[Config] How do I assign default gateway for a PPTP VPN client

Author	All Replies
howlym join:2009-08-18 San Leandro, CA	[Config] How do I assign default gateway for a PPTP VPN client Hi, guys I've config the PPTP VPN on my 2651xm router, everything is good, I can dialin, I can get the IP address, I can access all servers in the LAN, but I can't access the internet through the router, I notice there's no default gateway assigned to the client, even I put "async-bootp gateway xxx.xxx.xxx.xxx" the config, there's no use. Any help will be appreciated! vpdn enable ! vpdn-group PPTP-Group ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 ! ! ! ! async-bootp gateway 10.123.3.1 async-bootp dns-server 206.13.28.12 interface Virtual-Template1 ip address 10.123.3.1 255.255.255.0 ip nat inside ip virtual-reassembly peer default ip address pool PPTP ppp encrypt mppe 128 required ppp authentication ms-chap-v2 ip local pool PPTP 10.123.3.100 10.123.3.200
	to forum · permalink · · 2009-08-31 15:30:43 ·
kamikatze join:2007-11-02	Re: [Config] How do I assign default gateway for a PPTP VPN clie Here it is, »kc.forticare.com/admin/virtual/i···nfig.png [ ] Use default gateway on remote network
	to forum · permalink · · 2009-08-31 15:41:52 ·
howlym join:2009-08-18 San Leandro, CA	Thank you so much for the prompt reply, but we do need the VPN client go surf via the VPN router. How do I config this? Thanks
	to forum · permalink · · 2009-08-31 15:44:08 ·
kamikatze join:2007-11-02 1 edit	Just make sure the above checkbox is ON and your local VPN pool, ip local pool PPTP 10.123.3.100 10.123.3.200 is part of your NAT statement (ACL). Basically what you're looking for is a non-split-tunnel configuration.
	to forum · permalink · · 2009-08-31 15:53:00 ·
howlym join:2009-08-18 San Leandro, CA	haha, how stupid I am. I did forget to put the VPN client's IP range to NAT ACT Now it works like a charm!
	to forum · permalink · · 2009-08-31 15:57:49 ·
geneticx join:2009-11-06	Hello, I'm also having the same problem do you mind if you explain to me how you added the range to your NAT ACL? Thank you very much
	to forum · permalink · · 2009-11-06 00:01:43 ·
howlym join:2009-08-18 San Leandro, CA	Sure You have to put your VPN client's IP range into your NAT ACL
	to forum · permalink · · 2009-11-06 00:07:59 ·
geneticx join:2009-11-06	said by howlym : Sure You have to put your VPN client's IP range into your NAT ACL Thanks for the reply, I been searching desperately for long hours. Ok, so I have to enter my VPN client's IP range into my NAT ACL: but I don't know how to do this, can you please elaborate on this.. these are some of my NAT rules ip nat inside source static tcp 192.168.1.100 portnumber interface Dialer1 portnumber is this ^ how I suppose to do it? Your help is much appreciated.
	to forum · permalink · · 2009-11-06 00:17:25 ·
howlym join:2009-08-18 San Leandro, CA	ip nat inside source static tcp 192.168.1.100 portnumber interface Dialer1 portnumber this is not ACL, ACL is something like ip access-list extended NAT deny ip 192.168.0.0 0.0.0.255 10.123.11.0 0.0.0.255 deny ip 192.168.0.0 0.0.0.255 10.123.12.0 0.0.0.255 deny ip 192.168.0.0 0.0.0.255 10.123.21.0 0.0.0.255 deny ip 192.168.0.0 0.0.0.255 10.123.22.0 0.0.0.255 deny ip 192.168.0.0 0.0.0.255 10.123.31.0 0.0.0.255 deny ip 192.168.0.0 0.0.0.255 10.123.32.0 0.0.0.255 deny ip 192.168.1.0 0.0.0.255 10.123.11.0 0.0.0.255 deny ip 192.168.1.0 0.0.0.255 10.123.12.0 0.0.0.255 deny ip 192.168.1.0 0.0.0.255 10.123.21.0 0.0.0.255 deny ip 192.168.1.0 0.0.0.255 10.123.22.0 0.0.0.255 deny ip 192.168.1.0 0.0.0.255 10.123.31.0 0.0.0.255 deny ip 192.168.1.0 0.0.0.255 10.123.32.0 0.0.0.255 permit ip 192.168.0.0 0.0.0.255 any permit ip 192.168.1.0 0.0.0.255 any permit ip 192.168.2.0 0.0.0.255 any please post your config
	to forum · permalink · · 2009-11-06 00:20:43 ·
geneticx join:2009-11-06	Here is my pastebin: »pastebin.com/d64d8e432 Thanks..
	to forum · permalink · · 2009-11-06 00:34:17 ·
howlym join:2009-08-18 San Leandro, CA	first of all, have you put "ip nat outside" in your Ethernet1 session? second, I saw you have this line ip nat inside source static udp 192.168.1.105 20000 interface Dialer1 in the config file. You should do it like this ip nat inside source static udp 192.168.1.105 20000 interface Dialer1 20000 or this will Nat the Dialer1 to your 192.168.1.105 only, not your whole LAN.
	to forum · permalink · · 2009-11-06 00:43:06 ·
geneticx join:2009-11-06	This is what I have for both of my interfaces: interface Ethernet0 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255. 255.0$FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 secondary ip address 192.168.1.200 255.255.255.0 secondary ip address 10.10.10.1 255.255.255.0 ip access-group 100 in ip nat inside ip tcp adjust-mss 1452 no cdp enable hold-queue 32 in ! interface Ethernet1 no ip address duplex auto pppoe enable pppoe-client dial-pool-number 1 no cdp enable ! didn't notice that the ports got chopped off at the end of Dialer1, so yes they are like that already. Thanks..
	to forum · permalink · · 2009-11-06 00:52:55 ·
howlym join:2009-08-18 San Leandro, CA	I didn't see "ip nat outside" under your interface Ethernet1 session
	to forum · permalink · · 2009-11-06 00:55:07 ·
geneticx join:2009-11-06	ip nat outside is assigned to Dialer1, correct me if Im wrong but I thought you can only have one ip nat outside and one ip nat inside. this is my Dialer1 Interface: interface Dialer1 description $FW_OUTSIDE$ ip address negotiated ip access-group 101 in no ip redirects no ip unreachables ip mtu 1492 ip nat outside ip inspect sdm_ins_in_100 in ip inspect sdm_ins_in_100 out encapsulation ppp ip tcp adjust-mss 1452 dialer pool 1 dialer-group 1 ppp authentication chap pap callin ppp chap hostname something@something.com ppp chap password 7 234123sdf123 ppp pap sent-username something@something.com password 7 075asdfsadf323 ppp ipcp dns request ppp ipcp wins request !
	to forum · permalink · · 2009-11-06 01:02:51 ·
geneticx join:2009-11-06	reply to howlym This is my full config with "nat oustide" on Ethernet1 as you suggested. Thanks in advance. Current configuration : 5872 bytes ! version 12.3 no service pad service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname cisco831 ! logging buffered 16384 informational no logging console no logging monitor enable secret <removed> ! username <removed> password <removed> clock timezone GMT -5 clock summer-time CDT recurring aaa new-model ! ! aaa authentication ppp default local aaa session-id common ip subnet-zero ip domain name cisco.home ip name-server 205.152.152.23 ip dhcp excluded-address 192.168.1.1 ip dhcp excluded-address 192.168.1.101 ip dhcp excluded-address 192.168.1.100 ip dhcp excluded-address 192.168.1.116 ip dhcp excluded-address 192.168.1.1 192.168.1.199 ip dhcp excluded-address 192.168.1.241 192.168.1.255 ! ip dhcp pool 192.168.1.0/24 network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 192.168.1.102 205.152.152.23 ! ! ip inspect name sdm_ins_in_100 cuseeme ip inspect name sdm_ins_in_100 ftp ip inspect name sdm_ins_in_100 h323 ip inspect name sdm_ins_in_100 icmp ip inspect name sdm_ins_in_100 netshow ip inspect name sdm_ins_in_100 rcmd ip inspect name sdm_ins_in_100 realaudio ip inspect name sdm_ins_in_100 rtsp ip inspect name sdm_ins_in_100 sqlnet ip inspect name sdm_ins_in_100 streamworks ip inspect name sdm_ins_in_100 tftp ip inspect name sdm_ins_in_100 tcp ip inspect name sdm_ins_in_100 udp ip inspect name sdm_ins_in_100 vdolive ip audit notify log ip audit po max-events 100 ip ssh authentication-retries 5 vpdn enable ! vpdn-group Home-VPN ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 ! no ftp-server write-enable ! ! ! ! ! ! class-map match-any test_class_map_for_sdm match dscp default match protocol ip ! ! ! interface Ethernet0 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0$FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 secondary ip address 192.168.1.200 255.255.255.0 secondary ip address 10.10.10.1 255.255.255.0 ip access-group 100 in ip nat inside ip tcp adjust-mss 1452 no cdp enable hold-queue 32 in ! interface Ethernet1 no ip address duplex auto ip nat outside pppoe enable pppoe-client dial-pool-number 1 no cdp enable ! interface Virtual-Template1 ip unnumbered Ethernet0 ip nat inside peer default ip address pool defaultpool ppp encrypt mppe auto required ppp authentication ms-chap ms-chap-v2 ! interface FastEthernet1 no ip address duplex auto speed auto ! interface FastEthernet2 no ip address duplex auto speed auto ! interface FastEthernet3 no ip address duplex auto speed auto ! interface FastEthernet4 no ip address duplex auto speed auto ! interface Dialer1 description $FW_OUTSIDE$ ip address negotiated ip access-group 101 in no ip redirects no ip unreachables ip mtu 1492 ip nat outside ip inspect sdm_ins_in_100 in ip inspect sdm_ins_in_100 out encapsulation ppp ip tcp adjust-mss 1452 dialer pool 1 dialer-group 1 ppp authentication chap pap callin ppp chap hostname <removed> ppp chap password <removed> ppp pap sent-username <removed> password <removed> ppp ipcp dns request ppp ipcp wins request ! ip local pool defaultpool 192.168.1.15 192.168.1.20 ip nat inside source list 102 interface Dialer1 overload ip nat inside source static udp 192.168.1.105 20000 interface Dialer1 20000 ip nat inside source static udp 192.168.1.105 10000 interface Dialer1 10000 ip nat inside source static udp 192.168.1.105 5060 interface Dialer1 5060 ip nat inside source static tcp 192.168.1.102 22 interface Dialer1 22 ip nat inside source static udp 192.168.1.102 80 interface Dialer1 80 ip nat inside source static tcp 192.168.1.102 80 interface Dialer1 80 ip nat inside source static tcp 192.168.1.101 21 interface Dialer1 21 ip nat inside source static tcp 192.168.1.101 2010 interface Dialer1 2010 ip nat inside source static tcp 192.168.1.101 3389 interface Dialer1 3389 ip nat inside source static tcp 192.168.1.101 5900 interface Dialer1 5900 ip nat inside source static udp 192.168.1.100 5100 interface Dialer1 5100 ip nat inside source static tcp 192.168.1.101 20 interface Dialer1 20 ip nat inside source static tcp 192.168.1.100 6346 interface Dialer1 6346 ip nat inside source static tcp 192.168.1.101 2000 interface Dialer1 2000 ip nat inside source static tcp 192.168.1.116 28097 interface Dialer1 28097 ip nat inside source static udp 192.168.1.116 28097 interface Dialer1 28097 ip nat inside source static tcp 192.168.1.100 62745 interface Dialer1 62745 ip nat inside source static udp 192.168.1.100 62745 interface Dialer1 62745 ip nat inside source static udp 192.168.1.105 5061 interface Dialer1 5061 ip nat inside source static tcp 192.168.1.1 1723 interface Dialer1 1723 ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 no ip http server no ip http secure-server ! access-list 23 permit 192.168.1.0 0.0.0.255 access-list 100 remark auto generated by SDM firewall configuration access-list 100 remark SDM_ACL Category=0 access-list 100 deny ip host 255.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip any any access-list 101 permit tcp any any eq www access-list 101 permit udp any any eq 80 access-list 101 permit tcp any any eq 22 access-list 101 permit udp any any eq 5060 access-list 101 permit udp any any range 10000 20000 access-list 101 permit udp any any eq 5061 access-list 101 permit tcp any any eq 1723 access-list 101 permit gre any any access-list 102 permit ip 192.168.1.0 0.0.0.255 any dialer-list 1 protocol ip permit snmp-server community <removed> RO snmp-server enable traps tty ! line con 0 exec-timeout 120 0 no modem enable stopbits 1 line aux 0 line vty 0 4 access-class 23 in exec-timeout 120 0 length 0 transport preferred ssh transport input ssh ! scheduler max-task-time 5000 ! end
	to forum · permalink · · 2009-11-06 11:18:09 ·


Sunday, 06-Dec 01:56:35	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF