Cisco 851&871 Site-to-Site VPN and connection dead

By Cisco-addict
Hi all,

I share a VPN with a friend using a Cisco 851 (mine) and 871 (his).
However, if he logs in with SSH at a Linux box and issues a command which produces lots of output (like top), the connection just goes.
On the other hand: if I log in at his Linux box behind the Cisco and issue top: clearly working.

Last but not least: I have a dynamic IP and he has a static one.

Anyone got a clue?

Here's my running config :

Building configuration...

Current configuration : 8132 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$Ct2f$PtVoCFPgjzFXQ2flCBrim1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4180214268
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4180214268
revocation-check none
rsakeypair TP-self-signed-4180214268
!
!
crypto pki certificate chain TP-self-signed-4180214268
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313830 32313432 3638301E 170D3037 30393139 31373133
35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31383032
31343236 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100ABA4 46D09243 AB2B4304 A4CFDBC5 4EA38EAA 02F7B2A0 21D5BA70 B94AFD95
65960785 86097944 26057AAD E379D57C 78EBF888 F123B52A CF4541BE 554AB304
D49755C4 B7CC37AB 98F6**83 343CB1C9 B2E79C0D 9988D980 A9068108 E5D47B3A
8705E94E EDA62098 49B7F9 5CBA2943 FA947C3B CCFCB035 A86F2474 F753FFFE
D89B0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14F6EC42 2E5D4B0E 7427ED7B 568E834F E1459270
16301D06 03551D0E 04160414 F6EC422E 5D4B0E74 27ED7B56 8E834FE1 45927016
300D0609 2A864886 F70D0101 04050003 8181003A B3F80A66 D91B8A0A 7BC9DFDE
A7BEFE6B 72892BF4 25CE278E F6560855 EB15AE4E 9231E582 F46CCA18 8721CB43
8B769528 8339413D 5E3DB1AB 8E6800E8 B3008244 0A4EE197 F5BE64D8 FFB9787B
9E10BBBE 61DE9F25 B9EC7461 183B2D91 5EFA9D83 8443F7A9 45763A85 319D4D39
CA229E89 0417660F C08C2B5B D6096D88 382A9B
quit
username dennis privilege 15 secret 5 $1$LEit$FZGzOl63hMSvvxgWGwE/B0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key comsolve!rulez address 213.84.172.75
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to213.84.172.75
set peer 213.84.172.75
set transform-set ESP-3DES-SHA
match address 103
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
router rip
version 2
network 192.168.1.0
no auto-summary
!
ip classless
ip flow-top-talkers
top 20
sort-by bytes
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 62.179.104.196 eq domain any
access-list 100 permit udp host 192.168.1.1 eq domain any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq www
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.16.0.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 permit udp host 213.84.172.75 any eq non500-isakmp
access-list 102 permit udp host 213.84.172.75 any eq isakmp
access-list 102 permit esp host 213.84.172.75 any
access-list 102 permit ahp host 213.84.172.75 any
access-list 102 permit udp host 62.179.104.196 eq domain any
access-list 102 permit tcp any any eq www
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.31.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.31.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 105 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
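Added example, not part of the original post or of Cisco's tooling: a small Python checker that reads the relevant lines of an IOS site-to-site IPsec config like the one above and reports the three things a practitioner verifies first when a tunnel passes small traffic but breaks under bulk transfer. It checks that the crypto ACL (103) is mirrored by a deny in the NAT-exempt ACL (104) so VPN-bound traffic is not translated before encryption, that the outside ACL (102) admits ISAKMP, NAT-T and ESP from the peer, and whether the inside interface's `ip tcp adjust-mss` leaves room for ESP overhead inside a 1500-byte WAN MTU. The embedded config excerpt is constructed from the posted config; the 57-byte overhead figure is a worst-case estimate for esp-3des/esp-sha-hmac in tunnel mode and the 1500-byte link MTU is an assumption, since the post does not state the WAN MTU. The MSS result is a pointer to investigate, not a diagnosis: the peer's 871 config is not on the page.

```python
# Added example: sanity checks over an IOS site-to-site IPsec configuration.
# Not Cisco code; the rules encode standard IOS requirements for such a tunnel.
import re

# Constructed excerpt of the posted config (only the lines the checks read).
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 213.84.172.75
 match address 103
interface FastEthernet4
 ip access-group 102 in
 crypto map SDM_CMAP_1
interface Vlan1
 ip tcp adjust-mss 1452
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 102 permit udp host 213.84.172.75 any eq non500-isakmp
access-list 102 permit udp host 213.84.172.75 any eq isakmp
access-list 102 permit esp host 213.84.172.75 any
access-list 102 deny ip any any log
access-list 103 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.31.255
access-list 104 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.31.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 104
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.+)$", re.M)

# Assumed worst-case tunnel-mode overhead for esp-3des/esp-sha-hmac (bytes):
# outer IP 20 + SPI 4 + sequence 4 + IV 8 + up to 7 pad + pad-len/next-hdr 2 + ICV 12.
ESP_3DES_SHA_OVERHEAD = 20 + 4 + 4 + 8 + 7 + 2 + 12  # 57


def parse_acls(cfg):
    """Return {acl_number: [(action, protocol, rest), ...]} in config order."""
    acls = {}
    for num, action, proto, rest in ACL_RE.findall(cfg):
        acls.setdefault(num, []).append((action, proto, rest.strip()))
    return acls


def crypto_map_info(cfg):
    """(peer address, crypto ACL number) from the first crypto map entry, or (None, None)."""
    peer = re.search(r"^\s*set peer (\S+)", cfg, re.M)
    acl = re.search(r"^\s*match address (\d+)", cfg, re.M)
    return (peer.group(1) if peer else None, acl.group(1) if acl else None)


def nat_exempt_acl(cfg):
    """ACL number referenced by the route-map used for NAT overload, or None."""
    m = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)
    if not m:
        return None
    rm = re.search(r"^route-map %s .*\n\s*match ip address (\d+)" % re.escape(m.group(1)), cfg, re.M)
    return rm.group(1) if rm else None


def check_nat_bypass(acls, crypto_acl, nat_acl):
    """True when every permit in the crypto ACL has an identical deny in the
    NAT-exempt ACL, so traffic for the tunnel keeps its private source address."""
    if crypto_acl not in acls or nat_acl not in acls:
        return False
    denies = {rest for action, proto, rest in acls[nat_acl] if action == "deny" and proto == "ip"}
    permits = [rest for action, proto, rest in acls[crypto_acl] if action == "permit"]
    return bool(permits) and all(p in denies for p in permits)


def check_outside_acl(acls, acl_num, peer):
    """Which of ISAKMP (udp/500), NAT-T (udp/4500) and ESP the inbound outside
    ACL permits from the peer; all three should be True for a robust tunnel."""
    entries = acls.get(acl_num, [])

    def permitted(proto, port=None):
        for action, p, rest in entries:
            if action != "permit" or p != proto or "host %s" % peer not in rest:
                continue
            if port is None or rest.endswith("eq " + port):
                return True
        return False

    return {"isakmp": permitted("udp", "isakmp"),
            "nat-t": permitted("udp", "non500-isakmp"),
            "esp": permitted("esp")}


def check_mss(cfg, link_mtu=1500, overhead=ESP_3DES_SHA_OVERHEAD):
    """(configured MSS, size of a full segment after ESP encapsulation, fits).
    A full-size segment is mss + 40 bytes of TCP/IP headers; once ESP overhead is
    added it must still fit the WAN MTU, otherwise large transfers (a screenful
    of top output, for instance) rely on fragmentation and far-end reassembly."""
    m = re.search(r"^\s*ip tcp adjust-mss (\d+)", cfg, re.M)
    if not m:
        return None, None, False
    mss = int(m.group(1))
    encrypted = mss + 40 + overhead
    return mss, encrypted, encrypted <= link_mtu


def run_checks(cfg):
    """Run all checks and return a summary dict."""
    acls = parse_acls(cfg)
    peer, crypto_acl = crypto_map_info(cfg)
    mss, encrypted, fits = check_mss(cfg)
    return {"nat_bypass_ok": check_nat_bypass(acls, crypto_acl, nat_exempt_acl(cfg)),
            "outside_acl": check_outside_acl(acls, "102", peer),
            "mss": mss, "encrypted_size": encrypted, "mss_fits_mtu": fits}


if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_CONFIG).items():
        print("%-16s %s" % (key, value))
```

On the posted excerpt the NAT bypass and outside ACL checks pass, while the MSS check reports that a 1452-byte segment grows past 1500 bytes after ESP encapsulation. That is consistent with a tunnel that carries interactive traffic fine and stalls on bulk output, and it is the first setting to revisit on both routers (lowering the MSS so that mss + 40 + overhead stays under the WAN MTU) before looking at the peer side.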
