08-24-2006 08:31 AM - edited 02-21-2020 02:35 PM
Hey all...I was reading through the forums, but couldn't find any pre-existing posts describing the problems I'm having. Has anybody run into the following situation before?
I have a Cisco 1721 router with a pre-existing IKE LAN-to-LAN tunnel with another location. I configured it the other day for remote access VPN client logins.
Here's the situation: Cisco VPN clients can connect with no problem from anywhere. An IP address gets assigned. I can even ping LAN addresses at the location being connected to.
I'm having two problems:
(1) Not all LAN addresses are pingable all the time. For instance, one minute, I will be able to ping 10.1.18.1, but not 10.1.19.1. Then the next minute, I might be able to ping 10.1.19.1, but NOT 10.1.18.1. The LAN segment is pretty large (10.1.16.0 255.255.252.0).
(2) Except for pings, I am unable to make any sort of connection to our servers onsite (VNC, Remote Desktop, etc.). I can't find any problems with the access-lists that might cause this problem.
08-24-2006 08:33 AM
Here's a sample of the config. We have a lot of static NATs configured as well, but I removed them.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpngroup local
aaa authorization network vpngroup local
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.16.1 10.1.17.255
ip dhcp excluded-address 10.1.19.1 10.1.19.254
!
ip dhcp pool InternalNetwork
   network 10.1.16.0 255.255.252.0
   dns-server x.x.x.x x.x.x.x
   default-router 10.1.16.1
   lease 3
!
!
class-map match-all PriorityTraffic
 match access-group 140
!
!
policy-map PriorityTrafficPolicy
 class PriorityTraffic
  bandwidth 512
 class class-default
  fair-queue
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key LAN_TO_LAN_KEY address x.x.x.x no-xauth
!
crypto isakmp client configuration group vpngroup
 key vpnkey
 pool Dynamic_Pool
 acl vpnACL
!
!
crypto ipsec transform-set LAN_TO_LAN_Trans_Set esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-Client-Transform-Set esp-3des esp-md5-hmac
!
!
crypto dynamic-map VPN-Dynamic-Map 10
 set transform-set VPN-Client-Transform-Set
!
!
crypto map Remote isakmp authorization list vpngroup
crypto map Remote client configuration address respond
crypto map Remote 10 ipsec-isakmp
 set peer 209.190.158.66
 set transform-set LAN_TO_LAN_Trans_Set
 match address 101
crypto map Remote 20 ipsec-isakmp dynamic VPN-Dynamic-Map
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Multilink1
 ip address x.x.x.x 255.255.255.224 secondary
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 service-policy output PriorityTrafficPolicy
 no cdp enable
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
 crypto map Remote
!
interface FastEthernet0
 description LAN Segment
 ip address 10.1.16.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map zlogo
 speed auto
 no cdp enable
!
interface Serial0:0
 no ip address
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial1:0
 no ip address
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
ip local pool Dynamic_Pool 192.168.254.1 192.168.254.254
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
ip nat pool ovrld 67.129.179.102 67.129.179.102 prefix-length 30
ip nat inside source route-map nonat interface Multilink1 overload
!
!
!
ip access-list extended vpnACL
 permit ip 10.1.16.0 0.0.3.255 192.168.254.0 0.0.0.255
access-list 7 permit 10.1.16.0 0.0.3.255
access-list 101 permit ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip host 10.1.16.80 any
access-list 110 deny ip host 10.1.16.81 any
access-list 110 deny ip host 10.1.17.112 any
access-list 110 deny ip host 10.1.17.56 any
access-list 110 permit ip 10.1.16.0 0.0.3.255 any
access-list 110 deny ip host 10.1.18.60 any
access-list 110 deny ip host 10.1.16.93 any
access-list 110 deny ip host 10.1.16.92 any
access-list 110 deny ip host 10.1.16.91 any
access-list 110 deny ip host 10.1.16.90 any
access-list 111 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 111 permit ip 10.1.16.0 0.0.3.255 any
access-list 123 permit ip host 10.1.17.56 10.1.0.0 0.0.3.255
access-list 140 remark Traffic Prioritization
access-list 140 permit tcp any any range 6000 6010
access-list 140 permit udp any any range 6000 6010
access-list 140 remark Traffic Prioritization
!
route-map nonat permit 10
 match ip address 111 110
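In the posted config, access-lists 110 and 111 (the ones route-map nonat matches on) exempt only the LAN-to-LAN destination 10.1.0.0/22 from NAT, not the Dynamic_Pool range 192.168.254.0/24; since IOS translates inside-to-outside traffic before it evaluates the crypto map, a server reply that has been overloaded onto the Multilink1 address no longer matches vpnACL. The script below is an added audit written for this thread, not code from the poster: it parses a constructed excerpt of those ACLs, reports which flows the route-map would translate, and flags ACEs in access-list 110 that sit below the broad permit and can never match. The hosts 10.1.1.5 (behind the LAN-to-LAN peer) and 192.168.254.10 (a VPN client) are constructed test values.

```python
import ipaddress

NAT_ACLS = """
access-list 110 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 permit ip 10.1.16.0 0.0.3.255 any
access-list 110 deny ip host 10.1.18.60 any
access-list 111 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 111 permit ip 10.1.16.0 0.0.3.255 any
"""  # constructed excerpt of the posted ACLs; permit = translate, deny/no match = leave un-NATed
ROUTE_MAP_ACLS = ["111", "110"]  # route-map nonat permit 10 / match ip address 111 110
def _addr(tokens):
    """Parse one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}"), tokens[2:]
def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered 'ip' ACEs."""
    acls = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5 or p[0] != "access-list" or p[3] != "ip":
            continue
        src, rest = _addr(p[4:])
        dst, _ = _addr(rest)
        acls.setdefault(p[1], []).append((p[2], src, dst))
    return acls
def nat_applies(acls, acl_names, src_ip, dst_ip):
    """True if any listed ACL permits src->dst; the first matching ACE in each ACL decides."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name in acl_names:
        for action, s, d in acls.get(name, []):
            if src in s and dst in d:
                if action == "permit":
                    return True
                break  # explicit deny in this ACL: fall through to the next listed ACL
    return False  # nothing permitted it: route-map does not match, packet stays untranslated
def shadowed_aces(entries):
    """Indexes of ACEs that can never match because an earlier ACE already covers them."""
    return [i for i, (_, s, d) in enumerate(entries)
            if any(s.subnet_of(s0) and d.subnet_of(d0) for _, s0, d0 in entries[:i])]
def audit(lan_host="10.1.18.1", l2l_host="10.1.1.5", vpn_client="192.168.254.10"):
    """Constructed hosts: a LAN server, a host behind the LAN-to-LAN peer, a VPN client."""
    acls = parse_acls(NAT_ACLS)
    return {"lan_to_l2l_natted": nat_applies(acls, ROUTE_MAP_ACLS, lan_host, l2l_host),
            "lan_to_vpn_client_natted": nat_applies(acls, ROUTE_MAP_ACLS, lan_host, vpn_client),
            "acl110_unreachable_aces": shadowed_aces(acls["110"])}
```

Running the same check after adding a deny for 10.1.16.0/22 to 192.168.254.0/24 ahead of the permit in both ACLs (and moving the host denies above it) is how to confirm the exemption actually takes effect.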
11-03-2006 12:29 AM
This is part of the exact problem I am having except I can sometimes remote desktop and then sometimes not. It is very intermittent.
Whilst I can't help with your query, if I find anything out I will post an update here.