samuelthan

join:2013-01-11
australia

VPN - Can't ping next-hop

Need some advice... I've configured a VPN for client-to-site access, using PPTP as a starting test. The client computer can connect and establish a connection to the router. I can ping from the client to the router (192.168.5.1) but can't ping 192.168.5.2 or 192.168.10.X.

What I'm trying to achieve is to access the internal network (192.168.10.X), which is on the layer 3 switch's end.

Any help/extra eye would be good.

Here are my network design and config:

Client Computer ----> Internet ----> (1.1.1.1) Cisco Router 881 (192.168.5.1) ----> Dell Powerconnect 6248 switch (192.168.5.2) ---> Servers/Workstation (192.168.10.x)

Cisco 881 Router

aaa new-model
!
aaa authentication ppp default local
!
vpdn enable
!
!
vpdn-group PPTP-VPDN
!
accept-dialin
protocol pptp
virtual-template 1
!

interface FastEthernet0
description Link to Switch
switchport access vlan 5
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 70
no ip address
!
interface FastEthernet4
description INTERNET WAN PORT
ip address [EXTERNAL IP]
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map VPN1
!
interface Vlan1
no ip address
!
interface Vlan5
description $ES_LAN$
ip address 192.168.5.1 255.255.255.248
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
!
interface Vlan70
ip address [EXTERNAL IP]
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
!
!
interface Virtual-Template1
ip unnumbered FastEthernet4
encapsulation ppp
peer default ip address pool defaultpool
ppp authentication chap ms-chap
!
ip local pool defaultpool 192.168.10.200 192.168.10.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list NO-NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 [EXTERNAL IP]
ip route 192.168.0.0 255.255.0.0 192.168.5.2
!
ip access-list extended NO-NAT
deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VLAN70
permit ip [EXTERNAL IP] 0.0.0.15 192.168.10.0 0.0.1.255
permit tcp [EXTERNAL IP] 0.0.0.15 any eq smtp
permit tcp [EXTERNAL IP] 0.0.0.15 any eq www
permit tcp [EXTERNAL IP] 0.0.0.15 any eq 443
permit tcp [EXTERNAL IP] 0.0.0.15 any eq domain
permit udp [EXTERNAL IP] 0.0.0.15 any eq domain
ip access-list extended VPN
permit ip 192.168.10.0 0.0.1.255 10.1.0.0 0.0.1.255
permit ip [EXTERNAL IP] 0.0.0.15 10.1.0.0 0.0.1.255
ip access-list extended WAN
!

Layer 3 Switch - Dell Powerconnect 6224
!
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1
interface vlan 5
name "Connect to Cisco Router"
routing
ip address 192.168.5.2 255.255.255.248
exit
!
interface vlan 10
name "internal network"
routing
ip address 192.168.10.1 255.255.255.0
exit
!
interface ethernet 1/g12
switchport mode access vlan 5
exit
!
interface ethernet 1/g29
switchport mode access vlan 10
exit
!


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

You cannot set the vpn address pool to something to which the router is not directly connected. (well, you could, but it's a bloody mess) PPTP does not do "split tunnel" -- it doesn't tell the client anything about routes -- so it won't know about 10.x unless it's given an address in that network. (as you attempted to do, but because the router isn't IN that network, the hosts there have no way of finding the VPN peers.) If you created a network just for VPN clients, then they won't know about any other network, and thus won't be able to get to 5 OR 10.

(In other words, PPTP f'ing sucks! IPSec doesn't have this failing, but it's A LOT more work to setup.)
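The rule cramer states above (the PPTP address pool must sit inside a network the router itself has an address in, or LAN hosts have no path back to the peers) can be checked mechanically. The following config lint is an added example, not code from the thread; it parses constructed excerpts of the two 881 configs posted here and flags the original pool, which lives in 192.168.10.0/24 although the router only owns 192.168.5.0/29.

```python
import ipaddress
import re

# Constructed excerpt of the thread's first (non-working) 881 config.
BROKEN_CONFIG = """\
interface Vlan5
 ip address 192.168.5.1 255.255.255.248
interface Virtual-Template1
 ip unnumbered FastEthernet4
 peer default ip address pool defaultpool
ip local pool defaultpool 192.168.10.200 192.168.10.210
"""
# Constructed excerpt of the working config: the pool sits on a loopback the router owns.
FIXED_CONFIG = """\
interface Loopback0
 ip address 192.168.99.1 255.255.255.0
interface Vlan5
 ip address 192.168.5.1 255.255.255.248
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool PPTP-Pool
ip local pool PPTP-Pool 192.168.99.200 192.168.99.210
"""

def connected_networks(config):
    """Map interface name -> IPv4Network for each 'ip address A MASK' line."""
    nets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\d[\d.]*) (\d[\d.]*)$", line)
        if m and current:
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def lint_vpn_pool(config):
    """Return a list of findings; an empty list means the PPTP pool is reachable."""
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}
    m = re.search(r"^\s*peer default ip address pool (\S+)", config, re.M)
    ref = m.group(1) if m else None
    if ref not in pools:
        return [f"virtual-template references pool '{ref}', which is not defined"]
    lo, hi = pools[ref]
    nets = connected_networks(config)
    # Both ends of the pool must fall inside one network the router has an address in;
    # otherwise hosts in that subnet ARP for the peers locally and never send replies to the router.
    owners = [name for name, net in nets.items() if lo in net and hi in net]
    if not owners:
        return [f"pool {lo}-{hi} is not inside any directly connected network "
                f"({', '.join(str(n) for n in nets.values())})"]
    return []
```

The same check also catches a virtual-template that names a pool which was never defined, the second failure mode a mistyped pool name produces.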


markysharkey
Premium
join:2012-12-20
united kingd

PPTP also doesn't work on 1142 access points unless (according to my Cisco reseller) you buy a SmartNet contract which will then give you (me) rights to whatever it is they do to make it work!
Cisco EasyVPN is probably a better bet.


samuelthan

join:2013-01-11
australia
reply to samuelthan

Hm.. I took a different approach and managed to get it to work.

Cisco 881 Router

aaa new-model
!
aaa authentication ppp default local
!
vpdn enable
!
!
vpdn-group PPTP-VPDN
!
accept-dialin
protocol pptp
virtual-template 1
!

interface Loopback0
ip address 192.168.99.1 255.255.255.0
!

interface FastEthernet0
description Link to Switch
switchport access vlan 5
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 70
no ip address
!
interface FastEthernet4
description INTERNET WAN PORT
ip address [EXTERNAL IP]
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map VPN1
!
interface Vlan1
no ip address
!
interface Vlan5
description $ES_LAN$
ip address 192.168.5.1 255.255.255.248
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
!
interface Vlan70
ip address [EXTERNAL IP]
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
!
!
interface Virtual-Template1
ip unnumbered Loopback0
encapsulation ppp
peer default ip address pool PPTP-Pool
ppp authentication chap ms-chap
!
ip local pool PPTP-Pool 192.168.99.200 192.168.99.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list NO-NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 [EXTERNAL IP]
ip route 192.168.0.0 255.255.0.0 192.168.5.2
!
ip access-list extended NO-NAT
deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VLAN70
permit ip [EXTERNAL IP] 0.0.0.15 192.168.10.0 0.0.1.255
permit tcp [EXTERNAL IP] 0.0.0.15 any eq smtp
permit tcp [EXTERNAL IP] 0.0.0.15 any eq www
permit tcp [EXTERNAL IP] 0.0.0.15 any eq 443
permit tcp [EXTERNAL IP] 0.0.0.15 any eq domain
permit udp [EXTERNAL IP] 0.0.0.15 any eq domain
ip access-list extended VPN
permit ip 192.168.10.0 0.0.1.255 10.1.0.0 0.0.1.255
permit ip [EXTERNAL IP] 0.0.0.15 10.1.0.0 0.0.1.255
ip access-list extended WAN
!