Hi to all... After sloving the problem of encryption and compression on my pptp tunnel (thanks to Chad Mahoney!), i have another trouble to slove. My router has 2 eth cards, one vlan (192.168.200.254) and one fe0 (192.168.1.200) On the vlan int there is a local dhcp and pool for clients, the other interface is connected to my local network, that has a w2ke acting as a dhcp server. Now the pptp clients get the ip address from the local cisco pool (simpler case) and it work good, but i need that the pptp clients get an address compatible with the local network (ip 192.168.1.x), given by the w2k3 server. I've tryed the ip helper address on the virtual-temp, but it not work.
Using the 'peer default ip address dhcp' on the virtual-temp interface, and issuing the commands: ip address-pool dhcp-proxy-client ip dhcp-server x.x.x.x it get a correct ip (also logged by the w2k3 server, released to the router ip), but the pptp client get a subnet of 255.255.255.255, not allowing me to reach anything. Debugging the DHCP events, it show that it receive the right subnet option (255.255.255.0) from the w2k3 server, but it not apply that subnet to the pptp client...
Really thanks Chad for the time that you spent with my (probably silly) problems... So, the complete config (ripped of useless things...):
version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname xxx ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 51200 debugging logging console critical enable secret Pass ! aaa new-model ! ! aaa group server radius VPNDialIn ! aaa authentication attempts login 5 aaa authentication login console none aaa authentication login telnet local aaa authentication ppp VPNDialIn group VPNDialIn aaa authorization exec default local aaa authorization network default group VPNDialIn ! aaa session-id common ! resource policy ! clock timezone Here 1 clock summer-time Here recurring last Sun Mar 2:00 last Sun Oct 3:00 clock calendar-valid no ip source-route ! ! ip cef no ip dhcp use vrf connected ip dhcp excluded-address 192.168.200.1 192.168.200.9 ip dhcp excluded-address 192.168.200.201 192.168.200.254 ! ip dhcp pool sdm-pool1 import all network 192.168.200.0 255.255.255.0 default-router 192.168.200.254 dns-server 192.168.200.254 ! ! ip tcp synwait-time 10 no ip bootp server ip domain name mydomain.it ip name-server x.x.x.x ip ssh time-out 60 ip ssh authentication-retries 2
ip address-pool dhcp-proxy-client ip dhcp-server 192.168.1.1 vpdn enable ! vpdn-group VPNDialIn ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 ! ! isdn switch-type basic-net3 ! username router privilege 15 secret xxx ! ! ! bridge irb ! ! ! interface Null0 no ip unreachables ! interface Vif1 no ip address ! interface FastEthernet0 ip address 192.168.1.200 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow duplex auto speed auto ! interface BRI0 no ip address no ip redirects no ip unreachables no ip proxy-arp encapsulation ppp ip route-cache flow isdn switch-type basic-net3 isdn point-to-point-setup ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 ! interface FastEthernet5 ! interface FastEthernet6 ! interface FastEthernet7 ! interface FastEthernet8 ! interface ATM0 mtu 1492 no ip address no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow no atm ilmi-keepalive dsl operating-mode itu-dmt ! interface ATM0.1 point-to-point #int connected to internet ! ! interface Virtual-Template1 description $FW_OUTSIDE$ ip unnumbered FastEthernet0 ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow peer default ip address dhcp no keepalive compress mppc ppp encrypt mppe auto required ppp authentication ms-chap ms-chap-v2 callin VPNDialIn !
interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$ ip address 192.168.200.254 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ip tcp adjust-mss 1452 !
! ip route 0.0.0.0 0.0.0.0 ATM0.1 ! ip dns server !
dialer-list 1 protocol ip permit no cdp run ! ! ! route-map SDM_RMAP_1 permit 1 match ip address 105 ! ! ! radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key sharedkey
radius-server vsa send authentication ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C ! line con 0 login authentication console transport output telnet line aux 0 transport output telnet line vty 0 4 access-class 101 in login authentication telnet transport input telnet ssh ! ! end
The key of the previous problem was the following line: aaa authorization network default group radius
But why it not work with: aaa authorization network VPNDialIn group VPNDialIn
Seem that it not use the group VPNDialIn for author, while it work for authentication. It work only if i set it at default group...
In any case... Why i get a subnet 255.255.255.255?
I get the same subnet when connecting to my VPN as well,
If you are connected to the VPN try and ping something on the local LAN and see what the debug messages say.
One thing I am unclear on is where the 192.168.1.1 address comes into play? The router is on the 192.168.200.x subnet? Is that on another VLAN segment? Is it reachable from the router? Do you have a layout of how the network is connected?
I am mainly a firewall guy, not a router guru, but in the firewall world the range of IP address that you are using for the VPN has to be excluded from the NAT process, my thinking is that when you connect to the VPN and try to connect to hosts on the LAN, the router is trying to perform NAT back out to the internet, which is why you are failing to connect to those devices... In the firewall world, if you exclude the range of IP address from NAT, the request from the VPN client are not NAT'd and directly connected to the LAN. This is what I would expect the log messages to be saying. Perhaps one of the other router guru's in here could give us their thoughts?
So, the config is a bit strange... There is a DMZ (192.168.200.x) and there is a local network (192.168.1.x) The server is a w2k3 isa server, so the customer wanted to ise it for filtering the connections (block msn, etc). It want this and not the cisco because it know hot to lock and unlock things with isa without callung us. So, the w2k3 server has a second interface connected to the local network, that is the same as the 2nd lan of the cisco is connected (192.168.1.x). I've done in this way because there is a site2site ipsec tunnel with a branch office, and the traffic coming from the other site must go directly on the local network, but internet navigation must go trough the dmz, then to internet... This config has cost to me a lot of troubles... So, in the dmz there are connected some pc's, that are out of the local network. Now, the same router must act as a vpn dialin client, and the remote users must connect to the internal network (192.168.1.x), to get access to the server...
That interface doesn't see the 192.168.1.1 address, and on that interface (vlan1) there is a dhcp server for the dmz. Before posting i've also tryed removing the dhcp proxy confing, and using the ip helper on the virtual-template, but the problem was the same...