
Configuring the Cisco 1000 Series Integrated Services Routers and VPN Clients Using PPTP

Greetings of the day. Need help Configuring the Cisco 1000 Series Integrated Services Routers and VPN Clients Using PPTP.

With standard PPTP Router Configuration users can connect, but they don't have access anywhere. Maybe there are some special features in settings of this equipment?

Accepted Solution

Hello,

On a side note, this is from the ISR 1000 FAQ:

What VPN technologies are supported on the ISR 1000 Series?
The 1000 Series supports the following VPN technologies: FlexVPN, Dynamic Multipoint VPN (DMVPN), and Group Encrypted Transport VPN (GETVPN).

The ASR 1000 does not support PPTP either.

9 Replies

balaji.bandi
Hall of Fame

With standard PPTP Router Configuration users can connect, but they don't have access anywhere. Maybe there are some special features in settings of this equipment?

We need to hear more about the above statement. Does this pool have enough ACL to allow access to the resource?

You mentioned no access; no access to what: internet, LAN or any other?

It would be nice to have the configuration, to look at what is configured and tweak it to work as expected.

BB


version 16.12
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname Mogilev_Cheluskincev
!
boot-start-marker
boot-end-marker
!
!
logging monitor notifications
enable secret 9 $14$LBHd$kiTSTwWgio6J1.$TvuZgDMl7l.M.3mg/VvHxBa5QPZoVZrS52ne7sSgEUQ
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
!
transport-map type persistent webui WebUI
server
secure-server
!
clock timezone EEST 3 0
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
no ip domain lookup
ip domain name mintrud
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group TCSON
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 100
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3009285482
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3009285482
revocation-check none
rsakeypair TP-self-signed-3009285482
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01 nvram:CiscoLicensi#1CA.cer
crypto pki certificate chain TP-self-signed-3009285482
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
license udi pid C1111-8P sn FCZ234790H0
memory free low-watermark processor 71721
!
!
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username user1 password 7 1139391604055B1E007B
username user2 password 7 097C6E1A0A1247000F5E
username user3 password 7 15222B1F173D7B362C60
username user4 password 7 053B261C325B1E1B1D51
username user5 password 7 15222B1F173D7B362C66
username user6 password 7 13353701181B54382F72
username user7 password 7 142732181F137A39207F
username user8 password 7 142732181F137A392070
username user9 password 7 08116C5D1A0E55051652
username user10 password 7 06362F325F59590B014642
username user11 password 7 01232617481C561D251D1F
username user12 password 7 15222B1F173D7B362C6267
username user13 password 7 107E290A16004219085579
username user14 password 7 15222B1F173D7B362C6261
username user15 password 7 08116C5D1A0E5505165A59
username user16 password 7 1139391604055B1E007B7D
username user17 password 7 03347B181518715E4A584E
username user18 password 7 13353701181B54382F7570
username user19 password 7 073F015F5D1E4917134352
username user20 password 7 142732181F137A39207A63
username cisco privilege 15 secret 9 $9$q3vE2fNb5miqfE$.1wRbKAXCecHu1gr6PknGyohTCASCHR8xoBsIO8sTgE
username c!sco privilege 15 password 7 130656010803
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
interface Loopback10
ip address 10.118.1.128 255.255.255.255
!
interface Tunnel37
description to_Gorod
bandwidth 64
ip address 10.6.37.2 255.255.255.0
tunnel source GigabitEthernet0/0/0
tunnel destination 172.21.223.4
!
interface GigabitEthernet0/0/0
description to_Gorod
ip address 172.21.223.241 255.255.255.248
ip tcp adjust-mss 1452
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN
ip address 172.21.183.129 255.255.255.128
ip tcp adjust-mss 1452
negotiation auto
ntp broadcast
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Virtual-Template100
ip unnumbered Loopback10
peer default ip address pool Pptp_Users_Pool
no keepalive
ppp authentication ms-chap chap pap
ppp ipcp dns 172.21.160.3 172.21.160.4
!
interface Vlan1
no ip address
!
!
router eigrp 100
network 10.6.0.0 0.0.255.255
network 172.21.183.128 0.0.0.127
redistribute static route-map static_to_eigrp
!
ip local pool Pptp_Users_Pool 10.118.1.129 10.118.1.190
no ip classless
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 10.100.97.0 255.255.255.0 172.21.223.244
ip route 10.117.48.0 255.255.252.0 172.21.223.244
ip route 10.117.145.0 255.255.255.0 172.21.223.244
ip route 10.118.1.128 255.255.255.192 GigabitEthernet0/0/0
ip route 10.118.1.128 255.255.255.192 Loopback10
ip route 10.156.64.134 255.255.255.255 172.21.160.1 tag 18 name BOT
ip route 112.112.112.82 255.255.255.255 172.21.160.1
ip route 172.16.16.99 255.255.255.255 172.21.160.1
ip route 172.16.16.201 255.255.255.255 172.21.160.1
ip route 172.16.64.72 255.255.255.248 172.21.160.1
ip route 172.16.221.36 255.255.255.255 172.21.160.1
ip route 172.16.221.36 255.255.255.255 10.64.48.1
ip route 172.16.221.66 255.255.255.255 172.21.160.1 tag 25 name ASU_ZAN
ip route 172.20.192.96 255.255.255.248 172.21.223.244
ip route 172.20.192.208 255.255.255.248 172.21.223.244
ip route 172.21.223.0 255.255.255.248 172.21.223.244
ip route 192.168.160.0 255.255.255.0 172.21.223.244
ip route 192.168.183.0 255.255.255.0 172.21.183.200 tag 15 name MogilevGISSZ
ip route 192.168.188.0 255.255.255.0 172.21.183.136 tag 14 name MogilevRikZan
!
!
ip access-list standard PPTP_net
10 permit 10.118.1.128 0.0.0.63
!
!
ip access-list extended 104
10 permit udp 172.21.183.0 0.0.0.255 eq ntp any
20 permit udp 192.168.183.0 0.0.0.255 eq ntp any
30 permit udp 192.168.188.0 0.0.0.255 eq ntp any
!
!
route-map static_to_eigrp permit 10
match ip address PPTP_net
!
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 60 0
password 7 060506324F41
logging synchronous
transport input ssh
line vty 5 15
password 7 060506324F41
!
transport type persistent webui input WebUI
!
ntp master 3
ntp server 172.21.160.1 prefer
!
!
!
!
!
end
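
For the question raised in the thread about whether the PPTP address pool is covered by the ACL and routes, the following added example (not part of any post; `parse` and `pool_coverage` are hypothetical helper names) checks the posted configuration's `Pptp_Users_Pool` against `PPTP_net`, the list that the `static_to_eigrp` route-map matches, and against the static routes.

```python
import ipaddress

# Lines copied from the configuration posted above (ACL indentation restored).
CONFIG = """\
ip local pool Pptp_Users_Pool 10.118.1.129 10.118.1.190
ip route 10.118.1.128 255.255.255.192 GigabitEthernet0/0/0
ip route 10.118.1.128 255.255.255.192 Loopback10
ip route 192.168.160.0 255.255.255.0 172.21.223.244
ip access-list standard PPTP_net
 10 permit 10.118.1.128 0.0.0.63
"""

def parse(config):
    """Collect local pools, static routes and standard-ACL permits."""
    pools, routes, acls, current = {}, [], {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "local", "pool"] and len(w) == 6:
            pools[w[3]] = (ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5]))
        elif w[:2] == ["ip", "route"] and len(w) >= 5:
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif w[:3] == ["ip", "access-list", "standard"] and len(w) == 4:
            current = w[3]
            acls[current] = []
        elif current and len(w) == 4 and w[1] == "permit":
            # Wildcard mask -> prefix length (assumes a contiguous wildcard).
            wild = int(ipaddress.ip_address(w[3]))
            net = (int(ipaddress.ip_address(w[2])), 32 - wild.bit_length())
            acls[current].append(ipaddress.ip_network(net))
        else:
            current = None
    return pools, routes, acls

def pool_coverage(config, pool_name, acl_name):
    """Report whether every pool address is matched by the ACL and a static route."""
    pools, routes, acls = parse(config)
    # Smallest set of CIDR blocks that spans exactly first..last of the pool.
    blocks = list(ipaddress.summarize_address_range(*pools[pool_name]))
    def covered(nets):
        return all(any(b.subnet_of(n) for n in nets) for b in blocks)
    statics = [(n, hop) for n, hop in routes
               if any(b.subnet_of(n) for b in blocks)]
    return {
        "acl_covers_pool": covered(acls.get(acl_name, [])),
        "static_covers_pool": covered([n for n, _ in statics]),
        "static_exits": sorted({hop for _, hop in statics}),
    }

if __name__ == "__main__":
    print(pool_coverage(CONFIG, "Pptp_Users_Pool", "PPTP_net"))
```

More than one entry in `static_exits` means the pool prefix has static routes out of different interfaces, as it does in the posted configuration.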

Hello


@YaraslauKireyeu64366 wrote:

With standard PPTP Router Configuration users can connect, but they don't have access anywhere


On each pppoe client
int dialer xx
ppp ipcp route default


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Prescribed. Didn't help. Thanks.

Hello

Did you reset the client?
From the client
show pppoe session
show ip int brief
show ip route



Kind Regards
Paul

 

sho vpdn session

PPTP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Intf Username State Last Chg Uniq ID
54307 40899 26528 Vi2.1 user5 estabd 00:03:26 1

show ip int brief

Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 172.21.223.241 YES NVRAM up up
GigabitEthernet0/0/1 172.21.183.129 YES NVRAM up up
GigabitEthernet0/1/0 unassigned YES unset down down
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset down down
GigabitEthernet0/1/4 unassigned YES unset down down
GigabitEthernet0/1/5 unassigned YES unset down down
GigabitEthernet0/1/6 unassigned YES unset down down
GigabitEthernet0/1/7 unassigned YES unset down down
Loopback10 10.118.1.128 YES NVRAM up up
Tunnel37 10.6.37.2 YES NVRAM up up
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned YES unset up up
Virtual-Access2.1 10.118.1.128 YES unset up up
Virtual-Template100 10.118.1.128 YES unset down down
Vlan1 unassigned YES unset up down

show ip route

Gateway of last resort is 10.118.1.129 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.118.1.129
D 10.118.1.0/26 [90/54208000] via 10.6.37.1, 00:17:58, Tunnel37
D 10.118.1.0/32 [90/54208000] via 10.6.37.1, 00:17:58, Tunnel37
D 10.118.1.1/32 [90/56640000] via 10.6.37.1, 00:17:57, Tunnel37
D 10.118.1.64/26 [90/54208000] via 10.6.37.1, 00:17:58, Tunnel37
D 10.118.1.64/32 [90/54208000] via 10.6.37.1, 00:17:58, Tunnel37
D 10.118.1.68/32 [90/56640000] via 10.6.37.1, 00:17:57, Tunnel37
S 10.118.1.128/26 is directly connected, Loopback10
C 10.118.1.128/32 is directly connected, Loopback10
C 10.118.1.129/32 is directly connected, Virtual-Access2.1
D EX 10.118.1.192/26 [170/54208000] via 10.6.37.1, 00:17:57, Tunnel37

 

Access is not available in LAN and WAN (to_Gorod) networks.


Hello
This client is receiving an IP address and default gateway. You have an EIGRP tunnel 37 running EIGRP, with EIGRP routes in the RIB table.
So for LAN reachability I am assuming it is via the tunnel, and for internet via the default gateway?

For the LAN subnets, can you traceroute from the client and post the output? And for internet, is the upstream router 10.118.1.129 performing NAT?



Kind Regards
Paul