05-20-2017 09:38 PM - edited 03-05-2019 08:34 AM
Hi,
I have configured PPTP on my Cisco 2901 router.
When I connect to PPTP from my Windows PC, I get an Internet connection, but I can't reach the remote networks connected to the firewall.
(Remote PC)======PPTPconnection ----Router-----Firewall(ASA)---192.168.100.20(Host)
But when I enable "USE default Gateway on remote networks", I lose my Internet connection and can reach the remote networks (192.168.100.20).
Here are my config:
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
interface Tunnel1
ip address 10.12.10.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 49.0.43.50
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description **WAN CONNECTION**
ip address 49.0.43.51 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ** CONNECTED TO FIREWALL **
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
ip mtu 1400
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
peer default ip address pool PPTP-Pool
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
no ip address
!
ip local pool PPTP-Pool 192.168.80.20 192.168.80.50
ip forward-protocol nd
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.250 88 49.0.43.52 88 extendable
ip nat inside source static 192.168.100.20 49.0.43.53
ip route 0.0.0.0 0.0.0.0 49.0.43.49
ip route 10.10.10.8 255.255.255.248 10.10.10.2
ip route 10.10.20.0 255.255.255.0 10.12.10.2
ip route 192.168.0.0 255.255.254.0 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.12.10.2
ip route 192.168.4.0 255.255.254.0 10.10.10.2
ip route 192.168.6.0 255.255.254.0 10.12.10.2
ip route 192.168.10.0 255.255.255.0 10.10.10.2
ip route 192.168.20.0 255.255.255.0 10.12.10.2
ip route 192.168.30.0 255.255.255.0 10.10.10.2
ip route 192.168.40.0 255.255.255.0 10.12.10.2
ip route 192.168.100.0 255.255.255.0 10.10.10.2 --- My required remote network (server), which is behind the firewall
!
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 permit 192.168.4.0 0.0.1.255
access-list 10 permit 192.168.6.0 0.0.1.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.15.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.1.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.1.255
access-list 10 permit 10.10.10.0 0.0.0.7
access-list 10 permit 10.10.10.8 0.0.0.7
access-list 10 permit 192.168.80.0 0.0.0.255 ------PPTP VPN POOL
!
Can someone please guide me to solve the issue?
I need both an Internet connection and reachability to the other network (server network 192.168.100.0/24) from my PPTP client PC.
Best Regards
ARIQ
05-20-2017 11:08 PM
Hello,
you need to deny NAT for the VPN clients connecting to the server network, and allow all other traffic to be NATted. You cannot do that with a standard access list, you need the extended list below (assuming that your server network is 192.168.100.0/24):
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 remark Deny NAT for VPN Clients
access-list 100 deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 remark Allow NAT for VPN Clients
access-list 100 permit ip 192.168.80.0 0.0.0.255 any
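How the NAT access lists in this thread decide which flows get translated, as an added example that is not part of the original reply. It models IOS wildcard matching with first-match and implicit-deny semantics; list 100 is copied from the reply, list 10 shows two of the original poster's entries, and the sample hosts (192.168.80.21, 192.168.10.5, 203.0.113.10) are constructed.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# (action, source, destination); extended list 100 as posted in the reply
ACL_100 = [
    ("deny",   ("192.168.80.0", "0.0.0.255"), ("192.168.100.0", "0.0.0.255")),
    ("permit", ("192.168.80.0", "0.0.0.255"), ANY),
]
# Standard list 10 matches on source only; two of its entries are shown
ACL_10 = [
    ("permit", ("192.168.10.0", "0.0.0.255"), ANY),
    ("permit", ("192.168.80.0", "0.0.0.255"), ANY),
]

def is_translated(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wc_match(src, sb, sw) and wc_match(dst, db, dw):
            return action == "permit"
    return False

if __name__ == "__main__":
    flows = [
        ("192.168.80.21", "192.168.100.20"),  # VPN client -> server
        ("192.168.80.21", "203.0.113.10"),    # VPN client -> Internet
        ("192.168.10.5", "203.0.113.10"),     # LAN host -> Internet
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: list 10 NAT={is_translated(ACL_10, src, dst)}, "
              f"list 100 NAT={is_translated(ACL_100, src, dst)}")
```

The last flow shows that list 100 as posted translates only the VPN pool: a LAN source falls through to the implicit deny, so the LAN networks would have to be added to list 100 before list 10 is dropped.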
05-20-2017 11:43 PM
HI
I'm still facing the same problem.
When I enable "USE default Gateway on remote networks" [VPN adapter settings], I lose my Internet connection and can reach the remote networks (192.168.100.20).
And when I disable "USE default Gateway on remote networks" [VPN adapter settings], I get Internet access but lose reachability to the 192.168.100.0/24 network.
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.250 88 49.0.43.52 88 extendable
ip nat inside source static 192.168.100.20 49.0.43.53
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 permit 192.168.4.0 0.0.1.255
access-list 10 permit 192.168.6.0 0.0.1.255
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.15.0 0.0.0.255
access-list 10 permit 192.168.20.0 0.0.1.255
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.1.255
access-list 10 permit 10.10.10.0 0.0.0.7
access-list 10 permit 10.10.10.8 0.0.0.7
access-list 10 permit 192.168.80.0 0.0.0.255
access-list 100 remark Deny NAT for VPN Clients
access-list 100 deny ip 192.168.80.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 remark Allow NAT for VPN Clients
access-list 100 permit ip 192.168.80.0 0.0.0.255 any
Thank you in advance.
Note: Please let me know if you need full configuration.
05-20-2017 11:56 PM
Hello,
did you remove this line from your configuration?
ip nat inside source list 10 interface GigabitEthernet0/0 overload
05-21-2017 12:09 AM
HI,
Thanks for your quick response.
I didn't remove the line. I need this for my local LAN network's PAT.
Do I have to remove the line?
05-21-2017 12:28 AM
Hello,
remove the line to check if that enables your VPN clients to access both the Internet and your servers. If that works, incorporate all the other lines into access list 100.
05-21-2017 12:51 AM
Hello,
I still have the same problem.
I have deleted the line
ip nat inside source list 10 interface GigabitEthernet0/0 overload
checked, and found that PPTP clients get Internet but can't reach the remote network.
Please let me know what setting I should use in my PPTP adapter.
Should I enable "USE default Gateway on remote networks"
or
disable "USE default Gateway on remote networks"?
I have attached the configuration after deleting the line as you mentioned. Please check the attached configuration file.
05-21-2017 01:03 AM
Hello,
the router configuration looks good now. What VPN client are you using? 'Use default gateway on remote networks' should be disabled, but you might need to add a route to the remote networks locally, depending on your client, as described below:
Configuring Split-tunnel Client VPN
https://documentation.meraki.com/MX-Z/Client_VPN/Configuring_Split-tunnel_Client_VPN
05-21-2017 01:35 AM
Thanks, it's working right now.
I had to configure the setting below in my Windows OS [cmd].
netsh interface ipv4 add route 192.168.100.0/24 "my-ppp-adapter_name"
I will post an update if I face any difficulties after this configuration.
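Why the client-side route resolved it, as an added example that is not part of the original post: a longest-prefix route lookup over three constructed client routing tables. The interface names, metrics and the 203.0.113.10 Internet host are made up, and the "option disabled" table assumes the client installs only a route for the network of its assigned pool address.

```python
import ipaddress

def pick_interface(routes, dst):
    """Return the interface of the best route: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), metric, ifc)
            for p, ifc, metric in routes if addr in ipaddress.ip_network(p)]
    net, metric, ifc = max(hits, key=lambda h: (h[0].prefixlen, -h[1]))
    return ifc

# Constructed tables: (prefix, interface, metric). "lan" is the PC's own uplink.
LOCAL = [("0.0.0.0/0", "lan", 25)]
# Option enabled: the VPN adds a default route that outranks the local one.
GATEWAY_ON = LOCAL + [("0.0.0.0/0", "ppp", 1), ("192.168.80.0/24", "ppp", 1)]
# Option disabled (assumption): only the pool's own network points at the tunnel.
GATEWAY_OFF = LOCAL + [("192.168.80.0/24", "ppp", 1)]
# Option disabled plus the route added with netsh in the post above.
WITH_ROUTE = GATEWAY_OFF + [("192.168.100.0/24", "ppp", 1)]

if __name__ == "__main__":
    tables = [("gateway on", GATEWAY_ON),
              ("gateway off", GATEWAY_OFF),
              ("gateway off + route", WITH_ROUTE)]
    for name, table in tables:
        print(f"{name}: server via {pick_interface(table, '192.168.100.20')}, "
              f"Internet via {pick_interface(table, '203.0.113.10')}")
```

In the split-tunnel case only traffic for the listed prefixes enters the tunnel; everything else leaves through the PC's local uplink and is not seen by the router or the firewall behind it.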
05-21-2017 08:56 AM
Good to know that you got it resolved...