I have set up two 857Ks with the new CCP, which, among other things, seems to me considerably better than the sadly notorious SDM.
I need to set up a site-to-site between the two routers and I used the wizard, but, of course, it doesn't work.
To me the configuration looks identical on both, but for some reason it doesn't work.
Would you be so kind as to take a look?
In short (obviously I made up the WAN IPs):
SITE A:
ADSL Alice Business, 1 static IP - router WAN IP: 200.200.200.1
Router LAN: 192.168.16.254
SITE B
ADSL other provider, 1 static IP - router WAN IP: 200.200.200.2
Router LAN: 192.168.17.254
Below I copy/paste the two configurations. Thanks in advance if you are willing to give me a hand.
*********** ROUTER SITE A *********************
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SEDE_A
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 1
!
crypto pki trustpoint TP-self-signed-596929751
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-596929751
revocation-check none
rsakeypair TP-self-signed-596929751
!
!
crypto pki certificate chain TP-self-signed-596929751
certificate self-signed 01
quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip bootp server
ip domain name SEDE_A.dominio
ip name-server 213.204.1.1
!
!
!
username pippo privilege 15 secret 5 xxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key CHIAVECONDIVISA address 200.200.200.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to200.200.200.2
set peer 200.200.200.2
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
ip address 200.200.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
pvc 8/35
protocol ip 200.200.200.254 broadcast
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.16.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.16.250 3389 interface ATM0.1 33389
ip nat inside source static tcp 192.168.16.250 1433 interface ATM0.1 1433
ip nat inside source static tcp 192.168.16.250 443 interface ATM0.1 443
ip nat inside source static tcp 192.168.16.250 987 interface ATM0.1 987
ip nat inside source static tcp 192.168.16.250 1723 interface ATM0.1 1723
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 193.204.114.232
end
************ ROUTER SITE B ********************
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SEDE_B
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-201985984
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-201985984
revocation-check none
rsakeypair TP-self-signed-201985984
!
!
crypto pki certificate chain TP-self-signed-201985984
certificate self-signed 01
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.17.1 192.168.17.19
ip dhcp excluded-address 192.168.17.41 192.168.17.254
!
ip dhcp pool ccp-pool1
import all
network 192.168.17.0 255.255.255.0
dns-server 213.204.1.1
default-router 192.168.17.254
!
!
ip cef
no ip bootp server
ip domain name nomedominio.com
ip name-server 213.204.1.1
!
!
!
username pippo privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key CHIAVECONDIVISA address 200.200.200.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to200.200.200.1
set peer 200.200.200.1
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 200.200.200.2 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
pvc 8/35
protocol ip 200.200.200.129 broadcast
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.17.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.17.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
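A consistency check for the two posted configurations, added here as an example and not part of the thread: it parses the IKE/IPsec facts out of each running-config and reports where the two sites fail to mirror each other (set peer vs. the interface carrying the crypto map, pre-shared key and its bound address, crypto ACL mirroring, NAT exemption in the route-map ACL). The excerpt() text is a constructed reduction of the CCP-generated configs above, using the invented WAN addresses from the post.

```python
import re
def excerpt(wan, peer, lan, remote):
    # Constructed excerpt of the CCP-generated config posted in the thread, for one site.
    return f"""crypto isakmp key CHIAVECONDIVISA address {peer}
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer {peer}
 match address 100
interface ATM0.1 point-to-point
 ip address {wan} 255.255.255.0
 crypto map SDM_CMAP_1
access-list 100 permit ip {lan} 0.0.0.255 {remote} 0.0.0.255
access-list 101 deny ip {lan} 0.0.0.255 {remote} 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""
# One regex per single-valued fact; "psk" is kept as a (key, peer address) tuple.
PATTERNS = {"psk": r"crypto isakmp key (\S+) address (\S+)", "peer": r"set peer (\S+)",
            "crypto_acl": r"match address (\S+)", "nat_acl": r"match ip address (\S+)"}
def ipsec_facts(cfg):
    # Walk the running-config once and collect the facts that must line up between sites.
    f, if_ip = {"acl": {}}, None
    for line in (l.strip() for l in cfg.splitlines()):
        for name, pat in PATTERNS.items():
            if m := re.fullmatch(pat, line):
                f[name] = m.groups() if name == "psk" else m[1]
        if m := re.match(r"ip address (\S+) ", line):
            if_ip = m[1]                                       # address of the current interface
        elif line.startswith("interface "):
            if_ip = None
        elif re.fullmatch(r"crypto map \S+", line) and if_ip:  # crypto map bound to an interface
            f["map_if_ip"] = if_ip
        elif m := re.fullmatch(r"access-list (\d+) (permit|deny) ip (\S+) \S+ (\S+) \S+", line):
            f["acl"].setdefault(m[1], []).append((m[2], m[3], m[4]))  # (action, src, dst)
    return f

def check_pair(a, b):
    # Mismatches seen from site a towards site b; an empty list means the two sides mirror.
    issues = []
    if a.get("peer") != b.get("map_if_ip"):
        issues.append("set peer does not point at the interface where the other side applies its crypto map")
    if a.get("psk") != (b.get("psk", (None,))[0], b.get("map_if_ip")):
        issues.append("pre-shared key differs or is bound to the wrong peer address")
    vpn = [(s, d) for k, s, d in a["acl"][a["crypto_acl"]] if k == "permit"]
    mirror = sorted((d, s) for k, s, d in b["acl"][b["crypto_acl"]] if k == "permit")
    if sorted(vpn) != mirror:
        issues.append("crypto ACLs are not mirror images of each other")
    exempt = [(s, d) for k, s, d in a["acl"].get(a.get("nat_acl"), []) if k == "deny"]
    if any(pair not in exempt for pair in vpn):
        issues.append("NAT route-map ACL does not exempt the VPN traffic")
    return issues
```

Run check_pair in both directions; for the configurations as posted it returns an empty list for each, which points the search at the ADSL/provider side rather than at the IPsec settings.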
Site-to-site with two 857s: can you check my configurations?
Raistlin:
I had a quick look; unless I'm mistaken, the ppp and the related DLCIs that Telecom Italia should provide you are missing.
Original poster:
Raistlin wrote: I had a quick look; unless I'm mistaken, the ppp and the related DLCIs that Telecom Italia should provide you are missing.

Thanks for the "look"...
What do you mean by "ppp"?
Isn't it the section configured under atm0.1:
ip address 200.200.200.1 255.255.255.0
pvc 8/35
protocol ip 200.200.200.254 broadcast
encapsulation aal5snap
If ppp weren't configured, it couldn't browse... or could it??
Sorry for my ignorance, but what are "DLCIs"?
Thanks
zot:
Do everything from the CLI....