
PPTP Connect in cisco VPN but n'working internet access


  • PPTP Connect in cisco VPN but n'working internet access

    What's wrong with my configuration? My device is not connected to the internet. I use Ubuntu LTS 12.04 and a Cisco 1841.

    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot system flash c1841-ipbasek9-mz.124-24.T.bin
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$eb9Q$7kMUF5Am0kVn/QXwssfrD/
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization network default local
    !
    !
    aaa session-id common
    dot11 syslog
    no ip source-route
    !
    !
    !
    !
    ip cef
    ip name-server 202.134.1.10
    ip name-server 202.134.0.155
    multilink bundle-name authenticated
    !
    vpdn enable
    !
    vpdn-group PPTP
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    !
    username ala***n password 7 051B131C2A4343
    username fa***ul privilege 15 password 7 03520B59565F701C16594B51
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 222.124.152.181 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    !
    interface FastEthernet0/1
    description ====LOCAL=====
    ip address 192.168.100.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    !
    interface Virtual-Template1
    description ##PPTP TUNNEL##
    ip unnumbered FastEthernet0/0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    peer default ip address pool PPTP_POOL
    no keepalive
    ppp authentication pap chap ms-chap
    ppp timeout idle 360
    !
    ip local pool PPTP_POOL 192.168.101.110 192.168.101.125
    ip default-gateway 222.124.152.x
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 222.124.152.161
    !
    no ip http server
    no ip http secure-server
    !
    ip nat pool fahrul 222.124.152.181 222.124.152.181 prefix-length 29
    ip nat inside source list 77 pool fahrul overload
    !
    access-list 23 permit 10.10.20.0 0.0.0.255
    access-list 77 permit 192.168.2.0 0.0.0.255
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit ip 192.168.100.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit udp host 203.197.12.30 eq domain host 121.243.96.154
    access-list 101 permit ip 10.10.20.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 deny ip 192.168.100.0 0.0.0.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password 7 060506324F41

  • #2
    Re: PPTP Connect in cisco VPN but n'working internet access

    I see your "internet" facing interface has ip nat inside. If that interface is your internet facing interface, it needs to be ip nat outside.


    interface FastEthernet0/0
    ip address 222.124.152.181 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside (should be ip nat outside)
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled


    Your nat acl specifies that any traffic sourced from 192.168.2.0/24 is to be natted. Your inside interface is on the 192.168.100/24 network? If 192.168.100.0/24 is your internal network for hosts the nat acl needs to be changed.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: PPTP Connect in cisco VPN but n'working internet access

      So according to you, what should I change in order to run smoothly?



      • #4
        Re: PPTP Connect in cisco VPN but n'working internet access

        You would make the change to ip nat outside on the internet facing interface and change your nat acl to match your internal traffic.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: PPTP Connect in cisco VPN but n'working internet access

          I changed the NAT and connected, but no internet access.

          What do you think of this config of mine, can it solve the problem?
          config:
          router rip
          network 192.168.100.0
          network 222.124.152.0
          !
          !
          ip nat inside source list fahrul pool firstpool overload
          !
          ip access-list extended fakhrul
          deny ip 192.168.100.0 0.0.0.255 10.10.20.0 0.0.0.255
          deny ip 192.168.100.0 0.0.0.255 222.124.152.21 0.0.0.224
          deny ip 192.168.100.0 0.0.0.255 222.124.152.1 0.0.0.224
          deny ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
          permit ip 192.168.100.0 0.0.0.255 any
          remark SDM_ACL Category=18
          !



          • #6
            Re: PPTP Connect in cisco VPN but n'working internet access

            Need to see the full config.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: PPTP Connect in cisco VPN but n'working internet access

              my new config
              version 12.4
              no service pad
              service tcp-keepalives-in
              service tcp-keepalives-out
              service timestamps debug datetime msec
              service timestamps log datetime msec
              no service password-encryption
              !
              hostname Router
              !
              boot-start-marker
              boot system flash c1841-ipbasek9-mz.124-24.T.bin
              boot-end-marker
              !
              logging message-counter syslog
              enable secret 5 $1$eb9Q$7kMUF5Am0kVn/QXwssfrD/
              !
              aaa new-model
              !
              !
              aaa authentication login default local
              aaa authentication ppp default local
              aaa authorization network default local
              !
              !
              aaa session-id common
              dot11 syslog
              no ip source-route
              !
              !
              !
              !
              no ip cef
              ip domain lookup source-interface FastEthernet0/0
              ip name-server 202.134.1.10
              ip name-server 202.134.0.155
              multilink bundle-name authenticated
              !
              vpdn enable
              !
              vpdn-group PPTP
              ! Default PPTP VPDN group
              accept-dialin
              protocol pptp
              virtual-template 1
              !
              !

              archive
              log config
              hidekeys
              !
              !
              !
              !
              !
              interface FastEthernet0/0
              ip address 222.124.152.181 255.255.255.224
              no ip redirects
              no ip unreachables
              no ip proxy-arp
              ip flow ingress
              ip nat outside
              ip virtual-reassembly
              duplex auto
              speed auto
              no mop enabled
              !
              interface FastEthernet0/1
              description ===LOCAL===
              ip address 192.168.100.1 255.255.255.0
              ip access-group 100 in
              no ip redirects
              no ip unreachables
              no ip proxy-arp
              ip flow ingress
              ip nat inside
              ip virtual-reassembly
              duplex auto
              speed auto
              no mop enabled
              !
              interface Virtual-Template1
              description ##PPTP TUNNEL##
              ip unnumbered FastEthernet0/0
              no ip redirects
              no ip unreachables
              no ip proxy-arp
              ip flow ingress
              ip nat inside
              ip virtual-reassembly
              peer default ip address pool PPTP_POOL
              no keepalive
              ppp authentication pap ms-chap ms-chap-v2
              !
              ip local pool PPTP_POOL 192.168.101.110 192.168.101.125
              ip forward-protocol nd
              ip route 0.0.0.0 0.0.0.0 222.124.152.161
              !
              no ip http server
              ip http access-class 23
              ip http authentication local
              no ip http secure-server
              !
              ip nat inside source list fahrul pool firstpool overload
              !
              ip access-list extended fakhrul
              deny ip 192.168.100.0 0.0.0.255 10.10.20.0 0.0.0.255
              deny ip 192.168.100.0 0.0.0.255 222.124.152.21 0.0.0.224
              deny ip 192.168.100.0 0.0.0.255 222.124.152.1 0.0.0.224
              deny ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
              permit ip 192.168.100.0 0.0.0.255 any
              remark SDM_ACL Category=18



              • #8
                Re: PPTP Connect in cisco VPN but n'working internet access

                I don't see your nat pool defined.


                ip nat pool firstpool
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: PPTP Connect in cisco VPN but n'working internet access

                  How about this, bro?
                  ip nat pool no-overload 222.124.152.161 222.124.152.181 prefix-length 27
                  ip nat inside source list 7 pool no-overload



                  • #10
                    Re: PPTP Connect in cisco VPN but n'working internet access

                    Okay, that looks good, but is it working now? I need to see the full config on every change you make, so I can see if the configuration will work.

                    I also don't see your routes in the config.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: PPTP Connect in cisco VPN but n'working internet access

                      My full config
                      version 12.4
                      no service pad
                      service tcp-keepalives-in
                      service tcp-keepalives-out
                      service timestamps debug datetime msec
                      service timestamps log datetime msec
                      no service password-encryption
                      !
                      hostname Router
                      !
                      boot-start-marker
                      boot system flash c1841-ipbasek9-mz.124-24.T.bin
                      boot-end-marker
                      !
                      logging message-counter syslog
                      enable secret 5 $1$eb9Q$7kMUF5Am0kVn/QXwssfrD/
                      !
                      aaa new-model
                      !
                      !
                      aaa authentication login default local
                      aaa authentication ppp default local
                      aaa authorization network default local
                      !
                      !
                      aaa session-id common
                      dot11 syslog
                      no ip source-route
                      !
                      !
                      !
                      !
                      no ip cef
                      ip domain lookup source-interface FastEthernet0/0
                      ip name-server 202.134.1.10
                      ip name-server 202.134.0.155
                      multilink bundle-name authenticated
                      !
                      vpdn enable
                      !
                      vpdn-group PPTP
                      ! Default PPTP VPDN group
                      accept-dialin
                      protocol pptp
                      virtual-template 1
                      !
                      !
                      !
                      !
                      !
                      username alauddin privilege 15 secret 5 $1$G03q$UwzLwisLrlanVnh6VCVZE.
                      username fakhrul privilege 15 secret 5 $1$gOx9$FrpywAJZISgjnwBfs2nyj/
                      archive
                      log config
                      hidekeys
                      !
                      !
                      !
                      !
                      !
                      interface FastEthernet0/0
                      ip address 222.124.152.181 255.255.255.224
                      no ip redirects
                      no ip unreachables
                      no ip proxy-arp
                      ip flow ingress
                      ip nat outside
                      ip virtual-reassembly
                      duplex auto
                      speed auto
                      no mop enabled
                      !
                      interface FastEthernet0/1
                      description ===LOCAL===
                      ip address 192.168.100.1 255.255.255.0
                      ip access-group 100 in
                      no ip redirects
                      no ip unreachables
                      no ip proxy-arp
                      ip flow ingress
                      ip nat inside
                      ip virtual-reassembly
                      duplex auto
                      speed auto
                      no mop enabled
                      !
                      interface Virtual-Template1
                      description ##PPTP TUNNEL##
                      ip unnumbered FastEthernet0/0
                      no ip redirects
                      no ip unreachables
                      no ip proxy-arp
                      ip flow ingress
                      ip nat inside
                      ip virtual-reassembly
                      peer default ip address pool PPTP_POOL
                      no keepalive
                      ppp authentication pap ms-chap ms-chap-v2
                      !
                      router rip
                      network 192.168.100.0
                      network 222.124.152.0
                      !
                      ip local pool PPTP_POOL 192.168.101.110 192.168.101.125
                      ip forward-protocol nd
                      ip route 0.0.0.0 0.0.0.0 222.124.152.161
                      !
                      no ip http server
                      ip http access-class 23
                      ip http authentication local
                      no ip http secure-server
                      !
                      ip nat pool no-overload 222.124.152.161 222.124.152.181 prefix-length 27
                      ip nat inside source list 7 pool no-overload
                      ip nat inside source list fakhrul pool firstpool overload
                      !
                      ip access-list extended fakhrul
                      deny ip 192.168.100.0 0.0.0.255 10.10.20.0 0.0.0.255
                      deny ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
                      permit ip 192.168.100.0 0.0.0.255 any
                      remark SDM_ACL Category=18



                      • #12
                        Re: PPTP Connect in cisco VPN but n'working internet access

                        Okay, I see your nat pool no-overload, but then I see


                        ip nat inside source list 7 pool no-overload
                        ip nat inside source list fakhrul pool firstpool overload


                        I don't see access list 7 in the config. If it's an old configuration, clean it out as it doesn't need to be there.


                        Do you see the translation taking place?

                        show ip nat translations


                        Also, you should start out your config small, then add stuff as you go. What I mean is get internet access up and running first, then work on the vpn config etc. If you piece it together like that, then when something doesn't work you know the last change you made probably caused the issue. Too many times do I see people setting up NAT and vpn access at the same time without testing each piece as they go.
                        Last edited by auglan; 5th February 2013, 18:49.
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)



                        • #13
                          Re: PPTP Connect in cisco VPN but n'working internet access

                          no ip nat translation



                          • #14
                            Re: PPTP Connect in cisco VPN but n'working internet access

                            Your nat statement mentions firstpool but I don't see firstpool in your config.

                            Change to this:


                            no ip nat inside source list fakhrul pool firstpool overload


                            ip nat inside source list fakhrul pool no-overload
                            CCNA, CCNA-Security, CCNP
                            CCIE Security (In Progress)
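
The checks the replies in this thread make by eye (which interfaces are `ip nat inside` or `ip nat outside`, and whether every `ip nat inside source` line points at an access list and a pool that are actually defined) can be scripted before a config is applied. The Python below is an added example, not part of the original thread and not a Cisco tool; `lint_nat` and `POST_11` are names chosen for this example, and the sample text is the NAT-related subset of the config posted in #11.

```python
import re

# NAT-related lines excerpted from the full config posted in #11 of this thread.
POST_11 = """\
interface FastEthernet0/0
ip nat outside
interface FastEthernet0/1
ip nat inside
interface Virtual-Template1
ip nat inside
ip nat pool no-overload 222.124.152.161 222.124.152.181 prefix-length 27
ip nat inside source list 7 pool no-overload
ip nat inside source list fakhrul pool firstpool overload
ip access-list extended fakhrul
permit ip 192.168.100.0 0.0.0.255 any
"""

def lint_nat(config):
    """Return findings about NAT interface roles and dangling NAT references."""
    roles = {}                 # interface name -> "inside" / "outside"
    pools, acls = set(), set() # names defined in the config
    rules = []                 # (acl, pool) from each 'ip nat inside source' line
    iface = None
    for raw in config.splitlines():
        line = raw.strip()     # forum pastes lose the IOS indentation
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and iface:
            roles[iface] = m.group(1)
        elif m := re.match(r"ip nat pool (\S+)", line):
            pools.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)", line):
            rules.append((m.group(1), m.group(2)))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
    findings = []
    for role in ("inside", "outside"):
        if role not in roles.values():
            findings.append(f"no interface is marked 'ip nat {role}'")
    for acl, pool in rules:
        if acl not in acls:
            findings.append(f"NAT rule uses undefined access list '{acl}'")
        if pool not in pools:
            findings.append(f"NAT rule uses undefined pool '{pool}'")
    return findings

if __name__ == "__main__":
    for finding in lint_nat(POST_11):
        print(finding)
```

Run against the NAT lines of the first post it reports the missing `ip nat outside`, and against the config in #7 it also reports that the NAT rule names list `fahrul` while the access list defined is `fakhrul`.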
