
cisco 857 lost remote access

Posted: Thu 04 Feb 2010 3:49 pm
by l'indiano
Hello everyone, I'm posting for some help / clarification.
On an 857 router I had SSH access for administration until yesterday. I downloaded the configuration to edit it and make some small changes to the VPN client -> LAN part. I don't think I touched anything else. I loaded it first into run and then into startup... from that moment I lost SSH connectivity (the only access enabled from outside). Inside the network everything works correctly and I can also get into the LAN via VPN, but even from inside I can't access it. The only alternative is console access, which isn't possible for me right now.
Attempting to connect with PuTTY gives the error "Network error: Connection refused", while trying with SDM it says "Check the connections between your workstation and the router; Make sure the router IOS image is one of the supported images; Clear a VTY line if all VTY lines are in use."
I'm attaching the configuration.
Thanks everyone
Regards, Claudio

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Quing'S'ystems
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone Rome 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 192.168.22.137 255.255.255.192
!
ip dhcp pool pool_name
import all
network 192.168.22.128 255.255.255.192
dns-server 192.168.22.184
default-router 192.168.22.190
lease 0 2
!
ip dhcp pool radio_pool_name
import all
network 192.168.22.64 255.255.255.192
dns-server 192.168.22.184
default-router 192.168.22.126
lease 0 2
!

ip cef
ip domain name domain.com
ip name-server 88.149.128.12
ip name-server 88.149.128.5
!
crypto pki trustpoint TP-self-signed-1781945177
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1781945177
revocation-check none
rsakeypair TP-self-signed-1781945177
!
crypto pki certificate chain TP-self-signed-1781945177
certificate self-signed 01
30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31373831 39343531 3737301E 170D3037 30373131 31363239
34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37383139
34353137 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B666 A9B991B9 07E43BB8 08E4DC33 25F3AAE6 1EC0C2C1 9D033F6E 921FA743
ADAA8722 F260A980 EF27AE6C D819A959 8D33C571 01AC9FA4 57531F86 C73C488C
99E858AC CE8A6B45 E065FBE4 F629FA44 ACF77893 591D0DE8 B645CA76 FFE4F296
63BAF7D3 4A7AD140 7DAFFBE3 886F0DA0 878270AB 8A7C670E B4FB036D 07026525
E4990203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603
551D1104 23302182 1F517569 6E672753 27797374 656D732E 7175696E 67737973
74656D73 2E636F6D 301F0603 551D2304 18301680 1470F648 78F6C266 41309628
55645AC1 DB654F79 1C301D06 03551D0E 04160414 70F64878 F6C26641 30962855
645AC1DB 654F791C 300D0609 2A864886 F70D0101 04050003 8181004E 1EB203D6
9A7CA0EB 4BA7F3E1 18F4E23C B96E5D4B 17D240FC 547D9726 C974DCFA BE38E561
244DC6E8 B09EFD91 B9F1C19A B5D66664 6EB09CD9 D20CB3F1 96DADF58 1244768C
ED107366 EEBC20A4 7E5F58D0 538A9A49 DFFB6B7C D42030BF 9EC1CA64 F578E01A
AFEA0FE0 3C010B72 E7457E29 8F3518E2 AFCEB768 6AB6E4C2 DEFF1E
quit
username user01 privilege 15 secret 5 $1$77H/$0AZxCNC68z5OKe4vm6S0u.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key 1234567890 address 217.xxx.xxx.xxx
!
crypto isakmp client configuration group groupname
key 1234567890
dns 192.168.22.184
pool groupname
include-local-lan
netmask 255.255.255.192
banner *
--------------------------------------------------------------
banner
--------------------------------------------------------------
*
crypto isakmp profile sdm-ike-profile-1
match identity group groupname
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP_MD5_HMAC esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP_MD5_HMAC
set isakmp-profile sdm-ike-profile-1
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.xxx.xxx.xxx
set peer 217.xxx.xxx.xxx
set transform-set ESP_MD5_HMAC
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to217.1xxx.xxx.xxx
set peer 217.xxx.xxx.xxx
set transform-set ESP_MD5_HMAC
match address 103
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
crypto ipsec df-bit clear
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
crypto ipsec df-bit clear
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
ip address 192.168.22.126 255.255.255.192
ip nat inside
ip virtual-reassembly
!
broadcast-key change 86400
!
encryption key 1 size 128bit 0 16079945003283929829417886 transmit-key
encryption mode ciphers wep128
!
ssid ssidname
authentication open
guest-mode
wpa-psk ascii 0 1234567890
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no dot11 extension aironet
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.22.190 255.255.255.192
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip access-group sdm_dialer0_in in
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password 0 password
ppp pap sent-username hostname password 0 password
crypto map SDM_CMAP_1
!
ip local pool easyvpn-pool 192.168.22.152 192.168.22.159
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static udp 192.168.22.130 8001 interface Dialer0 8001
ip nat inside source static udp 192.168.22.130 8000 interface Dialer0 8000
ip nat inside source static udp 192.168.22.130 5004 interface Dialer0 5004
ip nat inside source static udp 192.168.22.130 3478 interface Dialer0 3478
ip nat inside source static udp 192.168.22.130 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.22.132 2001 interface Dialer0 2001
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.22.132 48995 interface Dialer0 48995
ip nat inside source static tcp 192.168.22.179 21 interface Dialer0 21
ip nat inside source static tcp 192.168.22.182 80 interface Dialer0 80
ip nat inside source static tcp 192.168.22.182 443 interface Dialer0 443
ip nat inside source static tcp 192.168.22.184 3389 interface Dialer0 3389
!
ip access-list extended sdm_dialer0_in
remark SDM_ACL Category=1
remark IPSec Rule
permit ip 192.168.12.0 0.0.0.127 192.168.22.128 0.0.0.63
remark IPSec Rule
permit ip 192.168.12.0 0.0.0.127 192.168.22.64 0.0.0.63
remark Auto generated by SDM for NTP (123) 193.204.114.233
permit udp host 193.204.114.233 eq ntp any eq ntp
remark Auto generated by SDM for NTP (123) 193.204.114.232
permit udp host 193.204.114.232 eq ntp any eq ntp
permit ahp host 217.xxx.xxx.xxx any
permit esp host 217.xxx.xxx.xxx any
permit udp host 217.xxx.xxx.xxx any eq isakmp
permit udp host 217.xxx.xxx.xxx any eq non500-isakmp
remark IPSec Rule
permit ip 192.168.12.0 0.0.0.127 192.168.22.0 0.0.0.255
permit ip any any
remark SIP 5060
permit udp any eq 5060 host 192.168.22.130 eq 5060
remark STUN 3478
permit udp any eq 3478 host 192.168.22.130 eq 3478
remark RTP 5004
permit udp any eq 5004 host 192.168.22.130 eq 5004
remark 8000
permit udp any eq 8000 host 192.168.22.130 eq 8000
remark 8001
permit udp any eq 8001 host 192.168.22.130 eq 8001
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.22.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.22.0 0.0.0.255 192.168.12.0 0.0.0.127
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.22.128 0.0.0.63 192.168.12.0 0.0.0.127
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.22.64 0.0.0.63 192.168.12.0 0.0.0.127
access-list 101 remark vlan1 interface rule
access-list 101 permit ip 192.168.22.128 0.0.0.63 any
access-list 101 remark Radio Interface Rule
access-list 101 permit ip 192.168.22.64 0.0.0.63 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.22.64 0.0.0.63 192.168.12.0 0.0.0.127
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.22.128 0.0.0.63 192.168.12.0 0.0.0.127
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
control-plane
!
banner login
-----------------------------------------------------------------------
banner
-----------------------------------------------------------------------

!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175039
ntp server 193.204.114.232 prefer
ntp server 193.204.114.233
end

Posted: Mon 08 Feb 2010 11:43 am
by lorbellu
Hi,

I'm no wizard with the ACLs created by SDM (curse it), but from your config it appears you apply an ACL to the dialer interface; too bad that in this ACL there is no nice permit for ssh.....


Regards

Posted: Mon 08 Feb 2010 3:38 pm
by l'indiano
Hi, thanks first of all for your interest,
I'm no wizard in general, but before the operation I described the SSH connection worked and I didn't change the ACLs. I hope a clear line vty via console will solve it. I'll of course update the forum with the outcome.

Thanks and regards

Posted: Sun 14 Feb 2010 3:04 pm
by l'indiano
So... via console a clear line vty <0 to 4> was run, but that didn't solve the problem. I still can't connect via SSH, neither from the LAN nor remotely.
Any suggestions?
Many thanks
Claudio
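Added diagnostic checklist (not part of any post in the thread): the symptom described in the first post is a TCP "Connection refused" on port 22 from both the WAN and the LAN side, and the 14 Feb post reports that clearing the VTY lines did not help. On IOS a refusal from both sides is consistent with the SSH server itself being disabled (no usable RSA key pair; RSA keys are never shown in the running-config, so the posted config cannot confirm or rule this out) or with all VTY lines being occupied. The only inbound ACL in the posted config, sdm_dialer0_in, is applied on Dialer0 and ends in "permit ip any any", so it does not explain the failure from inside the LAN. The sequence below is what I would run from the console session to distinguish these cases, followed by the recovery step for the "SSH Disabled" case; the key label SSH-KEY and the 2048-bit modulus are my choices, not values from the page.

```cisco
! Console session, enable mode. Lines starting with "! expect:" describe what to look for;
! the exact wording varies between IOS releases.

! 1. Is the SSH server listening at all?
show ip ssh
! expect: "SSH Enabled - version 1.99"  -> server is up, look elsewhere
!         "SSH Disabled - version 1.99" -> no usable RSA key: port 22 refuses connections

! 2. RSA keys live outside the running-config; check them directly.
show crypto key mypubkey rsa

! 3. Occupied VTY lines also refuse new sessions (SDM's third hint).
show users
show line vty 0 4

! 4. Inbound ACL on Dialer0: ends in "permit ip any any", but check the hit counters anyway.
show ip access-lists sdm_dialer0_in

! 5. What the vty lines accept and the prerequisites SSH needs (hostname, domain, a local user).
show running-config | begin line vty
show running-config | include ^hostname|^ip domain|^ip ssh|^username

! 6. Any SSH-related log messages since the config was reloaded.
show logging | include SSH

! --- Recovery if step 1 reports "SSH Disabled" ---
! hostname and "ip domain name" are already set in the posted config; both are required
! before a key pair can be generated.
configure terminal
 crypto key generate rsa modulus 2048 label SSH-KEY
 ip ssh rsa keypair-name SSH-KEY
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 line vty 0 4
  transport input ssh
  exec-timeout 10 0
 end
! Re-test from a LAN host while still on the console, and only then save:
show ip ssh
copy running-config startup-config
```

If step 2 shows a key pair but step 1 still says disabled, the usual culprit is a key whose modulus is too small for the configured SSH version; generating a fresh 2048-bit pair as above and pointing ip ssh rsa keypair-name at it resolves that as well.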

Posted: Tue 23 Feb 2010 10:56 pm
by zot
I won't go into the merits of the problem, but I'd advise you (besides using the CLI) to make all changes remotely "online", test them and, once you're sure, do a nice "wr mem".
That's because if you screw something up, you just have to get someone to power the device off and on again to go back to where you started....
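Added example of the change procedure zot describes, with a safety net for the case where nobody is on site to power-cycle the router (my own example, not zot's or the original poster's commands): a scheduled reload discards the unsaved running-config if the change locks you out, and is cancelled only after a second, independent session has proven the change works. The second half shows the IOS 12.4 configuration archive as a faster alternative to a reboot; the archive path flash:config-backup and the snapshot name flash:config-backup-1 are assumptions for illustration, and the two hardening lines are there only because the posted config has "no service password-encryption".

```cisco
! 1. Safety net first: schedule a reboot in 10 minutes. If the prompt asks
!    "System configuration has been modified. Save? [yes/no]", answer NO.
!    startup-config is untouched, so a reboot returns the last known-good config.
reload in 10

! 2. Make the change from the existing SSH session.
configure terminal
 ! ... the VPN client -> LAN edits go here ...
 service password-encryption
 ip ssh version 2
 end

! 3. Verify from a SECOND session: open a new SSH connection now and keep the
!    first one open. If the new session fails, fix the config from the first one
!    or simply let the scheduled reload roll it back.
show ip ssh
show users

! 4. Only when the second session works: cancel the reload and persist.
reload cancel
copy running-config startup-config

! --- Alternative: configuration archive and atomic rollback (IOS 12.4) ---
configure terminal
 archive
  path flash:config-backup
  maximum 5
  write-memory
 end
! take a snapshot before the next change ...
archive config
show archive
! ... and if the change misbehaves, replace the running-config with the snapshot
! in one step, without a reboot (the archive appends -N to the path):
configure replace flash:config-backup-1 list force
```

The reload-timer pattern costs nothing and works on any IOS; the archive pattern needs free space in flash, which is limited on an 857, so keep "maximum" small.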