howlym
join:2009-08-18
San Leandro, CA

howlym

Member

[Config] How do I assign default gateway for a PPTP VPN client

Hi, guys

I've configured PPTP VPN on my 2651xm router. Everything is good: I can dial in, I get an IP address, I can access all servers in the LAN, but I can't access the internet through the router. I notice there's no default gateway assigned to the client; even when I put "async-bootp gateway xxx.xxx.xxx.xxx" in the config, it's no use.

Any help will be appreciated!

vpdn enable
!
vpdn-group PPTP-Group
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
async-bootp gateway 10.123.3.1
async-bootp dns-server 206.13.28.12
 
interface Virtual-Template1
 ip address 10.123.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool PPTP
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
 
ip local pool PPTP 10.123.3.100 10.123.3.200
 
 

kamikatze
join:2007-11-02

kamikatze

Member

Re: [Config] How do I assign default gateway for a PPTP VPN clie

Here it is,

»kc.forticare.com/admin/v ··· nfig.png

[ ] Use default gateway on remote network
howlym
join:2009-08-18
San Leandro, CA

howlym

Member

Thank you so much for the prompt reply, but we do need the VPN client to surf via the VPN router. How do I configure this?

Thanks

kamikatze
join:2007-11-02


kamikatze

Member

Just make sure the above checkbox is ON and your local VPN pool,

ip local pool PPTP 10.123.3.100 10.123.3.200

is part of your NAT statement (ACL).

Basically what you're looking for is a non-split-tunnel configuration.
howlym
join:2009-08-18
San Leandro, CA

howlym

Member

haha, how stupid I am.

I did forget to put the VPN client's IP range in the NAT ACL.

Now it works like a charm!
geneticx
join:2009-11-06

geneticx

Member

Hello, I'm also having the same problem. Do you mind explaining to me how you added the range to your NAT ACL? Thank you very much.
howlym
join:2009-08-18
San Leandro, CA

howlym

Member

Sure

You have to put your VPN client's IP range into your NAT ACL
geneticx
join:2009-11-06

geneticx

Member

said by howlym:

Sure

You have to put your VPN client's IP range into your NAT ACL
Thanks for the reply, I've been searching desperately for long hours.

Ok, so I have to enter my VPN client's IP range into my NAT ACL, but I don't know how to do this. Can you please elaborate on this? These are some of my NAT rules:

ip nat inside source static tcp 192.168.1.100 portnumber interface Dialer1 portnumber

Is this ^ how I'm supposed to do it?

Your help is much appreciated.
howlym
join:2009-08-18
San Leandro, CA

howlym

Member

ip nat inside source static tcp 192.168.1.100 portnumber interface Dialer1 portnumber

This is not an ACL; an ACL is something like:
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 10.123.11.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.123.12.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.123.21.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.123.22.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.123.31.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.123.32.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.123.11.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.123.12.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.123.21.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.123.22.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.123.31.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.123.32.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 
 

Please post your config.
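A config check for the rule these two posts spell out (the VPN client pool must be covered by the permit entries of the NAT ACL, or the clients get no translation toward the internet), written as an added example and not code from the thread. It parses the `ip local pool` line and a numbered or named IOS ACL out of config text, evaluates the ACL first-match with Cisco wildcard semantics, and reports pool addresses that would leave untranslated. The sample configs are constructed from the thread's values; 203.0.113.10 stands in for any internet destination; it assumes plain `permit`/`deny ip SRC DST` entries (`any` or `ADDRESS WILDCARD`) and ignores port-specific entries.

```python
import ipaddress
import re

def _term(tokens, i):
    """Parse one ACL address term at tokens[i]: 'any' or 'ADDRESS WILDCARD'.
    Returns ((base_int, wildcard_int), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    base, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return (base, wildcard), i + 2

def _matches(term, addr):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    base, wildcard = term
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard == 0

def acl_entries(config, acl):
    """Entries of a numbered ('access-list N ...') or named ('ip access-list extended N') ACL, in order."""
    entries, in_named = [], False
    for line in config.splitlines():
        if line.startswith(f"access-list {acl} "):
            entries.append(line.split(None, 2)[2])          # drop 'access-list N'
        elif in_named and line.startswith(" "):
            entries.append(line.strip())
        else:
            in_named = line.strip() == f"ip access-list extended {acl}"
    return [e for e in entries if e.split()[0] in ("permit", "deny")]

def is_translated(entries, src, dst):
    """First-match evaluation of 'permit|deny ip SRC DST'; an ACL ends with an implicit deny."""
    for entry in entries:
        t = entry.split()
        if t[1] != "ip":                 # assumption: port-specific entries are not NAT-relevant here
            continue
        s, i = _term(t, 2)
        d, _ = _term(t, i)
        if _matches(s, src) and _matches(d, dst):
            return t[0] == "permit"
    return False

def untranslated_pool_addresses(config, acl, dst="203.0.113.10"):
    """Pool addresses that would reach dst (a constructed internet host) without NAT."""
    entries, missing = acl_entries(config, acl), []
    for m in re.finditer(r"^ip local pool \S+ (\S+) (\S+)", config, re.M):
        first, last = (int(ipaddress.IPv4Address(a)) for a in m.groups())
        missing += [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)
                    if not is_translated(entries, str(ipaddress.IPv4Address(n)), dst)]
    return missing

# Constructed from the thread: the original poster's pool and NAT ACL before and after the fix.
BEFORE = """ip local pool PPTP 10.123.3.100 10.123.3.200
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 10.123.11.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
"""
AFTER = BEFORE + " permit ip 10.123.3.0 0.0.0.255 any\n"
```

Run against the original poster's ACL, every address in the 10.123.3.100-200 pool comes back untranslated; with the added permit for the pool's subnet the list is empty.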
geneticx
join:2009-11-06

geneticx

Member

Here is my pastebin: »pastebin.com/d64d8e432

Thanks..
howlym
join:2009-08-18
San Leandro, CA

howlym

Member

First of all, have you put "ip nat outside" in your Ethernet1 section?
Second, I saw you have this line
ip nat inside source static udp 192.168.1.105 20000 interface Dialer1
 
in the config file.

You should do it like this:
ip nat inside source static udp 192.168.1.105 20000 interface Dialer1 20000
 
or this will NAT Dialer1 to your 192.168.1.105 only, not your whole LAN.
geneticx
join:2009-11-06

geneticx

Member

This is what I have for both of my interfaces:

interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 192.168.1.200 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
 

I didn't notice that the ports got chopped off at the end of Dialer1, so yes, they are like that already. Thanks..
howlym
join:2009-08-18
San Leandro, CA

howlym

Member

I didn't see "ip nat outside" under your interface Ethernet1 section.
geneticx
join:2009-11-06

geneticx

Member

ip nat outside is assigned to Dialer1; correct me if I'm wrong, but I thought you can only have one ip nat outside and one ip nat inside.

this is my Dialer1 Interface:
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect sdm_ins_in_100 out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname something@something.com
 ppp chap password 7 234123sdf123
 ppp pap sent-username something@something.com password 7 075asdfsadf323
 ppp ipcp dns request
 ppp ipcp wins request
!
 
geneticx

geneticx to howlym

Member

This is my full config with "nat outside" on Ethernet1 as you suggested. Thanks in advance.

Current configuration : 5872 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco831
!
logging buffered 16384 informational
no logging console
no logging monitor
enable secret <removed>
!
username <removed> password <removed>
clock timezone GMT -5
clock summer-time CDT recurring
aaa new-model
!
!
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip domain name cisco.home
ip name-server 205.152.152.23
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.101
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.116
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 192.168.1.241 192.168.1.255
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.102 205.152.152.23
!
!
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 5
vpdn enable
!
vpdn-group Home-VPN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
 class-map match-any test_class_map_for_sdm
  match  dscp default
  match protocol ip
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 192.168.1.200 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 no ip address
 duplex auto
 ip nat outside
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 ip nat inside
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect sdm_ins_in_100 out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <removed>
 ppp chap password <removed>
 ppp pap sent-username <removed> password <removed>
 ppp ipcp dns request
 ppp ipcp wins request
!
ip local pool defaultpool 192.168.1.15 192.168.1.20
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static udp 192.168.1.105 20000 interface Dialer1 20000
ip nat inside source static udp 192.168.1.105 10000 interface Dialer1 10000
ip nat inside source static udp 192.168.1.105 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.1.102 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.102 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.102 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.101 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.101 2010 interface Dialer1 2010
ip nat inside source static tcp 192.168.1.101 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.101 5900 interface Dialer1 5900
ip nat inside source static udp 192.168.1.100 5100 interface Dialer1 5100
ip nat inside source static tcp 192.168.1.101 20 interface Dialer1 20
ip nat inside source static tcp 192.168.1.100 6346 interface Dialer1 6346
ip nat inside source static tcp 192.168.1.101 2000 interface Dialer1 2000
ip nat inside source static tcp 192.168.1.116 28097 interface Dialer1 28097
ip nat inside source static udp 192.168.1.116 28097 interface Dialer1 28097
ip nat inside source static tcp 192.168.1.100 62745 interface Dialer1 62745
ip nat inside source static udp 192.168.1.100 62745 interface Dialer1 62745
ip nat inside source static udp 192.168.1.105 5061 interface Dialer1 5061
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq 80
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq 5060
access-list 101 permit udp any any range 10000 20000
access-list 101 permit udp any any eq 5061
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community <removed> RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred ssh
 transport input ssh
!
scheduler max-task-time 5000
!
end