Cisco vpn & nat subnet to subnet

piermark84 (Level 1)

Hi,

I have a Cisco router with 2 FastEthernet interfaces:

- on 0/0 is my LAN with address 192.168.0.1 (it is the gateway for the LAN 192.168.0.X)

- on 0/1 is my ADSL modem with IP 192.168.1.240 (this modem is connected to the PCs on subnet 192.168.1.X)

Now I have a simple PPTP VPN with IP 172.16.0.0, but I can't ping the 192.168.1.X subnet; also on the VPN I don't have a gateway (192.168.0.1 or 192.168.1.1).

Thank you

Mark

Current configuration : 4327 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system slot0:c3725-adventerprisek9-mz.124-15.T14.bin
boot-end-marker
!
enable secret 5 $1$OR3K$bCknqjvtrHv.gdXKgP0AQ.
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
no ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.0 192.168.0.200
!
ip dhcp pool mypool
 network 192.168.0.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.0.1
 lease 7
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method dyndns
 HTTP
  add http://xxxxx:xxxx@members.dyndns.org/ni ... &hostname=<h>&myip=<a>
 interval maximum 0 2 0 0
 interval minimum 0 2 0 0
!
vpdn enable
!
vpdn-group PPTP
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
!
username xxxx password 0 xxxxxxx
archive
 log config
  hidekeys
!
ip ssh version 1
!
bba-group pppoe global
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
 no cdp enable
!
interface FastEthernet0/1
 description ADSL WAN Interface
 ip address 192.168.1.240 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip tcp adjust-mss 1452
 no ip mroute-cache
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
 no cdp enable
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Dialer1
 description ADSL WAN Dialer
 bandwidth 100000
 ip ddns update hostname xxxxxxxxxx
 ip ddns update dyndns
 ip address negotiated
 ip access-group 101 in
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname aliceadsl@aliceadsl
 ppp chap password 0 aliceadsl
 ppp pap sent-username aliceadsl@aliceadsl password 0 aliceadsl
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip local pool poolipnetconfig 172.16.0.0 172.16.0.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.0.0 255.255.255.248 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static udp 192.168.0.100 40028 interface Dialer1 40028
ip nat inside source static tcp 192.168.0.100 40028 interface Dialer1 40028
ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23
ip nat inside source static tcp 192.168.0.100 9091 interface Dialer1 9091
ip nat inside source static tcp 192.168.0.100 445 interface Dialer1 445
ip nat inside source static tcp 192.168.0.100 139 interface Dialer1 139
ip nat inside source static tcp 192.168.0.100 22 interface Dialer1 22
ip nat inside source static tcp 192.168.0.100 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.0.100 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.100 80 interface Dialer1 80
ip nat inside source static udp 192.168.0.100 1194 interface Dialer1 1194
ip nat inside source static tcp 192.168.0.100 3333 interface Dialer1 3333
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 100 permit tcp any any eq 1723
access-list 100 permit udp any eq isakmp any eq isakmp
access-list 100 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 permit ip any any
access-list 101 permit tcp host 204.13.248.112 eq www any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!


Neeraj Arora (Level 3)

Hi Marco,

I am not a VPN expert, so I cannot say whether the PPTP VPN config is set correctly or not, but I do know that traffic going across the VPN should not be NATed, which, as per the config, is happening at your end.

I would suggest the following change in NAT:

no ip nat inside source list 10 interface Dialer1 overload
no access-list 10 permit 192.168.0.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.7
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 110 interface Dialer1 overload

If this does not fix the connectivity issue, I guess the VPN experts out there will have to jump in.

Hope it helps

Neeraj
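To see why the proposed NAT exemption changes the outcome, the following added example (not code from the thread or from Cisco) models the first-match semantics of an IOS access list used as a NAT "inside source list", with Cisco wildcard masks, and evaluates both access-list 10 from the original config and access-list 110 from the reply. It also walks the PPTP pool 172.16.0.0 to 172.16.0.10 from the original config against the deny ACE, whose wildcard 0.0.0.7 covers only 172.16.0.0 to 172.16.0.7; the LAN source address 192.168.0.50 is a constructed sample host.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of IOS ACL evaluation: ACEs are tried in order, the first
# matching entry decides, and an unmatched flow hits the implicit deny.
# A NAT "inside source list" translates only flows the list permits.

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    src: Tuple[str, str]             # (address, wildcard) for the source
    dst: Optional[Tuple[str, str]]   # None for a standard (source-only) ACL

def _matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_decision(acl: List[Ace], src: str, dst: str) -> str:
    """Return 'permit', 'deny' or 'implicit-deny' for a src->dst flow."""
    for ace in acl:
        if not _matches(src, *ace.src):
            continue
        if ace.dst is not None and not _matches(dst, *ace.dst):
            continue
        return ace.action
    return "implicit-deny"

def is_translated(acl: List[Ace], src: str, dst: str) -> bool:
    """True when NAT overload would rewrite this flow's source address."""
    return acl_decision(acl, src, dst) == "permit"

# access-list 10 permit 192.168.0.0 0.0.0.255            (original config)
ACL_10 = [Ace("permit", ("192.168.0.0", "0.0.0.255"), None)]

# access-list 110 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.7
# access-list 110 permit ip 192.168.0.0 0.0.0.255 any     (reply's proposal)
ACL_110 = [
    Ace("deny", ("192.168.0.0", "0.0.0.255"), ("172.16.0.0", "0.0.0.7")),
    Ace("permit", ("192.168.0.0", "0.0.0.255"), ("0.0.0.0", "255.255.255.255")),
]

def pool_addresses_still_translated(acl: List[Ace], first="172.16.0.0",
                                    last="172.16.0.10", lan_host="192.168.0.50"):
    """PPTP pool addresses for which LAN replies would still be NATed."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)
            if is_translated(acl, lan_host, str(ipaddress.IPv4Address(i)))]
```

With ACL 10 a LAN reply toward 172.16.0.3 is translated; with ACL 110 it is exempt while traffic to 8.8.8.8 is still translated, and the pool walk reports 172.16.0.8 to 172.16.0.10 as not covered by the deny ACE.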