Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vpn client problems - cna

Hey all...I was reading through the forums, but couldn't find any pre-existing posts describing the problems I'm having. Has anybody run into the following situation before?

I have a Cisco 1721 router with a pre-existing IKE LAN-to-LAN tunnel with another location. I configured it the other day for remote access VPN client logins.

Here's the situation: Cisco VPN clients can connect with no problem from anywhere. An IP address gets assigned. I can even ping LAN addresses at the location being connected to.

I'm having two problems:

(1) Not all LAN addresses are pingable all the time. For instance, one minute, I will be able to ping 10.1.18.1, but not 10.1.19.1. Then next minute, I might be able to ping 10.1.19.1, but NOT 10.1.18.1. The LAN segment is pretty large (10.1.16.0 255.255.252.0)

(2) Except for pings, I am unable to make any sort of connection to our servers onsite (VNC, Remote Desktop, etc). I can't find any problems with the access-lists that might cause this problem.

2 REPLIES
New Member

Re: vpn client problems - cna

Here's a sample of the config. We have a lot of static NAT's configured as well, but I removed them.

aaa new-model

!

!

aaa authentication login default local

aaa authentication login vpngroup local

aaa authorization network vpngroup local

aaa session-id common

ip subnet-zero

!

!

ip dhcp excluded-address 10.1.16.1 10.1.17.255

ip dhcp excluded-address 10.1.19.1 10.1.19.254

!

ip dhcp pool InternalNetwork

network 10.1.16.0 255.255.252.0

dns-server x.x.x.x x.x.x.x

default-router 10.1.16.1

lease 3

!

!

class-map match-all PriorityTraffic

match access-group 140

!

!

policy-map PriorityTrafficPolicy

class PriorityTraffic

bandwidth 512

class class-default

fair-queue

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

!

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

lifetime 28800

!

crypto isakmp policy 3

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key LAN_TO_LAN_KEY address x.x.x.x no-xauth

!

crypto isakmp client configuration group vpngroup

key vpnkey

pool Dynamic_Pool

acl vpnACL

!

!

crypto ipsec transform-set LAN_TO_LAN_Trans_Set esp-3des esp-md5-hmac

crypto ipsec transform-set VPN-Client-Transform-Set esp-3des esp-md5-hmac

!

!

crypto dynamic-map VPN-Dynamic-Map 10

set transform-set VPN-Client-Transform-Set

!

!

crypto map Remote isakmp authorization list vpngroup

crypto map Remote client configuration address respond

crypto map Remote 10 ipsec-isakmp

set peer 209.190.158.66

set transform-set LAN_TO_LAN_Trans_Set

match address 101

crypto map Remote 20 ipsec-isakmp dynamic VPN-Dynamic-Map

!

!

!

interface Loopback0

ip address 1.1.1.1 255.255.255.0

!

interface Multilink1

ip address x.x.x.x 255.255.255.224 secondary

ip address x.x.x.x 255.255.255.252

ip nat outside

ip virtual-reassembly

service-policy output PriorityTrafficPolicy

no cdp enable

ppp multilink

ppp multilink fragment disable

ppp multilink group 1

crypto map Remote

!

interface FastEthernet0

description LAN Segment

ip address 10.1.16.1 255.255.252.0

ip nat inside

ip virtual-reassembly

ip route-cache policy

ip policy route-map zlogo

speed auto

no cdp enable

!

interface Serial0:0

no ip address

encapsulation ppp

no fair-queue

no cdp enable

ppp multilink

ppp multilink group 1

!

interface Serial1:0

no ip address

encapsulation ppp

no fair-queue

no cdp enable

ppp multilink

ppp multilink group 1

!

ip local pool Dynamic_Pool 192.168.254.1 192.168.254.254

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.x

no ip http server

no ip http secure-server

!

ip nat pool ovrld 67.129.179.102 67.129.179.102 prefix-length 30

ip nat inside source route-map nonat interface Multilink1 overload

!

!

!

ip access-list extended vpnACL

permit ip 10.1.16.0 0.0.3.255 192.168.254.0 0.0.0.255

access-list 7 permit 10.1.16.0 0.0.3.255

access-list 101 permit ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255

access-list 110 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255

access-list 110 deny ip host 10.1.16.80 any

access-list 110 deny ip host 10.1.16.81 any

access-list 110 deny ip host 10.1.17.112 any

access-list 110 deny ip host 10.1.17.56 any

access-list 110 permit ip 10.1.16.0 0.0.3.255 any

access-list 110 deny ip host 10.1.18.60 any

access-list 110 deny ip host 10.1.16.93 any

access-list 110 deny ip host 10.1.16.92 any

access-list 110 deny ip host 10.1.16.91 any

access-list 110 deny ip host 10.1.16.90 any

access-list 111 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255

access-list 111 permit ip 10.1.16.0 0.0.3.255 any

access-list 123 permit ip host 10.1.17.56 10.1.0.0 0.0.3.255

access-list 140 remark Traffic Prioritization

access-list 140 permit tcp any any range 6000 6010

access-list 140 permit udp any any range 6000 6010

access-list 140 remark Traffic Prioritization

!

route-map nonat permit 10

match ip address 111 110

New Member

Re: vpn client problems - cna

This is part of the exact problem I am having except I can sometimes remote desktop and then sometimes not. It is very intermittent.

Whilst I can't help with your query if I find anything out I will post an update here.

226
Views
0
Helpful
2
Replies