Firewall Wizards mailing list archives

Pix - access list trouble?


From: "Michael H" <af_pilot33 () hotmail com>
Date: Fri, 02 Jul 2004 13:08:54 -0700

Hello,
I've been working on this for a couple of weeks now and just can't seem to get it to work. I think I'm pretty close, but I've exhausted my book searches and various newsgroup reviews trying to see what it might be.

This is a remote location where I want to force all users to have to connect via our VPN and not have the ability for any other traffic to pass.

I'm having some trouble getting traffic to pass from the remote user (172.16.10.x) to the RAS Server (10.10.10.43) and back allowing for a VPN session to get created. I can ping the remote user from the remote pix and I can ping the RAS Server from the remote pix.

I am unable to get the remote user to successfully start the VPN session though. This is all I want them to be able to do so I don't currently have ICMP or anything open to validate it can send and receive the ping packet. Perhaps I should do that or is what I'm missing obvious?

Pix-515
Version 6.3(3)
Network layout looks like this:

RAS Server -10.10.10.43
        |
Internal Router -10.10.10.30
        |
Remote Router - 10.0.0.30
        |
Remote Pix - 10.0.0.100/172.16.10.1
        |
Remote User – 172.16.10.65

nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 172.16.10.0 255.255.255.0 0 0
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.254.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

access-list dmz permit tcp 172.16.10.64 255.255.255.240 host 10.10.10.43 eq pptp
access-list dmz permit gre 172.16.10.64 255.255.255.240 host 10.10.10.43
access-list dmz deny ip any any
access-list dmz permit ip any any
access-list inside_acl permit gre host 10.10.10.43 172.16.10.64 255.255.255.240
access-list inside_acl permit tcp host 10.10.10.43 172.16.10.64 255.255.255.240 eq pptp
access-list inside_acl deny ip any any
access-list inside_acl deny udp any any

My routes:
inside 10.0.0.0 255.255.255.0 10.0.0.100 1 CONNECT static
inside 10.10.10.0 255.255.254.0 10.0.0.100 0 OTHER static
dmz 172.16.10.0 255.255.255.0 172.16.10.1 1 CONNECT static

Thanks for your input!
Michael
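A first-match evaluator for the dmz list above (an added example, not code from the post or from Cisco): it walks the rules top-down the way the PIX does, reports which line handles the PPTP control connection (TCP/1723), the GRE tunnel traffic and anything else from the remote user, and flags lines that can never be reached. It assumes only the rule syntax used in the post (permit/deny, protocol, any/host/address-mask, optional `eq port`).

```python
import ipaddress
# The dmz access-list exactly as given in the post (copied here as constructed input).
DMZ_ACL = [
    "access-list dmz permit tcp 172.16.10.64 255.255.255.240 host 10.10.10.43 eq pptp",
    "access-list dmz permit gre 172.16.10.64 255.255.255.240 host 10.10.10.43",
    "access-list dmz deny ip any any",
    "access-list dmz permit ip any any",
]
PORT_NAMES = {"pptp": 1723}  # PPTP control channel; its data channel is GRE (IP proto 47)

def _addr(tokens):
    # Consume one PIX address spec (any | host A | A MASK); return (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_rule(line):
    # 'access-list NAME ACTION PROTO SRC DST [eq PORT]' -> dict (subset of PIX syntax only)
    t = line.split()
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    # Top-down, first match wins; returns (action, line number); no match = implicit deny
    for n, r in enumerate(map(parse_rule, acl), 1):
        if (r["proto"] in ("ip", proto) and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"] and r["dport"] in (None, dport)):
            return r["action"], n
    return "deny", None

def unreachable(acl):
    # Line numbers whose match set is fully covered by an earlier line (never consulted)
    rules = list(map(parse_rule, acl))
    shadowed = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e["proto"] in ("ip", r["proto"]) and r["src"].subnet_of(e["src"])
                    and r["dst"].subnet_of(e["dst"]) and e["dport"] in (None, r["dport"])):
                shadowed.append(i + 1)
                break
    return shadowed

if __name__ == "__main__":
    for proto, port in [("tcp", 1723), ("gre", None), ("icmp", None)]:
        print(proto, port, evaluate(DMZ_ACL, proto, "172.16.10.65", "10.10.10.43", port))
    print("unreachable lines:", unreachable(DMZ_ACL))
```

For the remote user 172.16.10.65 the control connection is permitted by line 1 and GRE by line 2, ICMP falls through to the deny on line 3, and the trailing `permit ip any any` is reported as unreachable because line 3 already covers everything it could match.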


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

