Cisco Support Community
New Member

Cisco 2811 Easy VPN Server

I recently configured a Cisco 2811 as an Easy VPN Server. We presently have a slew of Cisco 871w, 881w, and Cisco VPN clients connecting to it. Everything works fine till I remove EIGRP; once EIGRP is removed, all traffic through the VPN Server stops. This has to be a reverse route issue, but I can't seem to pinpoint why this is. Without EIGRP I can't ping or access any resources over the VPN tunnel. If you have some suggestions, please post; if this requires seeing the running-config, let me know and I will scrub and post it.

Thanks,

2 REPLIES
New Member

Re: Cisco 2811 Easy VPN Server

Here is the running-config:

Cisco2811VPN#sh run
Building configuration...

Current configuration : 16994 bytes
!
! Last configuration change at 22:44:51 EST Tue Feb 9 2010 by remote
! NVRAM config last updated at 22:41:28 EST Tue Feb 9 2010 by remote
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Cisco2811VPN
!
boot-start-marker
warm-reboot count 10 uptime 10
boot-end-marker
!
security authentication failure rate 3 log
logging userinfo
logging buffered 16384
no logging monitor
enable secret 5
enable password 7
!
aaa new-model
aaa local authentication attempts max-fail 15
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login vpn local
aaa authentication login oldvpn local
aaa authorization exec default local
aaa authorization network vpn local
aaa authorization network oldvpn local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone EST -5
clock summer-time EST recurring
!
!
crypto pki trustpoint TP-self-signed-1419741404
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1419741404
revocation-check none
rsakeypair TP-self-signed-1419741404
!
!
crypto pki certificate chain TP-self-signed-1419741404
certificate self-signed 01

        quit
dot11 syslog
no ip source-route
!
!
ip cef
!
!
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL telnet
no ip bootp server
no ip domain lookup
ip domain name domain.local

login block-for 600 attempts 3 within 60
login delay 1
login quiet-mode access-class LoginQuiet
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
password encryption aes
!
!
archive
log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
path tftp://x.x.x.x/Cisco2811VPN/$h
write-memory
time-period 14400
object-group network ITStaff
range 10.10.252.1 10.10.252.10
!
object-group network NETWORK
range x.x.x.x x.x.x.x
range x.x.x.x x.x.x.x
range 10.10.11.0 10.10.11.254
range 10.10.10.0 10.10.10.254
!
username vpnconnection password
!
redundancy
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh logging events
ip ssh version 2
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 10 10
!
crypto isakmp client configuration group VPN1
key 6
pool vpnpool
acl aclSPLIT
save-password
include-local-lan
!
crypto isakmp client configuration group VPN12
key 6
pool ITStaff
acl aclITSPLIT
save-password
include-local-lan
!
crypto isakmp client configuration group VPN123
key 6
pool vpnpoolcli
acl aclSPLITCLI
include-local-lan
!
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
crypto ipsec transform-set oldvpn esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic 1
set transform-set vpn oldvpn
!
!
crypto map oldvpn client authentication list oldvpn
crypto map oldvpn isakmp authorization list oldvpn
crypto map oldvpn client configuration address respond
!
crypto map vpn client authentication list vpn
crypto map vpn isakmp authorization list vpn
crypto map vpn client configuration address respond
crypto map vpn 3 ipsec-isakmp dynamic dynamic
!
!
!
!
!
interface FastEthernet0/0
description LAN Interface
ip address 10.10.10.2 255.255.255.0
ip access-group Internal-outbound-ACL out
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1
description WAN Interface
ip address x.x.x.x 255.255.255.248
ip access-group Internet-inbound-ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip inspect FIREWALL in
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
!
!
router eigrp 1
network 10.0.0.0
auto-summary
!
ip local pool vpnpool 10.10.251.2 10.10.251.200
ip local pool ITStaff 10.10.252.1 10.10.252.10
ip local pool vpnpoolcli 10.10.253.1 10.10.253.25
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.10.251.0 255.255.255.0 FastEthernet0/1
ip route 10.10.252.0 255.255.255.0 FastEthernet0/1
ip route 10.10.253.0 255.255.255.0 FastEthernet0/1
!
ip access-list extended Internal-outbound-ACL
permit icmp any host 10.10.10.9
permit icmp any host 10.10.10.11
permit icmp any host 10.10.10.13
permit tcp any host 10.10.10.9
permit tcp any host 10.10.10.11
permit tcp any host 10.10.10.13
permit icmp any host 10.10.10.12
permit udp any host 10.10.10.12 eq ntp
permit ip object-group ITStaff any
permit udp any host 10.10.10.221 eq tftp log
deny   ip 10.10.251.0 0.0.0.255 any
deny   ip 10.10.253.0 0.0.0.255 any
permit ip any any
ip access-list extended Internet-inbound-ACL
deny   ip host 66.178.48.195 any
deny   ip host 69.245.18.75 any
deny   ip host 70.154.54.105 any
deny   ip host 98.211.67.132 any
deny   ip host 161.53.141.3 any
deny   ip host 161.53.203.203 any
deny   ip host 209.128.108.117 any
deny   ip host 216.230.130.134 any
deny   ip host 24.206.111.128 any
deny   ip host 65.163.203.181 any
deny   ip host 66.112.41.186 any
deny   ip host 207.250.220.196 any
deny   ip host 69.197.163.178 any
deny   ip host 68.195.231.164 any log
deny   ip host 216.240.158.121 any log
deny   ip host 174.136.197.34 any
deny   tcp any any eq 135
deny   udp any any eq 135
deny   udp any any eq netbios-ss
deny   udp any any eq netbios-ns
deny   udp any any eq 445
deny   tcp any any eq 139
deny   tcp any any eq 4444
deny   tcp any any eq 137
deny   tcp any any eq 8080
deny   tcp any any eq 445
deny   tcp any any eq 3389
permit udp any any eq 10000
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
deny   ip 25.0.0.0 0.255.255.255 any
deny   ip 41.0.0.0 0.255.255.255 any
deny   ip 43.0.0.0 0.255.255.255 any
deny   ip 51.0.0.0 0.255.255.255 any
deny   ip 58.0.0.0 0.255.255.255 any
deny   ip 59.0.0.0 0.255.255.255 any
deny   ip 60.0.0.0 0.255.255.255 any
deny   ip 61.0.0.0 0.255.255.255 any
deny   ip 62.0.0.0 0.255.255.255 any
deny   ip 77.0.0.0 0.255.255.255 any
deny   ip 78.0.0.0 0.255.255.255 any
deny   ip 80.0.0.0 0.255.255.255 any
deny   ip 81.0.0.0 0.255.255.255 any
deny   ip 82.0.0.0 0.255.255.255 any
deny   ip 83.0.0.0 0.255.255.255 any
deny   ip 84.0.0.0 0.255.255.255 any
deny   ip 85.0.0.0 0.255.255.255 any
deny   ip 86.0.0.0 0.255.255.255 any
deny   ip 87.0.0.0 0.255.255.255 any
deny   ip 88.0.0.0 0.255.255.255 any
deny   ip 89.0.0.0 0.255.255.255 any
deny   ip 90.0.0.0 0.255.255.255 any
deny   ip 91.0.0.0 0.255.255.255 any
deny   ip 92.0.0.0 0.255.255.255 any
deny   ip 93.0.0.0 0.255.255.255 any
deny   ip 95.0.0.0 0.255.255.255 any
deny   ip 109.0.0.0 0.255.255.255 any
deny   ip 110.0.0.0 0.255.255.255 any
deny   ip 111.0.0.0 0.255.255.255 any
deny   ip 112.0.0.0 0.255.255.255 any
deny   ip 113.0.0.0 0.255.255.255 any
deny   ip 114.0.0.0 0.255.255.255 any
deny   ip 115.0.0.0 0.255.255.255 any
deny   ip 116.0.0.0 0.255.255.255 any
deny   ip 117.0.0.0 0.255.255.255 any
deny   ip 118.0.0.0 0.255.255.255 any
deny   ip 119.0.0.0 0.255.255.255 any
deny   ip 120.0.0.0 0.255.255.255 any
deny   ip 121.0.0.0 0.255.255.255 any
deny   ip 122.0.0.0 0.255.255.255 any
deny   ip 123.0.0.0 0.255.255.255 any
deny   ip 124.0.0.0 0.255.255.255 any
deny   ip 125.0.0.0 0.255.255.255 any
deny   ip 126.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 133.0.0.0 0.255.255.255 any
deny   ip 145.0.0.0 0.255.255.255 any
deny   ip 147.0.0.0 0.52.255.255 any
deny   ip 148.1.0.0 0.250.255.255 any
deny   ip 150.1.0.0 0.214.255.255 any
deny   ip 154.0.0.0 0.255.255.255 any
deny   ip 168.234.0.0 0.0.255.255 any
deny   ip 161.0.0.0 0.54.255.255 any
deny   ip 168.160.0.0 0.0.255.255 any
deny   ip 169.0.0.0 0.255.255.255 any
deny   ip 172.0.0.0 0.255.255.255 any
deny   ip 175.0.0.0 0.255.255.255 any
deny   ip 178.0.0.0 0.255.255.255 any
deny   ip 180.0.0.0 0.255.255.255 any
deny   ip 182.0.0.0 0.255.255.255 any
deny   ip 183.0.0.0 0.255.255.255 any
deny   ip 186.0.0.0 0.255.255.255 any
deny   ip 187.0.0.0 0.255.255.255 any
deny   ip 188.0.0.0 0.255.255.255 any
deny   ip 189.0.0.0 0.255.255.255 any
deny   ip 190.0.0.0 0.255.255.255 any
deny   ip 193.0.0.0 0.255.255.255 any
deny   ip 194.0.0.0 0.255.255.255 any
deny   ip 195.0.0.0 0.255.255.255 any
deny   ip 196.0.0.0 0.255.255.255 any
deny   ip 200.0.0.0 0.255.255.255 any
deny   ip 201.0.0.0 0.255.255.255 any
deny   ip 202.0.0.0 0.255.255.255 any
deny   ip 203.0.0.0 0.255.255.255 any
deny   ip 210.0.0.0 0.255.255.255 any
deny   ip 211.0.0.0 0.255.255.255 any
deny   ip 212.0.0.0 0.255.255.255 any
deny   ip 213.0.0.0 0.255.255.255 any
deny   ip 217.0.0.0 0.255.255.255 any
deny   ip 218.0.0.0 0.255.255.255 any
deny   ip 219.0.0.0 0.255.255.255 any
deny   ip 220.0.0.0 0.255.255.255 any
deny   ip 221.0.0.0 0.255.255.255 any
deny   ip 222.0.0.0 0.255.255.255 any
permit gre any any
permit icmp any any traceroute
permit icmp any any echo-reply
permit icmp any any echo
permit ahp any any
permit tcp any eq telnet host x.x.x.x log
permit tcp any any eq 22 log
deny   ip any any log
ip access-list extended LoginQuiet
permit ip object-group NETWORK any log
deny   ip any any log
ip access-list extended aclITSPLIT
permit ip 10.10.10.0 0.0.0.255 10.10.252.0 0.0.0.255
ip access-list extended aclSPLIT
permit ip 10.10.10.0 0.0.0.255 10.10.251.0 0.0.0.255
ip access-list extended aclSPLITCLI
permit ip 10.10.10.0 0.0.0.255 10.10.253.0 0.0.0.255
!
logging history informational
logging trap debugging
logging origin-id ip
logging host 10.10.10.221 sequence-num-session
access-list 1 permit 10.10.0.0 0.0.255.255
no cdp run

!
!
!
snmp-server community xxx RO
snmp-server enable traps tty
!
!
control-plane
!
!
alias exec shacl sh access-list Internet-inbound-ACL
alias exec sr show running-config
alias exec sri show running-config | inc
alias exec sib show ip interface brief
alias exec shaclo sh access-list Internal-outbound-ACL
!
line con 0
password 7
transport output telnet
line aux 0
rotary 1
no exec
transport input ssh
transport output ssh
line vty 0 4
privilege level 15
password 7
transport input ssh
transport output telnet ssh
line vty 5 15
privilege level 15
password 7
transport input ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.10.10.12
end
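
Added example, not part of the thread and not a statement of how the issue was resolved: a Python check for the reverse-route question raised in the first post. It reports which `crypto dynamic-map` entries lack the IOS `reverse-route` sub-command and which static route, if any, covers each `ip local pool`. The function names are hypothetical and `SAMPLE_CONFIG` is a constructed excerpt of lines from the running-config posted above.

```python
import ipaddress
import re

# Constructed excerpt: lines copied from the running-config posted above.
SAMPLE_CONFIG = """\
crypto dynamic-map dynamic 1
set transform-set vpn oldvpn
!
ip local pool vpnpool 10.10.251.2 10.10.251.200
ip local pool ITStaff 10.10.252.1 10.10.252.10
ip local pool vpnpoolcli 10.10.253.1 10.10.253.25
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.10.251.0 255.255.255.0 FastEthernet0/1
ip route 10.10.252.0 255.255.255.0 FastEthernet0/1
ip route 10.10.253.0 255.255.255.0 FastEthernet0/1
"""

def dynamic_maps_without_rri(config):
    """Return 'name seq' of each crypto dynamic-map entry with no reverse-route."""
    missing, entry, has_rri = [], None, False
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()  # works on indented and on flattened (pasted) configs
        start = re.fullmatch(r"crypto dynamic-map (\S+) (\d+)", line)
        if start or line == "!" or line.startswith("crypto "):
            # Any of these closes the entry currently being read.
            if entry and not has_rri:
                missing.append(entry)
            entry = f"{start[1]} {start[2]}" if start else None
            has_rri = False
        elif entry and line.startswith("reverse-route"):
            has_rri = True
    return missing

def pool_static_routes(config):
    """Map each 'ip local pool' name to the specific static route covering it, or None."""
    routes = []
    for net, mask, target in re.findall(r"^\s*ip route (\S+) (\S+) (\S+)", config, re.M):
        network = ipaddress.ip_network(f"{net}/{mask}")
        if network.prefixlen > 0:  # ignore the default route
            routes.append((network, target))
    result = {}
    for name, first, last in re.findall(r"^\s*ip local pool (\S+) (\S+) (\S+)", config, re.M):
        ends = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        result[name] = next((f"{n} via {t}" for n, t in routes
                             if all(e in n for e in ends)), None)
    return result

if __name__ == "__main__":
    print("dynamic-map entries without reverse-route:", dynamic_maps_without_rri(SAMPLE_CONFIG))
    print("static route per pool:", pool_static_routes(SAMPLE_CONFIG))
```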

New Member

Re: Cisco 2811 Easy VPN Server

This has been resolved.
