Hello !
I'm using a vpdn connection from outside a company to Cisco 800 series router which act as a end of a vpn tunnel.
generally speaking vpdn configuration looks like that:
- usernames and password are kept on the router
- for connection I use Windows built-in vpn client.
- when client is authenticated router assign it ip address from local pool which is also kept on the router.
I'd like to achieve the following:
depending on the ip address from which the remote client connects the router would assign it different local ip address. source addresses are configured in access lists.
Now remote clients always get the same local ip address.
This is the interesting part of the configuration:
----------
vpdn enable
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
source-ip xxx.xxx.xxx.xxx
!
vpdn-group 2
description VPDN Group for DST Windows VPN clients
accept-dialin
protocol pptp
virtual-template 2
source-ip xxx.xxx.xxx.xxx
!
-------public interface-----------
interface Ethernet1
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip nat outside
ip virtual-reassembly
service-policy output inbound-http
duplex auto
no cdp enable
!
-------virtual interface-----------
interface Virtual-Template1
ip unnumbered Ethernet1
ip access-group 150 in
ip mroute-cache
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2
ip unnumbered Ethernet1
ip access-group 151 in
ip mroute-cache
peer default ip address pool vpn-local2
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
ip local pool vpn-local xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip local pool vpn-local2 yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy
-----------access lists----------
ccess-list 150 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx log
access-list 150 permit ip yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy log
access-list 150 deny tcp any eq 1723 any
access-list 150 deny gre any any
access-list 150 permit tcp any xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list 151 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx log
access-list 151 permit ip yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy log
access-list 151 deny tcp any eq 1723 any
access-list 151 deny gre any any
Thanks for any help.
I'm using a vpdn connection from outside a company to Cisco 800 series router which act as a end of a vpn tunnel.
generally speaking vpdn configuration looks like that:
- usernames and password are kept on the router
- for connection I use Windows built-in vpn client.
- when client is authenticated router assign it ip address from local pool which is also kept on the router.
I'd like to achieve the following:
depending on the ip address from which the remote client connects the router would assign it different local ip address. source addresses are configured in access lists.
Now remote clients always get the same local ip address.
This is the interesting part of the configuration:
----------
vpdn enable
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
source-ip xxx.xxx.xxx.xxx
!
vpdn-group 2
description VPDN Group for DST Windows VPN clients
accept-dialin
protocol pptp
virtual-template 2
source-ip xxx.xxx.xxx.xxx
!
-------public interface-----------
interface Ethernet1
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip nat outside
ip virtual-reassembly
service-policy output inbound-http
duplex auto
no cdp enable
!
-------virtual interface-----------
interface Virtual-Template1
ip unnumbered Ethernet1
ip access-group 150 in
ip mroute-cache
peer default ip address pool vpn-local
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2
ip unnumbered Ethernet1
ip access-group 151 in
ip mroute-cache
peer default ip address pool vpn-local2
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
ip local pool vpn-local xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip local pool vpn-local2 yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy
-----------access lists----------
ccess-list 150 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx log
access-list 150 permit ip yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy log
access-list 150 deny tcp any eq 1723 any
access-list 150 deny gre any any
access-list 150 permit tcp any xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list 151 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx log
access-list 151 permit ip yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy log
access-list 151 deny tcp any eq 1723 any
access-list 151 deny gre any any
Thanks for any help.
