PPTP VPN on Cisco 800 (877) - browsing internet VIA the VPN

  • PPTP VPN on Cisco 800 (877) - browsing internet VIA the VPN

    Hi all,

    Cisco 877, 12.4(24)T1

    My config is working fine for local access, web hosting, surfing the web, etc. It's also working fine for PPTP access, in that I can connect to the router from outside via PPTP VPN and gain access to my local devices. However, what I'd like to be able to do is this: access the internet THROUGH the VPN connection.

    Let me explain. I have remote-desktop access to about a dozen systems, and for added security I've restricted that access to my own (home) IP address. So when I'm at home I can freely RDP to these systems, but when I'm out, of course, I can't. What I'd like to be able to do is connect to my VPN and THEN connect to the remote systems, i.e. channel my traffic through my VPN and then out to the internet, so that it appears to come from my home IP. On my PPTP dial-up connection I have "use default gateway" ticked, so all internet-bound traffic gets directed to my VPN... but never gets any further.

    I suspect something on my firewall is blocking it, but I can't spot the problem. Can anyone assist please?

    Many thanks,


    Jim

    Code:
    !
    ! Cisco 877 (IOS 12.4(24)T1) PPTP VPN server / NAT edge config as posted.
    ! Lines starting with "NOTE(review):" are reviewer observations, not part
    ! of the original configuration.
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    ! Obfuscates (type 7) passwords in the config; this is reversible, not a hash.
    service password-encryption
    !
    hostname Cisco877
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 52000
    !
    ! AAA: console/vty logins and PPP (PPTP) peers both authenticate against
    ! the local username database below.
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time GMT recurring
    !
    !
    dot11 syslog
    ! NOTE(review): IP source routing is left enabled; it lets a sender dictate
    ! a packet's path and is normally disabled on an internet-facing router
    ! with "no ip source-route".
    ip source-route
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.200
    ! .241-.254 excluded from DHCP; the PPTP pool (VPNPOOL) lives in .251-.253.
    ip dhcp excluded-address 192.168.1.241 192.168.1.254
    !
    ip dhcp pool CLIENTS
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1 
       dns-server 192.168.1.1 192.168.1.254 
       lease 0 12
    !
    no ip cef
    ip domain name xxx.local
    ! Upstream (ISP) resolvers used by the router's own DNS server ("ip dns server").
    ip name-server 195.74.113.58
    ip name-server 195.74.113.62
    ip name-server 195.74.102.146
    ip name-server 195.74.102.147
    ! Stateful inspection (CBAC) for TCP and UDP only, applied outbound on
    ! Dialer0; return traffic for sessions started from inside is admitted by
    ! the inspection state, not by ACL 120.
    ip inspect name fw tcp timeout 3600
    ip inspect name fw udp timeout 3600
    ! Login brute-force throttle: 2 failures within 120 s blocks logins for 180 s.
    login block-for 180 attempts 2 within 120
    login on-failure log
    login on-success log
    no ipv6 cef
    ntp server 195.74.96.12
    !
    multilink bundle-name authenticated
    !
    ! PPTP server: TCP/1723 control channel + GRE, both opened in ACL 120.
    ! NOTE(review): PPTP with MS-CHAP/MPPE is widely regarded as
    ! cryptographically weak; treat this as a legacy remote-access method.
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    !
    !
    ! NOTE(review): "password 7" is reversible obfuscation; "username ... secret"
    ! would store a hash instead. The first user has privilege 15 (full control).
    username XXX privilege 15 password 7 XXX
    username XXX password 7 XXX
    ! 
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    !
    !
    interface ATM0
     description ADSL Connection
     no ip address
     no atm ilmi-keepalive
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log 
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! Template for the per-client PPTP virtual-access interfaces. Clients get an
    ! address from VPNPOOL (192.168.1.251-.253, inside the Vlan1 subnet).
    ! NOTE(review): as posted there is no "ip nat inside" here, so VPN-client
    ! traffic bound for the internet is routed to Dialer0 but never translated
    ! by the overload rule below; reply #3 in this thread reports that adding
    ! "ip nat inside" to this template resolved it.
    interface Virtual-Template1
     ip unnumbered Vlan1
     peer default ip address pool VPNPOOL
     no keepalive
     ! MPPE is mandatory, and MPPE keys are derived only from MS-CHAP/MS-CHAPv2.
     ! NOTE(review): the trailing "chap" cannot satisfy "mppe ... required", so
     ! it is at best dead and at worst a downgrade offer; consider "ms-chap-v2" only.
     ppp encrypt mppe auto required
     ppp authentication ms-chap ms-chap-v2 chap
    !
    interface Vlan1
     description An Teallach LAN
     ip address 192.168.0.254 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0
     ! NOTE(review): "ip nat inside" (classic NAT domains, matching "ip nat
     ! outside" on Dialer0) and "ip nat enable" (NAT Virtual Interface) are two
     ! different NAT models; only the classic one is in use as far as the posted
     ! config shows - confirm the NVI line is intentional.
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    ! Internet-facing PPPoA dialer: ACL 120 filters unsolicited inbound traffic,
    ! ACL 121 permits all outbound, and "ip inspect fw out" opens return paths.
    interface Dialer0
     bandwidth inherit
     ip address negotiated
     ip access-group 120 in
     ip access-group 121 out
     ip nat outside
     ip inspect fw out
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 XXXX
     ppp ipcp dns request
     ip rtp header-compression iphc-format
    !
    ip local pool VPNPOOL 192.168.1.251 192.168.1.253
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ! Web management disabled (HTTP and HTTPS); SSH is the only management path.
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    no ip nat service sip udp port 5060
    ! Port forwards: mail/web/POP3S/FTP on .50 and RDP on .20 are reachable from
    ! any source address (ACL 120 permits them from "any").
    ! NOTE(review): the post says the remote RDP hosts are locked to a source IP,
    ! but this router's own 3389 forward is open to the whole internet; consider
    ! restricting it, or reaching .20 only over the VPN and dropping the forward.
    ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
    ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
    ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
    ! PAT for outbound traffic from inside sources matched by access-list 102.
    ! NOTE(review): access-list 102 is referenced but not present in the posted
    ! config; confirm it exists, and that it also matches the VPNPOOL range
    ! (192.168.1.251-.253) once Virtual-Template1 is made "ip nat inside".
    ip nat inside source list 102 interface Dialer0 overload
    ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
    !
    ! SNMP access limited to the syslog/mail host.
    ip access-list standard SNMP-ALLOWED
     permit 192.168.1.50
     deny   any
    ! Management (vty) sources: both LAN subnets. Note VPNPOOL addresses fall
    ! inside 192.168.1.0/24, so any authenticated PPTP client may also SSH in.
    ip access-list standard SSH-ALLOWED
     permit 192.168.0.0 0.0.0.255
     permit 192.168.1.0 0.0.0.255
     deny   any
    !
    !
    logging 192.168.1.50
    ! ACL 120 - inbound on Dialer0 (implicit deny at the end). Only unsolicited
    ! inbound services need to appear here; replies to inside-initiated TCP/UDP
    ! are admitted by "ip inspect fw".
    access-list 120 remark Allow public services
    access-list 120 remark This ACL should match the ip nat inside source static tcp lines
    access-list 120 permit tcp any any eq smtp
    access-list 120 permit tcp any any eq www
    access-list 120 permit tcp any any eq 443
    access-list 120 permit tcp any any eq 995
    access-list 120 permit tcp any any eq 3389
    access-list 120 permit tcp any any eq ftp
    access-list 120 permit tcp any any eq ftp-data
    ! PPTP: control channel (1723) and GRE tunnel traffic.
    access-list 120 permit tcp any any eq 1723
    ! NOTE(review): 50000-50050 has no matching static NAT entry in the posted
    ! config - presumably an FTP passive-mode range on .50; verify it is needed.
    access-list 120 permit tcp any any range 50000 50050
    access-list 120 permit gre any any
    ! Limited ICMP; all other ICMP is dropped explicitly.
    access-list 120 permit icmp any any echo
    access-list 120 permit icmp any any echo-reply
    access-list 120 permit icmp any any source-quench
    access-list 120 permit icmp any any packet-too-big
    access-list 120 permit icmp any any time-exceeded
    access-list 120 deny   icmp any any
    access-list 120 remark Allow unrestricted UDP traffic to the Entanet DNS Servers
    ! NOTE(review): these admit any UDP packet whose source is port 53 on the
    ! four resolvers, to any destination port - presumably for replies to the
    ! router's own forwarded DNS queries, which CBAC may not track. Source
    ! address/port is spoofable, so the rule is broader than it looks; confirm
    ! it is still needed.
    access-list 120 permit udp host 195.74.113.58 eq domain any
    access-list 120 permit udp host 195.74.113.62 eq domain any
    access-list 120 permit udp host 195.74.102.146 eq domain any
    access-list 120 permit udp host 195.74.102.147 eq domain any
    access-list 120 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
    ! NOTE(review): there is no static NAT for port 22, so this exposes the
    ! router's own SSH service to any source. The vty "access-class SSH-ALLOWED"
    ! then rejects non-LAN sources, and "login block-for" throttles guesses, but
    ! the rule is unnecessary unless external SSH to the router is intended.
    access-list 120 permit tcp any any eq 22
    access-list 121 remark Allow all outbound IP
    access-list 121 permit ip any any
    ! Any IP traffic is "interesting" and keeps the dialer up.
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    ! NOTE(review): read-WRITE community string, restricted to 192.168.1.50 by
    ! SNMP-ALLOWED; SNMPv1/v2c RW can alter the running configuration for
    ! anyone who can reach (or spoof) that host. Prefer RO unless writes are needed.
    snmp-server community AnTeallach RW SNMP-ALLOWED
    !
    control-plane
    !
    !
    ! NOTE(review): "exec-timeout 0 0" disables idle logout on console and vty;
    ! "privilege level 15" on the vty lines drops every login straight into
    ! enable mode. The line passwords are not consulted for login because
    ! "aaa new-model" sends logins to the local user database.
    line con 0
     exec-timeout 0 0
     password 7 XXX
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     access-class SSH-ALLOWED in
     exec-timeout 0 0
     privilege level 15
     password 7 XXX
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    ! NOTE(review): WEEKDAY is defined but not referenced anywhere in the posted config.
    time-range WEEKDAY
     periodic weekdays 8:00 to 18:00
    !
    end
    Last edited by jimwillsher; 16th September 2009, 10:06.

  • #2
    Re: PPTP VPN on Cisco 800 (877) - browsing internet VIA the VPN

    Surely this hasn't thrown everyone?


    Jim



    • #3
      Re: PPTP VPN on Cisco 800 (877) - browsing internet VIA the VPN

      Easy when you know how....

      ! Mark the per-client PPTP virtual-access interfaces as a NAT "inside"
      ! interface, so VPN-client traffic heading out Dialer0 ("ip nat outside")
      ! is translated by the overload rule just like LAN traffic.
      interface Virtual-Template1
      ip nat inside
      Now working: with the virtual template marked as a NAT inside interface, traffic from the VPN clients to the internet is translated on Dialer0 like LAN traffic, so it leaves from the home public IP.

      Jim
