05-23-2007 10:12 AM - edited 03-05-2019 04:15 PM
I have an internal network 192.168.10.0/24 on Ethernet0, DSL (Dialer1 interface) is dynamically assigned by ISP, Loopback0 has a static public IP address 66.1.1.25. Traffic originating from outside (Dialer1) is NAT'd from 66.1.1.27 to 192.168.10.34, but when a VPN client connects via PPTP, they are assigned an address of 192.168.11.2 and cannot reach 66.1.1.27 because of NAT issues.
QUESTION: How can I NAT 66.1.1.27->192.168.10.34 for traffic that comes over PPTP VPN?
Note that both the Eth0 and Virtual-Template2 interfaces are "ip nat inside" because PPTP traffic is routed back out to the internet if the destination is not a local network (192.168.10.* or 192.168.11.*)
CONFIG:
!
hostname GW1
!
no access-list 101
! Exempt LAN <-> VPN client traffic from the NAT process; everything else
! sourced from the two inside networks is PAT'd behind Loopback0.
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
ip nat inside source list 101 interface Loopback0 overload
!
!!
!! Forward www (port 80)
ip nat inside source static tcp 192.168.10.34 80 66.1.1.27 80 extendable
!!
!! Forward https (port 443)
ip nat inside source static tcp 192.168.10.34 443 66.1.1.27 443 extendable
!!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Loopback0
 ! public /29 that holds the NAT pool address 66.1.1.25 (host address redacted by the poster)
 ip address 66.x.x.x 255.255.255.248
!
aaa new-model
aaa session-id common
aaa authorization network default if-authenticated
aaa local authentication attempts max-fail 15
aaa authentication ppp default local
aaa authentication login default local-case
aaa authentication login aaaconsole none
aaa authentication username-prompt "Username: "
aaa authentication password-prompt "Password: "
aaa authentication fail-message "User authorization failure"
username XXX user-maxlinks 2 access-class 21 privilege 5 password 7 XXXXXXXXXXX
!
! PPTP: Point to Point Tunneling Protocol
vpdn enable
vpdn-group pptp
 accept-dialin
  protocol pptp
  virtual-template 2
!
interface Virtual-Template 2
 encapsulation ppp
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 no keepalive
 peer default ip address pool DIAL-IN
 ppp encrypt mppe auto required
 ! authentication methods are tried in the order listed, so MS-CHAPv1 is offered before v2
 ppp authentication ms-chap ms-chap-v2
!
ip local pool DIAL-IN 192.168.11.2 192.168.11.254
async-bootp dns-server 192.168.10.34
async-bootp nbns-server 192.168.10.34
!
ip subnet-zero
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 dsl operating-mode auto
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip verify unicast reverse-path
 ip nat outside
 encapsulation ppp
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no ip mroute-cache
 no ip unreachables
 no ip mask-reply
 no cdp enable
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname XXXX@bellsouth.net
 ppp chap password 7 XXXXXXX
 ppp pap sent-username XXXXX@bellsouth.net password 7 XXXXXX
 ppp ipcp dns request
 hold-queue 224 in
!
end
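One way to get the hairpin translation the question asks for, as an added example that is not part of the original post or the poster's configuration: move the router from domain-based NAT (`ip nat inside` / `ip nat outside`) to a NAT Virtual Interface (NVI, `ip nat enable`, available from IOS 12.3(14)T). With domain-based NAT a global address is only rewritten to its inside host on packets arriving through an `ip nat outside` interface, so a packet from a PPTP client (192.168.11.x on Virtual-Template 2, an inside interface) to 66.1.1.27 is never matched against the static entries. With NVI the translation is applied to any packet crossing two `ip nat enable` interfaces, which is exactly the VPN-to-LAN case here. The addresses, Loopback0 and ACL 101 are taken from the question; the command set, the IOS version requirement and the verification steps are assumptions about the poster's platform.

```cisco
! Added example (not the poster's config): hairpin NAT for PPTP clients with a
! NAT Virtual Interface. Assumes IOS 12.3(14)T or later. The whole box is moved
! to NVI; domain-based and NVI translation must not be mixed on the same path.
!
! 1. Remove the domain-based translation rules and the interface roles.
no ip nat inside source list 101 interface Loopback0 overload
no ip nat inside source static tcp 192.168.10.34 80 66.1.1.27 80 extendable
no ip nat inside source static tcp 192.168.10.34 443 66.1.1.27 443 extendable
!
interface Ethernet0
 no ip nat inside
 ip nat enable
!
interface Virtual-Template 2
 no ip nat inside
 ip nat enable
!
interface Dialer1
 no ip nat outside
 ip nat enable
!
! 2. Re-create the same translations without the "inside" keyword. ACL 101 is
!    unchanged: LAN <-> VPN traffic stays untranslated, everything else from the
!    two inside networks is PAT'd behind Loopback0, and 66.1.1.27:80/443 still
!    map to the server.
ip nat source list 101 interface Loopback0 overload
ip nat source static tcp 192.168.10.34 80 66.1.1.27 80 extendable
ip nat source static tcp 192.168.10.34 443 66.1.1.27 443 extendable
!
! 3. Verify from a connected PPTP client: browse to https://66.1.1.27/ (or
!    "telnet 66.1.1.27 80"), then look at the NVI table on the router:
!    show ip nat nvi translations
!    show ip nat nvi statistics
!    A working hairpin shows an entry for 66.1.1.27:443 -> 192.168.10.34:443
!    with the PPTP client's address on the other side.
```

Two caveats. First, depending on the order in which the platform applies the source and destination translations, the server may see the connection arriving from Loopback0's address (66.1.1.25) rather than from 192.168.11.x; if the server's logs or ACLs need the real VPN client address, an assumed extra line `access-list 101 deny ip 192.168.11.0 0.0.0.255 host 66.1.1.27` placed ahead of the permit entries keeps the client source untranslated, and the reply from 192.168.10.34 is still rewritten to 66.1.1.27 by the static entry because it crosses two NAT-enabled interfaces. Second, the VPN clients already receive 192.168.10.34 as their DNS server (the `async-bootp dns-server` line), so answering the public hostname with the internal address from that server (split DNS) avoids the hairpin entirely and is the lower-risk fix if only name-based access is needed.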
05-30-2007 06:02 AM
Configuring the Cisco Secure PIX Firewall to allow a Point-to-Point Tunneling Protocol (PPTP) client to connect to a PPTP server through Network Address Translation (NAT).
If you want to know more, please follow this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a