Intermittent VPN connection - newbie

Unanswered Question
Jul 7th, 2010

My company has a secure VPN connection with a customer that has recently become unstable. It seems that only one workstation on our LAN can use this connection at a time, where, in the past, everyone on the LAN could connect concurrently. At times, no one can connect. I would greatly appreciate someone looking at the below config to see if there is a problem with the routing or NAT.

Our internal subnets are 10.0.0.0 and 10.5.0.0

The internal e0 address on the Cisco 1721 is 10.2.0.1 (which connects directly to a SonicWall router/firewall with an address of 10.2.0.2 - the 10.2 subnet is passed to the other internal subnets)

The config file is below:

Building configuration...

Current configuration : 1837 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname amk_rtr_01
!
logging queue-limit 100
logging buffered 4096 debugging
logging console informational
enable secret 5 XXXXXX
enable password XXXXX
!
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXX address 15.195.201.201
!
!
crypto ipsec transform-set CPQTRANSsha esp-3des esp-sha-hmac
!
crypto map CPQ 10 ipsec-isakmp
description Remote Partner Side - Amkotron
set peer 15.195.201.201
set transform-set CPQTRANSsha
set pfs group2
match address HPVPN
!
!
!
!
interface Ethernet0
description Amkotron Internal LAN Interface
ip address 10.2.0.1 255.255.255.0
ip nat inside
full-duplex
!
interface FastEthernet0
description Amkotron External Internet Interface
ip address 72.18.24.19 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat outside
speed auto
crypto map CPQ
!
ip nat pool tohp 72.18.24.21 72.18.24.21 netmask 255.255.255.240
ip nat inside source route-map MAP-108 pool tohp
ip classless

ip route 0.0.0.0 0.0.0.0 72.18.24.17
ip route 10.0.0.0 255.255.255.0 10.2.0.2
ip route 10.5.0.0 255.255.255.0 10.2.0.2
ip route 15.0.0.0 255.0.0.0 72.18.24.17
ip route 16.0.0.0 255.0.0.0 72.18.24.17
no ip http server
no ip http secure-server
!
!
!
ip access-list extended HPVPN
permit ip host 72.18.24.21 16.0.0.0 0.255.255.255
permit ip host 72.18.24.21 15.0.0.0 0.255.255.255
!
access-list 108 permit ip 10.0.0.0 0.255.255.255 15.0.0.0 0.255.255.255
access-list 108 permit ip 10.0.0.0 0.255.255.255 16.0.0.0 0.255.255.255
!
route-map MAP-108 permit 10
match ip address 108
!
!
line con 0
password XXXXX
login
line aux 0
line vty 0 4
password XXXXX
login
!
end

Our problem started when the SonicWall died and we manually configured the replacement unit.  After the new SonicWall was done, we had to add the below IP Routes to the Cisco to make it work:

ip route 10.0.0.0 255.255.255.0 10.2.0.2
ip route 10.5.0.0 255.255.255.0 10.2.0.2

These routes were not part of the Cisco configuration before the SonicWall failure, and everything did work; I don't know why we had to add them later for the system to work.

Again, I am new at Cisco systems so if there is more information that someone would need to know please ask.  Thanks for the help!

tonycraig Wed, 07/07/2010 - 15:54

Did you have a saved config for the firewall or did you config it from scratch? Where is the outside nat table?

ericmoreland Wed, 07/07/2010 - 16:04

The config for the Cisco was unaffected by the SonicWall failure, the SonicWall did have a saved config file, but that turned out to be corrupted - so we rebuilt it as best we could.  That said, the current config for the SonicWall does work, but is most likely a little different from the original.  I don't fully understand your other question about the outside NAT table - please help me understand...

tonycraig Wed, 07/07/2010 - 16:24

I mean, was the firewall also NATing? I suspect that it also had a NAT table. Your NAT pool to HP only has one address in it. Without using overload, this is only going to map one address, hence why only one device can connect.

ericmoreland Wed, 07/07/2010 - 17:49

Thanks for the clarification - yes, the SonicWall has Routings that send traffic from "Any" source to any address in the 16. subnet via the interface that is connected to the Cisco router.  I did notice that the SonicWall also has selections for "NAT Policies" and "Routings" - what I have above is a Routing.  The SonicWall also has a feature called Packet Capture, I've been using this to see the network traffic through the SonicWall - it appears that the traffic is being correctly routed to the Cisco, but certain traffic simply doesn't return.  If another workstation is logged on to HP's website I can see the outbound and inbound traffic, if I try to log on at the same time, I only get outbound traffic - nothing returns.
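The following is an added example, not code from the thread or from either poster: a small Python model of how a Cisco IOS dynamic NAT pool allocates translations. It illustrates tonycraig's point that the one-address pool `tohp` (start and end are both 72.18.24.21) without `overload` can serve only one inside host at a time, and why a second host then sees outbound packets leave but nothing return, as the packet capture above shows. Assumptions are mine: the inside host addresses are constructed samples, PAT ports are allocated upward from 1024, and idle translations expire after 86400 seconds, which is the IOS default for `ip nat translation timeout`.

```python
# Added example (not from the thread): a model of Cisco IOS dynamic NAT pool
# allocation, with and without 'overload' (PAT).
#
# Assumptions (mine, not the poster's): pool address 72.18.24.21 as in the posted
# 'ip nat pool tohp'; inside hosts are constructed sample addresses; PAT ports
# are handed out upward from 1024; idle translations expire after 86400 s, the
# IOS default for 'ip nat translation timeout'.

POOL = ["72.18.24.21"]      # start == end in the posted pool: one global address
DEFAULT_TIMEOUT = 86400     # seconds; IOS default dynamic translation timeout


class NatPool:
    """Dynamic NAT pool with optional PAT ('overload')."""

    def __init__(self, addresses, overload=False, timeout=DEFAULT_TIMEOUT):
        self.addresses = list(addresses)
        self.overload = overload
        self.timeout = timeout
        # key -> (global_ip, global_port, expires_at)
        # key is inside_ip (one-to-one) or (inside_ip, inside_port) (PAT)
        self.table = {}
        self.next_port = 1024

    def _purge(self, now):
        """Drop translations whose idle timer has run out."""
        for key, (_, _, expires_at) in list(self.table.items()):
            if expires_at <= now:
                del self.table[key]

    def translate(self, inside_ip, inside_port, now=0):
        """Return (global_ip, global_port) for an outbound packet, or None when
        the router has no translation to give and the packet is dropped."""
        self._purge(now)
        expires_at = now + self.timeout

        if self.overload:
            # PAT: every inside host shares the one address, told apart by port.
            key = (inside_ip, inside_port)
            if key in self.table:
                global_ip, global_port, _ = self.table[key]
            else:
                global_ip, global_port = self.addresses[0], self.next_port
                self.next_port += 1
            self.table[key] = (global_ip, global_port, expires_at)
            return global_ip, global_port

        # No overload: one inside host binds one whole pool address.
        if inside_ip in self.table:
            global_ip = self.table[inside_ip][0]
            self.table[inside_ip] = (global_ip, inside_port, expires_at)
            return global_ip, inside_port
        in_use = {entry[0] for entry in self.table.values()}
        free = [a for a in self.addresses if a not in in_use]
        if not free:
            return None  # pool exhausted: packet dropped, so nothing can return
        self.table[inside_ip] = (free[0], inside_port, expires_at)
        return free[0], inside_port


def simulate(overload):
    """Two inside hosts (constructed addresses) try to reach the partner side."""
    pool = NatPool(POOL, overload=overload)
    results = {
        "host_a": pool.translate("10.0.0.10", 40001, now=0),
        "host_b": pool.translate("10.5.0.20", 40002, now=1),
    }
    # host_b tries again only after host_a has sat idle past the timeout
    results["host_b_later"] = pool.translate("10.5.0.20", 40002,
                                             now=DEFAULT_TIMEOUT + 2)
    results["active_translations"] = len(pool.table)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("overload" if mode else "no overload", simulate(mode))
```

Without `overload`, host_b gets no translation while host_a's entry is alive, and in the model that entry only frees up when host_a has been idle for the full timeout, so a stale binding can block the pool for a long time. With `overload`, both hosts are translated to 72.18.24.21 on different ports. On the real router the equivalent change is the `overload` keyword on the `ip nat inside source route-map MAP-108 pool tohp` line, and the checks are `show ip nat translations` (which host currently holds 72.18.24.21) and `show ip nat statistics` (misses and pool exhaustion). The crypto ACL `HPVPN` already matches the post-NAT address `host 72.18.24.21`, so PAT on the same address does not require changing it.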
