857W: completely lost!

Everything related to configuring Cisco devices (that does not fall into the other categories)

Moderator: Federico.Lagni

bludev
n00b
Posts: 3
Joined: Thu 17 Jul 2008 2:59 pm

Good morning everyone,
I bought a pair of 857W routers to install at the two sites of the company I work for. Goals:
  1. internet access
  2. create a wireless LAN
  3. create a VPN connection between the two sites
  4. open a few inbound ports on the WAN side for some services (3389 in particular)
A brief overview of the situation:
Site 1:
  • Cisco 857W router, IOS ver. 12.4(15)T3
  • ADSL ALICE BUSINESS CLICK 4M ATM, 16 static IP addresses (88.16.111.16<->31), gateway 88.60.111.17, point-to-point 88.60.127.55
  • Dynamic LAN addresses (DHCP), 192.168.0.x range
Site 2:
  • Cisco 857W router, IOS ver. 12.4(15)T3
  • ADSL ALICE BUSINESS CLICK 4M ATM, 8 static IP addresses (88.60.99.56<->63), gateway 88.60.99.57, point-to-point 88.60.120.23
  • Dynamic LAN addresses (DHCP), 192.168.1.x range
I expected to be able to configure everything through the SDM interface (version 2.5), but I ran into enormous difficulties (bugs?) and I don't know where to bang my head, particularly regarding the firewall and VPN configuration.

To configure the firewall I tried both the "Basic firewall wizard" and the "Advanced firewall wizard", but at the end of the procedure I invariably get this error:

class-map type inspect match-any SDM_ESP
Error detected at this command. Click OK

As for the VPN... here too I tried the wizard countless times, but I never managed to get the VPN LED on the two routers to light up, and honestly I wouldn't know what else to do...

Reading the forum I see that many prefer manual configuration through the "config editor", but for now the commands in that list are almost incomprehensible to me (let's say that in some cases I can guess what they do...).


The configuration of site 1:

Code:

Building configuration...

Current configuration : 7317 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gesiot
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1426225540
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1426225540
 revocation-check none
 rsakeypair TP-self-signed-1426225540
!
!
crypto pki certificate chain TP-self-signed-1426225540
 certificate self-signed 01
  CUT!!!
  	quit
!
dot11 ssid gesiot
   authentication open 
   authentication key-management wpa
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1 
   dns-server 151.99.125.2 151.99.0.100 
   domain-name gesiot.local
   lease infinite
!
ip dhcp pool VOIP841
   hardware-address 0008.c68e.f078
!
ip dhcp pool SONIA
   host 192.168.0.6 255.255.255.0
   hardware-address 0015.f204.120c
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name gesiot.com
ip name-server 151.99.125.2
ip name-server 151.99.0.100
!
!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXX
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXX address 88.60.99.58
crypto isakmp key YYYYYYYYYYYYY address 88.60.111.18
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to88.60.111.18
 set peer 88.60.111.18
 set transform-set ESP-3DES-SHA1 
 match address 103
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 88.60.111.18 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  protocol ip 88.60.111.17 broadcast
  oam-pvc manage
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm tkip 
 !
 ssid gesiot
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 88.60.111.16 0.0.0.15 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 88.60.111.16 0.0.0.15 88.60.99.56 0.0.0.7
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 88.60.111.16 0.0.0.15 88.60.99.56 0.0.0.7
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

The configuration of site 2:

Code:

Building configuration...

Current configuration : 9774 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gesiot
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-231142874
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-231142874
 revocation-check none
 rsakeypair TP-self-signed-231142874
!
!
crypto pki certificate chain TP-self-signed-231142874
 certificate self-signed 01
  CUT!!!
  	quit
!
dot11 ssid gesiot
   authentication open 
   guest-mode
   infrastructure-ssid optional
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 151.99.125.2 151.99.0.100 
   default-router 192.168.1.1 
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name gesiot.com
ip name-server 151.99.125.2
ip name-server 151.99.0.100
!
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]

!
!
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXx address 88.60.111.18
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to88.60.111.18
 set peer 88.60.111.18
 set transform-set ESP-3DES-SHA3 
 match address 116
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 88.60.99.58 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  protocol ip 88.60.99.57 broadcast
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 XXXXXXXXXXXXXXXXXXXXXXXX transmit-key
 encryption mode ciphers tkip wep128 
 !
 ssid gesiot
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 88.60.99.56 0.0.0.7 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 88.60.99.56 0.0.0.7 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 88.60.99.56 0.0.0.7 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 88.60.99.56 0.0.0.7 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 88.60.111.16 0.0.0.15
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 remark SDM_ACL Category=128
access-list 107 permit ip host 255.255.255.255 any
access-list 107 permit ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip 88.60.99.56 0.0.0.7 any
access-list 108 remark SDM_ACL Category=128
access-list 108 permit ip host 88.60.111.18 any
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark SDM_ACL Category=128
access-list 110 permit ip host 255.255.255.255 any
access-list 110 permit ip 127.0.0.0 0.255.255.255 any
access-list 110 permit ip 88.60.99.56 0.0.0.7 any
access-list 111 remark SDM_ACL Category=128
access-list 111 permit ip any any
access-list 112 remark SDM_ACL Category=128
access-list 112 permit ip host 88.60.111.18 any
access-list 113 remark SDM_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 remark SDM_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 remark SDM_ACL Category=4
access-list 115 remark IPSec Rule
access-list 115 permit ip 88.60.99.56 0.0.0.7 88.60.111.16 0.0.0.15
access-list 116 remark SDM_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Can anyone help me? Thanks
@lan72
Cisco enlightened user
Posts: 157
Joined: Thu 22 May 2008 4:36 pm
Location: Sicily

hi, from experience I can tell you that the firewall with SDM just doesn't work, and as for the VPN only the WebVPN works

some time ago I opened a post on exactly this topic

http://www.ciscoforums.it/viewtopic.php ... highlight=

in the end I configured everything via CLI
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]
bludev
n00b
Posts: 3
Joined: Thu 17 Jul 2008 2:59 pm

Thanks for the reply... but where can I find a manual with the syntax of the various CLI commands?
@lan72
Cisco enlightened user
Posts: 157
Joined: Thu 22 May 2008 4:36 pm
Location: Sicily

on the Cisco site, if you search, there are many, but they are specific to the individual commands; I'll say up front that I don't know your technical level, anyway I suggest you take a look here:

http://webeconoscenza.blogspot.com/2002 ... a-cli.html
share your knowledge

.::.::. Cisco867VAE [IOS:15.4.3.M6a|FW:35j23je]