
877 - how to access internet via PPTP VPN (can access local devices)


jimwillsher

Technical User
Apr 13, 2005
6
GB
Hi all,

Cisco 877, 12.4(24)T1

My config is working fine for local access, webhosting, surfing the web etc etc. It's also working fine for VPN access, in that I can connect to the router from externally via PPTP VPN and gain access to my local devices. However, what I'd like to be able to do is this: be able to access the internet THROUGH the VPN connection.

Let me explain. I have remote-desktop access to about a dozen systems, and for added security I've restricted the access to my own IP address. So, when I'm at home I can freely RDP to these systems. But when I'm out of course, I can't access them, as the firewalls at the remote sites block me because I'm not coming from my own IP. So what I'd like to be able to do is connect to my VPN, and THEN connect to the remote systems. e.g. channel my traffic through my VPN and then out to the internet. On my PPTP dialup connection I have "use default gateway" ticked, so all internet-based traffic gets directed to my VPN...but never gets any further.

I suspect something on my firewall is blocking it (or perhaps something needs to be enabled), but I can't spot the problem. Can anyone assist please?

Many thanks,


Jim


!
! Last configuration change at 11:05:33 GMT Wed Sep 16 2009 by jim
! NVRAM config last updated at 18:35:07 GMT Wed Sep 16 2009 by jim
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.200
ip dhcp excluded-address 192.168.1.241 192.168.1.254
!
ip dhcp pool CLIENTS
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
lease 0 12
!
no ip cef
ip domain name home.local
ip inspect name fw tcp timeout 3600
ip inspect name fw udp timeout 3600
login block-for 180 attempts 2 within 120
login on-failure log
login on-success log
no ipv6 cef
ntp server 195.74.96.12
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username xxx privilege 15 password 7 XXX
!
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface ATM0
description ADSL Connection
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl enable-training-log
hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool VPNPOOL
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 chap
!
interface Vlan1
description My LAN
ip address 192.168.0.254 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip access-group 120 in
ip access-group 121 out
ip nat outside
ip inspect fw out
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxx@myISP.co.uk
ppp chap password 7 xxxxx
ppp ipcp dns request
ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
ip nat inside source list 102 interface Dialer0 overload
!
ip access-list standard SNMP-ALLOWED
permit 192.168.1.50
deny any
ip access-list standard SSH-ALLOWED
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any
!
!
logging 192.168.1.50
access-list 102 remark Define NAT internal ranges
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 remark Allow public services
access-list 120 remark This ACL should match the ip nat inside source static tcp lines
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 995
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq 1723
access-list 120 permit tcp any any range 50000 50050
access-list 120 permit gre any any
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any source-quench
access-list 120 permit icmp any any packet-too-big
access-list 120 permit icmp any any time-exceeded
access-list 120 deny icmp any any
access-list 120 remark Allow unrestricted UDP traffic to the Entanet DNS Servers
access-list 120 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
access-list 120 permit tcp any any eq 22
access-list 121 remark Allow all outbound IP
access-list 121 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community Home RW SNMP-ALLOWED
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 XXX
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
access-class SSH-ALLOWED in
exec-timeout 0 0
privilege level 15
password 7 XXX
transport input ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
time-range WEEKDAY
periodic weekdays 8:00 to 18:00
!
end
 
Easy when you know how....

interface Virtual-Template1
ip nat inside


Now working...


Jim
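The two-line fix above is the whole answer, but it is worth seeing why it works against the config posted in the first message. The stanza below is an added example, not Jim's own posting: it writes out the corrected Virtual-Template1 interface in full and lists the lines already in the posted config that the fix depends on. All addresses and names are taken from the post; the comments explain the NAT path.

```cisco
! Added example (not from the original post): Virtual-Template1 with the
! "ip nat inside" fix from the thread, plus the posted lines it relies on.
!
! PPTP clients are handed an address from VPNPOOL (192.168.1.251-253).
! IOS only translates a packet with the "overload" rule if it arrived on an
! interface marked "ip nat inside". Vlan1 was marked, but the Virtual-Access
! interfaces cloned from Virtual-Template1 were not, so VPN client traffic
! reached Dialer0 with a private source address and went no further.
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 peer default ip address pool VPNPOOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2 chap
!
! Already present in the posted config; shown because the fix depends on them.
! The VPN pool must fall inside the NAT source list: 192.168.1.251-253 is
! covered by the 192.168.1.0/24 entry in access-list 102.
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 102 interface Dialer0 overload
!
! Dialer0 keeps "ip nat outside" and "ip inspect fw out". CBAC opens the
! return path for sessions the VPN clients start, so inbound ACL 120 on
! Dialer0 needs no new permits for this to work.
!
! Verification from exec mode while a PPTP client is connected:
! show ip nat statistics     - Virtual-Access interfaces now listed as inside
! show ip nat translations   - the client's 192.168.1.25x address as inside local
! show ip inspect sessions   - the client's sessions to Internet hosts
```

Changes to a virtual template apply only to Virtual-Access interfaces cloned after the change, so a client already connected when `ip nat inside` is added has to disconnect and reconnect before its traffic is translated. Once it is, everything the client sends to the Internet leaves Dialer0 with the router's public address, which is exactly what the remote-site IP allowlists in the question require.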
 