12-01-2017 06:31 PM - edited 03-05-2019 09:34 AM
Hi to all, I have the following issue:
I have a Cisco 1921 that I am planning to use as a PPTP client to connect to a PPTP server that has internet connectivity.
I get the PPTP tunnel established, but clients on the local segment of the PPTP client Cisco router, 192.168.15.0/24, are unable to reach the internet.
My current config is below:
Any suggestions on how to fix this simple problem would be greatly appreciated.
------------------ show version ------------------
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.5(3)M6a, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Mon 25-Sep-17 06:12 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
papan uptime is 9 minutes
System returned to ROM by power-on
System image file is "flash:c1900-universalk9-mz.SPA.155-3.M6a.bin"
Last reload type: Normal Reload
Last reload reason: power-on
Building configuration...
Current configuration : 2708 bytes
!
! Last configuration change at 01:48:04 UTC Sat Dec 2 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname papan
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.155-3.M6a.bin
boot system usbflash0:c1900-universalk9-mz.SPA.155-3.M6a.bin
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.15.1
!
ip dhcp pool 1
network 192.168.15.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.15.1
lease 1 6
!
!
!
ip domain name home
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.2
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group pptp
request-dialin
protocol pptp
pool-member 1
initiate-to ip 100.100.100.50
!
cts logging verbose
!
!
license accept end user agreement
!
!
username network privilege 15 secret 5 <removed>
!
redundancy
notification-timer 120000
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description INTERNET
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description INSIDE NETWORK
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer remote-name pptp-Igor
dialer idle-timeout 0
dialer string 1234
dialer persistent
dialer vpdn
dialer-group 1
ppp pfc local request
ppp pfc remote apply
ppp authentication ms-chap ms-chap-v2 optional
ppp chap hostname administrator
ppp chap password 0 <removed>
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map DIALER0_PRIMARY interface Dialer0 overload
ip nat inside source route-map ISP_SECONDARY interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 100.100.100.50 255.255.255.255 GigabitEthernet0/0 dhcp
ip ssh version 2
!
dialer-list 1 protocol ip permit
!
route-map DIALER0_PRIMARY permit 10
match ip address 100
match interface Dialer0
!
route-map ISP_SECONDARY permit 10
match ip address 100
match interface GigabitEthernet0/0
!
!
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input ssh
!
scheduler allocate 20000 1000
!
end
12-02-2017 01:26 AM
Hello,
at first glance, it looks like your static routing is reversed. I have made some changes (in bold), see if that makes a difference:
Current configuration : 2708 bytes
!
! Last configuration change at 01:48:04 UTC Sat Dec 2 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
service internal
!
hostname papan
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.155-3.M6a.bin
boot system usbflash0:c1900-universalk9-mz.SPA.155-3.M6a.bin
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
ip dhcp excluded-address 192.168.15.1
!
ip dhcp pool 1
network 192.168.15.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.15.1
lease 1 6
!
ip domain name home
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.2
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group pptp
request-dialin
protocol pptp
rotary-group 1
initiate-to ip 100.100.100.50
!
cts logging verbose
!
license accept end user agreement
!
username network privilege 15 secret 5 <removed>
!
redundancy
notification-timer 120000
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description INTERNET
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description INSIDE NETWORK
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer-group 1
dialer remote-name pptp-Igor
dialer idle-timeout 0
dialer string 1234
dialer persistent
dialer vpdn
dialer-group 1
ppp pfc local request
ppp pfc remote apply
ppp authentication ms-chap ms-chap-v2 optional
ppp chap hostname administrator
ppp chap password 0 <removed>
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip classless
!
ip nat inside source route-map DIALER1_PRIMARY interface Dialer1 overload
ip nat inside source route-map ISP_SECONDARY interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip route 100.100.100.50 255.255.255.255 Dialer1
ip ssh version 2
!
dialer-list 1 protocol ip permit
!
route-map DIALER1_PRIMARY permit 10
match ip address 100
match interface Dialer1
!
route-map ISP_SECONDARY permit 10
match ip address 100
match interface GigabitEthernet0/0
!
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input ssh
!
scheduler allocate 20000 1000
!
12-02-2017 05:54 AM - edited 12-02-2017 06:35 AM
Thank you for your response. I tested the proposed solution; unfortunately, something is missing in it.
Since the PPTP tunnel doesn't come up currently, the "Virtual-Access" interface doesn't come up, due to rotary-group 1.
When I remove rotary-group 1, the tunnel comes up and local users can browse the internet, but NOT through the Dialer1 interface.
Looking for further suggestions from you, thank you in advance :)
papan#sh int dialer 1
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address will be negotiated using IPCP
MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 1 seconds on reset
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:14:34
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 packets output, 0 bytes
NVI0 is up, line protocol is up
Hardware is NVI
MTU 1514 bytes, BW 56 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation UNKNOWN, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Posting current config for reference
! Last configuration change at 13:46:11 UTC Sat Dec 2 2017
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname papan
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.155-3.M6a.bin
boot system usbflash0:c1900-universalk9-mz.SPA.155-3.M6a.bin
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.15.1
!
ip dhcp pool 1
network 192.168.15.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.15.1
lease 1 6
!
!
!
ip domain name home
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.2
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group pptp
request-dialin
protocol pptp
rotary-group 1
initiate-to ip 100.100.100.50
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FJC2011L0EA
license accept end user agreement
!
!
!
redundancy
notification-timer 120000
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description INTERNET
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description INSIDE NETWORK
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer remote-name pptp-Igor
dialer idle-timeout 0
dialer string 1234
dialer persistent
dialer vpdn
dialer-group 1
ppp pfc local request
ppp pfc remote apply
ppp authentication ms-chap ms-chap-v2 optional
ppp chap hostname administrator
ppp chap password 7 xxxxxxxxxxxxxxxxxxx
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map DIALER1_PRIMARY interface Dialer1 overload
ip nat inside source route-map ISP_SECONDARY interface GigabitEthernet0/0 overload
ip route 100.100.100.50 255.255.255.255 Dialer1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip ssh version 2
!
dialer-list 1 protocol ip permit
!
route-map DIALER1_PRIMARY permit 10
match ip address 100
match interface Dialer1
!
route-map ISP_SECONDARY permit 10
match ip address 100
match interface GigabitEthernet0/0
!
!
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input ssh
!
scheduler allocate 20000 1000
ntp server pool.ntp.org
!
end
papan#
12-02-2017 06:41 AM
Hello,
try your original routing again:
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 100.100.100.50 255.255.255.255 GigabitEthernet0/0 dhcp
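An added example, not part of the thread and not Cisco code: a longest-prefix-match model of the two static-route sets posted above, showing which interface carries packets addressed to the PPTP server and which carries LAN client traffic. The route tables are constructed from the `ip route` lines in the posts (using the Dialer1 name); the function names and the 8.8.8.8 sample destination are assumptions, and only static routing is modelled, not NAT or PPP negotiation.

```python
import ipaddress

PPTP_SERVER = "100.100.100.50"   # initiate-to address from the posted vpdn-group
TUNNEL_IF = "Dialer1"
PHYS_IF = "GigabitEthernet0/0"

# Constructed from the thread: default via the dialer, host route via the ISP link.
ORIGINAL = [("0.0.0.0/0", TUNNEL_IF), (PPTP_SERVER + "/32", PHYS_IF)]
# Constructed from the thread: default via the ISP link, host route via the dialer.
REVERSED = [("0.0.0.0/0", PHYS_IF), (PPTP_SERVER + "/32", TUNNEL_IF)]


def lookup(routes, dst):
    """Return the egress interface chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def analyse(routes, sample_dst="8.8.8.8"):
    """Summarise where tunnel-carrier packets and LAN client packets leave."""
    carrier = lookup(routes, PPTP_SERVER)   # outer PPTP control/GRE packets
    client = lookup(routes, sample_dst)     # traffic from 192.168.15.0/24
    return {
        "tunnel_carrier": carrier,
        "client_egress": client,
        # Outer packets routed into the tunnel they are supposed to carry.
        "tunnel_recursive": carrier == TUNNEL_IF,
        # False means client traffic bypasses the tunnel entirely.
        "clients_use_tunnel": client == TUNNEL_IF,
    }


if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("reversed", REVERSED)):
        print(name, analyse(table))
```

With the reversed set, client traffic resolves to GigabitEthernet0/0, which is consistent with the report above that users could browse but not through Dialer1; for a VPN client router that outcome means LAN traffic leaves outside the tunnel.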