676 Views | 8 Helpful | 6 Replies

VPDN on Cisco 831

sudermaniak
Level 1

Hello !

It's the second time I'm asking this question; the first time I didn't get a satisfactory answer.

I'm using a VPDN connection from outside the company to a Cisco 831 router, which acts as the end of the VPN tunnel.

Generally speaking, the VPDN configuration looks like this:

- usernames and passwords are kept locally on the router

- for the connection I use the Windows built-in VPN client

- when a client is authenticated, the router assigns it an IP address from a local pool, which is also kept on the router.

I'd like to achieve the following: depending on the IP address from which the remote client connects, the router would assign it a different local IP address. The source addresses are configured in access lists.

Right now remote clients always get the same local IP address irrespective of their source. The default VPDN group is always used for the connection.

This is the interesting part of the configuration:

----------
username qad password 7 <removed>
username admin password 7 <removed>
username dst password 7 <removed>
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
vpdn enable
vpdn logging
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip <public ip of the router>
!
vpdn-group 2
 accept-dialin
  protocol pptp
  virtual-template 2
 source-ip <public ip of the router>
interface Ethernet1
 ip address <public ip of the router> <mask>
 ip access-group 150 in
 ip nat outside
 ip virtual-reassembly
 service-policy output inbound-http
 duplex auto
 no cdp enable
interface Virtual-Template1
 ip unnumbered Ethernet1
 ip access-group local1 in
 ip mroute-cache
 peer default ip address pool local1
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2
 ip unnumbered Ethernet1
 ip access-group local2 in
 ip mroute-cache
 peer default ip address pool local2
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool local1 192.168.2.1 192.168.2.5
ip local pool local2 192.168.3.1 192.168.3.5
ip access-list extended local1
 permit ip 192.168.2.1 0.0.0.5 log
ip access-list extended local2
 permit ip 192.168.3.1 0.0.0.5 log
access-list 150 permit ip <client 1 ip address> <mask> <public ip of the router> <mask> log
access-list 150 permit ip <client 2 ip address> <mask> <public ip of the router> <mask> log
-----------------------

Thanks for any ideas.

6 Replies

attrgautam
Level 5

Not sure how many tunnels you have. I can think of 2 things:

a) If you want to do local authentication, then configure as many tunnels as there are IPs and give each of them a different hostname and a different virtual template, each bound to a different local pool. It is quite cumbersome, but the only thing I could think of for now.

b) Use a RADIUS server to return the Framed-IP attribute depending on the source IP or the user-id.

Let me know if it helps

Big thanks for your reply.

I think your solutions are quite nice, but can you give more detailed information on how to configure them?

Maybe some examples of statements in my conf .. :)

Thanks in advance.

Dear attrgautam, can you provide me with a little more explanation on how to implement the solutions you wrote?

Nothing big, just a few examples of statements ...

Thanks.

Hi there,

Solution 1 would be somewhat like this:

vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname1
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 2
 terminate-from hostname2

Each virtual-template is configured for a different IP pool. Not very good, as it will need a new group for each user.

2) You can configure the RADIUS server to return the Framed-IP. In the RADIUS server you need to map this user to the Framed-IP, or you can set the IP depending on the source IP, which is possible if I am correct. Just set aaa authentication ppp to radius and it should work. I am not sure about the RADIUS config. Other folks on this forum may be able to help you with that.

Let me know if you need any other info.
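Option 2 spelled out as an added example (not attrgautam's or Cisco's own configuration): the router authenticates PPP users against RADIUS and accepts the Framed-IP-Address returned in the Access-Accept, and a FreeRADIUS "users" file maps each account to a fixed address. The server address 192.0.2.10, the shared secret, the passwords and the choice of FreeRADIUS are assumptions; the older "radius-server host" syntax is used because that is what the 12.x images on the 831 accept.

```text
! ---- Router side (Cisco IOS 12.x) ----
! Added example, not the original post's running config.
aaa new-model
! Ask RADIUS first; fall back to the local usernames only if the server is unreachable
aaa authentication ppp default group radius local
! Network authorization is what lets a Framed-IP-Address in the Access-Accept
! override "peer default ip address pool" on the Virtual-Template
aaa authorization network default group radius local
! Assumed RADIUS server and shared secret
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared secret>
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 ! Pool stays as the fallback for accounts without a Framed-IP-Address
 peer default ip address pool local1
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
# ---- FreeRADIUS "users" file (assumed server) ----
# MS-CHAPv2 needs the cleartext (or NT-Password) on the server; the mschap
# module also returns the MS-MPPE keys that "ppp encrypt mppe" requires.
# Each account gets its own address, taken from the pools in the post.
qad   Cleartext-Password := "<password>"
      Service-Type = Framed-User,
      Framed-Protocol = PPP,
      Framed-IP-Address = 192.168.2.1
dst   Cleartext-Password := "<password>"
      Service-Type = Framed-User,
      Framed-Protocol = PPP,
      Framed-IP-Address = 192.168.3.1
```

With this in place, "debug radius" on the router shows the Framed-IP-Address attribute arriving in the Access-Accept, which is the quickest way to confirm the override is actually applied rather than the pool.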

Thanks again for your reply.

Just one question:

Is the hostname the real full name of the host initiating the connection, as set by the ISP, like for example:

unregister123456.c28.msk.pl

Yes, the device which initiates the tunnel: the LNS if L2TP, or the PC if PPTP.
