10-28-2013 05:22 AM
Hello,
I have a Cisco router configured with PPTP VPN.
I can connect to the VPN on the router and establish connections to internal servers in the LAN.
On the other hand, the user connected to the VPN on the Cisco router can't access the internet!
Can anyone help?
regards,
Majed
10-28-2013 09:24 AM
In Windows VPN properties uncheck use default gateway for remote network
Michael
Please rate all helpful posts
10-29-2013 12:37 AM
Michael,
Let's take this a little bit further into the details.
This is a sample configuration of the router for PPTP:
--------------------------------------------------------
vpdn enable
!
vpdn-group PPTP
Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool PPTP
no keepalive
ppp authentication pap chap ms-chap
ppp ipcp route default
!
ip local pool PPTP 10.150.150.1 10.150.150.100
--------------------------------------------------------
How we connect:
We connect to the vpn from the mobile phone and we have a mobile application that registers to an internal PBX server for calls.
Problem:
When the mobile phone is connected to the VPN, we can register to the PBX and establish calls to internal extensions, but the problem is that the mobile phone connected through the VPN stops accessing the internet!
How can I make the mobile phone access the internet while connected to the VPN?
regards,
Majed
10-29-2013 01:25 AM
Can you post your complete config please?
Michael
Please rate all helpful posts
10-29-2013 01:29 AM
Current configuration : 5698 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AARU-ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$567Z$319wwITILMp9adol..vqT/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 212.118.14.82
ip name-server 212.118.0.2
vpdn enable
!
vpdn-group PPTP
Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
voice-card 0
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1863442040
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1863442040
revocation-check none
rsakeypair TP-self-signed-1863442040
!
!
crypto pki certificate chain TP-self-signed-1863442040
certificate self-signed 01
quit
username cisco privilege 15 secret 5 $1$s2d5$lpnampHiI1XeNzsMgcozF.
username test password 0 *****
username sultan password 0 ******
!
interface FastEthernet0/0
description connected to outside ASA
ip address 212.118.13.57 255.255.255.248
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 212.118.14.106 255.255.255.248
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool PPTP
no keepalive
ppp authentication pap chap ms-chap
ppp ipcp route default
!
ip local pool PPTP 10.150.150.1 10.150.150.100
ip classless
ip route 0.0.0.0 0.0.0.0 212.118.14.105
ip route 172.16.16.40 255.255.255.255 212.118.13.58
ip route 172.16.16.41 255.255.255.255 212.118.13.58
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 212.118.13.56 0.0.0.7
!
!
!
control-plane
!
line con 0
password cisco
login
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password cisco
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
end
10-29-2013 01:43 AM
You don't use NAT, the packets from your pool are private IP's and have to be natted.
Michael
Please rate all helpful posts
10-29-2013 01:57 AM
Yes Michael, that's what I thought of, but I'm trying to figure out how the NAT can be done.
If I want the VPN users to be NATed, then I should configure the following:
access-list 111 deny ip 10.150.150.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 111 permit ip 10.150.150.0 0.0.0.255 any
// to match the VPN user traffic accessing the internet only and deny the VPN users accessing the internal network
ip nat inside source list 111 interface fastethernet 0/1 overload
// NAT VPN users accessing the internet through interface f0/1
interface virtual-template 1
ip nat inside
interface fastethernet 0/1
ip nat outside
Logically, will this work, so that the VPN users access the internal network and at the same time access the internet by being NATed on the internet interface f0/1?
regards,
Majed
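As an added illustration (not Cisco code and not from this thread), a small Python model of how the proposed access-list 111, the NAT overload statement and the static routes from the posted config together decide which VPN-client packets get translated; the PAT port numbering, the interface names and the flow table are assumptions of this model.

```python
import ipaddress

# Constructed model of the thread's NAT/route behaviour (not IOS code); addresses copied from the posted config.
VPN_POOL = ipaddress.ip_network("10.150.150.0/24")   # ACL 111 source: 10.150.150.0 0.0.0.255
INTERNAL = ipaddress.ip_network("172.16.0.0/16")     # ACL 111 deny destination: 172.16.0.0 0.0.255.255
FA01_ADDR = ipaddress.ip_address("212.118.14.106")   # "ip nat inside source list 111 interface fastethernet 0/1 overload"

# Static routes from the posted config, longest prefix wins: (network, next hop, egress interface).
ROUTES = [
    (ipaddress.ip_network("172.16.16.40/32"), "212.118.13.58", "Fa0/0"),
    (ipaddress.ip_network("172.16.16.41/32"), "212.118.13.58", "Fa0/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "212.118.14.105", "Fa0/1"),
]
NAT_INSIDE = {"Virtual-Template1"}   # interfaces with "ip nat inside"
NAT_OUTSIDE = {"Fa0/1"}              # interfaces with "ip nat outside"


def acl_111_permits(src, dst):
    """Emulate access-list 111 top-down: deny pool->internal, permit pool->any, implicit deny."""
    if src not in VPN_POOL:
        return False                 # implicit deny at the end of every IOS ACL
    if dst in INTERNAL:
        return False                 # explicit deny: internal traffic stays untranslated
    return True


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, egress_interface)."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


class PatTable:
    """Minimal PAT (overload) state: each inside (addr, port) flow gets one outside port on Fa0/1 (assumed numbering)."""
    def __init__(self, first_port=1024):
        self.next_port = first_port
        self.table = {}

    def forward(self, src, dst, sport, ingress="Virtual-Template1"):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        next_hop, egress = lookup_route(dst)
        # Translation happens only inside -> outside and only when the NAT ACL permits the packet.
        translated = (ingress in NAT_INSIDE and egress in NAT_OUTSIDE
                      and acl_111_permits(src, dst))
        if not translated:
            return {"egress": egress, "next_hop": next_hop, "src": str(src), "sport": sport, "nat": False}
        key = (str(src), sport)
        if key not in self.table:           # reuse the binding for an existing flow
            self.table[key] = self.next_port
            self.next_port += 1
        return {"egress": egress, "next_hop": next_hop, "src": str(FA01_ADDR),
                "sport": self.table[key], "nat": True}
```

Running it also shows the corner the thread does not cover: a 172.16.x.x destination without a /32 route (anything other than .40 and .41) follows the default route out of Fa0/1 untranslated, because the ACL deny exempts it from NAT rather than dropping it.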
10-29-2013 01:59 AM
Yes, looks good, try it!
Michael
Please rate all helpful posts
10-29-2013 02:05 AM
Sure, I will give it a try.
But please can you stay in contact till I get the chance to do so?
And can you send me your email address, or send me an email at "mwmasri@gmail.com" please?
Majed
10-29-2013 02:09 AM
I'm here, will not run away
Michael
Please rate all helpful posts
10-29-2013 02:11 AM
hahahahaaa
OK then, I will inform you of any update when I do this.
regards,
Majed
12-11-2013 01:15 AM
Michael,
I forgot to provide you with the update. I did the configuration discussed above, and it successfully worked :D
Thanks for the help
Sent from Cisco Technical Support Android App