Strange Cisco 881w issues with Remote Desktop?
This topic has 0 replies, 1 voice, and was last updated 11 years, 6 months ago by PaulAlex.
PaulAlex (Member), Jul 28, 2009 at 1:27 am, #143420

Hello everyone – I hope someone can help me!
Despite not being very experienced with Cisco kit, I have successfully configured an 881w as a site-to-site VPN link between our head office and a remote site (all in one location currently!). Everything works as expected – I can ping hosts on the remote site, open file shares and run Remote Desktop sessions to the domain controller.
However, as soon as I try adding the additional subnets that exist at the head office end of the configuration, the Remote Desktop sessions terminate. To make matters more confusing, repetitive pings between the sites continue to receive replies, and the file shares remain accessible.
Head office = 192.168.5.x subnet
Remote office = 192.168.121.x subnet
Head Office subnet that seems to cause issues when added to config = 192.168.6.x subnet

Here is the config which fails:
sd_cisco#show run
Building configuration...

Current configuration : 6656 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname sd_cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxx
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3292076826
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3292076826
revocation-check none
rsakeypair TP-self-signed-3292076826
!
!
crypto pki certificate chain TP-self-signed-3292076826
certificate self-signed 01
quit
no ip source-route
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
no ip bootp server
ip domain name xx.xxxxxx.xxx
ip name-server 64.215.98.148
ip name-server 64.215.98.149
!
!
!
!
username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xxx.xxx.xx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to xxx.xxx.xx.xxx
set peer xxx.xxx.xx.xxx
set transform-set ESP-3DES-SHA1
match address 100
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address xx.xxx.xxx.xx 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.121.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.121.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username “cisco” for one-time use. If you have
already used the username “cisco” to login to the router and your IOS image
supports the “one-time” user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
privilege 15 secret 0
Replace
and with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
sd_cisco#
If I remove the entries for the 192.168.6.x subnet, the issues go away.
Has anyone seen anything like this before? I can't help thinking that it is ACL-related, but I simply cloned the 192.168.5.x entry to add the 192.168.6.x entry and allowed CP to make the recommended NAT changes – so I’m not sure where I could have gone wrong?
Any advice would be greatly appreciated!
Many thanks in advance,
PA
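A small consistency check for the kind of config posted above, added here as an example and not part of the original post. It parses the crypto-map ACL and the NAT route-map ACL, reports any VPN subnet pair that the NAT exemption does not cover (such traffic would be translated instead of encrypted), and emits the mirror-image crypto ACL the head-office peer needs to carry. The config excerpt is constructed from the posted lines, and the peer-side ACL number 100 is an assumption.

```python
import re

# Constructed excerpt of the posted config: only the lines the check needs.
CONFIG = """
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 deny ip 192.168.121.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.121.0 0.0.0.255 any
route-map SDM_RMAP_2 permit 1
 match ip address 103
"""

def _net(t, i):
    """Consume one IOS address spec at t[i]; return (network, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return t[i], t[i + 1], i + 2

def parse_acls(cfg):
    """Map ACL number -> [(action, src, src_wc, dst, dst_wc)] for 'ip' entries."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, swc, i = _net(t, 4)
            dst, dwc, _ = _net(t, i)
            acls.setdefault(t[1], []).append((t[2], src, swc, dst, dwc))
    return acls

def crypto_acl_number(cfg):
    """ACL referenced by 'match address' under the crypto map."""
    return re.search(r"^\s*match address (\d+)", cfg, re.M).group(1)

def nat_exempt_gaps(cfg):
    """Crypto-ACL pairs the NAT route-map ACL does not deny (they would be NATed, not encrypted)."""
    acls = parse_acls(cfg)
    rmap = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M).group(1)
    nat_acl = re.search(r"^route-map %s permit \d+\n\s*match ip address (\d+)" % re.escape(rmap), cfg, re.M).group(1)
    denied = {e[1:] for e in acls.get(nat_acl, []) if e[0] == "deny"}
    return [e[1:] for e in acls.get(crypto_acl_number(cfg), []) if e[0] == "permit" and e[1:] not in denied]

def mirror_acl(cfg, number):
    """Crypto ACL the peer must carry: the same pairs with source and destination swapped."""
    entries = parse_acls(cfg).get(crypto_acl_number(cfg), [])
    return ["access-list %s permit ip %s %s %s %s" % (number, d, dw, s, sw) for (a, s, sw, d, dw) in entries if a == "permit"]
```

For the posted config the gap list is empty on this side, so the same two checks are worth running against the head-office router's config, where the 192.168.6.x entries must appear in reversed form.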