hosts

    You need to allow the PPTP VPN pool (172.17.0.1-172.17.0.32) access to your inside (172.25.x.x 255.255.0.0) network.
    CCNA, Network+



    • #3
      Re: pix pptp vpn can't ping webserver | hosts

      OK, I have done that, but it still doesn't want to reply to my ping.

      I've added this line: access-list 101 permit tcp 172.17.0.0 255.255.255.224 172.25.0.0 255.255.0.0

      But thanks for your response. Any idea? You might think "why don't you permit icmp", but I have an icmp any any, so that may not be the problem.



      • #4
        Re: pix pptp vpn can't ping webserver | hosts

        I think by default the PIX will think the 172.17.x.x network has a 255.255.0.0 subnet mask. So try it like this.

        access-list 101 permit 172.17.0.0 255.255.0.0 172.25.0.0 255.255.0.0

        EDIT:
        I just checked my PIX 501; this is how I have mine.

        access-list 101 permit (inside network) (vpn network). So.
        access-list 101 permit 172.25.0.0 255.255.0.0 172.17.0.0 255.255.0.0

        And

        nat (inside) 0 access-list 101
        Last edited by Daze; 15th March 2008, 02:15.
        CCNA, Network+



        • #5
          Re: pix pptp vpn can't ping webserver | hosts

          OK, thanks, I'll check it on Monday because remote telnet is disabled.



          • #6
            Re: pix pptp vpn can't ping webserver | hosts

            Well, first of all you have forgotten the tcp, and of course that doesn't work, because first of all I can't ping from the VPN clients to a webserver.

            access-list 101 permit (inside network) (vpn network). so this must be
            access-list 101 permit (vpn network) (inside network).

            And I use access-list inside_outbound_nat0_acl for the traffic between the VPN and the PIX, but it still doesn't work. But you said the subnets can be a problem?

            access-list inside_outbound_nat0_acl permit ip any 172.17.0.0 255.255.255.192
            So just change it into a class B, 255.255.0.0?



            • #7
              Re: pix pptp vpn can't ping webserver | hosts

              Originally posted by grimp

              And I use access-list inside_outbound_nat0_acl for the traffic between the VPN and the PIX, but it still doesn't work. But you said the subnets can be a problem?

              access-list inside_outbound_nat0_acl permit ip any 172.17.0.0 255.255.255.192
              So just change it into a class B, 255.255.0.0?
              Yes, try changing it to a Class B address.
              CCNA, Network+
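The mask question raised in #3, #6 and #7 can be checked mechanically instead of by trial on Monday. The Python script below is an added example, not code from the thread: it parses a constructed excerpt of the posted PIX 6.3 config (pool, NAT-exemption ACL and the `nat (inside) 0` statement) and reports which PPTP pool addresses fall outside the nat 0 ACL for each mask proposed in the thread (255.255.255.192 as posted, 255.255.255.224 from #3, 255.255.0.0 from #4 and #7).

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 config posted above: the PPTP pool, the
# NAT-exemption ACL and the nat 0 statement that binds them. Not a live dump.
PIX_CONFIG = """
ip local pool pocketpool 172.17.0.1-172.17.0.32
access-list inside_outbound_nat0_acl permit ip any 172.17.0.0 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$", re.M)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$", re.M)
ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$", re.M)


def pix_net(tokens):
    """Parse one PIX address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    PIX 6.x ACLs take real subnet masks, not IOS-style wildcard masks."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def pool_addresses(config):
    """Expand the 'ip local pool' range into its individual client addresses."""
    name, first, last = POOL_RE.search(config).groups()
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return name, [ipaddress.ip_address(a) for a in range(lo, hi + 1)]


def uncovered_pool_addresses(config):
    """Pool addresses that no ACE of the nat 0 ACL matches as destination.
    Those clients are NATted instead of exempted, so inside hosts never answer them."""
    acl_name = NAT0_RE.search(config).group(2)
    dest_nets = []
    for name, _proto, rest in ACE_RE.findall(config):
        if name == acl_name:
            _src, rest = pix_net(rest.split())
            dest_nets.append(pix_net(rest)[0])
    _, addrs = pool_addresses(config)
    return [str(a) for a in addrs if not any(a in n for n in dest_nets)]


def uncovered_with_mask(mask):
    """Re-run the check with the nat 0 ACE rewritten to a mask proposed in the thread."""
    cfg = re.sub(r"(172\.17\.0\.0) 255\.255\.255\.192", rf"\1 {mask}", PIX_CONFIG)
    return uncovered_pool_addresses(cfg)
```

With the posted /26 mask and the proposed /16 every pool address is exempted; the 255.255.255.224 mask from #3 leaves 172.17.0.32 uncovered, because a /27 ends at .31 while the pool runs to .32.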
