
remote VPN on Cisco 2821

Status
Not open for further replies.

rick283 (MIS), Jul 5, 2002, US
I'm having issues with setting up VPN on a 2821 to allow users to connect with the Cisco VPN client.

Initially the VPN clients cannot connect. If I telnet to the router and run "clear ip nat trans *", then the VPN clients can connect. Anywhere from 5 minutes to 30 minutes later, the VPN clients can no longer connect until I clear the IP NAT translation tables. Anyone have any ideas?

Here is the configuration:
Current configuration : 10687 bytes
!
! Last configuration change at 13:48:52 NewYork Tue Oct 4 2005
! NVRAM config last updated at 13:48:55 NewYork Tue Oct 4 2005
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco2821
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 XXXXXXXX
!
username vpnuser1 privilege 15 secret 5 XXXXXX
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate wic 0
no network-clock-participate aim 0
no network-clock-participate aim 1
network-clock-select 1 T1 0/0/0
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
ip cef
!
ip domain name yourdomain.com
ip name-server 19.109.129.6
ip name-server 19.109.129.4
ip name-server 19.109.129.5
ip ips po max-events 100
no ftp-server write-enable
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 1 timeslots 1-24 speed 64
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group vpngroup
key XXXXXXXXXXXx
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Tunnel1
no ip address
!
interface Loopback0
ip address 10.1.254.1 255.255.255.252
!
interface Loopback1
ip address 10.1.254.13 255.255.255.252
!
interface GigabitEthernet0/0
description inside interface
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description outside interface
ip address 19.226.157.98 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Serial0/0/0:0
ip address 10.1.254.5 255.255.255.252
ip nat inside
ip virtual-reassembly
encapsulation ppp
no fair-queue
!
interface Serial0/0/1:1
no ip address
shutdown
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
ip nat inside
ip virtual-reassembly
pvc 0/35
encapsulation aal5mux ppp Virtual-Template1
!
!
interface ATM0/2/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
ip nat inside
ip virtual-reassembly
pvc 0/35
encapsulation aal5mux ppp Virtual-Template2
!
!
interface Virtual-Template1
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
ppp pap sent-username XXXXXXXX password 0 XXXXXX
!
interface Virtual-Template2
ip unnumbered Loopback1
ip nat inside
ip virtual-reassembly
ppp pap sent-username XXXXXXXXX password 0 XXXXX
!
interface Group-Async0
physical-layer async
no ip address
no group-range
!
ip local pool SDM_POOL_1 10.1.6.100 10.1.6.200
ip classless
ip route 0.0.0.0 0.0.0.0 19.215.147.97
ip route 10.1.2.0 255.255.255.0 10.1.254.2
ip route 10.1.3.0 255.255.255.0 10.1.254.6
ip route 10.1.4.0 255.255.255.0 10.1.254.14
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool natmain 19.215.147.98 19.215.147.98 netmask 255.255.255.0
ip nat inside source route-map nonat pool natmain overload
ip nat inside source static tcp 10.1.1.1 23 19.215.147.98 23 extendable
ip nat inside source static tcp 10.1.1.46 5631 19.215.147.98 5631 extendable
ip nat inside source static tcp 10.1.1.46 5632 19.215.147.98 5632 extendable
!
!
access-list 100 deny ip 160.0.0.0 15.255.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 7.255.255.255 any
access-list 100 deny ip 248.0.0.0 7.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit ip any any
access-list 107 deny ip any 10.1.6.0 0.0.0.255
access-list 107 permit ip 10.1.1.0 0.0.0.255 any
access-list 107 permit ip 10.1.2.0 0.0.0.255 any
access-list 107 permit ip 10.1.3.0 0.0.0.255 any
access-list 107 permit ip 10.1.4.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 108 permit ip 10.1.2.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 108 permit ip 10.1.3.0 0.0.0.255 10.1.6.0 0.0.0.255
access-list 108 permit ip 10.1.4.0 0.0.0.255 10.1.6.0 0.0.0.255
!
route-map nonat permit 10
match ip address 107
!
end
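
The post's only workaround is to flush the whole NAT table, which discards every translation and says nothing about which one was in the way. A more useful first step is to capture `show ip nat translations` while clients are failing and look for entries that hold the IKE ports (UDP 500 and NAT-T UDP 4500) or ESP on the same inside-global address the VPN clients connect to, since that address is both the `natmain` pool address and the IPsec endpoint. The script below is an added example, not code from the poster or from Cisco: it parses that command's output and flags such entries. The sample output is constructed (the peer addresses 198.51.100.7 and 203.0.113.9 are documentation addresses); only the pool address and the DNS server come from the posted configuration.

```python
"""Flag NAT translations that occupy the IKE/NAT-T ports on the NAT pool address.

Added example for the thread above; it is not part of the original post and
was not run on the poster's router.  The 'show ip nat translations' lines
below are constructed for illustration.  The pool address is taken from the
posted 'ip nat pool natmain' line.
"""
from typing import Dict, List, Optional, Tuple

IKE_UDP_PORTS = {500, 4500}      # ISAKMP (UDP 500) and IPsec NAT-T (UDP 4500)
POOL_ADDRESS = "19.215.147.98"   # inside-global address of pool 'natmain' in the post

# Constructed sample output (not captured from the poster's router).  The
# column layout follows IOS: Pro, Inside global, Inside local, Outside local,
# Outside global; '---' marks a static entry with no outside peer yet.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 19.215.147.98:23   10.1.1.1:23        ---                ---
udp 19.215.147.98:500  10.1.1.50:500      198.51.100.7:500   198.51.100.7:500
udp 19.215.147.98:4500 10.1.1.50:4500     198.51.100.7:4500  198.51.100.7:4500
tcp 19.215.147.98:1025 10.1.1.20:1025     203.0.113.9:80     203.0.113.9:80
udp 19.215.147.98:53   10.1.1.20:53       19.109.129.6:53    19.109.129.6:53
"""


def _split_endpoint(token: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' into (addr, port); '---' or a bare address has no port."""
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_translations(text: str) -> List[Dict]:
    """Parse 'show ip nat translations' text into one dict per translation."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].lower() == "pro":
            continue                      # header line, blank line or short junk
        ig_addr, ig_port = _split_endpoint(parts[1])
        il_addr, il_port = _split_endpoint(parts[2])
        entries.append({
            "proto": parts[0].lower(),
            "inside_global": ig_addr, "inside_global_port": ig_port,
            "inside_local": il_addr, "inside_local_port": il_port,
            "outside_global": parts[4],
        })
    return entries


def find_ike_port_users(entries: List[Dict], pool_address: str) -> List[Dict]:
    """Return translations that hold UDP 500/4500 (or ESP) on pool_address.

    A VPN client's IKE and ESP traffic arrives at that same address, so these
    are the entries to examine first when clients only connect right after
    'clear ip nat translation *'.
    """
    hits = []
    for e in entries:
        if e["inside_global"] != pool_address:
            continue
        is_ike_udp = e["proto"] == "udp" and e["inside_global_port"] in IKE_UDP_PORTS
        if e["proto"] == "esp" or is_ike_udp:
            hits.append(e)
    return hits


def report(text: str, pool_address: str = POOL_ADDRESS) -> List[str]:
    """One human-readable line per suspect translation."""
    return [
        f"{e['proto']} {pool_address}:{e['inside_global_port']} is held by inside host "
        f"{e['inside_local']} (peer {e['outside_global']})"
        for e in find_ike_port_users(parse_translations(text), pool_address)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

On a real router, paste the output of `show ip nat translations` into a file and pass its contents to `report()` at the moment the clients stop connecting; if the flagged inside host is the same each time, that host's traffic is the thing to investigate before reaching for another table flush.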
