Posted: Wed 13 Feb 2008, 2:24 pm
by matteo81
Hi everyone, I'm new here and congratulations on the forum!
Could someone be so kind as to explain why, when I apply ACL 170 to D1, I can't browse anymore? :(


Where am I going wrong?

Current configuration : 2896 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
enable password WWWW
!
username WWW password 0 WWWWWWWW
clock timezone italia 1
clock summer-time italia recurring last Sun Mar 3:00 last Sun Oct 2:00
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name HOME
ip name-server 130.244.127.161
ip name-server 130.244.127.169
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group WWWWW
key 0 WWWWW
pool ippool
acl 180
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
ip nat inside
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 170 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname WWWW
ppp chap password 0 WWWW
ppp pap sent-username WWWWWWW
crypto map clientmap
!
ip local pool ippool 192.168.30.100 192.168.30.200
ip nat inside source list 190 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
logging trap debugging
logging 192.168.0.2
access-list 170 permit tcp any any eq 22 log
access-list 170 permit tcp any any eq telnet log
access-list 170 permit udp any any eq non500-isakmp
access-list 170 permit udp any any eq isakmp
access-list 170 permit icmp any any
access-list 180 permit ip 192.168.30.0 0.0.255.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.0.0 0.0.0.255 any
!
line con 0
no modem enable
line aux 0
line vty 0 4
password WWWW
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

Posted: Wed 13 Feb 2008, 3:17 pm
by okkio1982
Hi, I'm not very well versed in this, but I'll give it a try...
Maybe you need to add:

dialer-list 1 protocol ip list 170

and then put

dialer-group 1

on the D1 interface.
I can't promise anything.. it's just advice from a newbie. :roll:

Posted: Wed 13 Feb 2008, 5:02 pm
by Wizard
Because at the end there's an implicit "deny ip any any", so the return connections don't get through!
To let them through you have to configure ip inspect outbound, or else allow established connections on the dialer.
Obviously the ip inspect solution is strongly recommended.
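
To see concretely what Wizard describes, here is an added Python model (example code, not from the thread and not Cisco's) of an IOS extended ACL applied inbound on Dialer1. It takes ACL 170 from the first post, feeds it the reply packet of an outbound HTTP connection, and shows that the reply hits the implicit deny. It then compares the two fixes Wizard mentions: a `permit tcp any any established` entry, which also admits any unsolicited packet that merely has the ACK bit set, and a minimal stateful inspector standing in for `ip inspect`, which admits only replies to sessions it saw leave. The addresses 203.0.113.7 and 198.51.100.x are constructed stand-ins for the negotiated Dialer1 address and Internet hosts; `Inspector` is a teaching stand-in, not a model of CBAC's real state machine.

```python
"""Toy model of a Cisco IOS extended ACL applied inbound on a WAN interface.

Added example, not part of the thread. ACL 170 from the first post only
permits SSH, telnet, ISAKMP/NAT-T and ICMP inbound, so replies to
connections the LAN opens outbound fall through to the implicit
"deny ip any any" that ends every IOS access-list.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False    # TCP ACK flag, what `established` looks at
    rst: bool = False


@dataclass(frozen=True)
class Ace:
    """One access-list entry; the defaults mean 'any' for both addresses."""
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp" or "ip"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # "eq <port>" on the destination
    established: bool = False         # TCP only: ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"  # implicit "deny ip any any"


# ACL 170 from the first post (ssh=22, telnet=23, isakmp=500, non500-isakmp=4500).
ACL_170 = [
    Ace("permit", "tcp", dport=22),
    Ace("permit", "tcp", dport=23),
    Ace("permit", "udp", dport=4500),
    Ace("permit", "udp", dport=500),
    Ace("permit", "icmp"),
]
# The "established" alternative: one extra entry at the end.
ACL_170_ESTABLISHED = ACL_170 + [Ace("permit", "tcp", established=True)]

# Constructed sample traffic. 203.0.113.7 stands in for the negotiated
# Dialer1 address, 198.51.100.x for hosts on the Internet.
WAN_IP = "203.0.113.7"
HTTP_REQUEST = Packet("tcp", WAN_IP, 51234, "198.51.100.80", 80)
HTTP_REPLY = Packet("tcp", "198.51.100.80", 80, WAN_IP, 51234, ack=True)
ACK_SCAN = Packet("tcp", "198.51.100.66", 40000, WAN_IP, 445, ack=True)
NEW_SYN = Packet("tcp", "198.51.100.66", 40001, WAN_IP, 445)


class Inspector:
    """Minimal stand-in for `ip inspect ... out`: remember sessions that
    leave through the interface and let only their replies bypass the ACL."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, p: Packet) -> None:
        # Store the key as the reply will present it (src/dst swapped).
        self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def inbound(self, acl: List[Ace], p: Packet) -> str:
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:
            return "permit"  # return traffic of a session we opened
        return evaluate(acl, p)


def demo() -> dict:
    insp = Inspector()
    insp.outbound(HTTP_REQUEST)
    return {
        "reply_plain_acl": evaluate(ACL_170, HTTP_REPLY),
        "reply_established": evaluate(ACL_170_ESTABLISHED, HTTP_REPLY),
        "ack_scan_established": evaluate(ACL_170_ESTABLISHED, ACK_SCAN),
        "reply_inspect": insp.inbound(ACL_170, HTTP_REPLY),
        "ack_scan_inspect": insp.inbound(ACL_170, ACK_SCAN),
        "new_syn_inspect": insp.inbound(ACL_170, NEW_SYN),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The `ack_scan_established` line is the point of the comparison: `established` only looks at TCP flags, so anything with ACK set reaches every port behind the ACL (enough for ACK scanning to map the filter, though not to complete a handshake), whereas the inspector, like `ip inspect`, permits only replies to sessions that originated from inside and leaves the SYN and the ACK scan to the implicit deny.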

Posted: Thu 14 Feb 2008, 9:42 am
by matteo81
Thanks everyone for the help! :-)

And indeed, this way it works :-)


Current configuration : 4211 bytes
!
! Last configuration change at 08:57:07 italia Thu Feb 14 2008 by admin
! NVRAM config last updated at 20:33:57 italia Wed Feb 13 2008 by admin
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
enable password WWWW
!
username admin password 0 WWWWW
clock timezone italia 1
clock summer-time italia recurring last Sun Mar 3:00 last Sun Oct 2:00
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name HOME.local
ip name-server 130.244.127.161
ip name-server 130.244.127.169
!
!
ip inspect name firewall udp timeout 15
ip inspect name firewall tcp timeout 3600
ip inspect name firewall ftp timeout 3600
ip inspect name firewall http timeout 3600
ip inspect name firewall tftp timeout 3600
ip inspect name firewall sqlnet timeout 3600
ip inspect name firewall smtp timeout 3600
ip inspect name firewall h323 timeout 3600
ip inspect name firewall vdolive timeout 3600
ip inspect name firewall cuseeme timeout 3600
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group WWWWW
key 0 WWWWWW
pool ippool
acl 180
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 160 in
ip nat outside
ip inspect firewall out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname WWWWWWW
ppp chap password 0 WWWWWW
ppp pap sent-username WWWWWWWW
crypto map clientmap
!
ip local pool ippool 192.168.30.100 192.168.30.200
ip nat inside source list 190 interface Dialer1 overload
ip nat inside source static udp 192.168.0.2 51000 interface Dialer1 51000
ip nat inside source static tcp 192.168.0.2 50000 interface Dialer1 50000
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
logging trap debugging
logging 192.168.0.2

access-list 160 permit tcp any any eq 22 log
access-list 160 permit tcp any any eq telnet log
access-list 160 permit icmp any any echo-reply
access-list 160 permit icmp any any packet-too-big
access-list 160 permit icmp any any unreachable
access-list 160 permit icmp any any traceroute
access-list 160 permit icmp any any time-exceeded
access-list 160 deny icmp any any
access-list 160 permit udp any any eq isakmp
access-list 160 permit udp any any eq non500-isakmp
access-list 160 permit tcp any any eq 50000
access-list 160 permit udp any any eq 51000
access-list 180 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 deny ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.0.0 0.0.0.255 any
!
line con 0
no modem enable
line aux 0
line vty 0 4
password WWWW
transport input telnet ssh
!
scheduler max-task-time 5000
!
end


Now I'm trying the VPN client.. it does connect and even gets an IP, but then from the router I can't ping the client's IP, and likewise from the client I can't ping the router.
Ideas?

Posted: Thu 14 Feb 2008, 10:39 am
by Wizard
You have to route the VPN pool toward the dialer

Posted: Thu 14 Feb 2008, 12:02 pm
by matteo81
ip route 192.168.30.0 255.255.255.0 dialer 1

:-D did I write something stupid?

Thanks again for the help

Posted: Thu 14 Feb 2008, 4:49 pm
by Wizard
Yes, go ahead!

Posted: Fri 15 Feb 2008, 8:15 am
by matteo81
No luck!
The VPN client keeps giving me trouble! It gets the IP, but then I can't ping, let alone do anything else.
Where am I going wrong?

Current configuration : 4211 bytes
!
! Last configuration change at 08:57:07 italia Thu Feb 14 2008 by admin
! NVRAM config last updated at 20:33:57 italia Wed Feb 13 2008 by admin
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
enable password WWWW
!
username admin password 0 WWWWW
clock timezone italia 1
clock summer-time italia recurring last Sun Mar 3:00 last Sun Oct 2:00
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name HOME.local
ip name-server 130.244.127.161
ip name-server 130.244.127.169
!
!
ip inspect name firewall udp timeout 15
ip inspect name firewall tcp timeout 3600
ip inspect name firewall ftp timeout 3600
ip inspect name firewall http timeout 3600
ip inspect name firewall tftp timeout 3600
ip inspect name firewall sqlnet timeout 3600
ip inspect name firewall smtp timeout 3600
ip inspect name firewall h323 timeout 3600
ip inspect name firewall vdolive timeout 3600
ip inspect name firewall cuseeme timeout 3600
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group WWWWW
key 0 WWWWWW
pool ippool
acl 180
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 160 in
ip nat outside
ip inspect firewall out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname WWWWWWW
ppp chap password 0 WWWWWW
ppp pap sent-username WWWWWWWW
crypto map clientmap
!
ip local pool ippool 192.168.30.100 192.168.30.200
ip nat inside source list 190 interface Dialer1 overload
ip nat inside source static udp 192.168.0.2 51000 interface Dialer1 51000
ip nat inside source static tcp 192.168.0.2 50000 interface Dialer1 50000
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.30.0 255.255.255.0 Dialer1
no ip http server
no ip http secure-server
!
logging trap debugging
logging 192.168.0.2

access-list 160 permit tcp any any eq 22 log
access-list 160 permit tcp any any eq telnet log
access-list 160 permit icmp any any echo-reply
access-list 160 permit icmp any any packet-too-big
access-list 160 permit icmp any any unreachable
access-list 160 permit icmp any any traceroute
access-list 160 permit icmp any any time-exceeded
access-list 160 deny icmp any any
access-list 160 permit udp any any eq isakmp
access-list 160 permit udp any any eq non500-isakmp
access-list 160 permit tcp any any eq 50000
access-list 160 permit udp any any eq 51000
access-list 180 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 deny ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.0.0 0.0.0.255 any
!
line con 0
no modem enable
line aux 0
line vty 0 4
password wwww
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

Posted: Fri 15 Feb 2008, 6:50 pm
by Wizard
With 12.3 you have to put an ACL for the VPN traffic on the public interface:

access-list 160 permit ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255

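The ACL entries in this thread use several different masks (0.0.0.255 in ACL 190, 0.0.255.255 in the first post's ACL 180), and when typing an entry by hand it is easy to write a subnet mask where IOS expects a wildcard. Here is an added Python helper (example code, not from the thread and not a Cisco tool) that reports what a network/wildcard pair really covers and flags masks that look like inverted subnet masks. The first two sample pairs are taken from the configurations above; the third is a constructed example of that slip.

```python
"""Wildcard-mask sanity checks for IOS ACL entries.

Added example, not part of the thread. IOS access-list entries take a
wildcard mask (a 1 bit means "don't care"), not a subnet mask, so
255.255.255.0 typed where 0.0.0.255 was meant, or 0.0.255.255 typed for a
/24, quietly changes what the entry matches. IOS accepts all of these
without complaint, which is why a check like this is worth running.
"""
from ipaddress import IPv4Address
from typing import Optional


def _u32(s: str) -> int:
    return int(IPv4Address(s))


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS semantics: compare only the bits that are 0 in the wildcard."""
    a, n, w = _u32(addr), _u32(net), _u32(wildcard)
    return (a & ~w) == (n & ~w)


def describe(net: str, wildcard: str) -> dict:
    """What a net/wildcard pair really covers."""
    n, w = _u32(net), _u32(wildcard)
    fixed = ~w & 0xFFFFFFFF
    return {
        # every don't-care bit doubles the matched set
        "addresses": 1 << bin(w).count("1"),
        # a sane wildcard is a run of low-order ones (inverse of a prefix mask)
        "contiguous": (w & (w + 1)) == 0,
        # network bits in don't-care positions are silently ignored,
        # e.g. the "30" in "192.168.30.0 0.0.255.255"
        "stray_bits": (n & w) != 0,
        # the lowest address the entry matches
        "first_match": str(IPv4Address(n & fixed)),
    }


def suggest_wildcard(wildcard: str) -> Optional[str]:
    """If the mask looks like a subnet mask typed by mistake, return the
    wildcard that was probably meant; None if the mask looks fine."""
    w = _u32(wildcard)
    inverse = ~w & 0xFFFFFFFF
    looks_like_subnet_mask = (
        w != 0
        and (w & (w + 1)) != 0                    # not a low-order run of ones
        and (inverse & (inverse + 1)) == 0        # but its inverse is one
    )
    return str(IPv4Address(inverse)) if looks_like_subnet_mask else None


# First two pairs from the configurations in this thread, third constructed.
SAMPLE_PAIRS = [
    ("192.168.0.0", "0.0.0.255"),       # ACL 190: a /24, as intended
    ("192.168.30.0", "0.0.255.255"),    # ACL 180, first post: really 192.168.0.0/16
    ("192.168.30.0", "255.255.255.0"),  # subnet mask typed where a wildcard was needed
]


def audit() -> dict:
    out = {}
    for net, wc in SAMPLE_PAIRS:
        d = describe(net, wc)
        d["suggest"] = suggest_wildcard(wc)
        out[f"{net} {wc}"] = d
    return out


if __name__ == "__main__":
    for entry, info in audit().items():
        print(entry, info)
    # With 255.255.255.0 as the wildcard only the last octet is compared,
    # so 10.0.0.0 matches and 192.168.30.5 does not:
    print(wildcard_match("10.0.0.0", "192.168.30.0", "255.255.255.0"))      # True
    print(wildcard_match("192.168.30.5", "192.168.30.0", "255.255.255.0"))  # False
```

The second sample pair is the quieter of the two mistakes: 0.0.255.255 is a perfectly well-formed wildcard, so the only hint that the entry covers 65536 addresses instead of 256 is the stray "30" sitting in a don't-care position, which is what `stray_bits` catches.
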
Posted: Mon 18 Feb 2008, 9:17 am
by matteo81
I upgraded the IOS and changed a few things, and now it works :-)
Thanks for the help :-)


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
enable password wwwww
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone italia 1
clock summer-time italia recurring last Sun Mar 3:00 last Sun Oct 2:00
!
!
!
!
ip cef
no ip domain lookup
ip domain name HOME.local
ip name-server 130.244.127.161
ip name-server 130.244.127.169
ip inspect name firewall udp timeout 15
ip inspect name firewall tcp timeout 3600
ip inspect name firewall ftp timeout 3600
ip inspect name firewall http timeout 3600
ip inspect name firewall tftp timeout 3600
ip inspect name firewall sqlnet timeout 3600
ip inspect name firewall smtp timeout 3600
ip inspect name firewall h323 timeout 3600
ip inspect name firewall vdolive timeout 3600
ip inspect name firewall cuseeme timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username www password 0 wwwwww
!
!
ip ssh time-out 60
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group wwwww
key wwwwww
pool ippool
acl 180
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 110 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname wwww
ppp chap password 0 wwwww
ppp pap sent-username wwwwww password 0 wwwwww
crypto map clientmap
!
ip local pool ippool 192.168.30.100 192.168.30.200
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.30.0 255.255.255.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 190 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 50000 interface Dialer1 50000
ip nat inside source static udp 192.168.0.2 51000 interface Dialer1 51000
!
logging trap debugging
logging 192.168.0.2
access-list 110 permit tcp any any eq 22 log
access-list 110 permit tcp any any eq telnet log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 132.147.160.0 0.0.0.255 any log
access-list 110 deny ip host 255.255.255.255 any log
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any traceroute
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any log
access-list 110 permit udp any any eq isakmp log
access-list 110 permit udp any any eq non500-isakmp log
access-list 110 permit tcp any any eq 50000
access-list 110 permit udp any any eq 51000
access-list 110 deny ip any any log
access-list 180 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password wwwww
transport input telnet ssh
!
scheduler max-task-time 5000
end