VPN between an 877 and a 2610 with dynamic IPs

Virtual private networks and related topics

Moderator: Federico.Lagni

wetel
Cisco fan
Posts: 51
Joined: Thu 05 Feb 2009, 5:04 pm

Hello everyone,
I'm new to the forum, but thanks to your topics I've managed to solve many problems.
Now I'm attempting a VPN between an 877 (main router) and a 2610 (secondary router), both configured with dynamic IPs (TELE2 and ALICE).
Following the guides found on the forum I created the two configurations, but I can't understand why the VPN doesn't come up. Running the command "show crypto isakmp sa" I see no signs of life.
Thank you for your help.

SITE A CISCO 877:

service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SEDEA
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret [PASSWORD]
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.250
!
ip dhcp pool LAN
network 192.168.1.1 255.255.255.0
default-router 192.168.1.1
dns-server 151.99.125.2 151.99.0.100
lease 0 12
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.com
ip name-server 151.99.125.1
ip name-server 151.99.250.2
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
crypto pki trustpoint TP-self-signed-1070015463
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1070015463
revocation-check none
rsakeypair TP-self-signed-1070015463
!
!
crypto pki certificate chain TP-self-signed-1070015463
certificate self-signed 01
quit
username admin password [PASSWORD]
archive
log config
hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key [CHIAVE] address [IPPUBBLICOSEDEB]
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-map local-address Vlan1
crypto map static-map 1 ipsec-isakmp
set peer [IPPUBBLICOSEDEB]
set transform-set vpn-test
match address 101
!
!
!
interface ATM0
description ADSL TELE2
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description INTERFACCIA PER ACCESSO AD INTERNET
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip inspect IDS out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description CONNESSIONE LAN ***
ip address 192.168.1.1 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname [UTENTE]
ppp chap password [PASSWORD]
ppp pap sent-username [UTENTE] password 7 [PASSWORD]
crypto map static-map
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
banner login ^C
--------------------------------------------------------------
System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
--------------------------------------------------------------
^C
!
line con 0
exec-timeout 120 0
login local
no modem enable
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

SITE B CISCO 2610:

service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SEDEB
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret [PASSWORD]
!
no aaa new-model
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
ip name-server 151.99.125.1
ip name-server 151.99.250.2
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password [PASSWORD]
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key [CHIAVE] address [IPPUBBLICOSEDEA]
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-map local-address Ethernet0/0
crypto map static-map 1 ipsec-isakmp
set peer [IPPUBBLICOSEDEA]
set transform-set vpn-test
match address 101
!
!
!
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
half-duplex
crypto map static-map
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
no cdp enable
ppp chap hostname aliceadsl
ppp chap password aliceadsl
ppp pap sent-username aliceadsl password aliceadsl
!
ip nat inside source list 100 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
!
!
!
!
!
line con 0
exec-timeout 120 0
login local
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
!
end
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

For now I've spotted 2 errors:

1) Wrong interface in crypto map static-map local-address
2) The crypto map is not applied on the public interface
3) Wrong NAT rule

In short, it's entirely right that the VPN doesn't come up!
The future is made of people who have intuitions and visions ..... those are the people who make the difference...... the ones endowed with a THIRD EYE....
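A lint for the three errors Wizard lists, as an added example that is not code from the thread: it parses a constructed excerpt of the first SITE B (2610) config in the forum's flattened paste layout (no indentation, blocks ending at "!", which the parser assumes) and flags the local-address interface, the interface carrying the crypto map, and the NAT ACL that still translates the VPN traffic.

```python
import re

# Constructed sample: SITE B (2610) lines from the thread's first config, flattened as the forum pasted them.
SEDE_B = """\
crypto map static-map local-address Ethernet0/0
crypto map static-map 1 ipsec-isakmp
match address 101
!
interface Ethernet0/0
ip nat inside
crypto map static-map
!
interface Dialer1
ip address negotiated
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source list 100 interface Dialer1 overload
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
"""

def acl(cfg, num):
    """(action, src, src_wc, dst, dst_wc) per entry of extended ACL num; 'any' gets an empty wildcard."""
    return re.findall(rf"^access-list {num} (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?", cfg, re.M)

def lint(cfg):
    """Report the three mistakes Wizard lists: local-address, crypto map placement, NAT ACL."""
    findings, ifaces, cur = [], {}, None
    for line in cfg.splitlines():           # collect each interface block up to the next "!"
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], [])
        elif line == "!":
            cur = None
        elif cur is not None:
            cur.append(line)
    name, local = re.search(r"^crypto map (\S+) local-address (\S+)", cfg, re.M).groups()
    wan = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M).group(1)
    applied = [i for i, lines in ifaces.items() if f"crypto map {name}" in lines]
    if wan not in applied:                  # error 2: the map must sit on the Internet-facing interface
        findings.append(f"crypto map {name} applied on {applied}, not on WAN interface {wan}")
    if local != wan:                        # error 1: local-address must name that same interface
        findings.append(f"local-address {local} should be {wan}")
    nat_acl = re.search(r"^ip nat inside source list (\d+)", cfg, re.M).group(1)
    crypto_acl = re.search(r"^match address (\d+)", cfg, re.M).group(1)
    nat_denies = {e[1:] for e in acl(cfg, nat_acl) if e[0] == "deny"}
    for action, *pair in acl(cfg, crypto_acl):
        if action == "deny":                # the LAN pair is a deny in the NAT ACL, a permit here
            findings.append(f"crypto ACL {crypto_acl} denies {pair[0]}->{pair[2]}; it should permit it")
        elif "any" in pair:                 # interesting traffic is the two LANs only, never 'any'
            findings.append(f"crypto ACL {crypto_acl} permits 'any'; list only the two LAN subnets")
        elif tuple(pair) not in nat_denies: # error 3: otherwise VPN traffic is PATed and never matches
            findings.append(f"NAT ACL {nat_acl} must deny {pair[0]}->{pair[2]} before its permit")
    return findings
```

Run `lint(SEDE_B)` to get the four findings for the posted config; a config with the crypto map moved to Dialer1, local-address set to Dialer1, and the LAN pair denied in ACL 100 and permitted in ACL 101 returns an empty list.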
wetel
Cisco fan
Posts: 51
Joined: Thu 05 Feb 2009, 5:04 pm

- By public interface do you mean ATM0.1 and ATM0/0.1? So, consequently, the crypto interface becomes ATM0.1 and ATM0/0.1.

- As for the NAT rule, to be honest, I didn't understand it.

Luckily, with you one manages to learn a lot.
wetel
Cisco fan
Posts: 51
Joined: Thu 05 Feb 2009, 5:04 pm

I tried redoing the configuration, but nothing:

SITE A Cisco 877:
version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SEDEA
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret 5 $1$d.Xb$4DF53L07GIXhRvcMqHC7Y/
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.250
!
ip dhcp pool LAN
network 192.168.1.240 255.255.255.240
default-router 192.168.1.1
dns-server 151.99.125.2 151.99.0.100
domain-name home.local
lease 0 12
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.com
ip name-server 151.99.125.1
ip name-server 151.99.250.2
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
crypto pki trustpoint TP-self-signed-1070015463
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1070015463
revocation-check none
rsakeypair TP-self-signed-1070015463
!
!
crypto pki certificate chain TP-self-signed-1070015463
certificate self-signed 01
quit
username admin password 7 060027761F4B1B4156
archive
log config
hidekeys
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key XXXXXXXXXXXXXXXX address XX.XX.XX.XX
!
!
crypto map static-map local-address Dialer1
crypto map static-map 10 ipsec-isakmp
set peer XX.XX.XX.XX
match address 151
!
!
!
interface ATM0
description ADSL TELE2
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description INTERFACCIA PER ACCESSO AD INTERNET
ip access-group 131 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip inspect IDS out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description CONNESSIONE LAN ***
ip address 192.168.1.1 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip access-group 104 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname XXXXXX
ppp chap password XXXXXX
ppp pap sent-username XXXXX password XXXXXXXXX
crypto map static-map
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.10 4662 interface Dialer1 4662
ip nat inside source static udp 192.168.1.10 4672 interface Dialer1 4672
!
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 131 permit ip any any
access-list 151 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
!
line con 0
exec-timeout 120 0
login local
no modem enable
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

SITE B Cisco 2610:

version 12.3
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SEDEB
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret 5 $1$DXih$NddIU5WewnUx3eZrDY8iT.
!
no aaa new-model
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
ip name-server 151.99.125.1
ip name-server 151.99.250.2
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 0709091B1D0C0B5D44
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key XXXXXX address XX.XX.XX.XX
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-map local-address Dialer1
crypto map static-map 1 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set vpn-test
match address 151
!
!
!
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0/0
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
half-duplex
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
no cdp enable
ppp chap hostname aliceadsl
ppp chap password 7 060703284F4B081D161B52
ppp pap sent-username aliceadsl password 7 1218091E110E0D00392764
crypto map static-map
!
ip nat inside source list 100 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 151 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
line con 0
exec-timeout 120 0
login local
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
!
end
wetel
Cisco fan
Posts: 51
Joined: Thu 05 Feb 2009, 5:04 pm

Thank you for your help.
Removing the security ACLs and the ip inspect rules, and redoing the VPN ACLs correctly, everything magically works.
Now I have to re-enable the ACLs and the ip inspect rules and allow the VPN through. I've already found a post here that fits my case.
As always, this forum is a source of growth.
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

OK, topic closed, let's continue in the new one.