Question:
Cisco VPN not functioning. Config posted below.
anonymous
2008-08-04 18:11:29 UTC
Building configuration...

Current configuration : 1925 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
enable secret 5 $1$vs5B$X2jkx7XOYY2WJkTUoJWjn1
!
username xxx privilege 15 secret 5 $1$7cFT$xziJmE4PpXXmM7VfCMEQm.
username CRWS_Kannan privilege 15 password 7 125D5453255A0A256E247527001032125642545803010904055F
ip subnet-zero
ip name-server 151.196.0.38
ip name-server 151.199.0.39
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key key1 address x.x.x.x
!
!
crypto ipsec transform-set vpn esp-des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 66.15.176.225
 set security-association lifetime seconds 190
 set transform-set vpn
 match address 110
!
!
!
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1300
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 ip address x.x.x.x 255.255.255.0
 ip nat outside
 no ip mroute-cache
 no cdp enable
 crypto map vpn
!
ip nat inside source list 120 interface Ethernet1 overload
ip nat inside source static tcp 10.1.1.4 5954 x.x.x.x 5954 extendable
ip nat inside source static tcp 10.1.1.4 5631 x.x.x.x 5631 extendable
ip nat inside source static udp 10.1.1.4 5632 x.x.x.x 5632 extendable
ip nat inside source static tcp 10.1.1.4 3389 x.x.x.x 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1 x.x.x.x
ip http server
!
!
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 120 deny ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 any
no cdp run
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end
Four answers:
Jeff
2008-08-08 09:42:24 UTC
Alright, there's a lot going on here. A lot of possibilities.

First, you can tell if the tunnel is half-way up by typing "show crypt isa sa". If you see an entry in the list and the state is "qm_idle", then so far, so good. If you see anything other than that, you have a problem buried in the "crypt isakmp policy 1" section.

Second, you can tell if the tunnel is completely up by typing "show crypt ips sa" and checking to see if you have entries under the "outgoing ESP" and "incoming ESP" sections. If you have nothing in those sections, you have a problem.

Alright, now just because the tunnel is up doesn't mean that traffic can flow through it. You have denied those addresses from being NATted, which is good. However, you have static statements for hosts 10.2.1.10 & 10.1.1.4. Depending on the code version, this can cause a problem for those particular hosts. If you're testing the VPN from those machines, you may experience problems. Try testing the VPN from two different machines that don't have statics. If you don't have other machines, pull out the statics for testing.

Honestly, that is where I'd put my money. I can't find a document for it, but what's happening is that the packet is hitting the static statement and getting NATted even though the NAT access-list does not include those packets. It's complicated, and you'll need to do some more research on it, but this should get you started on your journey.

Alright, so if you test the VPN from other machines and stuff still doesn't work, then I'm out of ideas. As a friendly reminder, DES encryption is not the most bulletproof thing out there. Neither is MD5. You might want to up it to 3DES and SHA. Depending on the version of code, you may be able to do AES, too.

Jr
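A small model of the order of operations Jeff describes, added here as an example and not taken from the thread or from Cisco code: on the posted config the static entries are consulted before the overload rule that ACL 120 gates, and only the post-NAT packet is compared against crypto ACL 110. The WAN address 192.0.2.1 and the far-side client 10.2.1.10 are placeholders, and the model ignores everything else the router does.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int

def acl_permits(acl, pkt):
    """Cisco-style ACL: first matching entry wins, implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)):
            return action == "permit"
    return False

# Transcribed from the posted config: 110 is the crypto ACL, 120 the NAT ACL.
ACL_110 = [("permit", "10.1.1.0/24", "10.2.1.0/24")]
ACL_120 = [("deny", "10.1.1.0/24", "10.2.1.0/24"),
           ("permit", "10.1.1.0/24", "0.0.0.0/0")]
OUTSIDE = "192.0.2.1"  # placeholder for the poster's x.x.x.x WAN address
# (proto, inside host, port) of the four static entries in the posted config
STATICS = {("tcp", "10.1.1.4", 5954), ("tcp", "10.1.1.4", 5631),
           ("udp", "10.1.1.4", 5632), ("tcp", "10.1.1.4", 3389)}

def translate(pkt, statics=STATICS):
    """Inside->outside NAT lookup. Statics match on host and port alone;
    ACL 120 only gates the overload rule, so its deny cannot rescue a
    packet that a static entry has already claimed."""
    if (pkt.proto, pkt.src, pkt.sport) in statics:
        return pkt._replace(src=OUTSIDE), "static"
    if acl_permits(ACL_120, pkt):
        return pkt._replace(src=OUTSIDE), "overload"
    return pkt, "untranslated"

def goes_through_tunnel(pkt, statics=STATICS):
    """NAT runs before the crypto map on this path, so ACL 110 sees the
    post-NAT source. Returns (matches crypto ACL, how it was translated)."""
    post, reason = translate(pkt, statics)
    return acl_permits(ACL_110, post), reason

if __name__ == "__main__":
    # Constructed case: RDP server 10.1.1.4 answering a client across the tunnel
    reply = Packet("10.1.1.4", "10.2.1.10", "tcp", 3389)
    print(goes_through_tunnel(reply))         # (False, 'static')
    print(goes_through_tunnel(reply, set()))  # (True, 'untranslated'): statics pulled
```

The second call reproduces Jeff's test of pulling the statics: with no static entry to claim the packet, ACL 120 exempts it from NAT and it matches the crypto ACL.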
anonymous
2014-08-18 13:18:01 UTC
I suggest making use of VPNPower to be able to unblock web sites. I've been using them for 4 years. http://www.vpnpower.net
anonymous
2014-04-19 19:59:36 UTC
I recommend using http://www.vpnpower.net to unblock websites. I have been using their services for more than 3 years with no issues.
Florin G
2008-08-04 18:28:04 UTC
Posting this here is not the best idea :) and I'm pretty sure you will not find the best answer for this here; try the Cisco support site.
This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.