Cisco vpdn templates
18 years 6 months ago #14342
by suderman
Hello!
We're using a VPDN connection from outside the company to a Cisco 800 series router which acts as an end of a VPN tunnel.
Generally speaking, the VPDN configuration looks like this:
- Usernames and passwords are kept on the router.
- For the connection I use the Windows built-in VPN client.
- When a client is authenticated, the router assigns it an IP address from a local pool which is also kept on the router.
I'd like to achieve the following:
Depending on the IP address from which the remote client is connecting, the router will assign it a different local IP address. Source addresses are configured in access lists.
So I'd like to use a different vpdn template depending on the source IP address of the remote client.
We have only one public IP address.
Now remote clients always get the same local IP address.
This is the interesting part of the configuration:
[code:1]vpdn enable
vpdn logging
vpdn logging user
vpdn logging tunnel-drop
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip <public_ip-eth1>
!
vpdn-group 2
 description VPDN Group for DST Windows VPN clients
 accept-dialin
  protocol pptp
  virtual-template 2
 source-ip <public_ip-eth1>
!
! public interface
interface Ethernet1
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip nat outside
 ip virtual-reassembly
 service-policy output inbound-http
 duplex auto
 no cdp enable
!
! virtual interfaces
interface Virtual-Template1
 ip unnumbered Ethernet1
 ip access-group 150 in
 ip mroute-cache
 peer default ip address pool vpn-local
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2
 ip unnumbered Ethernet1
 ip access-group 151 in
 ip mroute-cache
 peer default ip address pool vpn-local2
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool vpn-local xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip local pool vpn-local2 yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy
!
! access lists
access-list 150 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx log
access-list 150 permit ip yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy log
access-list 150 deny tcp any eq 1723 any
access-list 150 deny gre any any
access-list 150 permit tcp any xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
access-list 151 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx log
access-list 151 permit ip yyy.yyy.yyy.yyy yyy.yyy.yyy.yyy log
access-list 151 deny tcp any eq 1723 any
access-list 151 deny gre any any
end
[/code:1]
Thanks for any help.
18 years 6 months ago #14347
by suderman
Sorry, small mistake!
I meant not to have multiple vpdn-templates but to have multiple vpdn groups, each with a different virtual-template interface assigned.
The problem is that when a remote client connects, it always uses the default vpdn group and the template assigned to it.
So my goal is to have groups of source IP addresses or users, each assigned to a different vpdn group.