Firewall Wizards mailing list archives
Pix - access list trouble?
From: "Michael H" <af_pilot33 () hotmail com>
Date: Fri, 02 Jul 2004 13:08:54 -0700
Hello, I've been working on this for a couple of weeks now and just can't seem to get it to work. I think I'm pretty close, but I've exhausted my book searches and various newsgroup reviews trying to see what it might be.
This is a remote location where I want to force all users to have to connect via our VPN and not have the ability for any other traffic to pass.
I'm having some trouble getting traffic to pass from the remote user (172.16.10.x) to the RAS Server (10.10.10.43) and back allowing for a VPN session to get created. I can ping the remote user from the remote pix and I can ping the RAS Server from the remote pix.
I am unable to get the remote user to successfully start the VPN session though. This is all I want them to be able to do, so I don't currently have ICMP or anything open to validate it can send and receive the ping packet. Perhaps I should do that, or is what I'm missing obvious?
Pix-515 Version 6.3(3)

Network layout looks like this:

    RAS Server        10.10.10.43
         |
    Internal Router   10.10.10.30
         |
    Remote Router     10.0.0.30
         |
    Remote Pix        10.0.0.100 / 172.16.10.1
         |
    Remote User       172.16.10.65

nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 172.16.10.0 255.255.255.0 0 0
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.254.0 0 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

access-list dmz permit tcp 172.16.10.64 255.255.255.240 host 10.10.10.43 eq pptp
access-list dmz permit gre 172.16.10.64 255.255.255.240 host 10.10.10.43
access-list dmz deny ip any any
access-list dmz permit ip any any

access-list inside_acl permit gre host 10.10.10.43 172.16.10.64 255.255.255.240
access-list inside_acl permit tcp host 10.10.10.43 172.16.10.64 255.255.255.240 eq pptp
access-list inside_acl deny ip any any
access-list inside_acl deny udp any any

My routes:

inside 10.0.0.0 255.255.255.0 10.0.0.100 1 CONNECT static
inside 10.10.10.0 255.255.254.0 10.0.0.100 0 OTHER static
dmz 172.16.10.0 255.255.255.0 172.16.10.1 1 CONNECT static

Thanks for your input!

Michael

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
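An added check, not from the post or the list: a small Python model of PIX first-match access-list evaluation, run over the two access-lists exactly as posted. It confirms that PPTP (TCP 1723) and GRE from 172.16.10.65 to 10.10.10.43 are permitted by the dmz list, that any other flow hits the explicit "deny ip any any", and that the trailing "permit ip any any" in dmz and "deny udp any any" in inside_acl can never be reached because the broader deny above them matches first. Only the address forms used in the post (any, host, address + mask) and the "eq" port form are parsed.

```python
import ipaddress

# Both access-lists exactly as posted (constructed test input for this check).
DMZ_ACL = """
access-list dmz permit tcp 172.16.10.64 255.255.255.240 host 10.10.10.43 eq pptp
access-list dmz permit gre 172.16.10.64 255.255.255.240 host 10.10.10.43
access-list dmz deny ip any any
access-list dmz permit ip any any
"""
INSIDE_ACL = """
access-list inside_acl permit gre host 10.10.10.43 172.16.10.64 255.255.255.240
access-list inside_acl permit tcp host 10.10.10.43 172.16.10.64 255.255.255.240 eq pptp
access-list inside_acl deny ip any any
access-list inside_acl deny udp any any
"""
PORT_NAMES = {"pptp": 1723}  # PIX port keyword -> port number

def _net(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a real subnet mask here, not an IOS-style wildcard.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Return the ordered entries as (action, proto, src_net, dst_net, dst_port)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _net(t[4:])
        dst, rest = _net(rest)
        port = PORT_NAMES.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, int(port) if port else None))
    return entries

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins, as on the PIX; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, sn, dn, port) in enumerate(acl):
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action, i
    return "deny", None

def shadowed(acl):
    """Indices of entries that an earlier, broader entry makes unreachable."""
    def covers(a, b):  # does entry a match every packet entry b would match?
        return a[1] in ("ip", b[1]) and b[2].subnet_of(a[2]) and b[3].subnet_of(a[3]) and a[4] in (None, b[4])
    return [j for j in range(len(acl)) if any(covers(a, acl[j]) for a in acl[:j])]
```

Running evaluate() for the remote user's PPTP and GRE flows returns ("permit", 0) and ("permit", 1); a host outside 172.16.10.64/28 returns ("deny", 2), and shadowed() reports index 3 for both lists.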