On the 1821 router I randomly lose the connection from the inside machine 192.168.0.31 to the VPN site (I receive host unreachable from router 192.168.0.1) and to the internet, but from other machines there are no issues. From the VPN site I can ping and reach 192.168.0.31.
Any idea?
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key kkkkkk address xxxxx no-xauth
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-01 esp-des esp-sha-hmac
!
crypto map CM-FE1 10 ipsec-isakmp
 description VPN Van to x
 set peer xxxxxx
 set transform-set TS-01
 set pfs group2
 match address 100
!
!
!
!
interface FastEthernet0
 description UNIT NETWORK (192.168.0.0)
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
 no cdp enable
 hold-queue 4096 in
 hold-queue 4096 out
!
interface FastEthernet1
 description ADSL line - VPN to x
 backup delay 10 10
 backup interface BRI0
 ip address dhcp
 ip access-group FE1-IN in
 ip access-group FE1-OUT out
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
 no cdp enable
 crypto map CM-FE1
 hold-queue 4096 in
 hold-queue 4096 out
!
interface BRI0
 bandwidth 64
 ip address 172.31.225.1 255.255.255.0
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 load-interval 60
 dialer idle-timeout 90
 dialer fast-idle 1
 dialer enable-timeout 1
 dialer string xxxxx
 dialer hold-queue 100
 dialer load-threshold 192 either
 dialer-group 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
 ppp authentication chap
 ppp multilink
 hold-queue 512 in
 hold-queue 512 out
!
interface Vlan1
 no ip address
!
ip route 0.0.0.0 0.0.0.0 BRI0 10
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip nat pool IP-POOL-VPN 172.31.225.1 172.31.225.254 prefix-length 24 type match-host
ip nat inside source route-map RM-NAT-INTERNET interface FastEthernet1 overload
ip nat inside source route-map RM-NAT-VPN pool IP-POOL-VPN reversible
!
ip access-list extended FE1-IN
 evaluate FE1-OUT-REFLEX
 permit udp host xxxx eq isakmp any eq isakmp
 permit udp host xxxxx eq non500-isakmp any eq non500-isakmp
 permit esp host xxxx any
 permit udp any eq bootps host 255.255.255.255 eq bootpc
 remark Permit traffic coming from x
 permit ip 172.31.0.0 0.0.255.255 172.31.225.0 0.0.0.255
 permit ip 10.16.127.0 0.0.0.127 172.31.225.0 0.0.0.255
 deny ip any any log
ip access-list extended FE1-OUT
 permit ip any any reflect FE1-OUT-REFLEX
 deny ip any any log
!
no logging trap
access-list 100 remark Encrypts traffic with destination x
access-list 100 permit ip 172.31.225.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.31.225.0 0.0.0.255 10.16.127.0 0.0.0.127
access-list 100 deny ip any any
access-list 101 permit icmp any any
access-list 101 deny ip any any
access-list 111 remark Traffic that can go in internet
access-list 111 deny ip any 10.0.0.0 0.255.255.255
access-list 111 deny ip any 172.16.0.0 0.15.255.255
access-list 111 deny ip any 192.168.0.0 0.0.255.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 deny ip any any
access-list 121 remark traffic To be natted for Vpn
access-list 121 permit ip 192.168.0.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 121 permit ip 192.168.0.0 0.0.0.255 10.16.127.0 0.0.0.127
access-list 121 deny ip any any
dialer-list 1 protocol ip list 101
no cdp run
route-map RM-NAT-VPN permit 1
 match ip address 121
!
route-map RM-NAT-INTERNET permit 10
 match ip address 111
8/22/2022 - Mon
Sniper98G
If this is only affecting one of many machines, I would look into the usual suspects for loss of connection. Barring any misconfiguration of the workstation (192.168.0.31), like default gateway settings, I would begin checking into the router (and any switches between it and the workstation) to ensure its ARP and CAM table entries are building properly. If this is not happening, try clearing the ARP and CAM tables and rebuilding them. If it is still not working, I would suspect the NIC on the workstation.
antoniopagliuca
ASKER
The NIC on the workstation is OK and the ARP and CAM tables are OK; otherwise I could not reach this machine from the VPN site.
This problem is the same on other 1821 routers with the same config connected by VPN to the same terminator.
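Added example, not part of the original thread: a Python model of ACLs 100, 111 and 121 and the match-host pool from the configuration posted in the question, showing which NAT route-map a packet from 192.168.0.31 hits and whether the translated packet matches the crypto ACL. The function names and the sample destination addresses are constructed; the model assumes outbound NAT is applied before the crypto map check and that the FastEthernet1 DHCP address is outside 172.31.225.0/24.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & care) == (_int(base) & care)

# (action, (src, src_wildcard), (dst, dst_wildcard)), copied from the posted config.
ACL_100 = [("permit", ("172.31.225.0", "0.0.0.255"), ("172.31.0.0", "0.0.255.255")),
           ("permit", ("172.31.225.0", "0.0.0.255"), ("10.16.127.0", "0.0.0.127")),
           ("deny", ANY, ANY)]
ACL_111 = [("deny", ANY, ("10.0.0.0", "0.255.255.255")),
           ("deny", ANY, ("172.16.0.0", "0.15.255.255")),
           ("deny", ANY, ("192.168.0.0", "0.0.255.255")),
           ("permit", ("192.168.0.0", "0.0.0.255"), ANY),
           ("deny", ANY, ANY)]
ACL_121 = [("permit", ("192.168.0.0", "0.0.0.255"), ("172.31.0.0", "0.0.255.255")),
           ("permit", ("192.168.0.0", "0.0.0.255"), ("10.16.127.0", "0.0.0.127")),
           ("deny", ANY, ANY)]

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, d in acl:
        if wc_match(src, *s) and wc_match(dst, *d):
            return action == "permit"
    return False

def match_host(src, pool_net="172.31.225.0", prefix=24):
    """'type match-host': keep the host bits, swap in the pool's network bits."""
    host_mask = (1 << (32 - prefix)) - 1
    net = _int(pool_net) & (0xFFFFFFFF ^ host_mask)
    return str(ipaddress.IPv4Address(net | (_int(src) & host_mask)))

def trace(src, dst):
    """Return (NAT route-map, post-NAT source, permitted by crypto ACL 100?)."""
    # ACL 111 denies every destination ACL 121 permits, so rule order is irrelevant.
    if acl_permits(ACL_121, src, dst):
        new_src = match_host(src)
        return "RM-NAT-VPN", new_src, acl_permits(ACL_100, new_src, dst)
    if acl_permits(ACL_111, src, dst):
        return "RM-NAT-INTERNET", None, False  # PAT to the FastEthernet1 address
    return None, src, acl_permits(ACL_100, src, dst)

if __name__ == "__main__":
    print(trace("192.168.0.31", "172.31.10.5"))
```

A destination such as 10.16.127.200 falls outside the 0.0.0.127 wildcard, so it matches neither NAT route-map nor the crypto ACL and is not tunnelled.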