I have an 871 router set up as a VPDN host. I can connect to it with a Windows XP client (which is behind another router PATing its address, if that helps), can ping the inside interface of the router, but no other LAN hosts. Traffic is making it to the hosts, but not returning (so no ping replies, etc). I have attached what should be the interesting config. Any ideas greatly appreciated.
Can you post your full configuration file here? I feel the one you have posted here is incomplete.
Here is another config I just set up in a lab. This is with two 1811 routers, no access lists or firewalls. A Windows VPN client is connecting to the PPTP router from behind its own router (to simulate NAT). Same issue as before. The client connects, can ping the inside interface of the remote router, but cannot ping a host on its internal network. I have tried other services besides ping also.
What am I missing that allows access to internal networks?
Also tested without the Windows client behind a router. Connected the client directly to the same switch as the public interface of the router, connected the VPN, pinged the inside interface, but cannot ping other internal hosts.
I think I've found it! After enabling 'ip proxy-arp' on the internal vlan interface, it started working immediately.
Any ideas why this is so? Should I just leave proxy-arp enabled?
Do refer to this link for more info on proxy ARP. I have replied to your mail too.
So the PPTP pool should be a different network than the local LAN? i.e. LAN 192.168.10.0/24 and VPDN pool 192.168.20.0/24?
I had never thought of that. If I were to change it, and wanted to enable split tunneling in the future, would I then have to add a static route on the workstation for it to find the LAN segment?
Yeah, ideally it should be different pools, or else the LAN would be 'arping' for the IP in the LAN, assuming it is connected, instead of forwarding it to the router. That is why proxy ARP worked.
I have worked with split-tunneling only in IPsec, in which the IPsec server injects routes dynamically into the workstation, so you wouldn't have to worry about the routing.
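
An added example, not part of the thread and not Cisco's code: a small Python check that reads IOS-style configuration text and reports any `ip local pool` range that falls inside an interface's own subnet, together with whether proxy ARP is still enabled there. The sample config, pool names and addresses are constructed, and the check assumes proxy ARP is on unless `no ip proxy-arp` appears under the interface.

```python
import ipaddress
import re

# Constructed sample config (not the poster's attachment): the PPTP pool sits
# inside the Vlan1 LAN subnet and proxy ARP is disabled on that interface.
SAMPLE_CONFIG = """\
ip local pool PPTP-POOL 192.168.10.200 192.168.10.210
ip local pool REMOTE-POOL 192.168.20.10 192.168.20.20
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.252
"""

def parse_config(text):
    """Return (pools, interfaces) parsed from IOS-style config text."""
    pools, interfaces, current = {}, {}, None
    for line in text.splitlines():
        pool = re.match(r"ip local pool (\S+) (\S+)(?: (\S+))?\s*$", line)
        intf = re.match(r"interface (\S+)", line)
        addr = re.match(r"\s+ip address (\S+) (\S+)\s*$", line)
        if pool:
            first = ipaddress.IPv4Address(pool.group(2))
            last = ipaddress.IPv4Address(pool.group(3) or pool.group(2))
            pools[pool.group(1)] = (first, last)
        elif intf:
            # Assumption: proxy ARP is enabled unless explicitly negated.
            current = interfaces.setdefault(intf.group(1), {"net": None, "proxy_arp": True})
        elif not line.startswith(" "):
            current = None  # left the interface sub-mode
        elif current is not None and addr:
            current["net"] = ipaddress.IPv4Interface("/".join(addr.groups())).network
        elif current is not None and line.strip() == "no ip proxy-arp":
            current["proxy_arp"] = False
    return pools, interfaces

def find_overlaps(text):
    """List (pool, interface, proxy_arp_enabled) where a pool lies in an interface subnet."""
    pools, interfaces = parse_config(text)
    hits = []
    for pool, (first, last) in pools.items():
        for name, intf in interfaces.items():
            if intf["net"] and (first in intf["net"] or last in intf["net"]):
                hits.append((pool, name, intf["proxy_arp"]))
    return hits
```

A hit with proxy ARP disabled matches the symptom in this thread (LAN hosts ARP for the client address and get no answer); a hit with proxy ARP enabled means the design depends on that setting staying on.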