problem making pptp vpn connection from lan (behind ios router)

Status
Not open for further replies.

lohelle

Technical User
Mar 25, 2006
I'm having trouble connecting to external pptp vpn servers from my LAN. I'm using a Cisco 2610XM router running IOS adventerprise 12.4.7.

I know that the pptp vpn servers are working correctly. I have also tried running access-lists with "permit ip any any" on all interfaces.

What can be the problem? I have similar setups that DO work. Hosts on the DMZ network (same router, but no NAT) can connect successfully. So I think it is a NAT problem.

relevant (and some not relevant) config below:

!
aaa new-model
!
!
aaa authentication login network local
aaa authorization network easyvpn local
aaa authorization network easyvpn2 local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.79
!

!
!
ip flow-cache timeout active 1
no ip domain lookup
vpdn enable

interface FastEthernet0/0
no ip address
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.2 255.255.255.0
ip nat inside
ip access-group full in
ip access-group full out
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 213.xxx.xxx.33 255.255.255.224
ip access-group full in
ip access-group dmzout out
ip accounting output-packets
no snmp trap link-status
!
interface FastEthernet0/0.10
bandwidth 4200
encapsulation dot1Q 10
ip address xx.xx.xx.18 255.255.255.192
ip flow ingress
ip flow egress
ip access-group full in
ip access-group full out
ip nat outside
ip virtual-reassembly
no snmp trap link-status

router rip
version 2
network 192.168.0.0
network 192.168.50.0
network 192.168.66.0
network 192.168.70.0
no auto-summary

ip local pool pptp2 192.168.4.1 192.168.4.10
ip local pool easypool 192.168.99.1 192.168.99.254
ip local pool easypool2 192.168.98.1 192.168.98.254
ip local pool pptp 192.168.2.100
ip route 0.0.0.0 0.0.0.0 83.243.132.1
ip route 10.0.0.0 255.252.0.0 192.168.50.2
ip route 10.0.0.0 255.255.255.0 192.168.50.2
ip route 10.1.8.0 255.255.255.0 192.168.50.2
ip route 192.168.100.0 255.255.255.0 192.168.50.2
!
ip flow-export source FastEthernet0/0.1
ip flow-export version 5
ip flow-export destination 192.168.0.60 9996
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
ip nat pool overload xx.xx.xx.18 xx.xx.xx.18 prefix-length 24
ip nat inside source list 150 pool overload overload
ip nat inside source static tcp 192.168.0.1 3389 interface FastEthernet0/0.10 3389
ip nat inside source static tcp 192.168.0.1 80 interface FastEthernet0/0.10 80
ip nat inside source static tcp 192.168.0.1 143 interface FastEthernet0/0.10 143
ip nat inside source static tcp 192.168.0.1 110 interface FastEthernet0/0.10 110
ip nat inside source static tcp 192.168.0.1 25 interface FastEthernet0/0.10 25
ip nat inside source static tcp 192.168.0.3 22 interface FastEthernet0/0.10 22
ip nat inside source static tcp 192.168.0.3 5060 interface FastEthernet0/0.10 5060
ip nat inside source static tcp 192.168.0.3 4589 interface FastEthernet0/0.10 4589

ip access-list extended dmzout
permit ip any any

ip access-list extended full
permit ip any any

access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.98.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 150 permit ip 192.168.99.0 0.0.0.255 any
access-list 150 permit ip 192.168.98.0 0.0.0.255 any
 