
Problem with windows pptp client to 871 router - no traffic returning

cmonks
Level 1

I have an 871 router set up as a VPDN host. I can connect to it with a Windows XP client (which is behind another router PATing its address, if that helps), can ping the inside interface of the router, but no other LAN hosts. Traffic is making it to the hosts, but not returning (so no ping replies, etc.). I have attached what should be the interesting config. Any ideas greatly appreciated.

Accepted Solutions

Looks logical actually: both the PPTP pool and the local LAN are on the same segment, hence enabling proxy ARP solved the issue. Not a good practice though; the ideal thing will be to change the VPDN pool.


9 Replies

spremkumar
Level 9

Hi

Can you post your full configuration file here? I feel the one you have posted here is incomplete.

regds

Here you go.

Here is another config I just set up in a lab. This is with two 1811 routers, no access lists or firewalls. A Windows VPN client is connecting to the PPTP router from behind its own router (to simulate NAT). Same issue as before: the client connects and can ping the inside interface of the remote router, but cannot ping a host on its internal network. I have tried other services besides ping also.

What am I missing that allows access to internal networks?

Also tested without the Windows client behind a router. Connected the client directly to the same switch as the public interface of the router, connected the VPN, pinged the inside interface, but cannot ping other internal hosts.

I think I've found it! After enabling 'ip proxy-arp' on the internal vlan interface, it started working immediately.

Any ideas why this is so? Should I just leave proxy-arp enabled?

Hi Craig

Do refer to this link for more info on proxy ARP. I have replied to your mail too.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

regds

Looks logical actually: both the PPTP pool and the local LAN are on the same segment, hence enabling proxy ARP solved the issue. Not a good practice though; the ideal thing will be to change the VPDN pool.

So the PPTP pool should be a different network than the local LAN? I.e. LAN 192.168.10.0/24 and VPDN pool 192.168.20.0/24?

I had never thought of that. If I were to change it, and wanted to enable split tunneling in the future, would I then have to add a static route on the workstation for it to find the LAN segment?

Yeah, ideally it should be different pools, or else the LAN would be 'arping' for the IP in the LAN, assuming it is connected, instead of forwarding it to the router. That is why proxy ARP worked.

I have worked with split tunneling only in IPsec, in which the IPsec server injects routes dynamically into the workstation, so you wouldn't have to worry about the routing.
