
PIX 506 PPTP can login but cannot see LAN 1

Status
Not open for further replies.

glory3321 (IS-IT--Management) - Aug 14, 2001
I set up a VPN on a PIX 506. When I try to log in I am authenticated by the firewall using the account name and password. An IP address is assigned dynamically by the PIX and is received by the remote PC.

However, when I try to ping the internal network I get no reply from any internal IP address.
 
There are several things you can do at this point.
1. Enable logging on the PIX to the buffer or to a syslog server so you can capture what happens.

config t
logging on
logging host x.x.x.x
logging trap debugging
logging buffered debugging

After enabling logging, try pinging again and see what shows up. It's possible an access list is blocking packets in one direction or the other. This should tell you.

2. Enable debugging on the PIX for ICMP packets

debug icmp trace

Check the log again. You should have some indication of why the ping failed. Remember to turn off debugging when you are done. You should also disable the logs or set them back to something that is not as intensive as debugging, perhaps errors.

Bluecrack
 
Thanks BlueCrack..

The problem is that when the remote user logs in to the PIX through PPTP, the PIX gives it an IP address that is an internal IP.
The internal network can ping the remote user and can even view its shared files. However, when the remote user tries to ping the internal network, it seems it cannot find any route to reach the network.

conduit icmp any any was configured; do you have any idea?

 
Off the top of my head, I would say it sounds like an access-list problem or a routing problem.

Curiously, did you enable the logging? What messages came up when you tried to ping an internal client from the VPN client? You can also try a traceroute to the internal network to give you an idea of where the packets are dropping.

What client OS are you using? What are you using for the PPTP connection? Also, is the VPN client trying to ping an IP address or a DNS name?

Bluecrack
 
The logging does not say much. I am only using the Microsoft PPTP client service. I can log in successfully, but I think the problem is the routing?

Do I need to open GRE (Generic routing Protocol)?

fixup protocol gre 47

Right now I have not opened this port on the PIX.

I am only using Windows 2000 Professional as the client, using the PPTP service to connect to a PIX 506 running version 5.3.
 
I am having a similar problem with a PIX 515. The following was very helpful at solving part of the problem:
Currently, the PPTP client can ping the internal network and the internal network can ping the PPTP client. But the PPTP client cannot log in to an NT domain nor view shared resources. When logging is enabled, the firewall is clearly blocking the attempts to browse/view a resource. Interestingly, a mail server can be accessed (IP address, port 25). sysopt connection permit-pptp has been enabled. Any suggestions?
Thanks!
 
Hi Point2,

What kind of PPTP local pool did you use?

In my case I used the same network address as my internal network, for example 192.168.25.1 to 192.168.25.100 for my internal network.

Then I set 192.168.25.101-192.168.25.115 as the PPTP local pool. Is this right, or should I use a different IP pool for PPTP?

Thanks!
 
glory3321,

You may have a problem with defining the PPTP local pool on the same subnet as the inside PIX interface. When I used PPTP on the PIX I used

192.168.10.0 /24 as the inside network's subnet
and
192.168.5.1 - 192.168.5.20 /24 as the local pool

Note: 192.168.10.0 is DHCP-assigned via another DHCP server (not the PIX).

This setup worked well for months.

Bluecrack
 
Hello BlueCrack,

I noticed in the console log that it does not seem to allow pinging internally. Here is the log from the PIX.

106010: Deny inbound icmp src outside:192.168.20.150 dst inside:192.168.25.81 (type 8, code 0)
106011: Deny inbound (No xlate) tcp src outside:192.168.20.150/1237 dst outside

Here is the only access-list that I defined on the PIX:

access-list japvpn permit ip 192.168.0.0 255.255.0.0 130.2.0.0 255.255.0.0

The NAT I defined is:

nat (inside) 0 access-list japvpn

conduit permit icmp any any

ip local pool pptp-pool 192.168.20.150-192.168.20.159

Everything seems fine, including login; the internal network can see the PPTP client.

However, the PPTP client cannot ping the internal network; it is being blocked by the PIX. Is there a way to allow the PPTP client to ping and access the resources of the internal network?

What command shall I use?

Thanks

Glory3321
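Pulling the pieces of this thread together, here is an added example configuration (it is not any poster's own config, and the addresses, pool name, syslog host and username are assumptions) showing the layout the replies converge on: a PPTP client pool on its own subnet rather than inside the LAN range, a nat 0 exemption whose access-list actually covers that pool (the japvpn list above matches 130.2.0.0/16, not the pool), sysopt connection permit-pptp so decapsulated PPTP traffic bypasses the conduit/access-list checks, and logging to the buffer and a syslog host so a 106010/106011 deny shows up while you test. The vpdn syntax is the PIX 6.x form; lines starting with ":" are comments the PIX ignores.

```cisco
: Assumed addressing: inside LAN is 192.168.10.0/24, PPTP clients get 192.168.5.0/24
ip address inside 192.168.10.1 255.255.255.0
ip local pool pptp-pool 192.168.5.1-192.168.5.20

: Exempt LAN <-> PPTP-pool traffic from NAT so "No xlate" denies do not occur
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let PPTP-decapsulated traffic bypass conduit/access-list checks
sysopt connection permit-pptp

: PPTP server: accept dial-in, MS-CHAP + MPPE, addresses from the pool, local user database
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication local
vpdn username vpnuser password ********
vpdn enable outside

: Logging at debugging level while troubleshooting; drop to errors afterwards
logging on
logging buffered debugging
logging trap debugging
logging host inside 192.168.10.50
```

After connecting a client, show vpdn confirms the tunnel and the address handed out, and show logging shows whether the pings are still being denied; once the test passes, set the logging levels back down, since debugging-level logging on a PIX 506 is expensive.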