01-19-2012 08:04 PM - edited 03-04-2019 02:58 PM
Would it be possible to have a Cisco router running IOS act as a VPN client? I'd like it to connect to a remote VPN server, receive an IP address using PPTP, set up some kind of NAT and do selective routing, say only addresses in the subnets 24.0.0.0/8 and 25.0.0.0/8 get sent through the VPN tunnel, leaving the rest of outbound traffic going directly through the WAN connection.
01-20-2012 11:16 AM
Hello Holbrook,
Alright, the configuration should be modified as follows (all commands are performed exactly against the configuration you have posted):
route-map Di0 permit 10
 match ip address 1
 match interface Dialer0
!
route-map Fa0/0 permit 10
 match ip address 1
 match interface FastEthernet0/0
!
! Pasting the following lines will cause the router to prompt you
! if you want to delete the NAT entries - permit it
!
no ip nat inside source list 1 interface FastEthernet0/0 overload
no ip nat inside source list 3 interface Dialer0 overload
!
ip nat inside source route-map Di0 interface Dialer0 overload
ip nat inside source route-map Fa0/0 interface Fa0/0 overload
!
interface Dialer0
 ip tcp adjust-mss 1420
This configuration should be paste-able directly to your global config mode. However, the no ip nat ... commands need to be entered manually and individually, as the router will expect a response from you (yes/no).
This configuration should make sure that packets routed via Di0 will be NATted using the Di0 interface address, packets routed via Fa0/0 interface will be NATted using the Fa0/0 interface address, and TCP sessions carried through the PPTP will have their MSS decreased to prevent unnecessary IP packet fragmentation.
You may delete the ACL 3 - it is not used anymore.
Best regards,
Peter
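The decision the answer above relies on, as an added example that is not code from the thread: IOS first does the route lookup, then picks the first NAT statement whose route-map permits the packet, and "match interface" in the route-map is what ties the NAT address to the egress link. The script below re-implements that in a simplified first-match model so the three states of this thread can be compared side by side: the original two list-based statements (NAT address chosen without regard to the egress interface), the route-map statements with the lowercase "di0" name that never matches, and the corrected statements. The interface addresses are the ones visible in the thread's show output; the 24.0.0.0/8 route, the inside host 10.0.0.50 and the rule-selection model are this example's assumptions.

```python
"""Routing-then-NAT decision model for the thread's two-uplink setup.

Added example, not code from the thread. Simplified model of how IOS
chooses an inside-source translation: route lookup picks the egress
interface, then the first NAT rule whose route-map permits the source
(ACL) and matches that egress interface supplies the new source address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Interface addresses from "show ip interface brief" in the thread.
IFACE_ADDR = {
    "FastEthernet0/0": "70.187.175.168",   # WAN, DHCP-assigned
    "Dialer0": "10.41.0.8",                # negotiated over PPTP
}

# Static routes, longest prefix wins. 123.123.123.0/24 is from the posted
# config; 24.0.0.0/8 is assumed because the original question asked for it.
ROUTES = {
    "123.123.123.0/24": "Dialer0",
    "24.0.0.0/8": "Dialer0",
    "0.0.0.0/0": "FastEthernet0/0",
}

# Standard ACLs 1 and 3 from the posted config (both permit the LAN).
ACLS = {1: ["10.0.0.0/24"], 3: ["10.0.0.0/24"]}


@dataclass
class NatRule:
    """One 'ip nat inside source ... interface X overload' statement."""
    acl: int                          # ACL named by the list or by the route-map
    translate_if: str                 # new source = this interface's address
    route_map: Optional[str] = None   # route-map name as typed on the NAT line
    match_if: Optional[str] = None    # 'match interface' inside that route-map


# The three configurations seen in the thread.
LIST_RULES = [NatRule(1, "FastEthernet0/0"), NatRule(3, "Dialer0")]
TYPO_RULES = [NatRule(1, "Dialer0", "di0", "Dialer0"),
              NatRule(1, "FastEthernet0/0", "Fa0/0", "FastEthernet0/0")]
FIXED_RULES = [NatRule(1, "Dialer0", "Di0", "Dialer0"),
               NatRule(1, "FastEthernet0/0", "Fa0/0", "FastEthernet0/0")]
DEFINED_ROUTE_MAPS = {"Di0", "Fa0/0"}   # route-map names are case sensitive


def lookup_route(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    d = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in candidates if d in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def acl_permits(acl: int, src: str) -> bool:
    s = ipaddress.ip_address(src)
    return any(s in ipaddress.ip_network(p) for p in ACLS.get(acl, []))


def translate(rules, defined_route_maps, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (egress interface, translated source) for an inside-to-outside packet.

    A None translated source means no rule matched and the packet would leave
    with its private 10.0.0.x address, which is what the thread saw while the
    NAT line referred to the undefined route-map 'di0' (refcount 0).
    """
    egress = lookup_route(dst)
    for rule in rules:
        if rule.route_map is not None and rule.route_map not in defined_route_maps:
            continue                      # undefined route-map never permits
        if not acl_permits(rule.acl, src):
            continue
        if rule.match_if is not None and rule.match_if != egress:
            continue                      # route-map ties NAT to the egress link
        return egress, IFACE_ADDR[rule.translate_if]
    return egress, None


if __name__ == "__main__":
    for label, rules in (("list", LIST_RULES), ("typo", TYPO_RULES), ("fixed", FIXED_RULES)):
        for dst in ("123.123.123.5", "8.8.8.8"):
            egress, new_src = translate(rules, DEFINED_ROUTE_MAPS, "10.0.0.50", dst)
            print(f"{label:5} 10.0.0.50 -> {dst:15} via {egress:15} src becomes {new_src}")
```

Run it and the "list" row for 123.123.123.5 shows the packet leaving Dialer0 with the FastEthernet0/0 address, the "typo" row shows it leaving untranslated, and only the "fixed" row gives it the PPTP-assigned address; traffic to 8.8.8.8 is translated correctly in all three cases, which is exactly the "everything works except the VPN subnet" symptom reported below.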
01-20-2012 01:26 AM
Hi Holbrook,
This should be possible. The rough configuration would be as follows:
service internal
!
vpdn enable
vpdn-group PPTP
 request-dialin
  protocol pptp
 pool-member 1
 initiate-to ip X.X.X.X
!
interface Dialer0
 encapsulation ppp
 ppp chap hostname YourLogin
 ppp chap password YourPassword
 ppp encrypt mppe auto
 ppp mtu adaptive
 dialer pool 1
 dialer string 123
 dialer vpdn
 dialer persistent
 ip mtu 1460
 ip address negotiated
The service internal command is necessary to make the protocol pptp command available in the VPDN group. Otherwise, it is hidden. I am not sure why it is hidden - probably to discourage people from using IOS routers as PPTP clients (L2TP is better suited for that). Note that the service internal command is hidden itself and must be typed in its entirety, otherwise it will not be accepted.
The VPDN group PPTP is what basically encapsulates your elementary PPTP configuration. The only configuration to modify there is the X.X.X.X - replace that with the IP address of your remote VPN server.
On the Dialer0 interface, be sure to replace YourLogin and YourPassword with your VPN username/password. The dialer string 123 is a command that originally specified phone numbers to dial out - here, its value is largely irrelevant but it still needs to be present in order for the Dialer interface to consider its configuration complete.
After entering this configuration, the interface Dialer0 should come up after a few seconds and be assigned the IP address by the remote VPN server. No further routing via this Dialer0 interface will happen yet, so testing this configuration should be fairly safe.
setup some kind of nat and do selective routing, say only addresses in the
subnet 24.0.0.0/8 and 25.0.0.0/8 get sent through the vpn tunnel
Are these addresses source addresses in your internal network, or are they destination addresses that should be reachable via the PPTP?
What kind of NAT do you need? What are the internal addresses used inside your network?
Best regards,
Peter
01-20-2012 09:13 AM
Peter Paluch wrote:
setup some kind of nat and do selective routing, say only addresses in the
subnet 24.0.0.0/8 and 25.0.0.0/8 get sent through the vpn tunnel
Are these addresses source addresses in your internal network, or are they destination addresses that should be reachable via the PPTP?
What kind of NAT do you need? What are the internal addresses used inside your network?
Best regards,
Peter
Hi Peter,
They are destination addresses. Currently I have NAT set up, outside on FastEthernet0/0 and inside on FastEthernet0/1, using overload. The internal addresses on my network are 10.0.0.0/24.
Basically with the dialer interface you gave me, I want all internal traffic (as seen from Fa0/1) with the destination of say 24.0.0.0/8 or say 24.1.2.3 to go through the VPN connection. Everyone on the internal network will share the one IP address given via the PPTP. Anything else meant for the outside world, let it traverse through the WAN interface as if there were no VPN connection.
Thanks!
Holbrook
01-20-2012 10:26 AM
Hello Holbrook,
Can you please post your configuration (removing sensitive information of course)? I would like to adapt my suggested modifications to your existing configuration so that there are no conflicts.
The easiest way to configure this, by the way, will be simply to define the routes towards 24.0.0.0/8 via the Dialer interface. While this will make all packets (from anyone) be routed via the Dialer through the PPTP connection, I also assume that you do not have several internal networks, from which only selected networks are to be using the PPTP connection. Otherwise, we would have to set up Policy Based Routing which is not complicated per se but it does add to the complexity of the solution.
Have you tried adding the Dialer interface configuration? Did it connect successfully?
Best regards,
Peter
01-20-2012 10:59 AM
Hi Peter,
I added the dialer interface and while I was awaiting a reply tried adding the line:
ip route 123.123.123.0 255.255.255.0 Dialer0
I was able to talk to that subnet through the dialer interface, but not from any hosts on the internal side. I tried adding (as you can see) ip nat outside on the dialer interface and adding an access-list, nat inside to see if that might work. I've found if I remove the nat inside source for FastEthernet0/0 it will route traffic bound for the above subnet but nothing else (makes sense). But when I have both of them in there at the same time (as is the case in the config below) all traffic except for traffic bound for 123.123.123.0/24 traverses.
!
! Last configuration change at 09:56:41 PST Fri Jan 20 2012
! NVRAM config last updated at 09:56:43 PST Fri Jan 20 2012
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname border
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXX
!
no aaa new-model
memory-size iomem 25
clock timezone PST -8
clock summer-time PDT recurring
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.0.200 10.0.0.254
!
ip dhcp pool main
   network 10.0.0.0 255.255.255.0
   dns-server 10.0.0.10 8.8.8.8 8.8.4.4
   domain-name home.local
   option 4 ip 10.0.0.10
   option 150 ip 10.0.0.5
   default-router 10.0.0.1
!
ip dhcp pool ape
   host 10.0.0.4 255.255.255.0
   client-identifier 0100.1ff3.040f.06
   default-router 10.0.0.1
   dns-server 10.0.0.10
   domain-name home.local
   option 4 ip 10.0.0.10
!
ip dhcp pool printer1
   host 10.0.0.20 255.255.255.0
   client-identifier 0100.1e0b.f50e.8f
   dns-server 10.0.0.10
   domain-name home.local
   default-router 10.0.0.1
   option 4 ip 10.0.0.10
!
!
ip domain name home.local
ip name-server 10.0.0.10
vpdn enable
!
vpdn-group PPTP
 request-dialin
  protocol pptp
 pool-member 1
 initiate-to ip ...
!
!
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool ipv6
 dns-server 2620:0:CCC::2
 dns-server 2620:0:CCD::2
!
!
interface Tunnel0
 description HE IPV6 Tunnel
 no ip address
 ipv6 address :::::/64
 ipv6 enable
 ipv6 virtual-reassembly
 tunnel source FastEthernet0/0
 tunnel destination ...
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address :::::/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server ipv6
!
interface Dialer0
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string 123
 dialer persistent
 dialer vpdn
 no cdp enable
 ppp encrypt mppe auto
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxx
!
!
ip route 123.123.123.0 255.255.255.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.10 22 interface FastEthernet0/0 9774
ip nat inside source static tcp 10.0.0.10 9999 interface FastEthernet0/0 9999
ip nat inside source static tcp 10.0.0.10 8765 interface FastEthernet0/0 8765
ip nat inside source static udp 10.0.0.10 5060 interface FastEthernet0/0 5060
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit any
access-list 3 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 23 deny any
snmp-server community xxxxx RO
snmp-server enable traps tty
no cdp run
ipv6 route ::/0 Tunnel0
!
!
ipv6 access-list telnet
 permit ipv6 :::::/64 any
 deny ipv6 any any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 password 7 0356491F022311
 ipv6 access-class telnet in
 login
!
!
end
Thanks again,
Holbrook
01-20-2012 11:50 AM
I'm getting the same results with the new config. Dunno if this will help any, but I'll send you the route map and nat stats
Gateway of last resort is 70.187.168.1 to network 0.0.0.0

S    123.123.123.0/24 is directly connected, Dialer0
     70.0.0.0/21 is subnetted, 1 subnets
C       70.187.168.0 is directly connected, FastEthernet0/0
     172.19.0.0/32 is subnetted, 1 subnets
S       172.19.89.19 [254/0] via 70.187.168.1, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.0.0/24 is directly connected, FastEthernet0/1
C       10.41.0.1/32 is directly connected, Dialer0
C       10.41.0.8/32 is directly connected, Dialer0
S*   0.0.0.0/0 [254/0] via 70.187.168.1

Total active translations: 90 (0 static, 90 dynamic; 90 extended)
Outside interfaces:
  FastEthernet0/0, Virtual-Access1, Dialer0
Inside interfaces:
  FastEthernet0/1
Hits: 26058450  Misses: 112759
CEF Translated packets: 25687651, CEF Punted packets: 937723
Expired translations: 301284
Dynamic mappings:
-- Inside Source
[Id: 4] route-map di0 interface Dialer0 refcount 0
[Id: 5] route-map fa0/0 interface FastEthernet0/0 refcount 82
Queued Packets: 0
longest chain in local hash: 0, average length 0, chains 0/2048
01-20-2012 11:53 AM
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 70.187.175.168 YES DHCP up up
FastEthernet0/1 10.0.0.1 YES NVRAM up up
NVI0 unassigned NO unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset down down
Dialer0 10.41.0.8 YES IPCP up up
Tunnel0 unassigned YES NVRAM up up
01-20-2012 12:09 PM
I've found the problem, I had:
ip nat inside source route-map di0 interface Dialer0 overload
instead of
ip nat inside source route-map Di0 interface Dialer0 overload
Thanks again for your help!
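The mistake found above is easy to catch before it is pasted into a router, so here is an added example, not code from the thread, of a small static check for this NAT pattern. It parses an IOS-style config (a sample constructed inline, modelled on the final config of this thread with the lowercase "di0" name put back in and a deliberately wrong MSS) and reports: a NAT line naming a route-map that is not defined with that exact case, a route-map whose "match interface" is not an "ip nat outside" interface, a route-map referencing a missing ACL, a TCP MSS clamp larger than "ip mtu" minus 40, and an MPPE setting weaker than "ppp encrypt mppe 128 required". The regexes, the sample config, the finding texts and the "128 required" rule of thumb are this example's own; note that even with 128-bit MPPE required, PPTP still rests on MS-CHAP and RC4-based MPPE, both of which are considered cryptographically weak, so the last check is hygiene within PPTP, not an endorsement of it.

```python
"""Static check for the route-map NAT pattern discussed in the thread.

Added example, not code from the forum post. Constructed sample config
below; one-space indentation marks sub-commands, '!' ends a section.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
!
interface Dialer0
 ip address negotiated
 ip mtu 1460
 ip tcp adjust-mss 1452
 ip nat outside
 ppp encrypt mppe auto
!
route-map Di0 permit 10
 match ip address 1
 match interface Dialer0
!
route-map Fa0/0 permit 10
 match ip address 1
 match interface FastEthernet0/0
!
ip nat inside source route-map di0 interface Dialer0 overload
ip nat inside source route-map Fa0/0 interface FastEthernet0/0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
"""

# Same config with the three problems fixed; lint() returns nothing for it.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("route-map di0 interface", "route-map Di0 interface")
                .replace("adjust-mss 1452", "adjust-mss 1420")
                .replace("mppe auto", "mppe 128 required"))


def parse(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and {header: [indented sub-lines]}."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                 # '!' ends the current section
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            top.append(current)
    return top, sections


def lint(config: str) -> List[str]:
    top, sections = parse(config)
    findings: List[str] = []
    route_maps: Dict[str, List[str]] = {}
    for hdr, body in sections.items():
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+$", hdr)
        if m:
            route_maps.setdefault(m.group(1), []).extend(body)
    outside = {h.split()[1] for h, b in sections.items()
               if h.startswith("interface ") and "ip nat outside" in b}
    acls = {int(l.split()[1]) for l in top if l.startswith("access-list ")}

    # 1. Every route-map based NAT line must point at a route-map defined with that exact name.
    for line in top:
        m = re.match(r"ip nat inside source route-map (\S+) interface (\S+) overload$", line)
        if not m:
            continue
        name = m.group(1)
        if name not in route_maps:
            near = [n for n in route_maps if n.lower() == name.lower()]
            hint = f" (did you mean '{near[0]}'? names are case sensitive)" if near else ""
            findings.append(f"NAT line references undefined route-map '{name}'{hint}")
            continue
        for entry in route_maps[name]:
            if entry.startswith("match interface "):
                mif = entry.split()[2]
                if mif not in outside:
                    findings.append(f"route-map {name}: {mif} is not an 'ip nat outside' interface")
            elif entry.startswith("match ip address "):
                acl = int(entry.split()[3])
                if acl not in acls:
                    findings.append(f"route-map {name}: access-list {acl} is not defined")

    # 2. Per-interface checks: MSS clamp must fit the MTU, MPPE should be 128-bit and required.
    for hdr, body in sections.items():
        if not hdr.startswith("interface "):
            continue
        ifname = hdr.split()[1]
        mtu = next((int(l.split()[2]) for l in body if l.startswith("ip mtu ")), 1500)
        mss = next((int(l.split()[3]) for l in body if l.startswith("ip tcp adjust-mss ")), None)
        if mss is not None and mss > mtu - 40:
            findings.append(f"{ifname}: adjust-mss {mss} > ip mtu {mtu} - 40; use {mtu - 40} or less")
        for l in body:
            if l.startswith("ppp encrypt mppe ") and not ("128" in l and "required" in l):
                findings.append(f"{ifname}: '{l}' does not require 128-bit MPPE; prefer 'ppp encrypt mppe 128 required'")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("WARN", f)
    print("fixed config:", lint(FIXED_CONFIG) or "clean")
```

On the sample it reports the "di0"/"Di0" mismatch, the 1452-byte MSS that does not fit a 1460-byte MTU (1420 is the value used in the accepted answer), and the "mppe auto" setting; on the fixed config it reports nothing. Interface names are compared literally, so keep the NAT lines and the route-maps using the same spelling (either "Fa0/0" or "FastEthernet0/0") if you adapt it to your own config.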
01-20-2012 12:20 PM
Holbrook,
Is everything now working according to your requirements? I was glad to help.
Best regards,
Peter
01-20-2012 03:06 PM
Hi Peter,
Yes, everything is working how I was wanting it setup to do. Thanks again for your help!
Holbrook