VPN Tunnels Cisco 851k9

Virtual private networks and related topics

Moderator: Federico.Lagni

davjava
n00b
Posts: 18
Joined: Sat 19 Apr 2008, 6:11 pm

Good evening to everyone on the forum.
Using an 851k9 as the hub, connected to the Internet through a Fastweb device (configured to NAT the public IP address 1:1 to FastEthernet4), and 2 Cisco 857k9 and 2 Cisco 851k9 at the branches, I built a VPN between the head office and the 4 branch sites. Everything works perfectly, except that at the 2 branches with the Cisco 851k9 (connected to the Internet through BT devices configured for 1:1 NAT to FastEthernet4) the VPN tunnel occasionally fails to establish correctly. Any ideas? Thanks!

Hub (head office):
!
!
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
lifetime 18000
crypto isakmp key xxxxx address 1.1.1.1 no-xauth
crypto isakmp key xxxxx address 2.2.2.2 no-xauth
crypto isakmp key xxxxx address 3.3.3.3 no-xauth
crypto isakmp key xxxxx address 4.4.4.4 no-xauth
!
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map MAP local-address FastEthernet4
crypto map MAP 10 ipsec-isakmp
set peer 1.1.1.1
set security-association idle-time 1800
set transform-set SET
match address 101
crypto map MAP 20 ipsec-isakmp
set peer 2.2.2.2
set security-association idle-time 1800
set transform-set SET
match address 102
crypto map MAP 30 ipsec-isakmp
set peer 3.3.3.3
set security-association idle-time 1800
set transform-set SET
match address 103
crypto map MAP 40 ipsec-isakmp
set peer 4.4.4.4
set security-association idle-time 1800
set transform-set SET
match address 104
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.1.2 255.255.255.0
ip inspect firewall out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MAP
!
interface Vlan1
ip address 10.1.42.35 255.255.255.224
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.63.160 255.255.255.240 192.168.1.1
ip route 192.168.82.224 255.255.255.240 192.168.1.1
ip route 192.168.103.0 255.255.255.240 192.168.1.1
ip route 192.168.103.32 255.255.255.240 192.168.1.1
!
ip nat translation timeout 180
ip nat translation tcp-timeout 180
ip nat translation udp-timeout 180
ip nat inside source list 120 interface FastEthernet4 overload
!
access-list 101 permit ip 10.1.42.32 0.0.0.31 192.168.63.160 0.0.0.15
access-list 102 permit ip 10.1.42.32 0.0.0.31 192.168.82.224 0.0.0.15
access-list 103 permit ip 10.1.42.32 0.0.0.31 192.168.103.32 0.0.0.15
access-list 104 permit ip 10.1.42.32 0.0.0.31 192.168.103.0 0.0.0.15
access-list 120 deny ip 10.1.42.32 0.0.0.31 192.168.63.160 0.0.0.15
access-list 120 deny ip 10.1.42.32 0.0.0.31 192.168.82.224 0.0.0.15
access-list 120 deny ip 10.1.42.32 0.0.0.31 192.168.103.32 0.0.0.15
access-list 120 deny ip 10.1.42.32 0.0.0.31 192.168.103.0 0.0.0.15
access-list 120 permit ip 10.1.42.32 0.0.0.31 any

Branch site:

crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
lifetime 18000
crypto isakmp key xxxxx address 5.5.5.5 no-xauth
!
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map MAP local-address FastEthernet4
crypto map MAP 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set SET
match address 101
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.1.2 255.255.255.0
ip inspect firewall out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MAP
!
interface Vlan1
ip address 192.168.103.33 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip nat translation timeout 180
ip nat translation tcp-timeout 180
ip nat translation udp-timeout 180
ip nat inside source list 120 interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.103.32 0.0.0.15 10.1.42.32 0.0.0.31
access-list 120 deny ip 192.168.103.32 0.0.0.15 10.1.42.32 0.0.0.31
access-list 120 permit ip 192.168.103.32 0.0.0.15 any
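As an added example (not part of the forum post and not the author's code), the following Python script parses the two configurations above and checks the things that must agree between hub and spoke for a crypto-map tunnel to come up and stay up: that the branch's crypto ACL is the exact mirror of one hub entry, that the ISAKMP policy and the transform set match, that the protected traffic is denied in the NAT ACL on both sides before the overload permit, whether the security-association idle timer is set on one side only, and which legacy algorithms are in use. The embedded configurations are abridged copies of the posted ones (only hub entry 30 and the lines the checker reads are kept); 3.3.3.3 and 5.5.5.5 are the author's own placeholder addresses, and the `host` form of ACL addresses is not handled.

```python
# Added example (not the forum post's code): parse the hub and spoke configs quoted
# above, abridged to the lines read here (hub entry 30 only), and check what must agree.
HUB_CFG = """\
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
lifetime 18000
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto map MAP 30 ipsec-isakmp
set peer 3.3.3.3
set security-association idle-time 1800
set transform-set SET
match address 103
ip nat inside source list 120 interface FastEthernet4 overload
access-list 103 permit ip 10.1.42.32 0.0.0.31 192.168.103.32 0.0.0.15
access-list 120 deny ip 10.1.42.32 0.0.0.31 192.168.103.32 0.0.0.15
access-list 120 permit ip 10.1.42.32 0.0.0.31 any
"""

SPOKE_CFG = """\
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
lifetime 18000
crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto map MAP 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set SET
match address 101
ip nat inside source list 120 interface FastEthernet4 overload
access-list 101 permit ip 192.168.103.32 0.0.0.15 10.1.42.32 0.0.0.31
access-list 120 deny ip 192.168.103.32 0.0.0.15 10.1.42.32 0.0.0.31
access-list 120 permit ip 192.168.103.32 0.0.0.15 any
"""

def parse(cfg):  # ISAKMP policy, transform sets, crypto-map entries, NAT ACL id, ACL entries
    r = {"policy": {}, "tsets": {}, "maps": [], "acls": {}, "nat_acl": None}
    mode = cur = None
    for tok in (l.split() for l in cfg.splitlines() if l.strip()):
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            mode = "policy"
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            r["tsets"][tok[3]] = tuple(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3 and tok[3].isdigit():
            cur = {"seq": int(tok[3]), "peer": None, "tset": None, "acl": None, "idle": None}
            r["maps"].append(cur)
            mode = "map"
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            r["nat_acl"] = tok[5]
        elif tok[0] == "access-list" and tok[3] == "ip":  # 'any' -> 0.0.0.0 255.255.255.255
            addr = [t for a in tok[4:] for t in (("0.0.0.0", "255.255.255.255") if a == "any" else (a,))]
            r["acls"].setdefault(tok[1], []).append((tok[2], tuple(addr[:2]), tuple(addr[2:4])))
        elif mode == "policy" and tok[0] in ("encr", "hash", "authentication", "group", "lifetime"):
            r["policy"][tok[0]] = tok[1]
        elif mode == "map" and tok[0] in ("set", "match"):  # the value is the last token
            field = {"peer": "peer", "transform-set": "tset", "address": "acl",
                     "idle-time": "idle"}.get(tok[2] if tok[1] == "security-association" else tok[1])
            if field:
                cur[field] = tok[-1]
    return r

def nat_exempts(acl, flow):  # conservative: a deny for exactly this pair before the first permit
    for action, src, dst in acl:
        if action == "permit":
            return False
        if (src, dst) == flow:
            return True
    return False

def legacy_algorithms(policy, tset):  # IOS defaults: encr des, hash sha, group 1
    weak = {"encr": ("des", "3des"), "hash": ("md5",), "group": ("1", "2", "5")}
    defaults = {"encr": "des", "hash": "sha", "group": "1"}
    found = [a for a in tset if a in ("esp-des", "esp-3des", "esp-md5-hmac")]
    found += ["isakmp %s %s" % (k, policy.get(k, d)) for k, d in defaults.items()
              if policy.get(k, d) in weak[k]]
    return found

def check(hub_cfg, spoke_cfg):  # find the hub entry mirroring the spoke's crypto ACL, then compare
    hub, spoke = parse(hub_cfg), parse(spoke_cfg)
    sp = spoke["maps"][0]
    flow = spoke["acls"][sp["acl"]][0][1:]          # (spoke LAN, hub LAN) as the spoke sees it
    hm = next((m for m in hub["maps"] if any(a == "permit" and (d, s) == flow
               for a, s, d in hub["acls"].get(m["acl"], []))), None)
    h_tset = hub["tsets"][hm["tset"]] if hm else ()
    s_tset = spoke["tsets"][sp["tset"]]
    return {
        "hub_peer": hm and hm["peer"],
        "isakmp_match": hub["policy"] == spoke["policy"],
        "transform_match": hm is not None and h_tset == s_tset,
        "hub_nat_exempt": nat_exempts(hub["acls"][hub["nat_acl"]], flow[::-1]),
        "spoke_nat_exempt": nat_exempts(spoke["acls"][spoke["nat_acl"]], flow),
        "idle_time_asymmetric": hm is not None and (hm["idle"] is None) != (sp["idle"] is None),
        "legacy": sorted(set(legacy_algorithms(hub["policy"], h_tset)
                             + legacy_algorithms(spoke["policy"], s_tset))),
    }

if __name__ == "__main__":
    print(check(HUB_CFG, SPOKE_CFG))
```

Run as a script it prints the report for the posted configuration: the crypto ACLs mirror each other (the branch maps to hub peer 3.3.3.3), the ISAKMP policy and transform set match, and both NAT ACLs exempt the protected traffic. The two findings it does raise are worth knowing about on any crypto-map deployment: the `set security-association idle-time` timer is configured on the hub only, so the hub will delete an idle SA that the spoke still holds, and unless IKE keepalives/DPD are enabled the spoke cannot learn this until its own SA expires; and 3DES, MD5 and DH group 2 are deprecated and should be replaced by AES, SHA-2 and a larger group on both sides at the same time.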