
VPN question


736xl (IS-IT--Management), Sep 14, 2005
I am having a difficult time with the outbound VPN. I can connect fine from outside coming in. However, if I am inside and trying to connect to another VPN (non-Cisco), sometimes it works, sometimes it doesn't. I can connect fine to Cisco devices configured for a tunnel.

I have a few users that need to connect to Microsoft servers via the VPN tunnel. Not sure why, but it doesn't work all the time.

Just for testing purposes, I've set up a Linksys router. The VPN works every time. So it has to be somewhere in my setup. Any help would be greatly appreciated. Below is my show run.

Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username: xxxx
Password:

Router#show run
Building configuration...

Current configuration : 5580 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$mBEL$CMo1ksy30SMjWfwYGWWms.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login crestron local
aaa authorization exec default local
aaa authorization network crestron local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -7
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.151 192.168.1.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 68.2.16.30 68.2.16.25
default-router 192.168.1.1
!
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 68.2.16.30
ip name-server 68.2.16.25
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2422102923
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2422102923
revocation-check none
rsakeypair TP-self-signed-2422102923
!
!
crypto pki certificate chain TP-self-signed-2422102923
certificate self-signed 01
quit
username xxxxx privilege 15 secret 5 $1$H2dF$UgABy3Hin2064S/hh/mr//
username xxxxx password 7 104D1B1C1603000402
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group office
key office
dns 68.2.16.25
wins 192.168.16.1
pool ippool
acl 111
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynamic 10
set transform-set 3DES-MD5
!
!
crypto map mymap client authentication list office
crypto map mymap isakmp authorization list office
crypto map mymap client configuration address respond
crypto map mymap 65000 ipsec-isakmp dynamic dynamic
!
!
!
interface Loopback1
ip address 3.3.3.1 255.255.255.252
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address dhcp client-id FastEthernet4 hostname cox.net
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
ip policy route-map redirect
!
ip local pool ippool 192.168.2.1 192.168.2.254
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxxx
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.50 3500 interface FastEthernet4 3500
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 permit ip host 192.168.1.50 192.168.2.0 0.0.0.255
no cdp run
route-map redirect permit 10
match ip address 112
set ip next-hop 3.3.3.2
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
password 7 00071A1507545A545C
login authentication crestron
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Router#
 
A little hint about posting passwords, even when they are encrypted...visit this site


and look at this line that you posted from your config...

username xxxxx password 7 104D1B1C1603000402

not to mention, this as well...

line vty 0 4
privilege level 15
password 7 00071A1507545A545C
login authentication crestron
transport input telnet ssh

Concentrate on everything after the "username xxxxx password 7", and you get this string...
104D1B1C1603000402
or this...for vty...
00071A1507545A545C
Now enter that string into the Java applet on that link that I posted and tell me how fast someone can crack your passwords. Bad news is I know it now, and you'll have to change it. Good news is that now you know. Also, I would not try to get into your network...otherwise, I would not be giving you this info.

Burt
 
Thanks Burt, but that's not it. Not sure why, but the information you will get is the group user name of my VPN tunnel. There is no password in any of those strings.

Many thanks for this post. Good to know.

One thing that I've somehow added (although it was there before) are the lines below in the access list:

access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any


Still, connecting to a Microsoft VPN does not work.
Any help would be greatly appreciated.

 
So you're telling me that the password when you telnet in is NOT cisco123??? I already know the password for your VPN group...like I said, I was only trying to give you info...

Burt
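Added example, not code from the thread or from Cisco: a small audit script that makes Burt's point concrete. IOS "password 7" is a fixed-key XOR encoding, not a hash, so a pasted config gives away the value; the `secret 5` lines in the same config are salted MD5 and are not reversible this way. It walks a constructed excerpt of the posted show run, recovers every type 7 string (the two quoted above), and says what each line should be replaced with. TYPE7_KEY is the publicly known constant every type 7 decoder relies on.

```python
import re

# Type 7 is a fixed-key XOR stream, not a hash; TYPE7_KEY is the publicly
# known constant every type 7 decoder (the Java applet included) relies on.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_PW7 = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})$")   # never matches 'secret 5'

def decode_type7(encoded: str) -> str:
    """Two decimal digits give the key offset; the rest is hex of plaintext XOR key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")

def audit_type7(config: str) -> list:
    """One finding per 'password 7' line: context, recovered value, replacement."""
    findings, block = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            block = "global"                     # '!' closes a config block
        elif line.startswith(("line ", "interface ")):
            block = line
        m = _PW7.search(line)
        if not m:
            continue
        if line.startswith("username "):
            fix = "username %s secret <new-password>" % line.split()[1]
        else:
            # under aaa new-model with 'login authentication <list>' the
            # line password is never consulted, so it is pure exposure
            fix = "no password"
        findings.append({"block": block, "line": line,
                         "recovered": decode_type7(m.group(1)), "fix": fix})
    return findings

# Constructed excerpt of the show run posted in the thread.
SAMPLE = """\
username xxxxx password 7 104D1B1C1603000402
!
line vty 0 4
password 7 00071A1507545A545C
login authentication crestron
"""

if __name__ == "__main__":
    for f in audit_type7(SAMPLE):
        print("[%(block)s] %(line)s -> %(recovered)r; use: %(fix)s" % f)
```

Run it against a full show run to list every reversible secret before a config is shared; `enable secret` and `username ... secret` lines are left alone because they are hashes.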