07-21-2006 02:12 AM - edited 03-09-2019 03:39 PM
Hello!
It's the second time that I ask this question, but the first time I didn't get a satisfactory answer.
I'm using a VPDN connection from outside a company to a Cisco 831 router which acts as the end of a VPN tunnel.
Generally speaking, the VPDN configuration looks like this:
- usernames and passwords are kept on the router locally
- for the connection I use the Windows built-in VPN client
- when the client is authenticated, the router assigns it an IP address from a local pool which is also kept on the router.
I'd like to achieve the following: depending on the IP address from which the remote client connects, the router would assign it a different local IP address. The source addresses are configured in access lists.
Now remote clients always get the same local IP address irrespective of their source. The default VPDN group is always used for the connection.
This is the interesting part of the configuration:
----------
username qad password 7 <removed>
username admin password 7 <removed>
username dst password 7 <removed>
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
vpdn enable
vpdn logging
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
source-ip <public ip of the router>
!
vpdn-group 2
accept-dialin
protocol pptp
virtual-template 2
source-ip <public ip of the router>
interface Ethernet1
ip address <public ip of the router> <mask>
ip access-group 150 in
ip nat outside
ip virtual-reassembly
service-policy output inbound-http
duplex auto
no cdp enable
interface Virtual-Template1
ip unnumbered Ethernet1
ip access-group local1 in
ip mroute-cache
peer default ip address pool local1
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2
ip unnumbered Ethernet1
ip access-group local2 in
ip mroute-cache
peer default ip address pool local2
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
ip local pool local1 192.168.2.1 192.168.2.5
ip local pool local2 192.168.3.1 192.168.3.5
ip access-list extended local1
permit ip 192.168.2.1 0.0.0.5 any log
ip access-list extended local2
permit ip 192.168.3.1 0.0.0.5 any log
access-list 150 permit ip <client 1 ip address> <mask> <public ip of the router> <mask> log
access-list 150 permit ip <client 2 ip address> <mask> <public ip of the router> <mask> log
-----------------------
Thanks for any ideas.
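The ACLs and pools above use a non-contiguous wildcard (0.0.0.5), which is legal in IOS but matches a scattered set of addresses rather than a range. The following added example (not part of the original post, and not Cisco code) expands an address/wildcard pair the way IOS evaluates it and reports which pool addresses the permit line does not cover; the pool and ACL values are the ones posted in the thread, and the `covering_wildcard` helper that proposes a block-aligned replacement is an assumption about the intended policy (permit the whole pool).

```python
import ipaddress


def wildcard_matches(base, wildcard):
    """Expand an IOS 'address wildcard' pair into the set of addresses it matches.

    In a wildcard mask a 1 bit means "don't care", so the match set has
    2 ** popcount(wildcard) members. Non-contiguous wildcards such as 0.0.0.5
    are accepted by IOS but match a scattered set, not a contiguous range.
    """
    base_int = int(ipaddress.IPv4Address(base))
    wc_int = int(ipaddress.IPv4Address(wildcard))
    fixed = base_int & ~wc_int & 0xFFFFFFFF
    free_bits = [i for i in range(32) if (wc_int >> i) & 1]
    matches = set()
    for combo in range(1 << len(free_bits)):
        addr = fixed
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                addr |= 1 << bit
        matches.add(ipaddress.IPv4Address(addr))
    return matches


def pool_addresses(first, last):
    """All addresses an 'ip local pool <name> <first> <last>' can hand out."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return {ipaddress.IPv4Address(i) for i in range(a, b + 1)}


def uncovered_pool_addresses(pool_first, pool_last, acl_base, acl_wildcard):
    """Pool addresses that the ACL's permit line does not match.

    Traffic from a client holding one of these addresses falls through to the
    ACL's implicit deny, so the VPN works for some pool members and not others.
    """
    missing = pool_addresses(pool_first, pool_last) - wildcard_matches(acl_base, acl_wildcard)
    return [str(a) for a in sorted(missing)]


def covering_wildcard(pool_first, pool_last):
    """Smallest block-aligned (address, wildcard) pair that contains the whole pool."""
    a = int(ipaddress.IPv4Address(pool_first))
    b = int(ipaddress.IPv4Address(pool_last))
    for prefix in range(32, -1, -1):  # grow the block until it contains first..last
        net = ipaddress.ip_network(f"{pool_first}/{prefix}", strict=False)
        if int(net.network_address) <= a and b <= int(net.broadcast_address):
            return str(net.network_address), str(net.hostmask)
    raise AssertionError("unreachable: a /0 contains every address")


if __name__ == "__main__":
    # Pools and ACL permit lines exactly as posted in the thread
    posted = [
        ("local1", "192.168.2.1", "192.168.2.5", "192.168.2.1", "0.0.0.5"),
        ("local2", "192.168.3.1", "192.168.3.5", "192.168.3.1", "0.0.0.5"),
    ]
    for name, first, last, base, wc in posted:
        print(name, "matched by ACL:", sorted(str(a) for a in wildcard_matches(base, wc)))
        print(name, "pool addresses not permitted:", uncovered_pool_addresses(first, last, base, wc))
        addr, mask = covering_wildcard(first, last)
        print(name, "block-aligned alternative:", f"permit ip {addr} {mask} any log")
```

Run stand-alone, the script shows that `192.168.2.1 0.0.0.5` matches .0, .1, .4 and .5 only, so pool members .2 and .3 are never permitted; the same holds for `local2`. A /29-aligned line such as `permit ip 192.168.2.0 0.0.0.7 any log` covers the whole pool (and two unused addresses), which is usually the simpler thing to audit.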
07-21-2006 04:45 AM
Not sure how many tunnels you have. I can think of 2 things:
a) If you want to do local authentication, then configure as many tunnels as there are IPs and give them each a different hostname and a different virtual template, each bound to a different local pool. It is quite cumbersome, but the only thing I could think of for now.
b) Use a RADIUS server to return the Framed-IP attribute depending on the source IP or the user-id.
Let me know if it helps.
07-21-2006 06:00 AM
Big thanks for your reply.
I think your solutions are quite nice, but can you give more detailed information on how to configure it?
Maybe some examples of statements in my config... :)
Thanks in advance.
07-24-2006 11:21 PM
Dear attrgautam, can you provide me with a little more explanation on how to implement the solutions you wrote?
Nothing big, just a few examples of statements...
Thanks.
07-25-2006 12:15 AM
Hi there,
Solution 1 would be somewhat like this:
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname1
vpdn-group 2
accept-dialin
protocol l2tp
virtual-template 2
terminate-from hostname2
Each virtual-template is configured for a different IP pool. Not very good, as it will need creating a new group for each user.
2) You can configure the RADIUS server to return Framed-IP. In the RADIUS server you need to map this user to the Framed-IP, or you can set the IP depending on the source IP, which is possible if I am correct. Just set aaa authentication ppp to radius and it should work. I am not sure about the RADIUS config. Other folks on this forum may be able to help you with that.
Let me know if you need any other info.
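The second option in the answer above relies on the RADIUS server putting a Framed-IP-Address attribute into its Access-Accept, chosen per user or per source address. The following added example (not part of the reply, and not any RADIUS server's real code) builds that exchange on both sides with only the Python standard library: the NAS-side Access-Request with the attributes the decision needs, the server-side policy lookup and signed Access-Accept, and the NAS-side check of the Response Authenticator before the attribute is trusted. Assumptions: the router reports the tunnel's public source address in Calling-Station-Id (attribute 31), which should be confirmed on the router before basing policy on it; the client addresses and shared secret are constructed placeholders; the MS-CHAPv2 credential attributes a real request carries are omitted, so authentication itself is outside the example.

```python
import hashlib
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME = 1            # RFC 2865 attribute numbers
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31

# Constructed policy table (assumption): the address a client gets is keyed on the
# public source address the router reports. Client addresses are RFC 5737 placeholders.
FRAMED_IP_BY_SOURCE = {
    "198.51.100.10": "192.168.2.1",   # "client 1" in the thread
    "203.0.113.20": "192.168.3.1",    # "client 2" in the thread
}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting a truncated header or an impossible length."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident, request_auth, user, calling_station):
    """NAS side: an Access-Request carrying only the attributes this example uses.

    A real router also sends the MS-CHAPv2 credential attributes; they are omitted
    here because only the address-assignment decision is being demonstrated.
    """
    body = encode_attrs([(ATTR_USER_NAME, user.encode()),
                         (ATTR_CALLING_STATION_ID, calling_station.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def handle_access_request(request, secret):
    """Server side: choose the Framed-IP-Address from policy and sign the Access-Accept.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    per RFC 2865 section 3. This function assumes the caller has already verified the
    user's credentials; it only decides which address the accepted user receives.
    """
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    calling = attrs.get(ATTR_CALLING_STATION_ID, b"").decode(errors="replace")
    resp_attrs = []
    framed = FRAMED_IP_BY_SOURCE.get(calling)
    if framed is not None:  # no Framed-IP-Address means the router falls back to its local pool
        resp_attrs.append((ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed).packed))
    body = encode_attrs(resp_attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting any attribute."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request_auth + body + secret).digest() == resp_auth


def framed_ip_from_response(response):
    """The address the router would assign, or None if the server returned none."""
    value = decode_attrs(response[20:]).get(ATTR_FRAMED_IP_ADDRESS)
    return str(ipaddress.IPv4Address(value)) if value else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # placeholder, not a real key
    request_auth = bytes(range(16))              # a real NAS uses 16 random bytes
    req = build_access_request(7, request_auth, "qad", "198.51.100.10")
    resp = handle_access_request(req, secret)
    print("authenticator valid:", verify_response(resp, request_auth, secret))
    print("assigned address:", framed_ip_from_response(resp))
```

The point of `verify_response` is that the Framed-IP-Address is only as trustworthy as the shared secret and the authenticator check: a NAS that skipped the check would accept whatever address a spoofed reply carried. Mapping on user name instead of source address is the same code with `FRAMED_IP_BY_SOURCE` keyed on `ATTR_USER_NAME`.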
07-25-2006 01:10 AM
Thanks again for your reply.
Just one question:
Is the hostname the real full name of the host initiating the connection, set by some ISP, like for example:
unregister123456.c28.msk.pl
07-25-2006 02:09 AM
Yes, the device which initiates the tunnel: the LNS if L2TP, or the PC if PPTP.