PPTP: Can't reach remote networks from PPTP client PC when I enable internet

Ariq Ibne Aziz
Level 1

Hi,

I have configured PPTP on my Cisco 2901 router.

When I connect to PPTP from my Windows PC, I get an internet connection, but I can't reach the remote networks connected to the firewall.

(Remote PC) ===== PPTP connection ---- Router ----- Firewall (ASA) --- 192.168.100.20 (Host)

But when I enable "Use default gateway on remote networks", I lose my internet connection and can reach the remote networks (192.168.100.20).

Here is my config:

vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1

interface Tunnel1
 ip address 10.12.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 49.0.43.50
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description **WAN CONNECTION**
 ip address 49.0.43.51 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ** CONNECTED TO FIREWALL **
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 peer default ip address pool PPTP-Pool
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 no ip address
!
ip local pool PPTP-Pool 192.168.80.20 192.168.80.50
ip forward-protocol nd

ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.250 88 49.0.43.52 88 extendable
ip nat inside source static 192.168.100.20 49.0.43.53
ip route 0.0.0.0 0.0.0.0 49.0.43.49
ip route 10.10.10.8 255.255.255.248 10.10.10.2
ip route 10.10.20.0 255.255.255.0 10.12.10.2
ip route 192.168.0.0 255.255.254.0 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.12.10.2
ip route 192.168.4.0 255.255.254.0 10.10.10.2
ip route 192.168.6.0 255.255.254.0 10.12.10.2
ip route 192.168.10.0 255.255.255.0 10.10.10.2
ip route 192.168.20.0 255.255.255.0 10.12.10.2
ip route 192.168.30.0 255.255.255.0 10.10.10.2
ip route 192.168.40.0 255.255.255.0 10.12.10.2
ip route 192.168.100.0 255.255.255.0 10.10.10.2
! ^ my required remote network (server), which is behind the firewall
!

access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 permit 192.168.4.0 0.0.1.255
access-list 10 permit 192.168.6.0 0.0.1.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.15.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.1.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.1.255
access-list 10 permit 10.10.10.0 0.0.0.7
access-list 10 permit 10.10.10.8 0.0.0.7
access-list 10 permit 192.168.80.0 0.0.0.255
! ^ PPTP VPN pool
!

Can someone please guide me to solve the issue?

I need both an internet connection and reachability to the other network (server network 192.168.100.0/24) from my PPTP client PC.

Best Regards

ARIQ


9 Replies

Hello,

you need to deny NAT for the VPN clients connecting to the server network, and allow all other traffic to be NATted. You cannot do that with a standard access list; you need the extended list below (assuming that your server network is 192.168.100.0/24):

ip nat inside source list 100 interface GigabitEthernet0/0 overload

access-list 100 remark Deny NAT for VPN Clients
access-list 100 deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 remark Allow NAT for VPN Clients
access-list 100 permit ip 192.168.80.0 0.0.0.255 any

Hi,

I'm still facing the same problem.

When I enable "Use default gateway on remote networks" [VPN adapter settings], I lose my internet connection and can reach the remote networks (192.168.100.20).

And when I disable "Use default gateway on remote networks" [VPN adapter settings], I get internet access but it breaks reachability to the 192.168.100.0/24 network.

ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.250 88 49.0.43.52 88 extendable
ip nat inside source static 192.168.100.20 49.0.43.53

access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 permit 192.168.4.0 0.0.1.255
access-list 10 permit 192.168.6.0 0.0.1.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.15.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.1.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.1.255
access-list 10 permit 10.10.10.0 0.0.0.7
access-list 10 permit 10.10.10.8 0.0.0.7
access-list 10 permit 192.168.80.0 0.0.0.255

access-list 100 remark Deny NAT for VPN Clients
access-list 100 deny   ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 remark Allow NAT for VPN Clients
access-list 100 permit ip 192.168.80.0 0.0.0.255 any

Thank you in advance.

Note: Please let me know if you need full configuration.

Hello,

did you remove this line from your configuration?

ip nat inside source list 10 interface GigabitEthernet0/0 overload

Hi,

Thanks for your quick response.

I didn't remove the line. I need it for my local LAN network's PAT.

Do I have to remove the line?

Hello,

remove the line to check if that enables your VPN clients to access both the Internet and your servers. If that works, incorporate all the other lines into access list 100.
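What "incorporate all the other lines into access list 100" looks like in full, as an added example written for this page (it is not a configuration posted in the thread). It merges the permits from the OP's access-list 10 with the NAT exemption from the first reply, using the OP's own network numbers; the `show` commands at the end are the standard IOS checks and are assumed to be what you would run to confirm it.

```cisco
! Added example: a single NAT ACL that (a) exempts VPN-client traffic to the
! server network from translation and (b) still PATs everything else,
! including the VPN pool, to the WAN address. Entry order matters because
! IOS evaluates the list top-down and stops at the first match.
!
! 1. Deny entries first. A standard ACL only matches the source, which is
!    why the OP's access-list 10 could not express "VPN pool, but not when
!    the destination is 192.168.100.0/24".
access-list 100 remark Deny NAT for VPN clients reaching the server network
access-list 100 deny   ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! 2. The permits carried over from access-list 10, as extended entries.
access-list 100 remark Allow NAT for the LAN networks and the VPN pool
access-list 100 permit ip 192.168.80.0  0.0.0.255 any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0   0.0.1.255 any
access-list 100 permit ip 192.168.6.0   0.0.1.255 any
access-list 100 permit ip 192.168.10.0  0.0.0.255 any
access-list 100 permit ip 192.168.15.0  0.0.0.255 any
access-list 100 permit ip 192.168.20.0  0.0.1.255 any
access-list 100 permit ip 192.168.30.0  0.0.0.255 any
access-list 100 permit ip 192.168.0.0   0.0.1.255 any
access-list 100 permit ip 10.10.10.0    0.0.0.7   any
access-list 100 permit ip 10.10.10.8    0.0.0.7   any
!
! 3. One overload statement referencing the merged list. The old statement
!    for list 10 is removed so two dynamic rules do not compete for the
!    same inside/outside pair.
no ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
! 4. The PPTP virtual-access interfaces must be NAT "inside" so client
!    traffic to the Internet is translated; the OP's Virtual-Template1
!    already carries this.
interface Virtual-Template1
 ip nat inside
!
! Checks once a client (192.168.80.x) is connected: a flow to the Internet
! should show a translation to 49.0.43.51, a flow to 192.168.100.20 should
! show none, and the deny entry's hit counter should increase.
! show ip nat translations | include 192.168.80.
! show access-lists 100
```

With NAT out of the way, the remaining half of the problem is on the client: with "Use default gateway on remote network" disabled, Windows has no route to 192.168.100.0/24 through the PPP adapter, so that prefix must be added on the client, which is exactly what the accepted solution and the OP's `netsh` line later in the thread do.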

Hello,

I still have the same problem.

I have deleted the line

ip nat inside source list 10 interface GigabitEthernet0/0 overload

I checked and found that PPTP clients get internet but can't reach the remote network.

Please let me know what setting I should use in my PPTP adapter.

Should I enable "Use default gateway on remote networks"

or

disable "Use default gateway on remote networks"?

I have attached the configuration after deleting the line as you mentioned. Please check the attached configuration file.

Hello,

the router configuration looks good now. What VPN client are you using? 'Use default gateway on remote networks' should be disabled, but you might need to add a route to the remote networks locally, depending on your client, as described below:

Configuring Split-tunnel Client VPN

https://documentation.meraki.com/MX-Z/Client_VPN/Configuring_Split-tunnel_Client_VPN

Thanks, it's working right now.

I had to configure the setting below in my Windows OS [cmd].

netsh interface ipv4 add route 192.168.100.0/24 "my-ppp-adapter_name"

I will post an update if I face any difficulties after this configuration.

Good to know that you got it resolved...
