Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1983
Views
0
Helpful
4
Replies

PPTP on a stick VPN with cisco 2600

Go to solution
Riccardo Veraldi
Level 1
Level 1

‎08-07-2012 06:15 AM

Hello,

I have a cisco 2621 router.

I could succesfully setup a PPTP remote access VPN.

I am using one only interface with a public IP Address and clients are assigned the same public IP addressess class.

This anyway makes me waste public IP Address. I would like to assign private IP Address to VPN clients

and allow them to go out with NAT. So i tryed to write a configuration for this purpose but it does not work for me.

Basically I would like to set up a PPTP VPN on a stick, the same for IPSEC on a Stick.

IP address are assigned to clients but it is impossible for clients to go out of the corportate network.

Any hints ?

thank you

Rick

here is my configuration:

version 12.3

service timestamps debug uptime

service timestamps log datetime

service password-encryption

!

hostname morpheus

!

boot-start-marker

boot-end-marker

!

logging buffered 4096 debugging

enable secret 5 $1$3sh/$14olv6mVwM5wKdSVi3.I21

!

clock timezone CEST 1

clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00

aaa new-model

aaa authentication login default local

aaa authentication ppp default local

aaa session-id common

ip subnet-zero

ip cef

!

ip domain name mydomain.org

ip name-server 131.x.y.z

!

ip audit po max-events 100

vpdn enable

vpdn logging

vpdn logging local

vpdn logging user

!

vpdn-group pptpcnaf

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

!

!

username riccardo privilege 15 secret 5 $1$m9q8$Pw9JMZsbVLtz9uxHwhg7l1

!

ip ssh authentication-retries 1

ip ssh logging events

!

interface Loopback0

ip address 10.1.1.1 255.255.255.0

ip nat inside

!        

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 131.x.y.t 255.255.255.0

ip nat outside

ip policy route-map VPN-PPTP

duplex auto

speed auto

!

interface Virtual-Template1

ip unnumbered FastEthernet0/1

peer default ip address pool pptppool

ppp encrypt mppe 128 required

ppp authentication ms-chap ms-chap-v2

!

ip local pool pptppool 172.16.12.1 172.16.12.2

ip nat inside source list 111 interface FastEthernet0/1 overload

no ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 131.x.y.g

!

!

access-list 111 permit ip 10.1.1.0 0.0.0.255 any

access-list 111 permit ip 172.16.12.0 0.0.0.255 any

access-list 144 permit ip 172.16.12.0 0.0.0.255 any

!

!

route-map VPN-PPTP permit 10

match ip address 144

set ip next-hop 10.1.1.2

!

line con 0

line aux 0

line vty 0 4

!

end

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Riccardo Veraldi

‎08-08-2012 12:49 AM

If you remove the PBR from all interfaces, and just have "ip nat inside" on virtual template interface, does it work?

can you check "sh ip nat translation" to see if it is actually initiating the translation for the ip pool subnet?

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-07-2012 08:56 AM

Assign the PBR to the virtual template instead:

interface Virtual-Template1

  ip policy route-map VPN-PPTP

  ip nat inside

0 Helpful

Go to solution
Riccardo Veraldi
Level 1
Level 1
In response to Jennifer Halim

‎08-07-2012 09:33 AM

thank you for your hint.

anyway I could not solve my problem

VPN  hosts can connect to cisco 2600 using PPTP and a 172.16.12.1 IP address is assigned for example.

the client can ping the fastethernet 0/1 address 131.x.y.t  but  cannot ping any other host in the world.

it is like if the IP packets cannot go out of the fastethernet 0/1 interface for some reason.

is there something wrong maybe with my policy map configuration and loopback trick ?

with IPSEC it was working.

thank you

Rick

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Riccardo Veraldi

‎08-08-2012 12:49 AM

If you remove the PBR from all interfaces, and just have "ip nat inside" on virtual template interface, does it work?

can you check "sh ip nat translation" to see if it is actually initiating the translation for the ip pool subnet?

0 Helpful

Go to solution
Riccardo Veraldi
Level 1
Level 1
In response to Jennifer Halim

‎08-08-2012 04:33 AM

it works!!

I removed the Policy map and now it works perfectly.

What I do not undestand is why the policy map makes things not to work properly NAT in particular..

I have a identical configuration but with IPSec and without the policy based routing

on loopback interface the VPN on stick it is not working. I HAD to configure the policy map to make VPNt work with IPSec.

thank you very much!

Rick

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents