Strange Cisco 881w issues with Remote Desktop?

    Hello everyone - I hope someone can help me!

    Despite not being very experienced with Cisco kit, I have successfully configured an 881w as a site-to-site VPN link between our head office and a remote site (all in one location currently!). Everything works as expected - I can ping hosts on the remote site, open file shares and run Remote Desktop sessions to the domain controller.

    However, as soon as I try adding the additional subnets that exist at the head office end of the configuration, the Remote Desktop sessions terminate. To make matters more confusing, repetitive pings between the sites continue to receive replies, and the file shares remain accessible.

    Head office = 192.168.5.x subnet
    Remote office = 192.168.121.x subnet
    Head Office subnet that seems to cause issues when added to config = 192.168.6.x subnet

    Here is the config which fails:

    -----------------------------------------------------------------------

    sd_cisco#show run
    Building configuration...

    Current configuration : 6656 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname sd_cisco
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 xxxxxxxx

    !
    no aaa new-model
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-3292076826
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3292076826
    revocation-check none
    rsakeypair TP-self-signed-3292076826
    !
    !
    crypto pki certificate chain TP-self-signed-3292076826
    certificate self-signed 01
    quit
    no ip source-route
    ip dhcp excluded-address 10.10.10.1
    !
    !
    ip cef
    no ip bootp server
    ip domain name xx.xxxxxx.xxx
    ip name-server 64.215.98.148
    ip name-server 64.215.98.149
    !
    !
    !
    !
    username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxx
    !
    !
    crypto isakmp policy 1
    encr aes
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key xxxxxxxx address xxx.xxx.xx.xxx
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to xxx.xxx.xx.xxx
    set peer xxx.xxx.xx.xxx
    set transform-set ESP-3DES-SHA1
    match address 100
    !
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    description $FW_OUTSIDE$$ES_WAN$
    ip address xx.xxx.xxx.xx 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    !
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    !
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.121.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    !
    ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    access-list 103 remark CCP_ACL Category=2
    access-list 103 remark IPSec Rule
    access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 103 remark IPSec Rule
    access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 103 permit ip 192.168.121.0 0.0.0.255 any
    no cdp run

    !
    !
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
    match ip address 103
    !
    !
    control-plane
    !
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------

    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.

    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.

    username <myuser> privilege 15 secret 0 <mypassword>

    Replace <myuser> and <mypassword> with the username and password you
    want to use.

    -----------------------------------------------------------------------
    ^C
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    sd_cisco#

    ------------------------------------------------------------



    If I remove the entries for the 192.168.6.x subnet, the issues go away.

    Has anyone seen anything like this before? I can't help thinking that it is ACL-related, but I simply cloned the 192.168.5.x entry to add the 192.168.6.x entry and allowed CP to make the recommended NAT changes - so I'm not sure where I could have gone wrong?

    Any advice would be greatly appreciated!

    Many thanks in advance,

    PA
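As an added example that is not part of the original post: a small Python check over the access-lists in the config above, verifying that every source/destination pair the crypto ACL (match address 100) permits is also denied in the NAT route-map ACL (103), so tunnel traffic is not translated before it reaches the crypto map. The posted config passes this check; a constructed variant with the 192.168.6.x exemption missing shows what it flags.

```python
from collections import defaultdict
# Constructed sample: the access-list lines from the posted 881w config. Crypto map
# SDM_CMAP_1 uses "match address 100"; NAT route-map SDM_RMAP_2 uses ACL 103.
CONFIG = """
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.121.0 0.0.0.255 any
"""
# Constructed variant (not from the post): the 192.168.6.x NAT exemption was never added.
CONFIG_MISSING_EXEMPT = "\n".join(
    ln for ln in CONFIG.splitlines() if not ("103 deny" in ln and "192.168.6.0" in ln))

def _addr(tokens):
    """Consume one IOS address spec ('any' or 'network wildcard'); return (spec, rest)."""
    if not tokens:
        raise ValueError("truncated access-list entry")
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse_acls(text):
    """Map ACL number -> [(action, src, dst)] for 'access-list N permit|deny ip ...' lines."""
    acls = defaultdict(list)
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # remarks, non-IP entries and blank lines are ignored
        src, rest = _addr(t[4:])
        dst, _ = _addr(rest)
        acls[t[1]].append((t[2], src, dst))
    return dict(acls)

def nat_exempt_gaps(acls, crypto_acl, nat_acl):
    """Crypto-ACL permit pairs with no matching deny in the NAT ACL. IOS translates
    inside->outside before the crypto map is checked, so such traffic leaves NATed
    and never matches the tunnel's interesting-traffic ACL."""
    denied = {(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"}
    return [(s, d) for a, s, d in acls.get(crypto_acl, [])
            if a == "permit" and (s, d) not in denied]

if __name__ == "__main__":
    for name, cfg in (("posted config", CONFIG), ("missing exemption", CONFIG_MISSING_EXEMPT)):
        gaps = nat_exempt_gaps(parse_acls(cfg), "100", "103")
        print(f"{name}: {'OK' if not gaps else 'not NAT-exempted: ' + str(gaps)}")
```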