Cisco
istokin, 2017-07-23 09:14:05

How to configure client routing through a router to a PPTP network over PPPoE on a Cisco 877?

Configuration file:

Building configuration...
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
service internal
!
hostname 877
!
boot-start-marker
boot system flash c870-advsecurityk9-mz.151-4.M10.bin
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
dot11 syslog
!
dot11 ssid wifi
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 pass
!
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool home-net
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server x.x.x.x x.x.x.x
 lease 0 2
!
!
!
ip cef
ip inspect WAAS flush-timeout 10
ip domain name home.local
ip name-server x.x.x.x
!
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 request-dialin
  protocol pptp
  pool-member 20
 initiate-to ip x.x.x.x
!
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
!
bridge irb
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl bitswap both
!
interface ATM0.1 point-to-point
 description ADSL-PPPOE
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface ATM0.2 point-to-point
 description ADSL-IPTV
 bridge-group 2
 bridge-group 2 spanning-disabled
 pvc 8/36
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 description ADSL-IPTV
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 broadcast-key vlan 1 change 45
 !
 !
 ssid wifi
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 rts threshold 2312
!
interface Dot11Radio0.1
 description WiFi
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description LAN-Network
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description ADSL-IPTV
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface Dialer0
 description ADSL-PPPOE
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp chap hostname user
 ppp chap password 0 pass
 no cdp enable
!
interface Dialer1
 description VPN
 ip address negotiated
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 20
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer vpdn
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname user
 ppp chap password 0 pass
 no cdp enable
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface BVI2
 no ip address
 ip igmp version 3
!
ip forward-protocol nd
!
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.18.0.0 255.255.0.0 Dialer1
!
access-list 100 permit ip any any
no cdp run
!
!
control-plane
!
bridge 1 route ip
!
end

With the current config, the PPTP network can be pinged from the router, but not from clients in vlan1.


1 answer(s)
istokin, 2017-07-23
@istokin

The rest of the config remained unchanged; this is how the critical part now looks:

!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source list 135 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.18.0.0 255.255.0.0 Dialer1
!
access-list 100 deny ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 135 permit ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.255.255
!

Comment:
Since Dialer1 receives a dynamic address, there is no way to set a reverse route, so it follows that there will be NAT. NAT will apply on the condition that the traffic of interest to us goes to another interface (Dialer1), which means that we must not let that traffic into the default interface (Dialer0).
Do not forget to reset the NAT translation table when checking: clear ip na tr *
