troubleshooting Question

Cisco 2800 Router bonded T1's and VPN questions

chawness asked on
Routers
I just recently switched to a new ISP and a new Cisco 2800 router. Everything is working now except for my VPN. When my users try to connect, it gets to the "Verifying username and password" and stops. It errors out with 721. I'm using Wireshark on the VPN server and can see communication with the client. I can also see the clients being allowed through my firewall.

How can I be sure the router is allowing VPN communication to pass in and out? Here is my current router config:



User Access Verification

Username: f*********t
Password:
G****************g#show run
Building configuration...

Current configuration : 4099 bytes
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname G***************g
!
boot-start-marker
boot-end-marker
!
card type t1 0 1
card type t1 0 2
logging buffered 51200 warnings
enable secret 5 $1**************************1
!
no aaa new-model
network-clock-participate wic 1
network-clock-participate wic 2
ip cef
!
!
!
!
no ip domain lookup
ip domain name G************y.local
multilink bundle-name authenticated
!
!
!
username fi*****t privilege 15 secret 5 $***********************************r.

archive
 log config
  hidekeys
!
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
!
!
!
interface Multilink1
 ip address 216.30.193.98 255.255.255.252
 ip access-group 104 in
 ip nat outside
 ip virtual-reassembly
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 64.181.96.241 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1/0:1
 description Link 1 to WAN
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/0:1
 description Link 2 to WAN
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.30.193.97
!
!
no ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface Multilink1 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 permit tcp any any established
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_15##
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit udp host 66.109.175.210 eq domain any
access-list 104 permit udp host 216.30.255.3 eq domain any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit tcp any any eq telnet
access-list 104 permit tcp any any eq www
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   tcp any eq 5060 any eq 5060
access-list 104 deny   udp any eq 5060 any eq 5060
access-list 104 deny   tcp any eq 5061 any eq 5061
access-list 104 deny   udp any eq 5061 any eq 5061
access-list 104 deny   tcp any eq 2427 any eq 2427
access-list 104 deny   udp any eq 2427 any eq 2427
access-list 104 deny   tcp any eq 2517 any eq 2517
access-list 104 deny   udp any eq 2517 any eq 2517
access-list 104 deny   tcp any eq 1718 any eq 1718
access-list 104 deny   udp any eq 1718 any eq 1718
access-list 104 deny   tcp any eq 1719 any eq 1719
access-list 104 deny   udp any eq 1719 any eq 1719
access-list 104 deny   tcp any eq 1720 any eq 1720
access-list 104 deny   udp any eq 1720 any eq 1720
access-list 104 permit ip any any
!
!
control-plane
!
disable-eadi
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

G************g#
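
One way to check the router offline, as an added example that is not part of the original post: a first-match evaluator for access-list 104, which the posted config applies inbound on Multilink1. The client address 203.0.113.50, the server address 64.181.96.242, and the use of GRE as test traffic are assumptions, since the post does not name the VPN protocol or the server's address.

```python
import ipaddress

# Excerpt of access-list 104 as posted; pass the full "show run" text in practice.
ACL = """\
access-list 104 permit tcp any any established
access-list 104 permit udp host 216.30.255.3 eq domain any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   tcp any eq 1720 any eq 1720
access-list 104 permit ip any any
"""
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "telnet": 23, "www": 80}

def _addr(tok):  # consume 'any', 'host A' or 'A WILDCARD' -> (addr, wildcard)
    first = tok.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    a, w = (tok.pop(0), "0.0.0.0") if first == "host" else (first, tok.pop(0))
    return int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(w))

def _port(tok):  # consume an optional 'eq PORT'; None means any port
    if tok[:1] != ["eq"]:
        return None
    _, name = tok.pop(0), tok.pop(0)
    return PORTS.get(name) or int(name)

def parse(text, number="104"):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["access-list", number] and tok[2] != "remark":
            rest = tok[4:]  # what follows the protocol keyword
            rules.append((line, tok[2], tok[3], _addr(rest), _port(rest),
                          _addr(rest), _port(rest), rest[0] if rest else None))
    return rules

def _hit(spec, ip):  # wildcard-mask compare: bits set in the mask are ignored
    return (int(ipaddress.IPv4Address(ip)) | spec[1]) == (spec[0] | spec[1])

def evaluate(rules, pkt):  # first match wins, then the implicit deny
    for line, action, proto, src, sport, dst, dport, qual in rules:
        if (proto in ("ip", pkt["proto"]) and _hit(src, pkt["src"])
                and _hit(dst, pkt["dst"]) and sport in (None, pkt.get("sport"))
                and dport in (None, pkt.get("dport"))
                and qual in (None, pkt.get("qual"))):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":  # constructed packet: GRE from a documentation address
    pkt = {"proto": "gre", "src": "203.0.113.50", "dst": "64.181.96.242"}
    print(evaluate(parse(ACL), pkt))
```

In `pkt`, `sport` and `dport` are integers, and `qual` carries `established` (a TCP segment with ACK or RST set) or an ICMP type name such as `echo-reply`. The returned line is the entry that decided the packet, which is the same entry whose hit counter would increase in `show access-lists 104` on the router.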