TareefA

Connection issues between Cisco 1720 router and Cisco 831 VPN Router
Hello, I have a remote office that has a Cisco 831 router that has a VPN tunnel to a central office with a Cisco 1720 Router. I am unable to authenticate to the Windows 2003 domain from the remote location and I cannot use Remote Desktop/Terminal services to or from the central office. I can do everything fine locally and with the Cisco VPN client software.

Here is my config for the remote office:

Current configuration : 3593 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Home-Office
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret *********************
!
Username ************
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.168.1 192.168.168.100
!
ip dhcp pool CLIENT
   import all
   network 192.x.x.x 255.255.255.0
   default-router 192.x.x.x
   dns-server 192.x.x.x
   netbios-node-type m-node
   netbios-name-server 192.x.x.x
   domain-name *****
   lease 0 8
!
!
ip cef
no ip domain lookup
ip domain name *******
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group *
crypto isakmp key ******** address ************
crypto isakmp keepalive 10 5
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map intmap 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set myset
 match address 100
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
!
interface Loopback1
 ip address 172.31.1.1 255.255.255.252
!
interface Ethernet0
 ip address 192.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 160 128000 16000 16000 conform-action transmit exceed-action drop
 duplex auto
 no cdp enable
 crypto map intmap
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Ethernet1 overload
!
access-list 100 remark Tunnel Encryption
access-list 100 permit ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.168.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.168.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 110 remark NAT RULES
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 110 deny   ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny   ip 192.168.168.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.168.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 110 permit ip 192.168.168.0 0.0.0.255 any
access-list 160 remark PRING RATE LIMIT
access-list 160 permit icmp any any
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 exec-timeout 0 0
 transport preferred all
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
end


It worked a few weeks ago, but then the ISP of the remote site made some "changes" and now it isn't going through.

Any ideas?


Thanks in advance,
Tareef


TareefA (ASKER)

By the way, I can ping and resolve servers/clients across the VPN, ping time is around 28-32ms.

Thanks

TareefA (ASKER)

I have discovered the issue, there was a "Blackhole" router. Reference http://support.microsoft.com/default.aspx?scid=kb;en-us;q314825.

I added the command: 'ip tcp mss 1412' and 'ip tcp path-mtu-discovery' to both routers, but the clients still had issues. I tried to add the command: 'mtu 1412' to the ethernet interface, but it says "Interface Ethernet 1 does not support user settable mtu".

So I had to manually set the clients' MTU to 1412. As some of the clients are laptops, I would prefer not to manually set the MTU on the client's interface.

The version is 12.3. Any thoughts?

Thanks,
Tareef



kbbcnet

<< It worked a few weeks ago, but then the ISP of the remote site made some
<< "changes" and now it isn't going through.
<<
Can you specify what changes were made? Did the ISP close specific ports or the like?

If you go to http://www.grc.com & run shields-up does it show the necessary ports open?



TareefA (ASKER)

Hello kbbcnet,

They said they performed some maintenance on their network. No ports were closed. But I just discovered from troubleshooting that the MTU has decreased. I had to set MTU on the client to 1412.

I tried to set it on the 831 Ethernet 1, using command 'ip mtu 1412', but when I do a 'sho int eth1', it still shows MTU 1500.

I need to set the MTU on the router to 1412, but not sure how.

Thanks,
Tareef

kbbcnet

<< tried to set it on the 831 Ethernet 1, using command 'ip mtu 1412', but when I do
<< a 'sho int eth1', it still shows MTU 1500.
<<
On your ethernet interface try using the command ip tcp adjust-mss 1452.
ip tcp adjust-mss 1412
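
Added example, not part of the thread or written by any poster: the packet-size arithmetic behind the symptoms discussed above, for the `esp-3des esp-sha-hmac` transform set in the posted config. It assumes IPv4, ESP tunnel mode and no IP or TCP options; the function names and the 1470-byte sample path MTU are constructed for illustration.

```python
# Added example: ESP tunnel-mode sizing for esp-3des + esp-sha-hmac.
# Assumptions: IPv4, no IP/TCP options, tunnel mode. Names are illustrative.
IP_HDR, TCP_HDR = 20, 20   # IPv4 and TCP headers without options
ESP_HDR = 8                # SPI (4) + sequence number (4)
IV_LEN = 8                 # 3DES-CBC IV
BLOCK = 8                  # 3DES-CBC block size
ESP_TRAILER = 2            # pad-length + next-header bytes
ICV_LEN = 12               # HMAC-SHA1-96 integrity check value
NAT_T = 8                  # extra UDP header if NAT traversal is in use


def esp_packet_size(inner_len, nat_t=False):
    """Bytes on the wire for one inner IP packet after ESP encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK  # round up to block
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN + (NAT_T if nat_t else 0)


def max_inner_packet(path_mtu, nat_t=False):
    """Largest inner IP packet whose ESP form still fits path_mtu."""
    fixed = IP_HDR + ESP_HDR + IV_LEN + ICV_LEN + (NAT_T if nat_t else 0)
    return (path_mtu - fixed) // BLOCK * BLOCK - ESP_TRAILER


def mss_for_mtu(ip_mtu):
    """TCP MSS that keeps segments inside an IP MTU."""
    return ip_mtu - IP_HDR - TCP_HDR


def outcome(inner_len, path_mtu, nat_t=False):
    """Model a black-hole hop: oversize packets are dropped, no ICMP returned."""
    fits = esp_packet_size(inner_len, nat_t) <= path_mtu
    return "delivered" if fits else "silently dropped"


if __name__ == "__main__":
    # Constructed sample: 1470 stands in for an unknown, reduced path MTU.
    path_mtu = 1470
    for label, size in [("ping, 32 data bytes", 60),
                        ("TCP, client MTU 1500", 1500),
                        ("TCP, client MTU 1412", 1412)]:
        print(f"{label:22} inner={size:4} esp={esp_packet_size(size):4} "
              f"{outcome(size, path_mtu)}")
    print("MSS matching a 1412-byte MTU:", mss_for_mtu(1412))
    print("largest inner packet at", path_mtu, "=", max_inner_packet(path_mtu))
```

Small packets such as pings and name lookups pass while full-size TCP segments vanish, which is the pattern a black-hole hop produces. `ip tcp adjust-mss` takes an MSS rather than an MTU, so the value matching a 1412-byte client MTU is 1372.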

ASKER CERTIFIED SOLUTION
kbbcnet
