Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Arg! What is wrong with my super simple dial-in VPN config?

I have a very simple dial-in VPN test, which ALMOST works, but not quite

I can connect up with my "testvpn" user just fine, my workstation gets a address from the VPDN pool

but I cannot PING the router or another device that I've got connected on my router's internal 4-port


I don't have any access lists (except for the one that defines my inside NAT range)

I suspect that I'm missing one stupid thing...any ideas?



version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption


hostname temp192168





enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx


no aaa new-model

ip cef



ip domain name


vpdn enable


vpdn-group 1

! Default PPTP VPDN group


protocol pptp

virtual-template 1

local name CIS

l2tp tunnel password 7

ip mtu adjust



username myuser secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx

username testvpn password 7 xxxxxxxxxxxxxxxxxxxxxxx


interface Loopback0

description just for internal PING & Telnet test

ip address


interface FastEthernet0


interface FastEthernet1


interface FastEthernet2


interface FastEthernet3


interface FastEthernet4

description WAN link to Internet

ip address

ip nat outside

ip virtual-reassembly

duplex auto

speed auto


interface Virtual-Template1

ip unnumbered FastEthernet0

ip nat inside

ip virtual-reassembly

peer default ip address pool VPDN

ppp encrypt mppe auto

ppp authentication ms-chap


interface Vlan1

description inside LAN address

ip address

ip nat inside

ip virtual-reassembly


ip local pool VPDN

ip route


no ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet4 overload


access-list 1 permit







line con 0

no modem enable

line aux 0

line vty 0 4

exec-timeout 60 0

login local

transport input telnet ssh


scheduler max-task-time 5000


New Member

Re: Arg! What is wrong with my super simple dial-in VPN config?

FYI: here's the Cisco CLI output from a PING of my locally connected device, a PING of my VPN connected workstation, the output from the "show vpdn tunnel" command, the output from the "show caller ip" command, and finally the output of the "show ip route" command. Everything seems normal, so why can't I PING between my VPN-connected workstation and anything on my 192.168.1.x net?


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 0 percent (0/5)

temp192168#show vpdn tunnel all

%No active L2TP tunnels

PPTP Tunnel Information Total tunnels 1 sessions 1

Tunnel id 7, 1 active sessions

Tunnel state is estabd, time since change 00:00:43

Remote tunnel name is

Internet Address, port 2199

Local tunnel name is CIS

Internet Address, port 1723

VPDN group: 1

72 packets sent, 96 received, 3741 bytes sent, 5224 received

Last clearing of "show vpdn" counters never

temp192168#show caller ip

Line User IP Address Local Number Remote Number <->

Vi3 testvpn - - in

temp192168#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is to network is subnetted, 1 subnets

C is directly connected, FastEthernet4

C is directly connected, Loopback0 is variably subnetted, 2 subnets, 2 masks

C is directly connected, Vlan1

C is directly connected, Virtual-Access3

S* [1/0] via


New Member

Re: Arg! What is wrong with my super simple dial-in VPN config?

Nevermind... I found my error.

Earlier in the day I was working on a different model router (with different interface names) and I put the wrong interface name into my Virtual-Template1 config.

Instead of "ip unnumbered FastEthernet0"

I used "ip unnumbered Vlan1" and it started working!

Too bad I can't rate my own replies, eh?