Cisco VPN 3000 (3060), PIX 515E and PPTP Sessions - Help Pls


    Hi All;

    I hope you can help me to solve this annoying issue.

    I have a Cisco VPN 3060 set up to accept PPTP connections to it; the VPN Server authenticates against a Freeradius server.

    The setup is working fine; users get accepted or rejected based on the username/password combination.

    My problem begins when I have 2 users connecting from the same network, like an internet cafe: the VPN Server denies the connection, throwing a message like this one:

    1054 08/28/2009 13:14:56.590 SEV=4 PPTP/33 RPT=68 93.196.12.221
    PPTP tunnel for peer 93.196.12.221 denied - already established

    I had a look everywhere to try to resolve this and couldn't find a solution. Then I thought, if I place a PIX 515E before the VPN Server and NAT all incoming connections to different IP Addresses, that might resolve it. No chance, same thing: the PIX is dishing out the same IP Address and the VPN server is rejecting.

    This is the PIX setup:


    PIX Version 8.0(4)
    names
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 90.xxx.xxx.108 255.255.255.240
    !
    interface Ethernet1
    shutdown
    nameif inside
    security-level 100
    no ip address
    !
    interface Ethernet2
    nameif DMZ
    security-level 50
    ip address 10.10.100.10 255.255.0.0
    !
    boot system flash:/image.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name kaduco.com
    access-list outside_access_in extended permit tcp any host 90.xxx.xxx.107 eq pptp
    access-list outside_access_in extended permit gre any host 90.xxx.xxx.107
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1460
    mtu inside 1500
    mtu DMZ 1460
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (DMZ) 1 10.10.101.1-10.10.110.254 netmask 255.255.0.0
    nat (outside) 1 0.0.0.0 0.0.0.0 outside norandomseq
    static (DMZ,outside) 90.xxx.xxx.107 10.10.100.100 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 90.xxx.xxx.97 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 DMZ
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !


    Thanks

    Lucio
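Added example (editor's note, not part of Lucio's post or of any Cisco tooling): the concentrator message above says it keys PPTP tunnels on the peer address, so every client behind one internet-cafe NAT looks like the same peer. The Python below does two things. First, it parses VPN 3000 event lines in the two-line format quoted in the post (the field layout is inferred from that single sample and is an assumption) and flags peer addresses with repeated "already established" denials, which is the signature of many clients behind one NAT. Second, it models why a dynamic NAT pool on the PIX (the `nat (outside) 1` / `global (DMZ) 1 10.10.101.1-10.10.110.254` pair in the config) does not help: dynamic NAT creates one xlate per original source host, so two clients arriving from 93.196.12.221 get the same translated address and collide on the concentrator exactly as before. The log lines other than the quoted one are constructed; the NAT and concentrator classes are simplified models, not PIX or VPN 3000 code.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Header line layout inferred from the single event quoted in the post (assumption):
# <seq> <mm/dd/yyyy> <hh:mm:ss.mmm> SEV=<n> <class>/<id> RPT=<n> <peer-ip>
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+SEV=(?P<sev>\d+)\s+(?P<cls>\w+)/(?P<evid>\d+)\s+RPT=(?P<rpt>\d+)\s+(?P<peer>[\d.]+)\s*$"
)
DENIED_RE = re.compile(r"^PPTP tunnel for peer (?P<peer>[\d.]+) denied - already established$")

# Constructed sample: the first event is the one quoted in the post, the rest are made up
# (one more denial from the cafe address, one lone denial from an unrelated address).
SAMPLE_LOG = """\
1054 08/28/2009 13:14:56.590 SEV=4 PPTP/33 RPT=68 93.196.12.221
PPTP tunnel for peer 93.196.12.221 denied - already established
1055 08/28/2009 13:15:02.110 SEV=4 PPTP/33 RPT=69 93.196.12.221
PPTP tunnel for peer 93.196.12.221 denied - already established
1056 08/28/2009 13:15:40.003 SEV=4 PPTP/33 RPT=70 198.51.100.7
PPTP tunnel for peer 198.51.100.7 denied - already established
"""


def parse_events(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    events, i = [], 0
    while i + 1 < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:            # not a header: skip and resynchronise
            i += 1
            continue
        ev = m.groupdict()
        ev["msg"] = lines[i + 1].strip()
        events.append(ev)
        i += 2
    return events


def denied_already_established(events):
    """Count 'already established' denials per peer address."""
    counts = Counter()
    for ev in events:
        m = DENIED_RE.match(ev["msg"])
        if m:
            counts[m.group("peer")] += 1
    return counts


def shared_nat_suspects(events, min_denials=2):
    """Peers denied repeatedly are most likely several users behind one NAT."""
    return sorted(p for p, n in denied_already_established(events).items() if n >= min_denials)


class Concentrator:
    """Model of the rule the log message implies: one PPTP tunnel per peer address."""
    def __init__(self):
        self.tunnels = {}

    def connect(self, peer, client):
        if peer in self.tunnels:
            return f"PPTP tunnel for peer {peer} denied - already established"
        self.tunnels[peer] = client
        return "established"


class DynamicNat:
    """Simplified model of dynamic NAT from an address pool: one xlate per original
    source host, which is how a 'nat' statement paired with a 'global' range behaves."""
    def __init__(self, first, last):
        self.next_addr, self.last_addr, self.xlate = IPv4Address(first), IPv4Address(last), {}

    def translate(self, src):
        if src not in self.xlate:
            if self.next_addr > self.last_addr:
                raise RuntimeError("NAT pool exhausted")
            self.xlate[src] = str(self.next_addr)
            self.next_addr += 1
        return self.xlate[src]


def simulate_cafe(public_ip="93.196.12.221", n_clients=2):
    """n clients share one public address; dynamic NAT still maps them to one address,
    so the second connection is denied by the concentrator."""
    nat, vpn, results = DynamicNat("10.10.101.1", "10.10.110.254"), Concentrator(), []
    for k in range(n_clients):
        mapped = nat.translate(public_ip)
        results.append((mapped, vpn.connect(mapped, f"client{k}")))
    return results


if __name__ == "__main__":
    print("suspected shared NATs:", shared_nat_suspects(parse_events(SAMPLE_LOG)))
    for mapped, outcome in simulate_cafe():
        print(mapped, "->", outcome)
```

The detection half is what you would run over the concentrator syslog to confirm that the denials cluster on a handful of source addresses rather than being spread across users. The model half shows the limit of address-level NAT: anything that keys on the original source IP (the PIX xlate here, the concentrator's tunnel table on the other side) cannot tell two hosts behind the same cafe NAT apart, and GRE carries no port number that a per-connection PAT could key on, so the translated address is the same for both.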