1801 VPN multiple clients

Discussion in 'Cisco' started by Steven Carr, Mar 10, 2008.

  1. Steven Carr

    Steven Carr Guest

    Having a bit of a problem with my config. I've set up PPTP VPN on my 1801
    and pointed it at my local DHCP server for one of the private address
    ranges. The problem is I can only get a single client to connect; it
    seems to be sending the same MAC address to the DHCP server, so only one
    address is being used. Do I need to use an address pool set up on the
    router itself?

    Below is the config:

    !
    service nagle
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname net-gw
    !
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    ip domain name x.x.x
    !
    ip cef
    ip flow-top-talkers
    top 10
    sort-by bytes
    !
    clock timezone GMT 0
    ntp server x.x.x.x
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    aaa authentication ppp default local
    !
    enable secret xxx
    no enable password
    username xxx privilege 15 secret xxx
    !
    ! VPN usernames
    username xxx password 0 xxx
    !
    ! VPN config
    vpdn enable
    !
    vpdn-group 1
    !
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    logging x.x.x.x
    no logging console
    archive
    log config
    logging enable
    logging size 500
    notify syslog
    hidekeys
    !
    ip subnet-zero
    ip classless
    no service pad
    no ip source-route
    no ip finger
    no ip bootp server
    no ip domain-lookup
    !
    interface FastEthernet0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface BRI0
    no ip address
    encapsulation hdlc
    no ip route-cache
    shutdown
    !
    interface FastEthernet1
    spanning-tree portfast
    description trunk link to loft-sw01 fa0/24 (vlan 2)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1,2,1002-1005
    switchport mode trunk
    duplex auto
    speed auto
    !
    interface FastEthernet2
    spanning-tree portfast
    description trunk link to loft-sw01 fa0/23 (vlan 3,4,5)
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1,3-5,1002-1005
    switchport mode trunk
    duplex auto
    speed auto
    !
    interface FastEthernet3
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet4
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet5
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet6
    spanning-tree portfast
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet7
    spanning-tree portfast
    switchport mode access
    switchport access vlan 1
    duplex auto
    speed auto
    !
    interface FastEthernet8
    spanning-tree portfast
    description link to wireless ap
    switchport mode access
    switchport access vlan 3
    duplex auto
    speed auto
    !
    ! ATM config
    interface ATM0
    no ip address
    no ip route-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    no ip route-cache
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    ! Virtual template for VPN
    interface Virtual-Template1
    ip unnumbered vlan 3
    peer default ip address dhcp
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    ! VLANS
    interface Vlan1
    description Management VLAN
    ip address 192.168.255.1 255.255.255.0
    !
    interface Vlan2
    description Public VLAN
    ip address x.x.x.x 255.255.255.240
    !
    interface Vlan3
    description Private VLAN
    ip address 172.16.0.1 255.255.255.0
    ip helper-address x.x.x.x
    ip nat inside
    !
    interface Vlan4
    description Work VLAN
    ip address 10.0.10.1 255.255.255.0
    ip helper-address x.x.x.x
    ip nat inside
    !
    interface Vlan5
    description Uni Live VLAN
    ip address 192.168.100.1 255.255.255.0
    ip helper-address x.x.x.x
    ip nat inside
    !
    ! PPPoA
    interface Dialer0
    description outside world
    ip address negotiated
    ip nat outside
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    no ip proxy-arp
    no ip mask-reply
    ip access-group inbound_firewall in
    ip access-group outbound_firewall out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxx@xxx
    ppp chap password 0 xxxxxx
    no cdp enable
    !
    ! default route
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ! NAT access list - allow any local addresses
    dialer-list 1 protocol ip permit
    access-list 1 permit 172.16.0.0 0.15.255.255
    access-list 1 permit 10.0.10.0 0.255.255.255
    access-list 1 permit 192.168.100.0 0.0.255.255
    ip nat inside source list 1 interface Dialer0 overload
    !
    no ip access-list extended inbound_firewall
    ip access-list extended inbound_firewall
    !
    ! filter out the crud
    remark deny own range
    deny ip x.x.x.x 0.0.0.15 any
    remark deny spoof addresses
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 224.0.0.0 31.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
    remark deny non-routables
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    !
    remark icmp traffic
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    deny icmp any any
    remark allow established
    permit tcp any x.x.x.x 0.0.0.15 established
    permit udp any range 1 1023 x.x.x.x 0.0.0.15 gt 1023
    permit udp any gt 1023 x.x.x.x 0.0.0.15 gt 1023
    !
    deny ip any any
    !
    !
    no ip access-list extended outbound_firewall
    ip access-list extended outbound_firewall
    !
    remark allow own range
    permit ip x.x.x.x 0.0.0.15 any
    !
    remark block any other traffic
    deny ip any any
    !
    !
    no ip http server
    no ip http secure-server
    !
    snmp-server community xxx RW
    snmp-server community xxx RO
    snmp-server location Loft Cab
    snmp-server contact Steven Carr <>
    !
    banner login ^

    Unauthorised access prohibited - all access and commands are logged.

    ^
    !
    line con 0
    login local
    session-timeout 10
    line vty 0 4
    login local
    session-timeout 10
    transport input ssh
    !
    end

    --
    Steve Carr
    http://gpf.me.uk


     
    Steven Carr, Mar 10, 2008
    #1

  2. Steven Carr

    Merv Guest

    use local pool
     
    Merv, Mar 10, 2008
    #2
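
Merv's suggestion spelled out against the Virtual-Template1 from the first post, as an added example that is not part of the original thread. The pool name VPN-POOL and the range 172.16.0.200 to 172.16.0.220 are assumptions; the range has to sit inside the Vlan3 subnet (172.16.0.0/24) and be excluded from the scope of the DHCP server behind the helper address.

```cisco
! --- Before (from the original post) ---------------------------------
! Every PPTP peer address is requested from the external DHCP server.
!
! interface Virtual-Template1
!  ip unnumbered vlan 3
!  peer default ip address dhcp
!  ppp encrypt mppe auto required
!  ppp authentication ms-chap ms-chap-v2
!
! --- After: addresses handed out by the router itself -----------------
! Constructed values: pool name and address range are assumptions.
! One address is consumed per connected client, so size the range for
! the number of simultaneous VPN users.
ip local pool VPN-POOL 172.16.0.200 172.16.0.220
!
interface Virtual-Template1
 ip unnumbered Vlan3
 ! Replaces "peer default ip address dhcp"
 peer default ip address pool VPN-POOL
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
```

With two clients connected, `show ip local pool VPN-POOL` should list two addresses in use.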

  3. Steven Carr

    Steven Carr Guest

    Steven Carr wrote:
    > Having a bit of a problem with my config. I've set up PPTP VPN on my 1801
    > and pointed it at my local DHCP server for one of the private address
    > ranges. The problem is I can only get a single client to connect; it
    > seems to be sending the same MAC address to the DHCP server, so only one
    > address is being used. Do I need to use an address pool set up on the
    > router itself?


    OK, I've tried with a local pool, but if I create a new VLAN, give it an
    IP address and point the virtual template to it, nothing happens. The
    VLAN itself doesn't appear to come active, I can't ping the VLAN's gateway
    and "show int status" shows it as down.

    The second thing is I can't seem to get it to work through the firewall.
    Well, that is, the connection comes up and I can access anything on the
    networks behind the router, so all of my private addresses etc., but I
    can't get anything from the internet, so I am unable to come in over the
    VPN and route externally. The client has the gateway set as the VLAN's
    IP address, but there is no subnet mask set? Not sure if that is needed.

    Below is the firewall config; can anyone see anything wrong?

    no ip access-list extended inbound_firewall
    ip access-list extended inbound_firewall
    !
    ! filter out the crud
    remark deny own range
    deny ip 82.71.110.224 0.0.0.15 any
    remark deny spoof addresses
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 224.0.0.0 31.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any
    remark deny non-routables
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    !
    remark icmp traffic
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    deny icmp any any
    remark allow established
    permit tcp any 82.71.110.224 0.0.0.15 established
    permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023
    permit udp any gt 1023 82.71.110.224 0.0.0.15 gt 1023
    !
    remark net-gw.dunelm.gpf.me.uk
    remark PPTP VPN
    permit tcp any host 82.71.110.238 eq 1723
    permit gre any host 82.71.110.238
    !
    remark block any other traffic
    deny udp any any eq 53
    deny tcp any any eq 53
    deny ip any any
    !
    !
    no ip access-list extended outbound_firewall
    ip access-list extended outbound_firewall
    !
    remark allow own range
    permit ip 82.71.110.224 0.0.0.15 any
    !
    remark block any other traffic
    deny ip any any
    !
    !

    Ste



    --
    Steve Carr
    http://gpf.me.uk


     
    Steven Carr, Mar 15, 2008
    #3
  4. Steven Carr

    Brian V Guest

    "Steven Carr" <> wrote in message
    news:47dba9a2$0$32057$...

    Steve,
    Dump the HTML posting. You'll get a lot more help. Most of the regulars
    won't open them.
     
    Brian V, Mar 15, 2008
    #4
  5. Steven Carr

    Steven Carr Guest

    Brian V wrote:
    > Steve,
    > Dump the HTML posting. You'll get a lot more help. Most of the regulars
    > won't open them.


    Not sure where you get the idea that I use HTML email from? My emails
    are OpenPGP signed. Check the raw message content in future.

    Steve

    --
    Steve Carr
    http://gpf.me.uk


     
    Steven Carr, Mar 16, 2008
    #5