Hello everyone,
I'm asking for your help with the following problem:
I configured an 877 as a VPN terminator, partly copying from the various configurations posted here and partly using SDM. I'm using VPN Client version 5.
Unfortunately I can only connect and get the router and the VPN client to ping each other; the rest of the network is unreachable.
Could you give me a hand? Thanks
Building configuration...
Current configuration : 6696 bytes
!
! Last configuration change at 15:17:00 MEDT Tue May 13 2008 by Admin
! NVRAM config last updated at 14:57:52 MEDT Tue May 13 2008 by Admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname routercisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-3980331111
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3980331111
revocation-check none
rsakeypair TP-self-signed-3980331111
!
!
crypto pki certificate chain TP-self-signed-3980331111
certificate self-signed 01
xxx
quit
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name xxx.local
ip name-server 213.140.2.49
!
!
!
username Admin privilege 15 secret 5 xxx
username User01 secret 5 xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteUsers
key xxx
pool SDM_POOL_1
acl split-tunnel
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group RemoteUsers
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
ip address IP_VPN 255.255.255.255
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address IP_ROUTER 255.255.255.252
ip nat outside
ip virtual-reassembly
pvc 8/35
protocol ip IP_PTP broadcast
oam-pvc manage
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.0.0.49 10.0.0.54
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.0.0.51 255.255.255.255 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list nat0 interface ATM0.1 overload
!
ip access-list extended nat0
remark SDM_ACL Category=3
deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended split-tunnel
remark SDM_ACL Category=4
permit ip 10.0.0.0 0.0.0.255 10.0.0.48 0.0.0.7
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
BANNER
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
VPN on Cisco 877
Wizard (Intergalactic subspace network admin) wrote:
- Enable proxy ARP on the inside interfaces (int vlan 1 - proxy arp)
- add routes for all the IPs of the VPN pool (e.g. ip route 10.0.0.49 255.255.255.255 atm01)
Original poster (n00b) wrote:
Many thanks!!!
Wizard wrote:
- Enable proxy ARP on the inside interfaces (int vlan 1 - proxy arp)
- add routes for all the IPs of the VPN pool (e.g. ip route 10.0.0.49 255.255.255.255 atm01)
Problem solved by enabling proxy ARP (by the way, could you explain to me what it means?).
The machines already see each other without writing the static routes; do you think I should write them anyway?
Thanks again.
Wizard (Intergalactic subspace network admin) wrote:
Proxy ARP is needed because you have a VPN pool in the same subnet as the internal network...
If you had a pool from another network you could disable it.
For the routes, leave it like that if it works!
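An added example (not part of the thread and not the router's own configuration) that makes the moderator's reasoning checkable: given the LAN subnet on Vlan1, the ip local pool range and the split-tunnel ACL from the configuration posted above, it reports whether the pool overlaps the LAN, which is exactly the case where LAN hosts ARP for a VPN client's address on the wire and only proxy ARP on the inside interface can answer for it; whether every pool address is matched by the split-tunnel ACL; and the per-address /32 routes the moderator suggested. The function names and the second, non-overlapping pool used for comparison are assumptions of this example; the addresses and ACL come from the thread.

```python
"""Sanity checks for a remote-access VPN pool on a Cisco IOS router.

Added example, not the router's configuration. Values used below are the
ones from the thread: LAN 10.0.0.0/24 on Vlan1, pool 10.0.0.49-10.0.0.54,
split-tunnel ACL destination 10.0.0.48 0.0.0.7, WAN interface ATM0.1.
Function names are this example's own (assumed), not IOS commands."""
import ipaddress
from typing import List


def wildcard_to_network(addr: str, wildcard: str) -> str:
    """Convert an IOS address/wildcard pair (set bits = don't care) to CIDR.

    Only contiguous wildcards (0.0.0.7, 0.0.0.255, ...) map to one prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:                      # e.g. 0.0.0.5 is not contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 32 - bin(wc).count("1")
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


def pool_hosts(first: str, last: str) -> List[str]:
    """Expand an 'ip local pool' first/last range into individual addresses."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("pool range reversed")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


def needs_proxy_arp(lan_cidr: str, first: str, last: str) -> bool:
    """True if any pool address lies inside the LAN subnet.

    LAN hosts then treat the VPN client as directly connected and ARP for it
    on the LAN segment; the client is behind the tunnel and never sees that
    ARP request, so the router must answer with its own MAC (proxy ARP on
    the inside interface) for the traffic to reach it and be forwarded."""
    lan = ipaddress.ip_network(lan_cidr)
    return any(ipaddress.IPv4Address(h) in lan for h in pool_hosts(first, last))


def pool_within_acl(acl_addr: str, acl_wildcard: str, first: str, last: str) -> bool:
    """True if every pool address is matched by the split-tunnel ACL destination."""
    net = ipaddress.ip_network(wildcard_to_network(acl_addr, acl_wildcard))
    return all(ipaddress.IPv4Address(h) in net for h in pool_hosts(first, last))


def host_routes(first: str, last: str, wan_iface: str) -> List[str]:
    """The per-client /32 routes the moderator suggests, one per pool address."""
    return [f"ip route {h} 255.255.255.255 {wan_iface}"
            for h in pool_hosts(first, last)]


def recommend(lan_cidr: str, lan_iface: str, first: str, last: str,
              wan_iface: str) -> List[str]:
    """IOS lines to review for this layout: proxy ARP only when the pool
    overlaps the LAN, followed by the per-address routes."""
    lines: List[str] = []
    if needs_proxy_arp(lan_cidr, first, last):
        lines += [f"interface {lan_iface}", " ip proxy-arp"]
    else:
        lines.append(f"! pool is outside {lan_cidr}: proxy ARP on {lan_iface} not needed")
    lines += host_routes(first, last, wan_iface)
    return lines


if __name__ == "__main__":
    for line in recommend("10.0.0.0/24", "Vlan1", "10.0.0.49", "10.0.0.54", "ATM0.1"):
        print(line)
    print("pool inside split-tunnel ACL:",
          pool_within_acl("10.0.0.48", "0.0.0.7", "10.0.0.49", "10.0.0.54"))
```

Run it with python3 and it prints the interface and route lines for the thread's values. The design point it makes visible: because the pool 10.0.0.49-54 is carved out of the 10.0.0.0/24 LAN, proxy ARP on Vlan1 is what lets the router answer for those six addresses; a pool taken from a separate subnet removes that dependency, which is what the moderator means by saying you could then disable it.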