vpn time out
azobiora
Hi guys!
OK, I really do need a helping hand here, just before I lose it! I have done all that needs to be done. Configured a site-to-site between a 2811 router and ASA 5505. After long troubleshooting I found out that I needed to set an SA lifetime before I could establish a tunnel on both gears. Now that's done. But I still do have some problems.
1. Every 15 min the tunnel goes down, and I have to test the tunnel with SDM before it comes back up again. Sometimes I get a report that the peer is not responding and that I should check my connection, yet I could ping the remote site very well from a workstation and even from the router while it generates this report.
2. I was thinking that with the access-list permitting traffic between the specified LANs of 192.168.19.0/24 to 192.168.21.0/24 while creating the interesting traffic is just enough for just about everything... But it seems to me that I am wrong about this. What I mean is, after I established the tunnel, I could only ping the internal interface of my router on the .19.7 network from my .21 network. I just can't reach any other device on the .19 subnet. Below is my config on the router:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 84.54.187.98 no-xauth
!
!
crypto ipsec transform-set MRS_VPN esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to84.54.187.98
 set peer 84.54.187.98
 set security-association lifetime seconds 86400
 set transform-set MRS_VPN
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 description LAN_INTF$ETH-LAN$
 ip address 192.168.19.7 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex half
 speed 100
!
interface FastEthernet0/1
 description WAN_INT
 ip address 21.21.89.12 255.255.255.248
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 no cdp enable
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 21.21.89.9
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip access-list standard NAT_ADDRESS
 permit 192.168.19.0 0.0.0.255
!
access-list 100 permit ip 192.168.19.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 deny ip 192.168.19.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.19.0 0.0.0.255 any
match ip address 101
I really would appreciate any ideas as to how I could sort this problem, please. Also going for other VPN configs on the same router again, EZVPN too!
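The posted config uses ACL 100 as the crypto map's interesting-traffic list and ACL 101 for NAT. The following is an added example, not part of the original post and not Cisco or SDM tooling: it checks that every flow ACL 100 protects is denied (left untranslated) by ACL 101 before any permit entry can match. It assumes the `match ip address 101` line belongs to route-map SDM_RMAP_1, uses hypothetical function names, and handles only `ip` entries with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed input: the three ACL lines copied from the router config in the post.
CONFIG = """\
access-list 100 permit ip 192.168.19.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 deny ip 192.168.19.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 192.168.19.0 0.0.0.255 any
"""

def _take_net(tokens):
    """Pop one IOS address spec (any | host A | A WILDCARD) off the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard mask is an inverted netmask; a non-contiguous one raises ValueError.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list (\d+) (permit|deny) ip (.+)", line)
        if m:
            tokens = m.group(3).split()
            src = _take_net(tokens)
            dst = _take_net(tokens)
            acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls

def nat_action(nat_acl, src, dst):
    """First-match result in the NAT ACL; 'deny' means the flow is not translated."""
    for action, a_src, a_dst in nat_acl:
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            covered = src.subnet_of(a_src) and dst.subnet_of(a_dst)
            # A partial overlap means only part of the flow hits this entry.
            return action if covered else "partial-" + action
    return "deny"  # implicit deny at the end of every IOS ACL

def unexempted_flows(acls, crypto_acl, nat_acl):
    """Crypto-ACL permits that the NAT ACL does not fully deny (exempt) first."""
    return [(str(s), str(d), nat_action(acls[nat_acl], s, d))
            for action, s, d in acls[crypto_acl] if action == "permit"
            and nat_action(acls[nat_acl], s, d) != "deny"]
```

For the ACLs as posted, `unexempted_flows(parse_acls(CONFIG), 100, 101)` returns an empty list, so the NAT exemption order matches the crypto ACL; reversing the two ACL 101 entries makes the flow show up as translated.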