Re: PPTP Routing Cisco 1841



On Mar 26, 6:00 pm, "johnedwardh...@xxxxxxxxx"
<johnedwardh...@xxxxxxxxx> wrote:
Hi,

Can someone tell me where I've gone wrong here? I've a PPTP connection
for my Windows laptops working; they connect and authenticate, and they
even pick up an IP.

They can also ping the LAN address of the router, but they can't see
anything else on the LAN, not printer or server. I can't ping anything
other than the router. Any ideas?

aaa new-model
!
!
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall pptp
ip inspect name firewall rtsp
ip inspect name firewall skinny
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.80.1 10.0.80.99
ip dhcp excluded-address 10.0.80.201 10.0.80.254
!
ip dhcp pool COMPANYPOOL
network 10.0.80.0 255.255.255.0
default-router 10.0.80.254
domain-name arbiter2.local
dns-server 10.0.80.1 195.184.229.229
netbios-name-server 10.0.80.1
netbios-node-type h-node
lease 1 4
!
!
no ip ips deny-action ips-interface
ip domain name vsure.net
ip sla monitor 1
type echo protocol ipIcmpEcho 135.196.64.132
timeout 1000
threshold 2
frequency 3
ip sla monitor schedule 1 life forever start-time now
!
vpdn enable
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
vpdn ip udp ignore checksum
!
vpdn-group PPTPGroup
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 10
!
!
!
!
!
!
!
track 123 rtr 1 reachability
!
!
!
!
interface FastEthernet0/0
description VSure Server LAN
ip address 10.0.80.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
duplex auto
speed auto
hold-queue 100 out
!
interface FastEthernet0/1
description connected to Network
ip address 10.0.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
shutdown
duplex auto
speed auto
hold-queue 100 out
!
interface ATM0/0/0
no ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
ip nat outside
ip virtual-reassembly
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
ip nat outside
ip virtual-reassembly
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Virtual-Template10
ip unnumbered FastEthernet0/0
ip virtual-reassembly
ip mroute-cache
peer default ip address pool vpnpool
ppp encrypt mppe 128 passive
ppp authentication ms-chap ms-chap-v2
!
interface Dialer0
description primary-link
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip inspect firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer remote-name redback
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
hold-queue 224 in
!
interface Dialer1
description backup-link
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
!
!
ip local policy route-map MY-LOCAL-POLICY
ip local pool vpnpool 10.0.80.230 10.0.80.250
ip classless
ip route 0.0.0.0 0.0.0.0 135.196.xxx.xxx track 123
ip route 0.0.0.0 0.0.0.0 82.153.xxx.xxx 254
ip route 10.0.80.0 255.255.255.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source list 106 interface Dialer1 overload
!
!
access-list 103 permit icmp any host 135.196.xxx.xxx echo
access-list 105 remark Traffic to NAT
access-list 105 deny ip 10.0.80.0 0.0.0.255 10.0.80.0 0.0.0.255
access-list 105 permit ip 10.0.80.0 0.0.0.255 any
access-list 106 deny ip 10.0.80.0 0.0.0.255 10.0.80.0 0.0.0.255
access-list 106 permit ip 10.0.80.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
!
radius-server host 10.0.80.1 auth-port 1812 acct-port 1813 key 7 0505071B2040470C
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!

I don't understand why you have the following route:

ip route 10.0.80.0 255.255.255.0 FastEthernet0/0

That is the local connected subnet isn't it? I could understand that
you may need routes for the vpnpool addresses to the WAN, but not the
above.

On the whole isn't it better to use a pool of addresses that is
different to the local LAN?

I am thinking it may be an arp issue ... if you try to ping a vpn
client from a server/pc on the LAN & while debugging arp on the
router, do you see the request & does the router reply? If you do an
'arp -a' on the server on the LAN does the mac address for the client
address correspond to that of Fa0/0?

Also, I don't think it is doing any harm, but you appear to have 'ip
nat inside' on the physical ATM interfaces, and then the outside on
the sub-interfaces which could be confusing. I'm not sure you need it
on the atm interface at all - being on the dialer alone may suffice.
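
An added example, not part of the original post or reply: a small Python check for the two points raised above, a VPN address pool that sits inside a connected LAN subnet and a static route that duplicates a connected subnet. The sample is a constructed excerpt of the posted configuration; the function name and finding labels are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: the lines of the posted configuration that the reply discusses.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
ip address 10.0.80.254 255.255.255.0
!
interface FastEthernet0/1
ip address 10.0.60.1 255.255.255.0
shutdown
!
interface Dialer0
ip address negotiated
!
ip local pool vpnpool 10.0.80.230 10.0.80.250
ip route 0.0.0.0 0.0.0.0 135.196.xxx.xxx track 123
ip route 10.0.80.0 255.255.255.0 FastEthernet0/0
"""

def audit(config):
    """Return findings as (kind, name, interface) tuples for IOS-style config text."""
    connected, pools, statics, iface = {}, [], [], None
    for line in map(str.strip, config.splitlines()):
        if line == "!":
            iface = None                      # "!" closes the interface block
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif iface and (m := re.match(r"ip address (\d\S*) (\d\S*)", line)):
            connected[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif iface and line == "shutdown":
            connected.pop(iface, None)        # a shut interface has no connected route
        elif m := re.match(r"ip local pool (\S+) (\d\S*) (\d\S*)", line):
            pools.append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := re.match(r"ip route (\d\S*) (\d\S*) (\S+)", line):
            statics.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    findings = []
    for name, first, last in pools:
        for ifname, net in connected.items():
            if first in net or last in net:
                # LAN hosts treat these clients as on-link and ARP for them.
                findings.append(("pool-inside-connected-subnet", name, ifname))
    for net, nexthop in statics:
        if connected.get(nexthop) == net:
            findings.append(("static-duplicates-connected", str(net), nexthop))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A pool-inside-connected-subnet finding means reachability from the LAN to VPN clients depends on the router answering ARP on their behalf, which is what the 'arp -a' check in the reply verifies.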
