871 VPN Router to ASA 5500 Only sees some networks

We have an 871 VPN router connected back to our main facility ASA 5500. The VPN tunnel seems to come and go for no reason we can find.

The weird thing of all this is that we can only ping some subnets and not everything even though we allow all networks to be routed.

This is one of those things we keep looking at but for some reason just can't find the problem.

Hoping another set of eyes spots something obvious.....

Config below

Current configuration : 9347 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Lincoln-Office
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 64000
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius ACS
server 10.2.2.201 auth-port 1645 acct-port 1646
server 10.2.2.202 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ TACAUTH
server 10.2.2.201
server 10.2.2.202
!
aaa authentication login vty local
aaa authentication login cc group tacacs+ local line
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group TACAUTH if-authenticated
aaa authorization network default group ACS
aaa accounting commands 15 default
action-type start-stop
!
!
!
aaa session-id common
clock timezone est -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-3320966540
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3320966540
revocation-check none
rsakeypair TP-self-signed-3320966540
!
!
crypto pki certificate chain TP-self-signed-3320966540
certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333230 39363635 3430301E 170D3032 30383139 30373533
  32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33323039
  36363534 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D645 BC09F98E CC10F4C3 74B35535 780EBD9B D8A66766 F2BA7FED E345E50E
  0369141B 48F4A906 2FE39DC6 F56E96D4 29DCABAC F60570DC C23A3705 08EEDA4B
  8610B8AA 83F0792B C965D1B8 8E67359B F728A491 1D919B9A 3D135629 3544B1FD
  35D07F9D 85165255 E16B35D0 791A8BD5 7A1D9EFB 531F8C43 78F20719 40559E4E
  35AB0203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 194C696E 636F6C6E 2D4F6666 6963652E 736A6873 2E6C6F63
  616C301F 0603551D 23041830 168014A2 4417B779 46022464 5DE617D1 5210A9B4
  FE471C30 1D060355 1D0E0416 0414A244 17B77946 0224645D E617D152 10A9B4FE
  471C300D 06092A86 4886F70D 01010405 00038181 002B01F1 F04BD1AA A49C582F
  AAD3E752 3DA934B0 CDAAFB90 CAB1E157 A5716567 28537677 4F1FEE65 DB45B6B5
  40A615B8 365B21DD 3AB4FD42 E876276B D1171331 DECC02BE CB5AFAC8 92B0C7E7
  9F0FE527 F96D471B 77CB4F54 29DE5658 CB6B70E7 971A2433 7D7BF27B EEBF514E
  9C9E68AC 30FDC52A 097B39F6 3E794080 EA898880 C7
        quit
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip inspect name Internet tcp
ip inspect name Internet udp
ip domain lookup source-interface Vlan99
ip domain name sjhs.local
ip name-server 10.32.0.33
ip name-server 10.32.0.32
!
!
dot1x system-auth-control
dot1x credentials CC
!
!
!


!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key testtest address 22.22.22.22
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto map CharterCARE 10 ipsec-isakmp
set peer 22.22.22.22
set transform-set VPN
set pfs group5
match address 103
!
archive
log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
switchport access vlan 99
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 99
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 99
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 99
spanning-tree portfast
!
interface FastEthernet4
ip address 11.22.33.44 255.255.255.224
ip access-group INTERNET_IN in
ip inspect Internet out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map CharterCARE
!
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 10.6.55.1 255.255.255.0
ip helper-address 10.2.2.141
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (to cable internet gateway)
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 101 interface FastEthernet4 overload
ip tacacs source-interface Vlan99
!
ip access-list extended INTERNET_IN
permit ip host 198.7.242.68 any
permit ip host 198.7.242.79 any
permit icmp any any echo-reply
permit icmp any any administratively-prohibited
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
permit ip host 198.7.242.69 any
deny   ip any any log
!
ip radius source-interface Vlan99
logging trap warnings
logging 10.2.2.30
access-list 101 deny   ip 10.6.55.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.2.2.0 0.0.1.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.253.255.0 0.0.0.7
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.64.10.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.64.251.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.64.250.0 0.0.0.255
access-list 101 permit ip 10.6.55.0 0.0.0.255 any
access-list 102 permit ip 10.6.55.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.6.55.0 0.0.0.255 10.2.2.0 0.0.1.255
access-list 102 permit ip 10.6.55.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip 10.6.55.0 0.0.0.255 10.253.255.0 0.0.0.7
access-list 102 permit ip 10.6.55.0 0.0.0.255 10.64.10.0 0.0.0.255
access-list 102 permit ip 10.6.55.0 0.0.0.255 10.64.250.0 0.0.1.255
access-list 102 permit ip 10.6.55.0 0.0.0.255 10.64.250.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.2.2.0 0.0.1.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.253.255.0 0.0.0.7
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.64.10.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 172.25.250.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 172.25.251.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.32.0.0 0.0.0.255
access-list 104 permit ip 10.6.55.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 permit ip 10.6.55.0 0.0.0.255 172.25.0.0 0.0.255.255
!
!
!
tacacs-server host 10.2.2.201
tacacs-server host 10.2.2.202
tacacs-server key 7 xxxxxxxxxxxxxxxxxxx
radius-server host 10.2.2.201 auth-port 1645 acct-port 1646
radius-server host 10.2.2.202 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 protocol ieee
banner exec ^C

***************************************
****                               ****
***                                 ***
**                                   **
*        Serial # xxxxxxxxxxx         *
**                                   **
***                                 ***
****                               ****
***************************************
^C
banner motd ^C

********************************************************************************
*   *
********************************************************************************

^C
!
line con 0
exec-timeout 30 0
logging synchronous
login authentication vty
no modem enable
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 xxxxxxxxxxx
logging synchronous
login authentication cc
transport preferred ssh
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
ntp server 10.2.2.1
end

1 REPLY

Cisco Employee

Nothing seems to be incorrect on the router configuration. You might want to share the ASA end config to see if it's a config error.

Also just make sure that NAT exemption has been configured for all those networks on ASA as well as routing on the ASA end is correct for 10.6.55.0/24 (router LAN) subnet.
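The reply's NAT-exemption advice can be cross-checked on the router side of the posted config as well. On IOS, a packet going from the inside to the outside interface is translated by NAT before the crypto map is evaluated, so any destination that the crypto ACL (103) lists but the NAT source list (101) does not deny is sent out with the FastEthernet4 address as its source and never matches the tunnel; conversely, a destination that 101 exempts but 103 does not encrypt leaves the outside interface untranslated and in the clear. The following Python script is an added example, not part of the thread and not a Cisco tool: it parses the numbered access-lists copied from the posted config and reports both kinds of mismatch. Function and variable names are my own.

```python
import ipaddress

# Numbered access-list lines copied verbatim from the 871 running config
# posted in the thread (ACL 101 = NAT source list, ACL 103 = crypto map match).
POSTED_ACLS = """\
access-list 101 deny   ip 10.6.55.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.2.2.0 0.0.1.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.253.255.0 0.0.0.7
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.64.10.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.64.251.0 0.0.0.255
access-list 101 deny   ip 10.6.55.0 0.0.0.255 10.64.250.0 0.0.0.255
access-list 101 permit ip 10.6.55.0 0.0.0.255 any
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.2.2.0 0.0.1.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.253.255.0 0.0.0.7
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.64.10.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 172.25.250.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 172.25.251.0 0.0.0.255
access-list 103 permit ip 10.6.55.0 0.0.0.255 10.32.0.0 0.0.0.255
"""


def _wildcard_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an IPv4Network.

    Wildcard bits are the inverse of netmask bits, so invert and hand the
    resulting netmask to ipaddress. Non-contiguous wildcards raise ValueError.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_network(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src_network, dst_network), ...]} for
    numbered 'access-list N permit|deny ip ...' lines; other lines are skipped."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, rest = _take_network(tok[4:])
        dst, _ = _take_network(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls


def unexempted_crypto_destinations(acls, nat_acl="101", crypto_acl="103"):
    """Crypto ACL destinations not covered by a NAT-ACL deny: that traffic is
    translated before the crypto map sees it and never enters the tunnel."""
    exempt = [dst for action, _, dst in acls.get(nat_acl, []) if action == "deny"]
    return [dst for action, _, dst in acls.get(crypto_acl, [])
            if action == "permit" and not any(dst.subnet_of(ex) for ex in exempt)]


def exempt_but_unencrypted(acls, nat_acl="101", crypto_acl="103"):
    """NAT-exempted destinations the crypto ACL does not encrypt: that traffic
    leaves the outside interface with a private source and no IPsec."""
    encrypted = [dst for action, _, dst in acls.get(crypto_acl, []) if action == "permit"]
    return [ex for action, _, ex in acls.get(nat_acl, [])
            if action == "deny" and not any(ex.subnet_of(enc) for enc in encrypted)]


if __name__ == "__main__":
    acls = parse_acls(POSTED_ACLS)
    print("In crypto ACL 103 but NOT exempted from NAT by ACL 101:")
    for net in unexempted_crypto_destinations(acls):
        print("  ", net)
    print("Exempted from NAT by ACL 101 but NOT in crypto ACL 103:")
    for net in exempt_but_unencrypted(acls):
        print("  ", net)
```

Run against the posted lists, the first check flags 172.25.250.0/24, 172.25.251.0/24 and 10.32.0.0/24 (the last of which contains the router's configured name-servers), and the second flags 10.64.251.0/24 and 10.64.250.0/24. The fix shape is the usual one: the deny lines in the NAT source list and the permit lines in the crypto ACL should describe the same set of site-to-site destinations, mirrored by the NAT exemption and crypto ACL on the ASA.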