NAT config over PPTP VPN

ryan.chapman · ‎05-23-2007

I have an internal network 192.168.10.0/24 on Ethernet0, DSL (Dialer1 interface) is dynamically assigned by ISP, Loopback0 has a static public IP address 66.1.1.25. Traffic originating from outside (Dialer1) is NAT'd from 66.1.1.27 to 192.168.10.34, but when a VPN client connects via PPTP, they are assigned an address of 192.168.11.2 and cannot reach 66.1.1.27 because of NAT issues.

QUESTION: How can I NAT 66.1.1.27->192.168.10.34 for traffic that comes over PPTP VPN?

Note that both the Eth0 and Virtual-Template2 interfaces are "ip nat inside" because PPTP traffic is routed back out to the internet if the destination is not a local network (192.168.10.* or 192.168.11.*)

CONFIG:

!

hostname GW1

!

no access-list 101

! except VPN Client traffic from NAT process

access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 101 permit ip 192.168.11.0 0.0.0.255 any

ip nat inside source list 101 interface Loopback0 overload

!

!!

!! Forward www (port 80)

ip nat inside source static tcp 192.168.10.34 80 66.1.1.27 80 extendable

!!

!! Forward https (port 443)

ip nat inside source static tcp 192.168.10.34 443 66.1.1.27 443 extendable

!!

interface Ethernet0

ip address 192.168.10.1 255.255.255.0

ip nat inside

no ip redirects

no ip directed-broadcast

no ip proxy-arp

no ip route-cache

no ip mroute-cache

no cdp enable

hold-queue 100 out

!

interface Loopback0

ip address 66.x.x.x.255.255.248

!

aaa new-model

aaa session-id common

aaa authorization network default if-authenticated

aaa local authentication attempts max-fail 15

aaa authentication ppp default local

aaa authentication login default local-case

aaa authentication login aaaconsole none

aaa authentication username-prompt "Username: "

aaa authentication password-prompt "Password: "

aaa authentication fail-message "User authorization failure"

username XXX user-maxlinks 2 access-class 21 privilege 5 password 7 XXXXXXXXXXX

!

! PPTP: Point to Point Tunneling Protocol

vpdn enable

vpdn-group pptp

accept-dialin

protocol pptp

virtual-template 2

!

interface Virtual-Template 2

encapsulation ppp

ip address 192.168.11.1 255.255.255.0

ip nat inside

no keepalive

peer default ip address pool DIAL-IN

ppp encrypt mppe auto required

ppp authentication ms-chap ms-chap-v2

!

ip local pool DIAL-IN 192.168.11.2 192.168.11.254

async-bootp dns-server 192.168.10.34

async-bootp nbns-server 192.168.10.34

!

ip subnet-zero

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

interface ATM0

no ip address

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

dsl operating-mode auto

!

interface Dialer0

no ip address

!

interface Dialer1

ip address negotiated

ip verify unicast reverse-path

ip nat outside

encapsulation ppp

no ip redirects

no ip directed-broadcast

no ip proxy-arp

no ip mroute-cache

no ip unreachables

no ip mask-reply

no cdp enable

dialer pool 1

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname XXXX@bellsouth.net

ppp chap password 7 XXXXXXX

ppp pap sent-username XXXXX@bellsouth.net password 7 XXXXXX

ppp ipcp dns request

hold-queue 224 in

!

end

irisrios · ‎05-30-2007

Cisco Secure PIX Firewall to allow a Point-to-Point Tunneling Protocol (PPTP) client to connect to a PPTP server through Network Address Translation (NAT).

If you want to know more please click following URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a