Hi everyone,
today I ran into a problem I couldn't find a solution to.
The router is an 1801; the configuration is below. Basically, after wiping the old configuration and recreating the current one, recreating the trustpoints and the self-signed certificates, I enabled the http secure-server.
Now I find that SDM works over http but not over https.
Over http it asks me for login and password and then loads normally, whereas over https it presents the certificate, but as soon as I accept the certificate the browser (tried with several browsers) always gives me the same result:
can’t open the page “https://213.255.47.51/” because it couldn’t establish a secure connection to the server “213.255.47.51”
Does anyone have any idea what could be causing this problem?
!Using 6537 out of 196600 bytes
!
! Last configuration change at 21:24:14 ITALY Wed Jan 10 2007
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone ITALY 1
clock summer-time ITALY recurring last Sun Mar 3:00 last Sun Oct 3:00
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name tycontechnoglass.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ssh time-out 60
!
password encryption aes
crypto pki trustpoint local
enrollment selfsigned
serial-number
subject-name cn=Cisco1801. xxxxxx.com
revocation-check none
rsakeypair localkeys 1024 1024
!
!
crypto pki certificate chain local
certificate self-signed 01 nvram:FCZ1026219Zh#6D01.cer
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key 6 J`VdfdFLGcWBLT\aV[SCQfPUAGTMb_]NhFaL address xxxxxx 255.255.255.252
crypto isakmp key 6 FKWcdgMWY]eYZMOUZeXiAfYUGIQJLLREVDhO address xxxxxx 255.255.255.192
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to xxxxxx
set peer xxxxxx
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description xxxxxx
set peer xxxxxx
set transform-set ESP-3DES-SHA3
match address 104
bridge irb
!
!
!
interface FastEthernet0
description $FW_INSIDE$
no ip address
duplex auto
speed auto
bridge-group 1
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet1
switchport trunk native vlan 2
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Dot11Radio0
no ip address
shutdown
!
ssid WTyTg
authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
ssid WTyTg
authentication open
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
description $FW_PUB_IP$
ip address xxxxxx 255.255.255.248
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
crypto map SDM_CMAP_1
!
interface BVI1
description $LAN$
ip address 192.168.121.1 255.255.255.0
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 xxxxxx permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint local
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list standard localnet
remark SDM_ACL Category=16
permit 192.168.121.0 0.0.0.255
!
logging trap debugging
access-list 100 remark Tycon to Balfour-Leven
access-list 100 remark SDM_ACL Category=20
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.121.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.121.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.121.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 101 deny ip 192.168.121.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.121.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip xxxxxx 0.0.0.3 xxxxxx 0.0.0.3
access-list 103 remark SDM_ACL Category=16
access-list 103 permit ip 192.168.121.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 104 remark Tycon to GNOC
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.121.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 105 remark Block telnet and http access to the router from outside
access-list 105 deny tcp any host xxxxxx eq telnet
access-list 105 deny tcp any host xxxxxx eq www
access-list 105 permit ip any any
access-list 106 remark any to any
access-list 106 permit ip any any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179915
ntp update-calendar
ntp server 198.60.22.240
ntp server 69.31.13.10
ntp server 85.214.36.108 prefer
ntp server 216.75.55.11
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
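As an added example (not part of the original post, and not Cisco or SDM tooling), the following Python script parses a show-run style configuration and flags the management-plane and crypto settings a reviewer would look at in a config like the one above: a plaintext `ip http server` left enabled next to the HTTPS server, whether `ip http secure-server` points at a trustpoint that is actually defined, RSA key pairs below 2048 bits, DES/3DES or MD5 in ISAKMP policies, telnet still accepted on vty lines, and an inbound ACL that denies telnet and www to the router but leaves tcp/443 reachable from outside. The embedded SAMPLE_CONFIG is a constructed, abridged excerpt in the shape of the posted config with a placeholder address; the 2048-bit threshold and the finding wording are this example's own choices, and the parser assumes the one-space child-line indentation of genuine show run output, which a forum paste often loses.

```python
# Added example: audit management-plane and crypto settings in an IOS
# running-config. Thresholds and wording are this example's own choices.
import re

# Constructed, abridged excerpt in the shape of the posted running-config
# (placeholder address 203.0.113.10 instead of the poster's public IP).
SAMPLE_CONFIG = """\
crypto pki trustpoint local
 enrollment selfsigned
 rsakeypair localkeys 1024 1024
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
interface Vlan1
 ip address 203.0.113.10 255.255.255.248
 ip access-group 105 in
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint local
access-list 105 remark Block telnet and http access to the router from outside
access-list 105 deny tcp any host 203.0.113.10 eq telnet
access-list 105 deny tcp any host 203.0.113.10 eq www
access-list 105 permit ip any any
line vty 0 4
 login local
 transport input telnet ssh
"""


def parse_blocks(text):
    """Return (header, [child lines]) pairs; children are the one-space
    indented lines of real show-run output (a forum paste may lose them)."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text, min_rsa_bits=2048):
    """Return a list of human-readable findings for the given config text."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings = []

    # Plaintext management UI left enabled alongside HTTPS.
    if "ip http server" in headers:
        findings.append("ip http server: plaintext HTTP management is enabled")

    # HTTPS server must reference a trustpoint that is actually defined.
    if "ip http secure-server" in headers:
        tp = next((h.split()[-1] for h in headers
                   if h.startswith("ip http secure-trustpoint ")), None)
        if tp is None:
            findings.append("ip http secure-server: no secure-trustpoint configured")
        elif f"crypto pki trustpoint {tp}" not in headers:
            findings.append(f"ip http secure-trustpoint {tp}: trustpoint is not defined")

    for h, kids in blocks:
        # RSA key size used for the self-signed HTTPS certificate.
        if h.startswith("crypto pki trustpoint "):
            for k in kids:
                m = re.match(r"rsakeypair \S+ (\d+)", k)
                if m and int(m.group(1)) < min_rsa_bits:
                    findings.append(f"{h}: rsakeypair is {m.group(1)} bits (< {min_rsa_bits})")
        # Legacy IKE algorithms; IOS defaults are des encryption and sha hash.
        elif h.startswith("crypto isakmp policy "):
            encr = next((k.split()[1] for k in kids if k.startswith("encr ")), "des")
            hsh = next((k.split()[1] for k in kids if k.startswith("hash ")), "sha")
            if encr in ("des", "3des"):
                findings.append(f"{h}: legacy encryption {encr}")
            if hsh == "md5":
                findings.append(f"{h}: legacy hash md5")
        # vty lines that still accept cleartext telnet.
        elif h.startswith("line vty"):
            for k in kids:
                if k.startswith("transport input ") and "telnet" in k.split():
                    findings.append(f"{h}: '{k}' allows cleartext telnet")
        # Inbound ACL that denies telnet/www to the router but not tcp/443.
        elif h.startswith("interface "):
            acl = next((k.split()[2] for k in kids
                        if k.startswith("ip access-group ") and k.endswith(" in")), None)
            if acl is None:
                continue
            entries = [x for x in headers if x.startswith(f"access-list {acl} ")]
            denied = {x.split()[-1] for x in entries if " deny tcp " in x and " eq " in x}
            if denied and not ({"443", "https"} & denied):
                findings.append(f"{h}: ACL {acl} denies {sorted(denied)} but not tcp/443, "
                                "so HTTPS management stays reachable from outside")
    return findings


def audit_sample():
    return audit(SAMPLE_CONFIG)


if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
```

Run against the sample it reports seven findings; feeding it the real `show running-config` output (with its indentation intact) applies the same checks to the live box. The ACL check only knows about port-based `deny tcp ... eq` entries, which is enough for the remark-style "block telnet and http" lists SDM generates.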
SDM and secure-server