Solved

Site-to-Site VPN between a Cisco 2821 Router and a Cisco VPN Concentrator 3060

Posted on 2011-03-22
5
676 Views
Last Modified: 2012-06-27
I have a site-to-site VPN between a Cisco 2821 Router and a Cisco VPN Concentrator 3060.  The VPN is currently up and working, but I need to modify the access-list for the VPN, and when I do the VPN goes down.  I am modifying the access-list for the VPN to get rid of a network that doesn't exist anymore.  Below is the relevant information for the Cisco 2821 side:

Cisco 2821

crypto map cti_office_map 1 ipsec-isakmp
 description Main_Office
 set peer x.x.x.135
 set transform-set to_cti
 match address 110

access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.0.16.0 0.0.15.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.3.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.5.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 10.6.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 110 permit ip 192.0.0.0 0.255.255.255 172.31.252.0 0.0.3.255

I'm want to remove the following lines from the access-list:

access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.0.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 10.0.32.0 0.0.15.255
access-list 110 permit ip 10.4.0.0 0.0.255.255 172.31.252.0 0.0.3.255

The 10.4.0.0/16 network does not exist anymore that's why I want to remove it.  When I remove these 3 lines the VPN goes down.  I'm not sure why:

On the concentrator 3060 side of things I removed the 10.4.0.0/16 network just fine and the VPN stayed up.  Any ideas on what to do on the Cisco 2821 side?  Thanks.
0
Comment
Question by:denver218
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 9

Accepted Solution

by:
ffleisma earned 250 total points
ID: 35189066
after removing the 10.4.0.0/16 network on the 2821, did you try to ping from the other subnets to let the VPN try and establish a new VPN connection? you may use an extended ping from 10.5.0.0 subnet IP just to test if that subnet can create and establish the VPN connection.

at first look, looking at those ACL, it should not create a problem when you remove the said lines.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 250 total points
ID: 35189088
So when you removed the lines, did you check if the match address 110 was still in place? The same thing goes for the nat exempt (if you use that).
0
 
LVL 4

Author Comment

by:denver218
ID: 35189129
Thanks.  I had a constant ping going, but the VPN still went down when I removed those lines
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 35189199
can i ask where how and where you issued the constant ping? I'm guessing that the constant ping is coming from the 10.4.0.0 subnet. just want to make sure that you are issuing the ping from the other subnets (like 10.5.0.0) and that clients on the 10.5.0.0 subnets are able to establish VPN connections.

also, take note that crypto ACL should be mirror image on both sides. For routers the ACL should be mirror of each other (in a sense looking the same but coming from and pointing on the other direction).
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 35191429
All is working now.  After I removed those lines in the ACL, I rebooted the router and all was well.  All VPN's came back up
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
can't ssh to external IP 9 87
Bandwidth cap???? 8 98
types of VPN 2 57
VPN Exposure 19 39
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question