C841M: Internet access via VPN

I configured a PPTP VPN on a C841M.

The standard Windows client can connect to the VPN and can reach hosts on the same segment, but

it cannot get out to the Internet through the VPN.

On the Windows client it shows "No network access".

I want to reach a site that restricts access by source IP address through the remote-access VPN; could you tell me how to configure this?

I could not work out from my research whether this is a PPTP passthrough setting or a NAT setting, or what the detailed configuration should be.

Thank you in advance.

1 accepted solution

Accepted solution

akg000000 (Level 1)

Without seeing your config it is hard to say, but does the virtual-template have "ip nat inside" configured?

Please check.

3 replies

Sorry for the late reply.

For the config, I initially followed the document below.

http://www.cisco.com/cisco/web/support/JP/100/1003/1003714_pptp-ios.html

As you advised, once I added "ip nat inside" to the virtual-template I was able to reach the Internet normally as well.

After confirming the VPN configuration I also added the firewall and related settings.

The modified config is posted below.

If there is anything wrong with the settings, could you please point it out?

Thank you.

======================================================

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HOST_NAME
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
ethernet lmi ce
clock timezone GMT 9 0
!
crypto pki trustpoint TP-self-signed-3829022291
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3829022291
revocation-check none
rsakeypair TP-self-signed-3829022291
!
!
crypto pki certificate chain TP-self-signed-3829022291
certificate self-signed 01 nvram:IOS-Self-Sig#4.cer
!
!
!
ip dhcp excluded-address 172.16.200.254
!
ip dhcp pool ccp-pool
network 172.16.200.0 255.255.255.0
default-router 172.16.200.254
dns-server 172.16.200.254
lease 0 2
!
!
!
ip domain name DOMAIN.LOCAL
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
license udi pid C841M-4X-JSEC/K9 sn XXXXXXXXXX
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network local_cws_net
!
object-group network local_lan_subnets
10.10.10.0 255.255.255.128
any
!
object-group network vpn_remote_subnets
any
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
username user password 0 password
!
redundancy
!
!
!
!
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
!
policy-map type inspect WAN-LAN-POLICY
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security WAN-LAN source WAN destination LAN
service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface GigabitEthernet0/3
no ip address
!
interface GigabitEthernet0/4
description PrimaryWANDesc_
no ip address
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/5
no ip address
ip tcp adjust-mss 1412
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Dialer1
ip nat inside
ip virtual-reassembly in
peer default ip address pool TEST_POOL
no keepalive
ppp encrypt mppe auto
ppp authentication pap ms-chap-v2 chap
!
interface Vlan1
description $ETH_LAN$
ip address 172.16.200.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer1
mtu 1454
ip address negotiated
ip access-group WAN_ACL in
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1412
dialer pool 1
dialer-group 1
ppp mtu adaptive
ppp authentication chap callin
ppp chap hostname isp@aaa.ne.jp
ppp chap password 0 isppassword
ppp ipcp dns request
no cdp enable
!
ip local pool TEST_POOL 172.16.200.2 172.16.200.250
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended WAN_ACL
deny ip 0.0.0.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny tcp any any eq telnet
deny tcp any any eq 22
deny tcp any any eq www
permit ip any any
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
!
dialer-list 1 protocol ip permit
!
!
!
banner exec 
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------

banner login 
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------

!
line con 0
login local
no modem enable
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

It looks like the interfaces are not members of any zone.

I have never actually used ZFW so I cannot say for certain, but I suspect the firewall will not function with this configuration.
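Added example (editor's note, not part of the original thread, the poster's config, or the Cisco document linked above): the two points raised in the replies, "ip nat inside" on the Virtual-Template and zone membership for the zone-based firewall, applied to the interface and zone names that appear in the posted config (Vlan1, Dialer1, Virtual-Template1, zones LAN/WAN/VPN, pool TEST_POOL). The class-map LAN-WAN-CLASS, policy-map LAN-WAN-POLICY and the zone-pair names are assumptions chosen for illustration. The block only hardens what the thread configures; PPTP with MS-CHAPv2 is itself regarded as weak, and that is not changed here.

```cisco
! Added example, not the poster's config. Interface, zone and pool names
! come from the thread; LAN-WAN-CLASS, LAN-WAN-POLICY and the zone-pair
! names are assumptions.
!
! 1. NAT: each PPTP client gets a Virtual-Access interface cloned from
!    Virtual-Template1, so 'ip nat inside' has to be on the template or
!    VPN traffic is never translated to the Dialer1 address (the fix the
!    accepted solution asks about). MPPE can only be negotiated after
!    MS-CHAP/MS-CHAPv2; with 'mppe auto' plus PAP/CHAP allowed, a client
!    can come up unencrypted, so restrict the authentication method and
!    require encryption.
interface Virtual-Template1
 ip unnumbered Dialer1
 ip nat inside
 ip virtual-reassembly in
 peer default ip address pool TEST_POOL
 zone-member security VPN
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
! 2. Zone membership: a zone with no interfaces in it filters nothing,
!    which is the problem the last reply points out.
interface Vlan1
 zone-member security LAN
!
interface Dialer1
 zone-member security WAN
!
! 3. Once interfaces are in zones, traffic between two different zones
!    is dropped unless a zone-pair with an inspect policy allows it. The
!    posted config only has WAN->LAN (which inspects msnmsgr/ymsgr and
!    drops everything else); outbound flows from LAN and VPN need their
!    own pairs, otherwise the Internet access fixed in step 1 breaks
!    again as soon as the zones become active.
class-map type inspect match-any LAN-WAN-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect LAN-WAN-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
zone-pair security VPN-WAN source VPN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
zone-pair security VPN-LAN source VPN destination LAN
 service-policy type inspect LAN-WAN-POLICY
!
! PPTP control (TCP 1723) and GRE terminate on the router itself, i.e.
! the 'self' zone. As long as no zone-pair references 'self', traffic to
! and from the router is still permitted by default, so the VPN keeps
! connecting after the zones are populated.
```

Two things a practitioner would check after applying this, both visible in the posted config: "ip local pool TEST_POOL 172.16.200.2 172.16.200.250" hands VPN clients addresses from the same range the Vlan1 DHCP pool uses (only .254 is excluded), so a LAN host and a VPN client can end up with the same address; shrinking the VPN pool or excluding its range from DHCP avoids that. And with "ip nat inside source list nat-list", the nat-list matches object-group local_lan_subnets, which contains "any", so VPN client addresses are translated as well; if you ever tighten that object-group to the LAN prefix, add the VPN pool range too or step 1 stops working.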