04-23-2024 03:28 AM
I have recently upgraded from an 887 router to the 1100 ISR. We have a third-party client that uses this router to VPN into the local network and connect to some of the services on the LAN. They use PPTP and the standard Windows client; however, since being on the ISR they are able to connect to the VPN and get an IP address but cannot ping anything on the LAN, not even the Virtual-Access interface.
I have tried all kinds of things to get this to work to no avail.
Software version Cisco IOS XE Software, Version 17.09.04a
License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
securityk9 (ISR_1100_4P_Security) 1 IN USE
Running Config: -
Current configuration : 9947 bytes
!
! Last configuration change at 09:54:35 UTC Tue Apr 23 2024 by manx.telecom
!
version 17.9
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname R1
!
boot-start-marker
boot system flash:c1100-universalk9.17.09.04a.SPA.bin
boot-end-marker
!
logging buffered 51200
!
ip name-server 8.8.8.8
ip domain name yourdomain.com
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.0.254
!
login on-success log
!
subscriber templating
!
vtp mode transparent
vtp version 1
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 2
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
no license feature hseck9
license boot level securityk9
memory free low-watermark processor 70154
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username XXXX password XXXX
!
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
no cdp run
!
interface Loopback0
ip address 10.255.255.255 255.255.255.255
!
interface Loopback2
ip address 192.168.255.254 255.255.255.0
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
no cdp enable
!
interface GigabitEthernet0/1/1
no cdp enable
!
interface GigabitEthernet0/1/2
no cdp enable
!
interface GigabitEthernet0/1/3
no cdp enable
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm ilmi-keepalive
hold-queue 224 in
!
interface ATM0/2/0.1 point-to-point
description WAN
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/2/0
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback2
peer default ip address pool Remote
ppp authentication ms-chap-v2
!
interface Vlan1
description LAN
ip address 192.168.0.254 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
!
interface Dialer0
mtu 1450
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXX
ppp chap password XXXXXXX
ppp ipcp dns request
hold-queue 224 in
!
ip local pool Remote 192.168.255.49 192.168.255.63
ip tcp synwait-time 10
no ip http server
ip http authentication local
no ip http secure-server
ip forward-protocol nd
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 50 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
!
logging trap debugging
ip access-list standard 1
10 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
end
I really do not know why this doesn't work. I get an IP address of 192.168.255.49 - 192.168.255.63 depending on when I log in, yet I am unable to ping 192.168.255.254.
sh ip int brie
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/1/0 unassigned YES unset up up
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset down down
ATM0/2/0 unassigned YES NVRAM up up
ATM0/2/0.1 unassigned YES unset up up
Ethernet0/2/0 unassigned YES NVRAM administratively down down
Dialer0 xxx.xxx.xxx.xxx YES IPCP up up
Loopback0 10.255.255.255 YES NVRAM up up
Loopback2 192.168.255.254 YES NVRAM up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset down down
Virtual-Access3 unassigned YES unset up up
Virtual-Access4 unassigned YES NVRAM up up
Virtual-Access5 unassigned YES unset up up
Virtual-Access5.1 192.168.255.254 YES unset up up
Virtual-Access6 unassigned YES unset down down
Virtual-Template1 192.168.255.254 YES unset down down
Vlan1 192.168.0.254 YES NVRAM up up
04-23-2024 03:38 AM
You need the security license active to ping the LAN.
MHM
04-23-2024 04:17 AM
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
securityk9 (ISR_1100_4P_Security) 1 IN USE
04-23-2024 04:22 AM
Further information: -
sh vpdn
%%No active L2TP tunnels
PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID Remote Name State Remote Address Port Sessions VPDN Group
10875 estabd XXX.XXX.XXX.XXX 52372 1 2
LocID RemID TunID Intf Username State Last Chg Uniq ID
47980 59505 10875 Vi5.1 stuart estabd 00:00:33 23
sh vpdn session all
%%No active L2TP tunnels
PPTP Session Information Total tunnels 1 sessions 1
Call id 47980 is up on tunnel id 10875
Remote tunnel name is
Internet Address is XXX.XXX.XXX.XXX
Session username is stuart, state is estabd
Time since change 00:01:53, interface Vi5.1
Remote call id is 59505
126 packets sent, 855 received, 36 bytes sent, 147741 received
0 send packets dropped
0 receive packets dropped
Last clearing of "show vpdn" counters never
Ss 24, Sr 863, Remote Nr 23, peer RWS 64
0 out of order packets
Flow alarm is clear.
Unique ID is 23
sh ip int vi5.1
Virtual-Access5.1 is up, line protocol is up
Interface is unnumbered. Using address of Loopback2 (192.168.255.254)
Broadcast address is 255.255.255.255
Peer address is 192.168.255.51
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing Common access list is not set
Outgoing access list is not set
Inbound Common access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: iEdge, MCI Check
Output features: iEdge
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
IP Clear Dont Fragment is disabled
04-23-2024 04:25 AM
Hello,
the config looks good as far as I can tell. What if you make the pool part of the local network, e.g.:
ip dhcp excluded-address 192.168.0.240 192.168.0.253
ip local pool Remote 192.168.0.240 192.168.0.253
04-23-2024 04:38 AM
I have tried that with the line
ip local pool Remote 192.168.0.49 192.168.0.63
Again I pick up an IP address but am unable to ping anything. I also changed the ip unnumbered interface in the virtual template to use vlan 1 and still no joy.
04-23-2024 05:04 AM
Hello,
which VPN type are your users selecting (using the standard built-in Windows 11 VPN client)?
04-23-2024 05:12 AM
Yes, I am using a standard PPTP Windows 11 VPN configuration.