
PIX PPTP Question

MysticLlama

Golden Member
I've got one little remaining bug that I can't seem to see in my PIX trying to get PPTP to terminate on it.

Here's how far I get at the moment.

The PIX accepts PPTP connections from the outside.
The PIX then uses an aaa server via RADIUS to a Windows 2000 server and gets authentication information for the user.
.....(Which is actually really cool because it even asks for the allow dial-in flag)
The user gets authenticated and the box gets a valid IP address for the network.

The IP is given out, but with a subnet mask of 255.255.255.255 and a gateway of itself. I think this is fine, because it works the same way on my old Windows VPN server.

Do I have to have a specific access-list to allow this traffic back and forth? I get logged on and get an IP, but I can't actually ping anything inside of the network.

According to the book I have, since I have "sysopt connection permit-pptp" in there, it should pass through all traffic without an access-list.

Does that sound right?

Also, the other question, I'm giving the devices on the outside regular internal IPs from the 255.255.255.0 range internally. Is that wrong? Is it automatically trying to do NAT and screwing me up? I found that out through trial and error with the DMZ trying to give it external IPs, but it really just wanted its own internal range.

 
I've got some PIX knowledge so I'll give it a shot. Someone more knowledgeable please correct me if I'm wrong.

You need to give the external devices addresses that can be routed on your internal network but not in the same address range as the internal network. Yes, there will be a NATing problem if you use the same addresses.

I'm not sure what the "sysopt connection permit-pptp" command does. I've never used it. I've always created an access list for the tunnel and that seemed to work.
 
Ah, I see, I'll go give changing the addresses to something else a shot and see what I get.

Am I going to need NAT statements for the new address range, or since they are all on the same device is it going to figure it out?

The sysopt permit line is explained like this in the book:
"This command implicitly allows all traffic from authenticated PPTP clients to pass to its destination without additional conduits or access lists. Without this command it is required to create additional entries in the access lists on the outside interface, because even if dial-in clients obtain an internal IP address, their packets still arrive on the outside interface."

I may go with access lists to mold what's allowed through this, but that seemed like a simple way for me to allow all traffic, and keep that out of the things to troubleshoot while I'm testing it.
 
Well, I changed the IPs, but I also did have to add a line to my access list to get it to work.

So now it's working great.

I only have one last problem... how do I get traffic to "turn around" and get back out to the Internet from the PIX?

It connects up, I can see everything internally just fine, but I don't have any Internet access. I'd like to allow the clients to be able to get to the Internet, but for the users for this, I'd rather have them behind the firewall the whole time and not split-tunnel them, if possible.

Thanks for pointing me in the right direction!
 
To be honest I'm not sure. It sounds like either a nat or routing problem. I assume you have a default route and that traffic from inside gets out ok so that points me to nat. It's been a while since I've touched one and I'm really not much of an expert but I recall having to create an access list and then assigning a nat 0 (or 1 maybe) to the access list to tell it to nat or not for those address ranges specified in the access list. I wish I could help you more. Hopefully the gurus will chime in shortly and set you on your way.
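The pieces the thread walks through (RADIUS authentication, a PPTP pool outside the inside LAN range, sysopt connection permit-pptp, and the nat 0 access-list exemption from the last reply) put together as one PIX 6.x-style configuration fragment. This is an added example, not a config posted in the thread; the inside LAN 10.1.1.0/24, the RADIUS server 10.1.1.5, the pool 192.168.200.0/24 and the shared-secret placeholder are all constructed values.

```text
! Constructed addresses (not from the thread):
!   inside LAN     10.1.1.0/24 behind the inside interface
!   RADIUS server  10.1.1.5 (the Windows 2000 box doing the dial-in check)
!   PPTP pool      192.168.200.1-192.168.200.50, routable internally but
!                  deliberately NOT inside the 10.1.1.0/24 LAN range
ip local pool pptp-pool 192.168.200.1-192.168.200.50

! RADIUS server group used to authenticate dial-in users
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 SHARED-SECRET-PLACEHOLDER timeout 5

! Terminate PPTP on the outside interface, MS-CHAP plus MPPE encryption,
! addresses from the pool, user authentication via the RADIUS group
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client authentication aaa RADIUS
vpdn enable outside

! Let authenticated PPTP clients reach inside hosts without extra
! entries in the outside interface access list
sysopt connection permit-pptp

! Exempt inside <-> pool traffic from NAT so replies are routed back to
! the pool addresses rather than being translated on the way out
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
```

For the last question in the thread, note that a PIX running 6.x will not send a client's Internet-bound traffic back out the same outside interface it arrived on, so non-split-tunnelled Internet access needs a release that supports same-security-traffic permit intra-interface (introduced in 7.0).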
 