08-24-2006 08:31 AM - edited 02-21-2020 02:35 PM
Hey all... I was reading through the forums, but couldn't find any pre-existing posts describing the problems I'm having. Has anybody run into the following situation before?
I have a Cisco 1721 router with a pre-existing IKE LAN-to-LAN tunnel with another location. I configured it the other day for remote access VPN client logins.
Here's the situation: Cisco VPN clients can connect with no problem from anywhere. An IP address gets assigned. I can even ping LAN addresses at the location being connected to.
I'm having two problems:
(1) Not all LAN addresses are pingable all the time. For instance, one minute I will be able to ping 10.1.18.1, but not 10.1.19.1. The next minute, I might be able to ping 10.1.19.1, but NOT 10.1.18.1. The LAN segment is pretty large (10.1.16.0 255.255.252.0).
(2) Except for pings, I am unable to make any sort of connection to our servers onsite (VNC, Remote Desktop, etc.). I can't find any problems with the access-lists that might cause this problem.
08-24-2006 08:33 AM
Here's a sample of the config. We have a lot of static NATs configured as well, but I removed them.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpngroup local
aaa authorization network vpngroup local
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 10.1.16.1 10.1.17.255
ip dhcp excluded-address 10.1.19.1 10.1.19.254
!
ip dhcp pool InternalNetwork
   network 10.1.16.0 255.255.252.0
   dns-server x.x.x.x x.x.x.x
   default-router 10.1.16.1
   lease 3
!
!
class-map match-all PriorityTraffic
  match access-group 140
!
!
policy-map PriorityTrafficPolicy
  class PriorityTraffic
   bandwidth 512
  class class-default
   fair-queue
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key LAN_TO_LAN_KEY address x.x.x.x no-xauth
!
crypto isakmp client configuration group vpngroup
 key vpnkey
 pool Dynamic_Pool
 acl vpnACL
!
!
crypto ipsec transform-set LAN_TO_LAN_Trans_Set esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-Client-Transform-Set esp-3des esp-md5-hmac
!
!
crypto dynamic-map VPN-Dynamic-Map 10
 set transform-set VPN-Client-Transform-Set
!
!
crypto map Remote isakmp authorization list vpngroup
crypto map Remote client configuration address respond
crypto map Remote 10 ipsec-isakmp
 set peer 209.190.158.66
 set transform-set LAN_TO_LAN_Trans_Set
 match address 101
crypto map Remote 20 ipsec-isakmp dynamic VPN-Dynamic-Map
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Multilink1
 ip address x.x.x.x 255.255.255.224 secondary
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 service-policy output PriorityTrafficPolicy
 no cdp enable
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
 crypto map Remote
!
interface FastEthernet0
 description LAN Segment
 ip address 10.1.16.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map zlogo
 speed auto
 no cdp enable
!
interface Serial0:0
 no ip address
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface Serial1:0
 no ip address
 encapsulation ppp
 no fair-queue
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
ip local pool Dynamic_Pool 192.168.254.1 192.168.254.254
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
ip nat pool ovrld 67.129.179.102 67.129.179.102 prefix-length 30
ip nat inside source route-map nonat interface Multilink1 overload
!
!
!
ip access-list extended vpnACL
 permit ip 10.1.16.0 0.0.3.255 192.168.254.0 0.0.0.255
access-list 7 permit 10.1.16.0 0.0.3.255
access-list 101 permit ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip host 10.1.16.80 any
access-list 110 deny ip host 10.1.16.81 any
access-list 110 deny ip host 10.1.17.112 any
access-list 110 deny ip host 10.1.17.56 any
access-list 110 permit ip 10.1.16.0 0.0.3.255 any
access-list 110 deny ip host 10.1.18.60 any
access-list 110 deny ip host 10.1.16.93 any
access-list 110 deny ip host 10.1.16.92 any
access-list 110 deny ip host 10.1.16.91 any
access-list 110 deny ip host 10.1.16.90 any
access-list 111 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 111 permit ip 10.1.16.0 0.0.3.255 any
access-list 123 permit ip host 10.1.17.56 10.1.0.0 0.0.3.255
access-list 140 remark Traffic Prioritization
access-list 140 permit tcp any any range 6000 6010
access-list 140 permit udp any any range 6000 6010
access-list 140 remark Traffic Prioritization
!
route-map nonat permit 10
 match ip address 111 110
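A check worth running against a config like the one above, written here as an added example (it is not code from the original poster or from Cisco): on IOS, inside-to-outside NAT is applied before the crypto map's ACL is consulted, so any LAN-to-VPN-client flow that the `nonat` route-map still permits gets translated and no longer matches `vpnACL`. The script parses a trimmed copy of the posted NAT route-map, its two ACLs and the `Dynamic_Pool`, evaluates them the way IOS does (first match per ACL, implicit deny at the end, route-map permit means "translate"), reports which LAN-to-client flows would be translated rather than exempted, lists ACL entries that sit behind a broader `permit` and can never match, and shows the result once a `deny` for the client pool is placed ahead of the `permit`. ACL numbers and addresses are taken from the posted config; the sample LAN hosts and the `192.168.254.0 0.0.0.255` wildcard used for the pool are assumptions.

```python
"""Check whether an IOS NAT route-map exempts LAN-to-VPN-client traffic.

Added example, not part of the forum post. Handles numbered extended ACL
entries with protocol 'ip', 'route-map ... permit|deny <seq>' clauses with
'match ip address', 'ip nat inside source route-map' and 'ip local pool'.
"""
import ipaddress

# Constructed from the configuration posted above, trimmed to the lines this
# check needs; static NATs, interfaces and crypto statements are omitted.
SAMPLE_CONFIG = """
ip local pool Dynamic_Pool 192.168.254.1 192.168.254.254
ip nat inside source route-map nonat interface Multilink1 overload
access-list 110 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 110 deny ip host 10.1.16.80 any
access-list 110 deny ip host 10.1.17.56 any
access-list 110 permit ip 10.1.16.0 0.0.3.255 any
access-list 110 deny ip host 10.1.18.60 any
access-list 110 deny ip host 10.1.16.93 any
access-list 111 deny ip 10.1.16.0 0.0.3.255 10.1.0.0 0.0.3.255
access-list 111 permit ip 10.1.16.0 0.0.3.255 any
route-map nonat permit 10
 match ip address 111 110
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host X' or 'X wildcard'); return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def _matches(addr, net, wc):
    """Wildcard-mask match: bits set in wc are 'don't care'."""
    return (_ip(addr) | wc) == (net | wc)


def parse_config(text):
    acls, route_maps, pools, nat_rm, clause = {}, {}, {}, None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = (t[4], t[5])
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            nat_rm = t[5]
        elif t[0] == "access-list" and len(t) > 4 and t[3] == "ip":
            src, src_wc, rest = _parse_addr(t[4:])
            dst, dst_wc, _ = _parse_addr(rest)
            acls.setdefault(t[1], []).append((t[2], src, src_wc, dst, dst_wc))
        elif t[0] == "route-map":
            clause = {"action": t[2], "acls": []}
            route_maps.setdefault(t[1], []).append(clause)
        elif t[:3] == ["match", "ip", "address"] and clause is not None:
            clause["acls"].extend(t[3:])
    return {"acls": acls, "route_maps": route_maps, "pools": pools, "nat_route_map": nat_rm}


def acl_permits(entries, src, dst):
    """First matching entry decides; no match is an implicit deny."""
    for action, net_s, wc_s, net_d, wc_d in entries:
        if _matches(src, net_s, wc_s) and _matches(dst, net_d, wc_d):
            return action == "permit"
    return False


def is_translated(cfg, src, dst):
    """True when the NAT route-map selects the src->dst flow for translation."""
    for clause in cfg["route_maps"].get(cfg["nat_route_map"], []):
        if any(acl_permits(cfg["acls"].get(n, []), src, dst) for n in clause["acls"]):
            return clause["action"] == "permit"
    return False


def vpn_pool_leaks(cfg, lan_hosts):
    """(src, dst) pairs, sampling each pool's first, middle and last address,
    whose LAN-to-VPN-client traffic would be translated instead of exempted."""
    leaks = []
    for start, end in cfg["pools"].values():
        lo, hi = _ip(start), _ip(end)
        for dst_int in (lo, (lo + hi) // 2, hi):
            dst = str(ipaddress.IPv4Address(dst_int))
            leaks += [(src, dst) for src in lan_hosts if is_translated(cfg, src, dst)]
    return leaks


def shadowed_entries(cfg):
    """(acl, position) of entries that an earlier entry fully covers, so they can never match."""
    out = []
    for name, entries in cfg["acls"].items():
        for i, (_, s, ws, d, wd) in enumerate(entries):
            for _, ps, pws, pd, pwd in entries[:i]:
                # earlier entry covers this one if its wildcard is a superset and fixed bits agree
                if (ws | pws) == pws and (wd | pwd) == pwd \
                        and (s | pws) == (ps | pws) and (d | pwd) == (pd | pwd):
                    out.append((name, i + 1))
                    break
    return out


def add_pool_exemption(text, lan_net, lan_wc, pool_net, pool_wc):
    """Insert 'deny <lan> <pool>' ahead of the first permit in every ACL the NAT route-map uses."""
    cfg = parse_config(text)
    nat_acls = {n for c in cfg["route_maps"].get(cfg["nat_route_map"], []) for n in c["acls"]}
    out, done = [], set()
    for line in text.splitlines():
        t = line.split()
        if len(t) > 2 and t[0] == "access-list" and t[1] in nat_acls and t[2] == "permit" and t[1] not in done:
            out.append(f"access-list {t[1]} deny ip {lan_net} {lan_wc} {pool_net} {pool_wc}")
            done.add(t[1])
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("translated LAN->client pairs:", vpn_pool_leaks(cfg, ["10.1.16.1", "10.1.18.1"]))
    print("unreachable ACL entries (acl, position):", shadowed_entries(cfg))
    fixed = add_pool_exemption(SAMPLE_CONFIG, "10.1.16.0", "0.0.3.255", "192.168.254.0", "0.0.0.255")
    print("after adding the pool exemption:", vpn_pool_leaks(parse_config(fixed), ["10.1.16.1"]))
```

With the posted ACLs every sampled LAN-to-pool pair is reported as translated, and the `deny host` lines that follow `permit ip 10.1.16.0 0.0.3.255 any` in ACL 110 are reported as unreachable; after the pool `deny` is inserted, LAN-to-pool traffic is exempted while LAN-to-LAN (10.1.0.0/22) stays exempt and Internet-bound traffic is still translated. On a real router the equivalent change is rebuilding ACLs 110 and 111 with the pool `deny` placed before the `permit`, since numbered ACL entries are appended at the end.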
11-03-2006 12:29 AM
This is part of the exact problem I am having, except I can sometimes remote desktop and then sometimes not. It is very intermittent.
Whilst I can't help with your query, if I find anything out I will post an update here.