Hi everyone,
I have a Cisco 877 configured in a site-to-site VPN with an ASA 5510.
Thanks to the valuable pointers found on this excellent forum I had configured a NAT that forwards the VNC service to an IP on the LAN, working alongside the VPN; here is the config (I am including the access lists and route maps):
ip nat inside source static tcp 192.168.0.230 5900 xx.xx.xx.56 5900 route-map POL-NAT
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit xx.xx.xx.98
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 100 deny tcp any host 192.168.0.1 eq telnet
access-list 100 deny tcp any host 192.168.0.1 eq 22
access-list 100 deny tcp any host 192.168.0.1 eq www
access-list 100 deny tcp any host 192.168.0.1 eq 443
access-list 100 deny tcp any host 192.168.0.1 eq cmd
access-list 100 deny udp any host 192.168.0.1 eq snmp
access-list 100 deny ip xx.xx.xx.0 0.0.0.63 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq telnet
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq 22
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq www
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq 443
access-list 101 permit tcp host xx.xx.xx.98 host xx.xx.xx.56 eq cmd
access-list 101 deny udp any host xx.xx.xx.56 eq snmp
access-list 101 permit udp host xx.xx.xx.98 host xx.xx.xx.56 eq non500-isakmp
access-list 101 permit udp host xx.xx.xx.98 host xx.xx.xx.56 eq isakmp
access-list 101 permit esp host xx.xx.xx.98 host xx.xx.xx.56
access-list 101 permit ahp host xx.xx.xx.98 host xx.xx.xx.56
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 remark ACL NAT SU INTERNET************************
access-list 103 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip host xx.xx.xx.98 any
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip any any
access-list 105 remark ACL PEN************************************
access-list 105 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 105 permit ip any any
no cdp run
route-map NAT-PEN permit 1
match ip address 105
!
route-map SDM_RMAP_1 permit 1
match ip address 103
The configuration gives me the following problem: as soon as I add the line ip nat inside source static tcp 192.168.0.230 5900 xx.xx.xx.56 5900 route-map POL-NAT, Internet traffic from the 192.168.0.0 network stops working and the VNC NAT doesn't work, while the VPN keeps working.
I also tried replacing the line ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload with the line ip nat inside source list 103 interface ATM0.1 overload, and in that case Internet and VPN are fine but the VNC NAT still doesn't work.
Is there something wrong in the configuration I enabled?
The router freezes every now and then and I have to power it off and on again; could it be a firmware upgrade issue?
Thanks in advance for your help.
Francesco.
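As an added illustration, not part of Francesco's post or of any Cisco tooling: a small Python checker (my own code) that resolves every "ip nat inside source ... route-map" reference to its route-map and numbered ACL, and evaluates the wildcard-mask ACL top-down to show which flows a given NAT rule would translate. It assumes the constructed excerpt below, which keeps only the NAT-relevant lines of the post with the masked public address xx.xx.xx.56 left as a placeholder. Run over those lines it reports that the static VNC rule references route-map POL-NAT while the route-maps actually defined are NAT-PEN and SDM_RMAP_1, and it shows how ACL 105 and ACL 103 exempt 192.168.0.0/24 to 10.0.0.0/24 (the VPN traffic) from translation while letting everything else be NATted.

```python
import ipaddress
import re

# Constructed excerpt mirroring the NAT-relevant lines of the post.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.0.230 5900 xx.xx.xx.56 5900 route-map POL-NAT
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
access-list 103 remark ACL NAT SU INTERNET
access-list 103 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 remark ACL PEN
access-list 105 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 105 permit ip any any
!
route-map NAT-PEN permit 1
 match ip address 105
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
"""


def parse_config(text):
    """Collect NAT route-map references, route-map sequences and numbered ACL entries."""
    nat_refs = []    # (config line, route-map name)
    route_maps = {}  # name -> [(permit|deny, acl number), ...]
    acls = {}        # acl number -> [(permit|deny, rest of entry), ...]
    current = action = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":          # end of the current route-map block
            current = None
            continue
        m = re.match(r"ip nat inside source .*route-map (\S+)", line)
        if m:
            nat_refs.append((line, m.group(1)))
            continue
        m = re.match(r"route-map (\S+) (permit|deny) \d+", line)
        if m:
            current, action = m.group(1), m.group(2)
            route_maps.setdefault(current, [])
            continue
        m = re.match(r"match ip address (\S+)", line)
        if m and current:
            route_maps[current].append((action, m.group(1)))
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line)
        if m:            # remarks carry no permit/deny and are skipped
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return nat_refs, route_maps, acls


def lint(text):
    """Report NAT rules whose route-map, or whose route-map's ACL, does not exist."""
    nat_refs, route_maps, acls = parse_config(text)
    problems = []
    for line, name in nat_refs:
        if name not in route_maps:
            problems.append(f"route-map {name} referenced but never defined: {line}")
            continue
        for _, acl in route_maps[name]:
            if acl not in acls:
                problems.append(f"route-map {name} matches access-list {acl}, which has no entries")
    return problems


def _parse_addr(tokens, i):
    """Read 'any', 'host A' or 'A WILDCARD' starting at tokens[i]; return (net, wildcard, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def _matches(addr, net, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def acl_permits(entries, src, dst):
    """Evaluate the 'ip' entries of a numbered ACL top-down; unmatched flows hit the implicit deny."""
    for action, rest in entries:
        tokens = rest.split()
        if tokens[0] != "ip":    # only protocol-agnostic entries are modelled here
            continue
        snet, swild, i = _parse_addr(tokens, 1)
        dnet, dwild, _ = _parse_addr(tokens, i)
        if _matches(src, snet, swild) and _matches(dst, dnet, dwild):
            return action == "permit"
    return False


def nat_applies(text, route_map, src, dst):
    """Would a src->dst flow be translated by a NAT rule bound to route_map?
    None means the route-map is undefined, so the rule can never match anything."""
    _, route_maps, acls = parse_config(text)
    if route_map not in route_maps:
        return None
    for action, acl in route_maps[route_map]:
        if acl_permits(acls.get(acl, []), src, dst):
            return action == "permit"
    return False


if __name__ == "__main__":
    for p in lint(SAMPLE_CONFIG):
        print("PROBLEM:", p)
    for rm, dst in (("NAT-PEN", "10.0.0.5"), ("NAT-PEN", "203.0.113.7"), ("POL-NAT", "203.0.113.7")):
        print(rm, "192.168.0.230 ->", dst, "translated:", nat_applies(SAMPLE_CONFIG, rm, "192.168.0.230", dst))
```

The checker only models "ip" entries with any/host/wildcard addresses, which is all the NAT ACLs in the post use; port-specific entries would need the protocol and port fields parsed as well.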