howlym (Member, joined 2009-08-18, San Leandro, CA)
2009-Aug-31 3:30 pm
[Config] How do I assign default gateway for a PPTP VPN client

Hi guys, I've configured the PPTP VPN on my 2651xm router and everything is good: I can dial in, I can get the IP address, I can access all servers in the LAN, but I can't access the internet through the router. I notice there's no default gateway assigned to the client; even if I put "async-bootp gateway xxx.xxx.xxx.xxx" in the config, there's no use. Any help will be appreciated!

vpdn enable
!
vpdn-group PPTP-Group
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
async-bootp gateway 10.123.3.1
async-bootp dns-server 206.13.28.12
interface Virtual-Template1
ip address 10.123.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
peer default ip address pool PPTP
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2
ip local pool PPTP 10.123.3.100 10.123.3.200
Re: [Config] How do I assign default gateway for a PPTP VPN client

Here it is, » kc.forticare.com/admin/v ··· nfig.png

[ ] Use default gateway on remote network
howlym (Member)
2009-Aug-31 3:44 pm
Thank you so much for the prompt reply, but we do need the VPN client to surf via the VPN router. How do I configure this?
Thanks
Just make sure the above checkbox is ON and your local VPN pool,
ip local pool PPTP 10.123.3.100 10.123.3.200
is part of your NAT statement (ACL).
Basically what you're looking for is a non-split-tunnel configuration.
howlym (Member)
2009-Aug-31 3:57 pm
Haha, how stupid I am.
I did forget to put the VPN client's IP range into the NAT ACL.
Now it works like a charm!
Hello, I'm also having the same problem. Do you mind explaining to me how you added the range to your NAT ACL? Thank you very much.
howlym (Member)
2009-Nov-6 12:07 am
Sure.
You have to put your VPN client's IP range into your NAT ACL.
said by howlym: Sure. You have to put your VPN client's IP range into your NAT ACL.

Thanks for the reply, I've been searching desperately for long hours. OK, so I have to enter my VPN client's IP range into my NAT ACL, but I don't know how to do this; can you please elaborate on this? These are some of my NAT rules:
ip nat inside source static tcp 192.168.1.100 portnumber interface Dialer1 portnumber
Is this ^ how I'm supposed to do it? Your help is much appreciated.
howlym (Member)
2009-Nov-6 12:20 am
ip nat inside source static tcp 192.168.1.100 portnumber interface Dialer1 portnumber
This is not an ACL. An ACL is something like:
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 10.123.11.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.123.12.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.123.21.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.123.22.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.123.31.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.123.32.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.123.11.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.123.12.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.123.21.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.123.22.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.123.31.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.123.32.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
Please post your config.
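An added example, not code from the thread or from anyone in it: a small Python check for the mistake howlym describes. It pulls the ip local pool, ip nat inside source list and ACL lines out of an IOS running-config and reports, per pool, the client addresses for which no NAT ACL's first-matching entry is a permit, so a VPN pool left out of the NAT ACL shows up directly. The sample configs, the interface name and the probe address are constructed; both named and numbered extended ACLs are handled, plain ip entries only.

```python
import ipaddress

# Constructed sample modelled on howlym's first post: the wired LAN is in the NAT
# ACL, the PPTP pool 10.123.3.100-200 is not; AFTER appends the fix from the thread.
BEFORE = """\
ip local pool PPTP 10.123.3.100 10.123.3.200
ip nat inside source list NAT interface FastEthernet0/0 overload
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
"""
AFTER = BEFORE + " permit ip 10.123.3.0 0.0.0.255 any\n"

def parse_net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, rest).
    An IOS wildcard mask is an inverted netmask, which ipaddress accepts as a hostmask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(t):  # ['permit'|'deny', 'ip', src..., dst...] -> (action, src_net, dst_net)
    src, rest = parse_net(t[2:])
    return t[0], src, parse_net(rest)[0]

def load(config):  # only plain 'ip' entries are modelled, which is what a NAT ACL uses
    pools, nat_acls, acls, current = {}, [], {}, None
    for raw in config.splitlines():
        t = raw.split() or ["!"]
        if t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acls.append(t[5])
        elif t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            acls.setdefault(t[1], []).append(parse_ace(t[2:]))  # numbered ACL
        elif current and t[0] in ("permit", "deny") and t[1] == "ip":
            acls.setdefault(current, []).append(parse_ace(t))  # body of a named ACL
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the named ACL
    return pools, nat_acls, acls

def first_match(aces, src, dst):  # IOS ACLs are first-match with an implicit deny at the end
    for action, s, d in aces:
        if src in s and dst in d:
            return action
    return "deny"

def untranslated(config, probe="203.0.113.10"):  # probe is an RFC 5737 documentation address
    pools, nat_acls, acls = load(config)
    dst = ipaddress.ip_address(probe)
    def nat_permits(src):
        return any(first_match(acls.get(a, []), src, dst) == "permit" for a in nat_acls)
    return {name: [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)
                   if not nat_permits(ipaddress.ip_address(n))] for name, (lo, hi) in pools.items()}
```

For BEFORE every one of the 101 pool addresses comes back as untranslated; for AFTER the list is empty, which is the state howlym reached once the range was added to the NAT ACL.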
Here is my pastebin: » pastebin.com/d64d8e432
Thanks..
howlym (Member)
2009-Nov-6 12:43 am
First of all, have you put "ip nat outside" in your Ethernet1 section? Second, I saw you have this line in the config file:
ip nat inside source static udp 192.168.1.105 20000 interface Dialer1
You should do it like this:
ip nat inside source static udp 192.168.1.105 20000 interface Dialer1 20000
or this will NAT the Dialer1 to your 192.168.1.105 only, not your whole LAN.
This is what I have for both of my interfaces:
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0 secondary
ip address 192.168.1.200 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
hold-queue 32 in
!
interface Ethernet1
no ip address
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
I didn't notice that the ports got chopped off at the end of Dialer1, so yes, they are like that already. Thanks..
howlym (Member)
2009-Nov-6 12:55 am
I didn't see "ip nat outside" under your interface Ethernet1 section.
ip nat outside is assigned to Dialer1; correct me if I'm wrong, but I thought you can only have one ip nat outside and one ip nat inside. This is my Dialer1 interface:
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect sdm_ins_in_100 out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname something@something.com
ppp chap password 7 234123sdf123
ppp pap sent-username something@something.com password 7 075asdfsadf323
ppp ipcp dns request
ppp ipcp wins request
!
geneticx to howlym

This is my full config with "nat outside" on Ethernet1 as you suggested. Thanks in advance.

Current configuration : 5872 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco831
!
logging buffered 16384 informational
no logging console
no logging monitor
enable secret <removed>
!
username <removed> password <removed>
clock timezone GMT -5
clock summer-time CDT recurring
aaa new-model
!
!
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip domain name cisco.home
ip name-server 205.152.152.23
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.101
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.116
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 192.168.1.241 192.168.1.255
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.102 205.152.152.23
!
!
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 5
vpdn enable
!
vpdn-group Home-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
class-map match-any test_class_map_for_sdm
match dscp default
match protocol ip
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0 secondary
ip address 192.168.1.200 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
hold-queue 32 in
!
interface Ethernet1
no ip address
duplex auto
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Virtual-Template1
ip unnumbered Ethernet0
ip nat inside
peer default ip address pool defaultpool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect sdm_ins_in_100 out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <removed>
ppp chap password <removed>
ppp pap sent-username <removed> password <removed>
ppp ipcp dns request
ppp ipcp wins request
!
ip local pool defaultpool 192.168.1.15 192.168.1.20
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static udp 192.168.1.105 20000 interface Dialer1 20000
ip nat inside source static udp 192.168.1.105 10000 interface Dialer1 10000
ip nat inside source static udp 192.168.1.105 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.1.102 22 interface Dialer1 22
ip nat inside source static udp 192.168.1.102 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.102 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.101 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.101 2010 interface Dialer1 2010
ip nat inside source static tcp 192.168.1.101 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.101 5900 interface Dialer1 5900
ip nat inside source static udp 192.168.1.100 5100 interface Dialer1 5100
ip nat inside source static tcp 192.168.1.101 20 interface Dialer1 20
ip nat inside source static tcp 192.168.1.100 6346 interface Dialer1 6346
ip nat inside source static tcp 192.168.1.101 2000 interface Dialer1 2000
ip nat inside source static tcp 192.168.1.116 28097 interface Dialer1 28097
ip nat inside source static udp 192.168.1.116 28097 interface Dialer1 28097
ip nat inside source static tcp 192.168.1.100 62745 interface Dialer1 62745
ip nat inside source static udp 192.168.1.100 62745 interface Dialer1 62745
ip nat inside source static udp 192.168.1.105 5061 interface Dialer1 5061
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq 80
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq 5060
access-list 101 permit udp any any range 10000 20000
access-list 101 permit udp any any eq 5061
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community <removed> RO
snmp-server enable traps tty
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
length 0
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
!
end