08-07-2012 06:15 AM
Hello,
I have a Cisco 2621 router.
I could successfully set up a PPTP remote access VPN.
I am using only one interface with a public IP address, and clients are assigned addresses from the same public IP address class.
This, however, wastes public IP addresses. I would like to assign private IP addresses to VPN clients
and allow them to go out with NAT. So I tried to write a configuration for this purpose, but it does not work for me.
Basically I would like to set up a PPTP VPN on a stick, the same as IPSEC on a stick.
IP addresses are assigned to clients, but it is impossible for clients to go out of the corporate network.
Any hints?
thank you
Rick
here is my configuration:
version 12.3
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname morpheus
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$3sh/$14olv6mVwM5wKdSVi3.I21
!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
ip domain name mydomain.org
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
username riccardo privilege 15 secret 5 $1$m9q8$Pw9JMZsbVLtz9uxHwhg7l1
!
ip ssh authentication-retries 1
ip ssh logging events
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 131.x.y.t 255.255.255.0
ip nat outside
ip policy route-map VPN-PPTP
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool pptppool
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2
!
ip local pool pptppool 172.16.12.1 172.16.12.2
ip nat inside source list 111 interface FastEthernet0/1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 131.x.y.g
!
!
access-list 111 permit ip 10.1.1.0 0.0.0.255 any
access-list 111 permit ip 172.16.12.0 0.0.0.255 any
access-list 144 permit ip 172.16.12.0 0.0.0.255 any
!
!
route-map VPN-PPTP permit 10
match ip address 144
set ip next-hop 10.1.1.2
!
line con 0
line aux 0
line vty 0 4
!
end
08-07-2012 08:56 AM
Assign the PBR to the virtual template instead:
interface Virtual-Template1
ip policy route-map VPN-PPTP
ip nat inside
08-07-2012 09:33 AM
Thank you for your hint.
Anyway, I could not solve my problem.
VPN hosts can connect to the Cisco 2600 using PPTP and a 172.16.12.1 IP address is assigned, for example.
The client can ping the FastEthernet 0/1 address 131.x.y.t but cannot ping any other host in the world.
It is as if the IP packets cannot go out of the FastEthernet 0/1 interface for some reason.
Is there something wrong, maybe, with my policy map configuration and loopback trick?
With IPSEC it was working.
thank you
Rick
08-08-2012 12:49 AM
If you remove the PBR from all interfaces, and just have "ip nat inside" on virtual template interface, does it work?
Can you check "sh ip nat translation" to see if it is actually initiating the translation for the IP pool subnet?
08-08-2012 04:33 AM
It works!!
I removed the policy map and now it works perfectly.
What I do not understand is why the policy map makes things not work properly, NAT in particular.
I have an identical configuration but with IPSec, and without the policy based routing
on the loopback interface the VPN on a stick is not working. I HAD to configure the policy map to make the VPN work with IPSec.
thank you very much!
Rick
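The following is an added example, not a post from this thread: it shows the configuration that results from applying the accepted answer (drop the policy route-map, put "ip nat inside" on the virtual template) to Rick's posted config, with comments on why the original did not translate VPN traffic. Interface names, the pool range and the ACL numbers are taken from the posted config; the sanitised addresses (131.x.y.t, 131.x.y.g) are kept as posted. Two points from the thread itself: "ip policy route-map" on FastEthernet0/1 only acts on packets arriving on that interface, and PPTP client traffic arrives decapsulated on a Virtual-Access interface, so the original PBR never touched it; and the original config had "ip nat inside" only on Loopback0, which no VPN packet ever entered, so nothing was translated. Why the PBR-to-loopback trick still broke things after being moved to the virtual template is not settled in the thread and is not claimed here. One caveat a practitioner should carry away: MS-CHAPv2 can be broken by brute-forcing a single DES key and MPPE session keys derive from that exchange, so PPTP should be treated as obsolete; the example keeps it only because it is what the thread is about, and at least drops the weaker MS-CHAP v1 option.

```cisco
! Added example (editor), not from the original thread.
!
! 1. Remove the policy routing from the physical interface and the
!    loopback-based route-map. PBR on FastEthernet0/1 never matched
!    PPTP client packets, because those arrive on Virtual-Access,
!    and with PBR on the virtual template the thread found NAT still
!    did not work, so the PBR goes away entirely.
interface FastEthernet0/1
 ip address 131.x.y.t 255.255.255.0
 ip nat outside
 no ip policy route-map VPN-PPTP
 duplex auto
 speed auto
!
no route-map VPN-PPTP
no access-list 144
!
! 2. The Virtual-Access interfaces cloned from this template are the
!    interfaces PPTP client traffic actually enters on, so this is
!    where "ip nat inside" has to be. Loopback0 was only there for
!    the IPsec-on-a-stick trick and is not needed for PPTP.
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 ip nat inside
 peer default ip address pool pptppool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
no interface Loopback0
!
ip local pool pptppool 172.16.12.1 172.16.12.2
!
! 3. Translate only the VPN pool; the 10.1.1.0/24 line in the
!    original ACL 111 referred to the now-removed loopback.
no access-list 111
access-list 111 permit ip 172.16.12.0 0.0.0.255 any
ip nat inside source list 111 interface FastEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 131.x.y.g
!
! Verification, as the accepted answer suggests: connect a PPTP
! client, ping an Internet host from it, then confirm a translation
! exists for the client's 172.16.12.x address and that hits are
! being counted on ACL 111. Both are standard IOS show commands:
!   show ip nat translations
!   show ip nat statistics
!   show access-lists 111
```

If "show ip nat translations" stays empty while the client can still ping 131.x.y.t, the client packets are not entering on an interface marked "ip nat inside"; "show interfaces virtual-access 1" confirms which Virtual-Access interface the session landed on and that it inherited the template's settings.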