Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PPTP client not able to browse internet without split tunneling

Hi all,

I want to configure a 871 router to act as a PPTP server, but the PPTP client (win xp) should be able to access the Internet through the tunnel, and not with "split tunneling" (it means all traffic coming out from the windows client should be tunneled).

In the PPTP client, I have checked the option "use default gateway on remote network" in TCP/IP properties, because the client should NOT access the Internet directly. I am able to establish the PPTP connection and access computers behind the 871, but it is not possible to browse Internet.

I have configured the router like this :

vpdn-group 1

accept-dialin

protocol pptp

virtual-template 1

...

interface Vlan1

ip address 192.168.1.1 255.255.255.0

ip nat inside

...

interface Virtual-Template1

ip address 192.168.2.1 255.255.255.0

peer default ip address pool Pool-For-Vpn-Client

ppp authentication chap ms-chap

...

ip local pool Pool-For-Vpn-Client 192.168.2.10 192.168.2.20

...

ip nat inside source list 100 interface FastEthernet4 overload

...

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

The target is to tunnel all the traffic as if the PPTP client is in the LAN behind the 871. Unfortunately, the only solution is to do the split tunneling by allowing the PPTP client to uncheck the "use default gateway on remote network" option, which is not what I want :-)

Any ideas? I saw a lot of things of some newsgroups but they all want the opposite (VPN access, and internet access but not through the VPN tunnel).

Thanks,

Jason

1 REPLY
New Member

Re: PPTP client not able to browse internet without split tunnel

Ok, I found the solution myself :

Because the client is connected to Virtual-Template1, I also have to add "ip nat inside" to Virtual-Template1, and "access-list 100 permit ip 192.168.2.0 0.0.0.255 any" to enable the NAT translation for packets comings from the VPN clients :-)

It was so obvious!

Jason

368
Views
0
Helpful
1
Replies
CreatePlease to create content