
Cisco VPN 3000 (3060), PIX 515E and PPTP Sessions - Help Pls



    Hi All,

    I hope you can help me to solve this annoying issue.

    I have a Cisco VPN 3060 setup to accept PPTP connections to it, the VPN Server authenticates onto a Freeradius server.

    The setup is working fine; users get accepted or rejected based on the username/password combination.

    My problem begins when I have 2 users connecting from the same network, like an internet cafe: the VPN Server is denying the connection, throwing a message like this one:

    1054 08/28/2009 13:14:56.590 SEV=4 PPTP/33 RPT=68
    PPTP tunnel for peer denied - already established

    I had a look everywhere to try to resolve this and couldn't find a solution. Then I thought, if I place a PIX 515E before the VPN Server and NAT all incoming connections to different IP Addresses, that might resolve it. No chance, same thing. The PIX is dishing out the same IP Address and the VPN server is rejecting.

    This is the PIX setup:

    PIX Version 8.0(4)
    interface Ethernet0
    nameif outside
    security-level 0
    ip address
    interface Ethernet1
    nameif inside
    security-level 100
    no ip address
    interface Ethernet2
    nameif DMZ
    security-level 50
    ip address
    boot system flash:/image.bin
    ftp mode passive
    dns server-group DefaultDNS
    access-list outside_access_in extended permit tcp any host eq pptp
    access-list outside_access_in extended permit gre any host
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1460
    mtu inside 1500
    mtu DMZ 1460
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm.bin
    no asdm history enable
    arp timeout 14400
    global (DMZ) 1 netmask
    nat (outside) 1 outside norandomseq
    static (DMZ,outside) netmask
    access-group outside_access_in in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    http DMZ
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
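As an added example (not part of the post above), a small Python triage script that parses VPN 3000 event-log records in the two-line layout quoted in the post and counts the PPTP/33 "already established" denials per peer address, so that one address being denied over and over (many clients behind a single NAT address, as in the internet-cafe case) stands out in the log. The sample log is constructed with documentation-range addresses; that the message line carries the peer address after "for peer" is an assumption.

```python
import re
from collections import Counter

# Constructed sample of Cisco VPN 3000 event-log output, modelled on the record
# quoted in the post (one header line, then the message line). Peer addresses
# are made up (RFC 5737 documentation ranges); that the message line carries the
# peer address after "for peer" is an assumption.
SAMPLE_LOG = """\
1054 08/28/2009 13:14:56.590 SEV=4 PPTP/33 RPT=68
PPTP tunnel for peer 203.0.113.10 denied - already established
1055 08/28/2009 13:15:02.101 SEV=4 PPTP/33 RPT=69
PPTP tunnel for peer 203.0.113.10 denied - already established
1056 08/28/2009 13:15:40.000 SEV=4 PPTP/33 RPT=70
PPTP tunnel for peer 198.51.100.7 denied - already established
1057 08/28/2009 13:16:01.250 SEV=5 PPTP/10 RPT=3
PPTP tunnel established for peer 203.0.113.10
"""

# Header: <seq> <date> <time> SEV=<n> <class>/<code> RPT=<repeat count>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d\.\d+)"
    r"\s+SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z0-9]+)/(?P<code>\d+)\s+RPT=(?P<rpt>\d+)"
)
PEER = re.compile(r"for peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3})")


def parse_events(text):
    """Pair each header line with the message line that follows it."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is not None and line.strip():
            ev = dict(header, msg=line.strip())
            for k in ("seq", "sev", "code", "rpt"):
                ev[k] = int(ev[k])
            events.append(ev)
            header = None
    return events


def pptp_denials_by_peer(events):
    """Count PPTP/33 'already established' denials per peer address."""
    counts = Counter()
    for ev in events:
        if ev["cls"] == "PPTP" and ev["code"] == 33 and "already established" in ev["msg"]:
            p = PEER.search(ev["msg"])
            counts[p.group("peer") if p else "unknown"] += 1
    return dict(counts)


def shared_nat_suspects(events, threshold=2):
    """Peers denied repeatedly are likely several clients behind one NAT address."""
    return sorted(p for p, n in pptp_denials_by_peer(events).items() if n >= threshold)
```

Feed it the concentrator's saved event log instead of SAMPLE_LOG to see which source addresses are hitting the one-tunnel-per-peer limit.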