pix做vpn，vpn client拨入后不能访问内网

现在的问题是内网地址可以ping通vpn client地址，可以ping通outside地址，但vpn client 不能ping通内网地址，outside地址不能ping通内网地址
( l' k: b; g, [8 J: H下面是配置：
# D9 z0 X1 L& X' v& u4 cpix520(config)# sh run
: Saved
+ r  ?1 n9 c7 ^, t. h9 @:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
9 {' J3 p) Z5 U% r8 a+ m/ N9 fnameif ethernet0 outside security0
nameif ethernet1 inside security100
! Z' X+ y4 _$ ]' [' anameif ethernet2 dmz security50
5 e, \8 y5 U# _enable password KtzYd.GV6Ee0dpHi encrypted
( `4 K( h/ a9 _8 Ppasswd KtzYd.GV6Ee0dpHi encrypted
hostname pix520
3 u6 N( b( I) W+ \) M/ p. h5 Afixup protocol dns maximum-length 512
8 w( o, w2 T3 p  o( X1 `" E' U! J5 Tfixup protocol ftp 21
: L5 I/ T# @0 w( wfixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
6 I+ G8 n$ _  m% g* m$ `* ]fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
# I+ L- y" J) rfixup protocol sip udp 5060
8 J: M6 c1 ^3 _7 K+ T4 N, Z/ N  Qfixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
  R( m$ J0 u; z6 z. A9 s# xfixup protocol tftp 69
/ I6 l( o& t3 d! r' Y1 n& Onames
access-list 100 permit icmp any any
access-list 110 permit ip host 192.168.1.2 172.16.16.0 255.255.255.0
( z' ]# }& s  N" c# Taccess-list 110 permit ip host 192.168.1.1 172.16.16.0 255.255.255.0
pager lines 24
( G2 ~! }! Q  N( p8 Alogging on
  Y& V) d- U5 ]9 ~$ u3 ~! amtu outside 1500
mtu inside 1500
: B/ O9 T- M% ]% D2 W: ymtu dmz 1500
ip address outside 10.166.17.24 255.255.255.224
ip address inside 192.168.1.1 255.255.255.248
& r  x/ ?0 o% S# n2 ~1 i9 B: m6 f- n6 uip address dmz 192.168.2.254 255.255.255.0
  G/ y% t9 x* O+ m/ Tip audit info action alarm
ip audit attack action alarm
5 W8 l* E" D& ~4 j. w* g. i  vip local pool vpn 172.16.16.1-172.16.16.10
no failover
% @3 e) x5 Z7 i( K, o& b. D) Mfailover timeout 0:00:00
failover poll 15
no failover ip address outside
5 g0 `% O% h, ~. d0 R" C( D1 o" Ano failover ip address inside
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
0 R1 S! T" I5 f) pnat (inside) 0 access-list 110
1 j9 A( U" `; Jnat (inside) 1 10.166.21.197 255.255.255.255 0 0
2 J: C, B* z: X8 j; vnat (inside) 1 10.166.21.229 255.255.255.255 0 0
% @+ T" y3 ~' e* l5 O# p6 Vnat (inside) 1 10.166.21.231 255.255.255.255 0 0
nat (inside) 1 192.168.1.0 255.255.255.248 0 0
5 f; a* G$ _/ X& enat (inside) 1 10.166.17.0 255.255.255.224 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
access-group 100 in interface outside
- [8 Z2 @- j5 x7 I; s  G0 z; p: Rconduit permit icmp any any
conduit permit ip 172.16.1.0 255.255.255.0 any
route outside 0.0.0.0 0.0.0.0 222.171.24.161 1
7 y% t. A) Z: Y6 l5 l8 @route outside 10.166.0.0 255.255.0.0 10.166.17.30 1
route inside 10.166.21.197 255.255.255.255 192.168.1.6 1
route inside 10.166.21.229 255.255.255.255 192.168.1.6 1
route inside 10.166.21.231 255.255.255.255 192.168.1.6 1
' {' X0 [0 B8 _( z' G0 w. Ntimeout xlate 3:00:00
$ R( M3 }/ a1 V" O1 O* d! l$ ]timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
8 F5 G+ ]4 A8 E& w% e0 n: |timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
% I' u. q& Q, b0 Q& zaaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
( l/ v* L- [  r$ @& Yaaa-server RADIUS max-failed-attempts 3
; A1 c& `8 h, C4 p& x: uaaa-server RADIUS deadtime 10
, K+ C, m3 h- haaa-server LOCAL protocol local
( C: w2 A) R1 P/ Y4 Y( Cno snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
5 j% K4 }4 a5 Y1 M3 Atelnet 10.166.17.0 255.255.255.224 inside
' l+ B1 U, U( P: l! S6 ~! ^- etelnet 192.168.1.0 255.255.255.248 inside
telnet 172.16.16.0 255.255.255.0 inside
: u  y. K1 e- S( Qtelnet timeout 5
# I% E% J' T9 g6 Xssh timeout 5
' S# ?  k& C% g4 ~console timeout 10
vpdn group vpn accept dialin pptp
vpdn group vpn ppp authentication chap
vpdn group vpn ppp authentication mschap
vpdn group vpn client configuration address local vpn
vpdn group vpn pptp echo 60
: x! M' D0 i- s& m+ Avpdn group vpn client authentication local
4 y" q: t  `- q( N1 f! z" svpdn username hrbbvpn password *********
vpdn enable outside
7 b: n8 R. `7 E2 F# Cterminal width 80
7 B; }2 b, R( d9 ^) BCryptochecksum:fe58163e929e292f23b07d8e0e890ac3
$ L9 R# v) b6 s2 o0 a: end

顶上去，帮我解决问题呀，都好几天了，还没解决。

ip local pool vpn 172.16.16.1-172.16.16.10
用pptp做vpn,地址池应和内网在同一个网段,而ipsec vpn则不存在这种问题，试试看行么.

qq:365238063

楼上的，别误引人家.

[QUOTE=yqmqk123;1552253]ip local pool vpn 172.16.16.1-172.16.16.10
用pptp做vpn,地址池应和内网在同一个网段,而ipsec vpn则不存在这种问题，试试看行么.
) `9 j0 I3 v' G1 ]. r, K, f
qq:365238063[/


; {' t  h( l$ L8 T) p% B" KVPN地址池的地址无论跟内网地址在同一网段或不同网段都不行

: Saved
: Written by enable_15 at 05:21:42.610 UTC Fri Jan 1 1993
4 X: d/ ?- Z% T( D6 z8 T  KPIX Version 6.3(1)
interface ethernet0 auto
( `3 X% u! d! d! Y( pinterface ethernet1 auto
( c" V% v1 t2 f! Y1 einterface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
, s( T$ [! J% P1 \& B3 Tenable password BBW5rMAbR8M/iSky encrypted
3 ~' ?" L0 S: g4 ~' kpasswd BBW5rMAbR8M/iSky encrypted
* \* [% f6 ?! p$ S, Ohostname pix515
1 i8 M0 J' @0 V, x8 q  Ffixup protocol ftp 21
fixup protocol h323 h225 1720
2 s  p- G' P4 t9 t7 _fixup protocol h323 ras 1718-1719
fixup protocol http 80
8 y  r$ v6 Y+ v1 W0 k8 W! O7 Kfixup protocol ils 389
. r1 X5 y0 a7 u' Wfixup protocol rsh 514
, ]9 T- [( g6 s3 Vfixup protocol rtsp 554
6 ~! |$ A$ f9 V* _fixup protocol sip 5060
fixup protocol sip udp 5060
  [) s5 q6 W6 w# B; _$ }$ y! j' R( Cfixup protocol skinny 2000
fixup protocol smtp 25
, }$ \" @/ ?/ y: ]fixup protocol sqlnet 1521
names
( Z; _* r5 n+ R% ^access-list 101 permit ip 192.168.188.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
8 A: @' M* [" H- }; |$ \mtu inside 1500
6 K5 P$ r: y, Emtu intf2 1500
/ N0 T( N! h8 j" Y* ]0 K# y3 tip address outside 192.18.121.251 255.255.255.0
" c$ ~/ a5 L6 zip address inside 192.168.188.50 255.255.255.0
& X& M, H6 B$ H) xno ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
/ u2 Z) i' k! y4 T- b+ Zpdm history enable
arp timeout 14400
. j1 d; ~4 r/ l0 K2 D, Gglobal (outside) 1 192.18.121.80-192.18.121.90 netmask 255.255.255.0
5 J0 V2 w. o8 r5 w- o8 k! C3 Qnat (inside) 0 access-list 101
nat (inside) 1 192.168.188.0 255.255.255.0 0 0
conduit permit tcp any any
conduit permit icmp any any
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 192.18.121.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
$ `/ Y' x2 w  Y' j# ^timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
, r4 {. N) P0 u7 @* b* _aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
/ h1 V& ~+ u% J' S- j! Q% Q; @1 G% bhttp server enable
no snmp-server location
; ]# V2 j2 b' Mno snmp-server contact
9 m8 A# D  q7 Z5 usnmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
$ {' h6 U5 t2 ^' U9 q, r1 Hssh timeout 5
" \& ]1 f1 Z0 Bconsole timeout 0
3 A$ p/ {0 s2 k& v& bvpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
9 X  d+ ]* E; n3 p: m9 }vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password cisco
; G2 \0 o7 X* G4 w6 Z* f/ G7 B( uvpdn enable outside
5 o8 Q' @  k5 J8 L5 I  p. L1 Tterminal width 80
Cryptochecksum:fa58cbeb1dd1dc3d2681a13b218aab88
: end
" H6 w, I% [1 a& f这是我在pix515E上做成功的实验.
外网:192.18.121.x
内网：192.168.188.x
0 ^$ ^- P0 }; [) N  g' |  BＶＰＤＮ：192.168.1.Ｘ
1 x0 r& @& P4 r  PＰＩＸ：内网口接PC
PC：LAN IP 192.168.188.x
       网关：192.168.188.50
& D$ U! F6 u. b7 n/ Z: d/ k       DNS:当地的DNS
说明:把192.18.121.x网段当外网段，因为这个网段接另一个路由器可以上网的。你看看有没有帮助吧

vpdn group 1 ppp encryption mppe auto
兄弟，这句话在show run的时候能显示出来吗？我条设置我确实做过，但在show run中没有显示出来。

今天我把配置做了改动，改了配置后，vpn拨入后能访问dmz里的主机，不能访问inside里的主机。dmz里的主机能访问外网和vpn client，但不能访问inside里的主机。inside里的主机可以对dmz里的主机和vpn client访问。
% p2 f" c( g4 w& B/ Y
我的目的：想让vpn client拨入后能访问inside里的主机，或dmz里的主机能访问inside里的主机，都可以。

注：外网、dmz里的主机、inside里的主机都是直连到pix520上的，pix520的os是6.3（5）版本。

附配置：
- P+ c1 J, Q- zpix520# sh run
  g0 A; j; t7 C/ @, ?4 z: Saved
; ~. K' ?8 W* E:
: v# h" F  h4 N: MPIX Version 6.3(5)
4 n5 j% V3 y" e  Y# yinterface ethernet0 auto
8 ], ?5 i9 q2 J( E9 j% `# F( einterface ethernet1 auto
; x! f0 e. k! Einterface ethernet2 auto
+ O4 P, o- E4 \' Z, J% lnameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password KtzYd.GV6Ee0dpHi encrypted
passwd KtzYd.GV6Ee0dpHi encrypted
hostname pix520
fixup protocol dns maximum-length 512
- K$ A1 H  B# xfixup protocol ftp 21
fixup protocol h323 h225 1720
* ^' `3 W! F3 H* k! c7 g8 k' }fixup protocol h323 ras 1718-1719
fixup protocol http 80
' j3 p3 V! L3 r, Ffixup protocol pptp 1723
0 A# c6 N6 M# N/ I8 W* ffixup protocol rsh 514
fixup protocol rtsp 554
( v) R9 |) U" kfixup protocol sip 5060
" w# p& A- A4 N% D" ofixup protocol sip udp 5060
- i, h( p8 s/ C- J% M3 \fixup protocol skinny 2000
fixup protocol smtp 25
, K3 Z6 Y' Y2 g: {0 y9 Wfixup protocol sqlnet 1521
, i9 B' G. a4 Y$ N& ~' y2 ?fixup protocol tftp 69
; B: z6 e0 b: @8 ^1 R! Ynames
3 A: g1 F+ G4 u9 Z' ?access-list 101 permit icmp any any
4 R% _; H" f# d) _- `access-list 101 permit tcp any any eq 3389
3 J& ]; q% X" P0 X* d7 A3 {1 Baccess-list 101 permit ip any any
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq 3389
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.192.192.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list 111 permit ip 192.192.192.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 111 permit ip 192.192.192.0 255.255.255.0 172.16.16.0 255.255.255.0
pager lines 24
% }( }1 G! m4 {: p" j4 klogging on
' G2 r5 U! o" Elogging monitor notifications
logging buffered errors
logging history informational
mtu outside 1500
mtu inside 1500
: y+ ~  H: V5 ?# b9 C# z' smtu dmz 1500
" B5 _# h! j4 _, Xip address outside 10.166.17.24 255.255.255.224
; r9 ?/ |4 p6 ]ip address inside 192.192.192.1 255.255.255.0
ip address dmz 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
- z' U+ q0 r3 E8 bip local pool vpn 172.16.16.1-172.16.16.254
  ?; `# v0 E9 ?$ X$ Nno failover
failover timeout 0:00:00
( |3 H) r( s% x+ Xfailover poll 15
7 i: c) k! ?* }2 ~+ r' O$ F3 x" H8 Ano failover ip address outside
' Y$ A" k. i9 M# Zno failover ip address inside
  R* I- g! V8 \no failover ip address dmz
  W, z0 }  _0 e+ R5 b6 dpdm history enable
5 m* k: t0 B0 X( }; F' Barp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 111
nat (inside) 1 192.192.192.0 255.255.255.0 0 0
2 F1 J1 S/ R0 S- M' w9 }8 bnat (dmz) 0 access-list 110
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
; }! r6 a/ X! L- Vstatic (inside,dmz) 192.192.192.2 192.192.192.2 netmask 255.255.255.255 0 0
7 S1 w4 ~6 N2 o' M) waccess-group 100 in interface outside
access-group 101 in interface dmz
: s$ v( G  ^, T4 d; a. ]6 nroute outside 0.0.0.0 0.0.0.0 10.166.17.30 1
/ c4 O/ o0 P( Z5 s/ B+ Atimeout xlate 3:00:00
/ i& H# \4 z$ X- Q7 stimeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
4 `3 a' ^  t2 g3 j1 k1 {* a3 e! Laaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
+ b* @+ |1 x* l3 c  W/ Qno snmp-server location
9 G& ~% w& U+ i, N, P$ p0 `/ x) p! ^* gno snmp-server contact
- ^9 s) _. _* bsnmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
; S7 x: v3 q7 ksysopt noproxyarp outside
sysopt noproxyarp inside
telnet 192.192.192.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
( K$ ~8 z! b( A: Hvpdn group xxzx accept dialin pptp
vpdn group xxzx ppp authentication chap
3 L, ^  X8 @6 o0 l  ^vpdn group xxzx ppp authentication mschap
6 ~) P! N/ d: E8 V' A0 l, \5 i2 fvpdn group xxzx client configuration address local vpn
vpdn group xxzx pptp echo 60
" B6 i3 E9 j) i8 ]2 {vpdn group xxzx client authentication local
6 E: s0 W6 ~, [4 A; p; dvpdn username hrbbxxzx password *********
( w3 k% t, {  h& b3 ^" Rvpdn enable outside
, h0 ]: t, R1 B2 sterminal width 80
! }: h% O9 G- ?7 K1 aCryptochecksum:ca107db971e827731294bffc5e00dc39
: end
pix520#

顶上去

帮顶.  同样的问题