Hi everyone,
I'm a newbie on the forum; actually I'm here to ask for advice, in case someone has already faced the same problem and can give me some pointers.
The problem is that with the current configuration everything works, including the backup over ISDN: that is, when the link goes down, Dialer1 (for the BRI interface) routes the traffic correctly (with show ip route, the last resort is shown on Dialer1). But the inside machines cannot browse: I think the problem is the NAT overload.
How do you tell the router to use NAT on Dialer1 in case of backup?
I know that Dialer interfaces are always in spoofing, and so they should always be able to use NAT....
Thanks everyone,
Here is my configuration:
!version 12.4
no service slave-log
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service pt-vty-logging
service disable-ip-fast-frag
!
hostname XXXXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$nHmK$/Ros1dpliMtp7dMVBZ0Q80
!
aaa new-model
!
!
aaa authentication attempts login 8
aaa authentication banner ^CCCCC
-= Warning =-
This is a protected system no unauthorized
access allowed. We monitor every events of this
system, and logs will be a proof in court.
^C
aaa authentication fail-message ^CCCCC
Your attempt to logon with a bad username/password
has been logged. I hope you were authorized to try...
^C
aaa authentication password-prompt PASSWORD:
aaa authentication username-prompt USERNAME:
aaa authentication login USERLIST local
aaa authorization exec default local
aaa authorization commands 15 default local
aaa authorization network USERLIST local
!
!
aaa session-id common
no ip source-route
!
!
ip cef
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
hash md5
authentication pre-share
group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group USERLIST
key cisco
pool SDM_POOL_1
acl 103
save-password
max-users 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
qos pre-classify
!
!
crypto map SDM_CMAP_1 client authentication list USERLIST
crypto map SDM_CMAP_1 isakmp authorization list USERLIST
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.0.201 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
description $BACKUP_INTF_ATM0.1_TRACK_1$
no ip address
encapsulation ppp
load-interval 30
dialer pool-member 2
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
ppp authentication pap chap callin
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0.2 point-to-point
no snmp trap link-status
!
interface Vlan1
no ip address
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname 3174649559
ppp chap password 7 152B521D217D127071
ppp pap sent-username 3174649559 password 7 11304014324532585D
crypto map SDM_CMAP_1
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 2
dialer idle-timeout 180
dialer wait-for-carrier-time 10
dialer string XXXXXXXXXXXXx
dialer load-threshold 180 either
dialer-group 2
no cdp enable
ppp authentication chap pap callin
ppp chap hostname 30863555
ppp chap password 7 091E1C314134454B5E
ppp pap sent-username 30863555 password 7 0254566353375D7819
ppp multilink
crypto map SDM_CMAP_1
!
ip local policy route-map SDM_BACKUP_RMAP_1
ip local pool SDM_POOL_1 172.16.20.1 172.16.20.20
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 2
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip sla 1
icmp-echo XXX.XXX.XXX.XXX source-interface Dialer0
timeout 1000
threshold 2
frequency 3000
ip sla schedule 1 life forever start-time now
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 172.16.20.1 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.2 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.3 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.4 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.5 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.6 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.7 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.8 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.9 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.10 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.11 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.12 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.13 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.14 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.15 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.16 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.17 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.18 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.19 192.168.0.0 0.0.255.255
access-list 101 permit ip host 172.16.20.20 192.168.0.0 0.0.255.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 0.0.0.0 255.255.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM Backup Route-Map ACL
access-list 102 remark SDM_ACL Category=1
access-list 102 permit icmp any host 213.92.5.60 echo
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.1
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.2
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.3
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.4
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.5
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.6
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.7
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.8
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.9
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.10
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.11
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.12
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.13
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.14
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.15
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.16
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.17
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.18
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.19
access-list 104 deny ip 192.168.0.0 0.0.255.255 host 172.16.20.20
access-list 104 permit ip 192.168.0.0 0.0.255.255 any
access-list 150 remark Split Tunnel for client vpn
access-list 150 remark SDM_ACL Category=4
access-list 150 deny ip 172.16.0.0 0.0.255.255 any log
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
route-map SDM_BACKUP_RMAP_1 permit 1
match ip address 102
set interface Dialer0 Null0
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
ISDN BACKUP CISCO 1801: NAT PROBLEMS?
Moderator: Federico.Lagni
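A check for the NAT setup described in the post, as an added example that is not part of the original post: both `ip nat inside source ... overload` rules reference the same route-map, which matches only on ACL 104, so nothing ties a translation to the interface the packet actually leaves through. A commonly used pattern for dual-uplink NAT on IOS gives each outside interface its own route-map containing `match interface`; the sketch below flags overload rules that lack it. The route-map names `NAT_DIALER0` and `NAT_DIALER1` are hypothetical, and both sample configs are constructed.

```python
import re

# Constructed sample: the NAT and route-map lines as they appear in the posted config.
POSTED = """\
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
route-map SDM_RMAP_1 permit 1
 match ip address 104
"""

# Constructed sample: hypothetical route-maps NAT_DIALER0 / NAT_DIALER1,
# each pinned to one egress interface with "match interface".
PER_INTERFACE = """\
ip nat inside source route-map NAT_DIALER0 interface Dialer0 overload
ip nat inside source route-map NAT_DIALER1 interface Dialer1 overload
route-map NAT_DIALER0 permit 1
 match ip address 104
 match interface Dialer0
route-map NAT_DIALER1 permit 1
 match ip address 104
 match interface Dialer1
"""

NAT_RE = re.compile(r"^ip nat inside source route-map (\S+) interface (\S+) overload", re.M)
RMAP_RE = re.compile(r"^route-map (\S+) (?:permit|deny)\b")

def route_map_interfaces(config):
    """Map each route-map name to the interfaces named in its 'match interface' lines."""
    maps, current = {}, None
    for line in config.splitlines():
        m, s = RMAP_RE.match(line), line.strip()
        if m:
            current = m.group(1)
            maps.setdefault(current, set())
        elif current and s.startswith("match interface "):
            maps[current].update(s.split()[2:])
        elif not s.startswith(("match ", "set ", "description ")):
            current = None  # left the route-map block (works with flattened indentation too)
    return maps

def ambiguous_nat_rules(config):
    """Return (route_map, interface) pairs whose route-map does not pin that interface."""
    maps = route_map_interfaces(config)
    return [(rm, ifc) for rm, ifc in NAT_RE.findall(config)
            if ifc not in maps.get(rm, set())]
```

Running `ambiguous_nat_rules` on a saved `show running-config` lists every overload rule to review; after a failover, existing translations created on the old uplink still need to age out or be cleared before new ones are built.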