10-30-2006 08:13 PM - edited 03-09-2019 04:43 PM
I have an 871 router set up as a VPDN host. I can connect to it with a Windows XP client (which is behind another router PATing its address, if that helps) and can ping the inside interface of the router, but no other LAN hosts. Traffic is making it to the hosts, but not returning (so no ping replies, etc.). I have attached what should be the interesting config. Any ideas greatly appreciated.
10-31-2006 03:49 AM
Hi
Can you post your full configuration file here? I feel the one you have posted here is incomplete.
regds
10-31-2006 09:02 AM
10-31-2006 11:11 AM
Here is another config I just set up in a lab. This is with two 1811 routers, no access lists or firewalls. A Windows VPN client is connecting to the PPTP router from behind its own router (to simulate NAT). Same issue as before: the client connects and can ping the inside interface of the remote router, but cannot ping a host on its internal network. I have tried other services besides ping also.
What am I missing that allows access to internal networks?
11-01-2006 09:26 AM
Also tested without the Windows client behind a router. Connected the client directly to the same switch as the public interface of the router, connected the VPN, pinged the inside interface, but cannot ping other internal hosts.
11-01-2006 10:33 AM
I think I've found it! After enabling 'ip proxy-arp' on the internal VLAN interface, it started working immediately.
Any ideas why this is so? Should I just leave proxy-arp enabled?
11-02-2006 01:51 AM
Hi Craig
Do refer to this link for more info on proxy ARP. I have replied to your mail too.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml
regds
11-02-2006 02:31 AM
Looks logical actually: both the PPTP pool and the local LAN are on the same segment, hence enabling proxy ARP solved the issue. Not a good practice though; the ideal thing will be to change the VPDN pool.
11-02-2006 09:18 AM
So the PPTP pool should be a different network than the local LAN? I.e. LAN 192.168.10.0/24 and VPDN pool 192.168.20.0/24?
I had never thought of that. If I were to change it, and wanted to enable split tunneling in the future, would I then have to add a static route on the workstation for it to find the LAN segment?
11-02-2006 08:28 PM
Yeah, ideally it should be different pools, or else the LAN would be 'arping' for the IP in the LAN, assuming it is connected, instead of forwarding it to the router. That is why proxy ARP worked.
I have worked with split tunneling only in IPsec, in which the IPsec server injects routes dynamically into the workstation, so you wouldn't have to worry about the routing.
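As an added example (not part of the thread or any poster's configuration), this Python script audits an IOS-style config for the condition the replies describe: a VPN address pool that falls inside a LAN interface's subnet, together with that interface's proxy ARP state. The sample config, pool names and interface names are constructed, and the script assumes proxy ARP counts as enabled unless `no ip proxy-arp` appears under the interface.

```python
import ipaddress
import re

# Constructed sample config; addresses follow the 192.168.10.0/24 and
# 192.168.20.0/24 examples used in the thread.
SAMPLE_CONFIG = """\
ip local pool PPTP-POOL 192.168.10.200 192.168.10.220
ip local pool ROUTED-POOL 192.168.20.10 192.168.20.50
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.252
"""

def parse(config):
    """Return (pools, interfaces) extracted from IOS-style config text."""
    pools, ifaces, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"interface (\S+)", line):
            # Assumption: proxy ARP is on unless explicitly negated below.
            current = ifaces.setdefault(m[1], {"net": None, "proxy_arp": True})
        elif current is not None and (m := re.match(r"\s+ip address (\S+) (\S+)$", line)):
            current["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif current is not None and line.strip() == "no ip proxy-arp":
            current["proxy_arp"] = False
    return pools, ifaces

def audit(config):
    """List (pool, interface, proxy_arp_enabled) for pools inside an interface subnet."""
    pools, ifaces = parse(config)
    findings = []
    for pname, (first, last) in pools.items():
        for iname, iface in ifaces.items():
            net = iface["net"]
            if net is not None and (first in net or last in net):
                findings.append((pname, iname, iface["proxy_arp"]))
    return findings

if __name__ == "__main__":
    for pool, iface, proxy in audit(SAMPLE_CONFIG):
        # Overlap means LAN hosts ARP for the VPN client instead of routing to it.
        state = "answered by proxy ARP" if proxy else "unanswered: return traffic is lost"
        print(f"{pool} overlaps {iface}; LAN ARP requests for clients are {state}")
```

A pool reported with proxy ARP disabled matches the symptom in the first post; a pool that is not reported at all, like the constructed `ROUTED-POOL`, is the separate-subnet layout the replies recommend.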