fenderjbass
IS-IT--Management
Hello everyone! I'm hoping someone can help me with a little issue I'm having. I picked up a little job that needed help with mobile VPN access. What I was told was it worked, and then it stopped. Which means it could be 1000000 possible reasons. They had an IT firm in there for a while, but I guess they were doing more harm than good. So, I looked over the running config, and saw a few gaps which could definitely cause some issues with connection. It looks like whoever set it up possibly wrote the IPsec phase 1 and 2 proposals to startup config, and continued on configuring and didn't save that. So possibly after a reboot of the router, the non-saved parts of the config got wiped, and it stopped working. So, my changes were successful and I was able to VPN into the network. Happy dance and all that. I'm able to ping IPs on the local subnet, so I assume, from what I was told, it was fixed. So I contacted the on-site contact and let him know it was fixed, and as a lesson I learned before, I sent screenshots of it being operational. So I get a call back later that when they are connected through mobile VPN, they can't RDP into the RDP server. Seemed odd, but I inspected it further... I can telnet, SSH, even access CIFS shares from the server, but could not RDP into it. I checked server firewall, AV etc. I looked over ACLs; I thought it possible it was blocking it there, as there are some ACLs for blocking incoming traffic from telnetting and RDP. So I rewrote the ACL, allowing the VPN subnet to connect via RDP to the server. I even went as far as basically wiping the ACLs, and still could not RDP. Doing this allowed me to RDP externally from my laptop, which at least proved the server isn't blocking the connection. So to avoid pulling all my hair out, I'm hoping someone could offer some assistance. I did a Google search on this issue, and tried changing MTU on the VPN client; that didn't fix it. And it is configured as split tunnel.
So I'll post the running config with original ACLs. F0 is the outside interface, local subnet is 192.168.1.0/24 and VPN is 192.168.23.0/24. I pay in beer.
Building configuration...
Current configuration : 9773 bytes
!
! Last configuration change at 12:43:01 UTC Thu Apr 18 2013 by ***********
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ******
!
boot-start-marker
boot system flash:c181x-advipservicesk9-mz.151-3.T1.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable password secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remote_vpn local
aaa authorization exec default local
aaa authorization network group local
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2339584027
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2339584027
revocation-check none
rsakeypair TP-self-signed-2339584027
!
!
crypto pki certificate chain TP-self-signed-2339584027
certificate self-signed 01
**********************************************
quit
dot11 syslog
!
dot11 ssid BUDDY_1
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 ******
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool RPD
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.10
default-router 192.168.1.1
!
!
!
ip cef
ip domain name cisco.local
ip name-server 4.2.2.2
ip name-server 4.2.2.3
ip name-server 192.168.1.10
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 pptp
ip inspect name DEFAULT100 dns
ip inspect name DEFAULT100 dnsix
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip ddns update method DynDNS
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811W-AG-B/K9 sn FHK1447708V
archive
log config
hidekeys
username *** privilege 15 password 0 ******
username *** password 0 *****
!
!
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 48000
!
crypto isakmp policy 2
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 4
authentication pre-share
group 2
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
lifetime 4800
!
crypto isakmp client configuration group group
key ******
dns 192.168.1.10
wins 192.168.1.10
domain anyserver.local
pool vpnpool
acl split
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set trans1
reverse-route
!
!
!
crypto map dynmap client configuration address respond
!
crypto map intmap client authentication list remote_vpn
crypto map intmap isakmp authorization list group
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid BUDDY_1
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid BUDDY_1
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface FastEthernet0
mac-address 0024.b216.d19a
ip dhcp client update dns server none
ip ddns update DynDNS
ip address dhcp client-id FastEthernet0 hostname *******
ip access-group 103 in
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly in
duplex auto
speed auto
crypto map intmap
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
no ip address
ip nat inside
ip virtual-reassembly in
bridge-group 1
!
interface Async1
no ip address
encapsulation slip
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool vpnpool 192.168.23.1 192.168.23.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.6 6010 interface FastEthernet0 6010
ip nat inside source static tcp 192.168.1.6 6011 interface FastEthernet0 6011
ip nat inside source static tcp 192.168.1.4 6004 interface FastEthernet0 6004
ip nat inside source static tcp 192.168.1.4 6005 interface FastEthernet0 6005
ip nat inside source static tcp 192.168.1.18 6012 interface FastEthernet0 6012
ip nat inside source static tcp 192.168.1.18 6013 interface FastEthernet0 6013
ip nat inside source static tcp 192.168.1.15 6014 interface FastEthernet0 6014
ip nat inside source static tcp 192.168.1.15 6015 interface FastEthernet0 6015
ip nat inside source static tcp 192.168.1.7 6016 interface FastEthernet0 6016
ip nat inside source static tcp 192.168.1.7 6017 interface FastEthernet0 6017
ip nat inside source static tcp 192.168.1.19 6020 interface FastEthernet0 6020
ip nat inside source static tcp 192.168.1.19 6021 interface FastEthernet0 6021
ip nat inside source static tcp 192.168.1.23 6022 interface FastEthernet0 6022
ip nat inside source static tcp 192.168.1.23 6023 interface FastEthernet0 6023
ip nat inside source static tcp 192.168.1.16 6024 interface FastEthernet0 6024
ip nat inside source static tcp 192.168.1.16 6025 interface FastEthernet0 6025
ip nat inside source static tcp 192.168.1.11 1723 interface FastEthernet0 1723
ip nat inside source static tcp 192.168.1.21 6026 interface FastEthernet0 6026
ip nat inside source static tcp 192.168.1.21 6027 interface FastEthernet0 6027
ip nat inside source static tcp 192.168.1.10 6000 interface FastEthernet0 6000
ip nat inside source static tcp 192.168.1.10 6001 interface FastEthernet0 6001
ip nat inside source static tcp 192.168.1.20 6018 interface FastEthernet0 6018
ip nat inside source static tcp 192.168.1.20 6019 interface FastEthernet0 6019
ip nat inside source static tcp 192.168.1.55 6028 interface FastEthernet0 6028
ip nat inside source static tcp 192.168.1.55 6029 interface FastEthernet0 6029
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0 dhcp
!
ip access-list extended split
permit ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
!
logging esm config
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 103 permit tcp 173.210.**.** 0.0.0.15 any eq telnet
access-list 103 permit tcp 173.210.**.** 0.0.0.15 any eq 3389
access-list 103 deny tcp any any eq telnet
access-list 103 deny tcp any any eq 3389
access-list 103 permit udp any any eq bootps
access-list 103 permit udp any any eq bootpc
access-list 103 permit icmp any any
access-list 103 permit ip any any
access-list 103 permit esp any any
access-list 106 deny ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 106
match interface FastEthernet0
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
end
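One way to reason about the posted config rather than by trial and error, as an added example (not the poster's or Cisco's tooling): it evaluates a VPN client's flows to 192.168.1.10 against ACL 103 the way IOS would (first match wins, implicit deny), and checks whether the server's reply source socket is captured by one of the static NAT entries, which the route-map deny on the overload rule does not exempt. Whether a given IOS release re-checks the decrypted packet against the inbound interface ACL varies, so the ACL column is a hint to verify on the box; the client address 192.168.23.5 and the 173.210.0.0 stand-in for the masked octets are assumptions.

```python
"""ACL 103 verdict and static-NAT check for a VPN-client -> 192.168.1.10 flow in
the posted config. Added example, not the poster's; 173.210.**.** is a placeholder."""
import ipaddress
import re

# Constructed excerpt of the posted running-config (relevant lines only).
CONFIG = """\
access-list 103 permit tcp 173.210.0.0 0.0.0.15 any eq telnet
access-list 103 permit tcp 173.210.0.0 0.0.0.15 any eq 3389
access-list 103 deny tcp any any eq telnet
access-list 103 deny tcp any any eq 3389
access-list 103 permit ip any any
ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet0 3389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
"""
PORT_NAMES = {"telnet": 23, "ssh": 22}

def _take_addr(toks):
    # 'any', or 'A.B.C.D wildcard'; ipaddress reads an IOS wildcard as a hostmask
    # (0.0.0.15 -> /28), except 0.0.0.0, which it would read as a /0 netmask.
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    mask = "32" if toks[1] == "0.0.0.0" else toks[1]
    return ipaddress.ip_network(f"{toks[0]}/{mask}", strict=False), toks[2:]

def parse_acl(text, number):
    """Return ACL <number> as (action, proto, src_net, dst_net, dport_or_None)."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["access-list", str(number)]:
            continue
        src, rest = _take_addr(toks[4:])
        dst, rest = _take_addr(rest)
        port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append((toks[2], toks[3], src, dst, port))
    return rules

def acl_verdict(rules, proto, src, dst, dport):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in rules:
        if p not in (proto, "ip") or s not in src_net or d not in dst_net:
            continue
        if port is None or port == dport:
            return action
    return "deny"

def static_nat_hit(text, inside_ip, inside_port):
    """Static PAT entry whose inside socket equals the reply's source, if any.
    The deny in SDM_RMAP_1 only exempts the overload rule, not static entries."""
    pat = re.compile(r"ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)")
    for m in pat.finditer(text):
        if m.group(1) == inside_ip and int(m.group(2)) == inside_port:
            return f"{m.group(3)}:{m.group(4)}"
    return None

def check_vpn_flow(text, dport, client="192.168.23.5", server="192.168.1.10"):
    """Both checks for one TCP destination port, e.g. 3389 (RDP) or 22 (SSH)."""
    return {"acl103_after_decrypt": acl_verdict(parse_acl(text, 103), "tcp", client, server, dport),
            "reply_static_nat": static_nat_hit(text, server, dport)}
```

A `None` in `reply_static_nat` means the reply is governed only by the overload rule, whose route-map already skips the VPN pool; a non-empty value means that reply would be rewritten toward the F0 address before IPsec sees it, which is the kind of per-port asymmetry the post describes (RDP fails while SSH, telnet and CIFS work).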