10-30-2020 07:22 AM
Hello,
We have an ASR1002 router that's configured as a PPPoE server (with RADIUS).
Clients connect with PPPoE to our ASR and get public IP addresses.
They can all reach the internet, however they all say that they cannot establish PPTP sessions from their PCs to some external servers.
Since there is no NAT on the ASR, how is it possible that PPTP sessions are blocked?
Can you help?
10-30-2020 09:35 AM
- For the particular traffic type and/or source and destination(s), check the ASA's logs and see if you can find any useful info.
M.
10-30-2020 09:41 AM
Hello marce1000
ASA? I have just an ASR1002 with no firewall involved.
10-30-2020 10:20 AM
Sorry : s/ASA/ASR1002/g
M.
10-30-2020 09:43 AM
Hello,
--> they all can reach the internet, however they all say that they cannot establish pptp sessions from their pc to some external servers.
What exactly are the clients trying to do? They get a public IP address from the ASR, and then they try to establish a PPTP session?
Post the full running config of the ASR...
11-13-2020 01:43 AM
Hello,
this is the ASR config.
Customers want to connect from home to the office, or from the office to other external servers, with a PPTP+GRE tunnel.
No problem if they change to an L2TP tunnel, but this workaround is not always acceptable.
Current configuration : 189421 bytes
!
! Last configuration change at 10:08:30 ITA Fri Nov 13 2020 by admin
! NVRAM config last updated at 10:08:30 ITA Fri Nov 13 2020 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname ASR-OF-TO
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 10240 informational
!
aaa new-model
aaa session-mib disconnect
!
aaa group server radius hal-radius
 server name hal-radius1
 retransmit 2
 timeout 120
!
aaa group server radius hal-accounting1
 server name hal-accounting1
 retransmit 2
 timeout 120
!
aaa group server radius hal-accounting2
 server name hal-accounting2
 retransmit 2
 timeout 120
!
aaa authentication login default local
aaa authentication ppp default group hal-radius
aaa authorization exec default local
aaa authorization network default group hal-radius
aaa authorization subscriber-service default local group hal-radius
aaa accounting delay-start all
aaa accounting update periodic 10
aaa accounting network default start-stop broadcast group hal-radius group hal-accounting1 group hal-accounting2
!
aaa server radius dynamic-author
 client 10.5.0.4 server-key AAAAAAAAAAAAAA
 server-key AAAAAAAAAAAAAA
 auth-type any
!
aaa session-id common
aaa policy interface-config allow-subinterface
clock timezone ITA 1 0
clock summer-time ITA recurring last Sun Mar 2:00 last Sun Oct 2:00
!
ip name-server XXXXXXXXXXXX
ip domain name XXXXXXXXXX
!
subscriber templating
!
multilink bundle-name authenticated
!
spanning-tree extend system-id
!
username admin privilege 15 password 99999999999999999999
!
redundancy
 mode none
!
cdp run
!
lldp run
!
policy-map 15MB
 class class-default
  police 18874000 1179648 2359296 conform-action transmit exceed-action drop
policy-map 25MB
 class class-default
  police 31457000 1966080 3932160 conform-action transmit exceed-action drop
policy-map 6MB
 class class-default
  police 7549500 471859 943718 conform-action transmit exceed-action drop
policy-map 200MB
 class class-default
  police 251656000 15728640 31457280 conform-action transmit exceed-action drop
policy-map 2MB
 class class-default
  police 2516500 157286 314572 conform-action transmit exceed-action drop
policy-map 5MB
 class class-default
  police 6291000 393216 786432 conform-action transmit exceed-action drop
policy-map 60MB
 class class-default
  police 75497000 4718592 9437184 conform-action transmit exceed-action drop
policy-map 1MB
 class class-default
  police 1258000 78643 157286 conform-action transmit exceed-action drop
policy-map 50MB
 class class-default
  police 62914500 3932160 7864320 conform-action transmit exceed-action drop
policy-map 1000MB
 class class-default
  police 1258288000 78643200 157286400 conform-action transmit exceed-action drop
policy-map 3MB
 class class-default
  police 3774500 235929 471859 conform-action transmit exceed-action drop
policy-map 100MB
 class class-default
  police 125829000 7864320 15728640 conform-action transmit exceed-action drop
policy-map 40MB
 class class-default
  police 50331500 3145728 6291456 conform-action transmit exceed-action drop
policy-map 8MB
 class class-default
  police 10066000 629146 1258291 conform-action transmit exceed-action drop
policy-map 4MB
 class class-default
  police 5033000 314572 629145 conform-action transmit exceed-action drop
policy-map 10MB
 class class-default
  police 12582500 786432 1572864 conform-action transmit exceed-action drop
policy-map 500MB
 class class-default
  police 629144000 39321600 78643200 conform-action transmit exceed-action drop
policy-map 30MB
 class class-default
  police 37748500 2359296 4718592 conform-action transmit exceed-action drop
policy-map 12MB
 class class-default
  police 15099000 943718 1887437 conform-action transmit exceed-action drop
policy-map 20MB
 class class-default
  police 25165500 1572864 3145728 conform-action transmit exceed-action drop
policy-map 7MB
 class class-default
  police 8808000 550502 1101004 conform-action transmit exceed-action drop
policy-map 300MB
 class class-default
  police 377480000 23592960 47185920 conform-action transmit exceed-action drop
!
bba-group pppoe global
 virtual-template 1
 sessions max limit 64000
 sessions per-vc limit 64000
 sessions per-mac limit 64000
 sessions per-vlan limit 64000 inner 64000
 sessions per-vc throttle 100 30 1800
 sessions per-mac throttle 100 30 1800
 sessions per-vlan throttle 100 30 1800
 sessions auto cleanup
!
bba-group pppoe test
 virtual-template 2
 sessions per-vc limit 64000
 sessions per-mac limit 64000
 sessions per-vlan limit 64000 inner 64000
 sessions per-vc throttle 100 30 1800
 sessions per-mac throttle 100 30 1800
 sessions per-vlan throttle 100 30 1800
 sessions auto cleanup
!
interface Loopback1
 ip address CCCCCCCCCCC 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback2
 ip address 10.5.92.252 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback3
 ip address 100.64.0.1 255.255.0.0
 ip ospf network point-to-point
!
interface Loopback4
 ip address DDDDDDDDDDDD 255.255.255.0
 ip ospf network point-to-point
!
interface Port-channel1
 no ip address
 no negotiation auto
!
interface Port-channel1.11640002
 encapsulation dot1Q 1614 second-dot1q 2
 pppoe enable group global
!
interface Port-channel1.101000011
 encapsulation dot1Q 100 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101000013
 encapsulation dot1Q 100 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101000019
 encapsulation dot1Q 100 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101000020
 encapsulation dot1Q 100 second-dot1q 20
 pppoe enable group global
!
interface Port-channel1.101000021
 encapsulation dot1Q 100 second-dot1q 21
 pppoe enable group global
!
interface Port-channel1.101000022
 encapsulation dot1Q 100 second-dot1q 22
 pppoe enable group global
!
interface Port-channel1.101000027
 encapsulation dot1Q 100 second-dot1q 27
 pppoe enable group global
!
interface Port-channel1.101000029
 encapsulation dot1Q 100 second-dot1q 29
 pppoe enable group global
!
interface Port-channel1.101000030
 encapsulation dot1Q 100 second-dot1q 30
 pppoe enable group global
!
interface Port-channel1.101000031
 encapsulation dot1Q 100 second-dot1q 31
 pppoe enable group global
!
interface Port-channel1.101020012
 encapsulation dot1Q 102 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101020017
 encapsulation dot1Q 102 second-dot1q 17
 pppoe enable group global
!
interface Port-channel1.101020018
 encapsulation dot1Q 102 second-dot1q 18
 pppoe enable group global
!
interface Port-channel1.101020019
 encapsulation dot1Q 102 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101070014
 encapsulation dot1Q 107 second-dot1q 14
 pppoe enable group global
!
interface Port-channel1.101180010
 encapsulation dot1Q 118 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101240010
 encapsulation dot1Q 124 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101240011
 encapsulation dot1Q 124 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101240012
 encapsulation dot1Q 124 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101240013
 encapsulation dot1Q 124 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101270011
 encapsulation dot1Q 127 second-dot1q 11
 pppoe enable group test
!
interface Port-channel1.101270012
 encapsulation dot1Q 127 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101300010
 encapsulation dot1Q 130 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101300011
 encapsulation dot1Q 130 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101300012
 encapsulation dot1Q 130 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101300013
 encapsulation dot1Q 130 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101300014
 encapsulation dot1Q 130 second-dot1q 14
 pppoe enable group global
!
interface Port-channel1.101300015
 encapsulation dot1Q 130 second-dot1q 15
 pppoe enable group global
!
interface Port-channel1.101300016
 encapsulation dot1Q 130 second-dot1q 16
 pppoe enable group global
!
interface Port-channel1.101300017
 encapsulation dot1Q 130 second-dot1q 17
 pppoe enable group global
!
interface Port-channel1.101300018
 encapsulation dot1Q 130 second-dot1q 18
 pppoe enable group global
!
interface Port-channel1.101300019
 encapsulation dot1Q 130 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101300020
 encapsulation dot1Q 130 second-dot1q 20
 pppoe enable group global
!
interface Port-channel1.101300021
 encapsulation dot1Q 130 second-dot1q 21
 pppoe enable group global
!
interface Port-channel1.101300022
 encapsulation dot1Q 130 second-dot1q 22
 pppoe enable group global
!
interface Port-channel1.101300023
 encapsulation dot1Q 130 second-dot1q 23
 pppoe enable group global
!
interface Port-channel1.101310010
 encapsulation dot1Q 131 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101310011
 encapsulation dot1Q 131 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101310012
 encapsulation dot1Q 131 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101310013
 encapsulation dot1Q 131 second-dot1q 13
 pppoe enable group global
!
interface Port-channel1.101310014
 encapsulation dot1Q 131 second-dot1q 14
 pppoe enable group global
!
interface Port-channel1.101310015
 encapsulation dot1Q 131 second-dot1q 15
 pppoe enable group global
!
interface Port-channel1.101310016
 encapsulation dot1Q 131 second-dot1q 16
 pppoe enable group global
!
interface Port-channel1.101310017
 encapsulation dot1Q 131 second-dot1q 17
 pppoe enable group global
!
interface Port-channel1.101310018
 encapsulation dot1Q 131 second-dot1q 18
 pppoe enable group global
!
interface Port-channel1.101310019
 encapsulation dot1Q 131 second-dot1q 19
 pppoe enable group global
!
interface Port-channel1.101310020
 encapsulation dot1Q 131 second-dot1q 20
 pppoe enable group global
!
interface Port-channel1.101310021
 encapsulation dot1Q 131 second-dot1q 21
 pppoe enable group global
!
interface Port-channel1.101310022
 encapsulation dot1Q 131 second-dot1q 22
 pppoe enable group global
!
interface Port-channel1.101310023
 encapsulation dot1Q 131 second-dot1q 23
 pppoe enable group global
!
interface Port-channel1.101310024
 encapsulation dot1Q 131 second-dot1q 24
 pppoe enable group global
!
interface Port-channel1.101310025
 encapsulation dot1Q 131 second-dot1q 25
 pppoe enable group global
!
interface Port-channel1.101310026
 encapsulation dot1Q 131 second-dot1q 26
 pppoe enable group global
!
interface Port-channel1.101320010
 encapsulation dot1Q 132 second-dot1q 10
 pppoe enable group global
!
interface Port-channel1.101320011
 encapsulation dot1Q 132 second-dot1q 11
 pppoe enable group global
!
interface Port-channel1.101320012
 encapsulation dot1Q 132 second-dot1q 12
 pppoe enable group global
!
interface Port-channel1.101320013
 encapsulation dot1Q 132 second-dot1q 13
 pppoe enable group global
!
interface Port-channel2
 no ip address
 no negotiation auto
!
interface Port-channel2.1
 description uplink
 encapsulation dot1Q 192
 ip address 10.15.192.114 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 cdp enable
 channel-group 1 mode active
!
interface GigabitEthernet0/2/0
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/2/1
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/2/2
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/2/3
 no ip address
 shutdown
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/2/4
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0/2/5
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0/2/6
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0/2/7
 no ip address
 negotiation auto
 cdp enable
 channel-group 2 mode active
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.255.1 255.255.255.240
 negotiation auto
!
interface Virtual-Template1
 mtu 1480
 ip unnumbered Loopback3
 ip nat inside
 ip tcp adjust-mss 1440
 no logging event link-status
 peer default ip address pool default-pool
 keepalive 60
 ppp mtu adaptive
 ppp authentication chap eap ms-chap ms-chap-v2 pap
 ppp ipcp dns 8.8.8.8
!
interface Virtual-Template2
 mtu 1492
 bandwidth 1000000
 ip unnumbered Loopback3
 ip nat inside
 ip tcp adjust-mss 1452
 no logging event link-status
 peer default ip address pool default-pool
 keepalive 60
 ppp authentication chap eap ms-chap ms-chap-v2 pap
!
router ospf 1
 router-id 10.15.192.114
 log-adjacency-changes detail
 summary-address 100.64.0.0 255.255.0.0
 summary-address DDDDDDDDDDDDD 255.255.255.0
 redistribute connected subnets
 redistribute static subnets
 network 10.15.192.0 0.0.0.255 area 0
 network DDDDDDDDDDDDDD 0.0.0.255 area 0.0.0.37
 network EEEEEEEEEEEEEE 0.0.0.255 area 0.0.0.37
!
ip local pool default-pool 100.64.0.2 100.64.127.254
ip local pool denat-pool DDDDDDDDDDDDD DDDDDDDDDDDDD
ip local pool Route-Pool 100.64.128.2 100.64.255.254
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat pool of-natpool CCCCCCCCC CCCCCCCCCCCC netmask 255.255.255.248
ip nat inside source route-map nat-of pool of-natpool overload
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip ssh version 2
!
ip access-list standard ssh-access
 permit 10.0.0.0 0.255.255.255
 deny any log
!
ip radius source-interface Loopback2
access-list 155 permit ip 100.64.0.0 0.0.255.255 any log
!
route-map nat-of permit 10
 match ip address 155
!
snmp-server community pub19jin RW
snmp-server location ITGate Corso Svizzera, 185, Torino, TO, 10149
!
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 30 original-called-number
radius-server attribute 4 10.15.192.114
radius-server attribute 31 mac format one-byte delimiter colon
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 120 tries 3
radius-server deadtime 2
!
radius server hal-radius1
 address ipv4 10.5.0.4 auth-port 1812 acct-port 1813
 key 00000000000
!
radius server hal-accounting1
 address ipv4 10.5.0.6 auth-port 1812 acct-port 1813
 key 00000000000
!
radius server hal-accounting2
 address ipv4 10.5.0.13 auth-port 1812 acct-port 1813
 key 00000000000
!
radius server hal-test
 address ipv4 10.5.0.2 auth-port 1812 acct-port 1813
 key 00000000000
!
control-plane
!
banner ^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class ssh-access in
 transport preferred ssh
line vty 5 15
 access-class ssh-access in
!
no network-clock synchronization automatic
ntp server 193.204.114.105 source Loopback1
!
end
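An added example (not part of the original post): a Python check over an excerpt of the configuration above that reports whether the pool handed to PPPoE subscribers falls inside the source range of the `ip nat inside source ... overload` rule. This is relevant to PPTP because its data channel is GRE, which carries no port numbers for a port-overloading translation to key on. The names `nat_exposure` and `wildcard_net` and the trimmed `CONFIG` excerpt are assumptions of the example.

```python
import ipaddress
import re

# Excerpt copied from the configuration posted above (masked pools left out).
CONFIG = """\
interface Virtual-Template1
 ip unnumbered Loopback3
 ip nat inside
 peer default ip address pool default-pool
!
ip local pool default-pool 100.64.0.2 100.64.127.254
ip local pool Route-Pool 100.64.128.2 100.64.255.254
ip nat inside source route-map nat-of pool of-natpool overload
access-list 155 permit ip 100.64.0.0 0.0.255.255 any log
route-map nat-of permit 10
 match ip address 155
"""

def wildcard_net(src, wild):
    # IOS wildcard mask -> prefix length (assumes a contiguous mask)
    prefix = 32 - bin(int(ipaddress.ip_address(wild))).count("1")
    return ipaddress.ip_network(f"{src}/{prefix}")

def nat_exposure(config):
    """Return {interface: (pool, translated)} for every 'ip nat inside' interface."""
    pools = {n: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for n, lo, hi in re.findall(
                 r"^ip local pool (\S+) ([\d.]+) ([\d.]+)$", config, re.M)}
    # ACL numbers matched by the route-maps that 'ip nat inside source' references
    acl_ids = set()
    for rm in re.findall(r"^ip nat inside source route-map (\S+) ", config, re.M):
        blk = re.search(rf"^route-map {re.escape(rm)} permit \d+\n((?: .*\n)*)",
                        config, re.M)
        acl_ids.update(re.findall(r"match ip address (\d+)", blk.group(1) if blk else ""))
    nets = [wildcard_net(src, wild) for acl, src, wild in re.findall(
        r"^access-list (\d+) permit ip ([\d.]+) ([\d.]+) any", config, re.M)
        if acl in acl_ids]
    result = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        pool = re.search(r"peer default ip address pool (\S+)", body)
        if "ip nat inside" not in body or not pool or pool.group(1) not in pools:
            continue
        lo, hi = pools[pool.group(1)]  # pool is translated if both ends match a NAT ACL
        result[name] = (pool.group(1), any(lo in n and hi in n for n in nets))
    return result

if __name__ == "__main__":
    print(nat_exposure(CONFIG))
```

The function expects the configuration with one command per line and sub-commands indented by a space, as a `show running-config` capture would have it.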
11-25-2020 10:47 AM
Hello,
any update on this? Still not working...