riposto il config modificato
Using 6610 out of 131072 bytes
!
! NOTE(review): running-config of an IOS 12.4 router used as ADSL CPE, PAT
! gateway and Easy VPN (IPsec remote-access) server. The review remarks below
! are "!" lines, which IOS ignores; every other line is the author's config.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Only obfuscates type-7 passwords; the "secret 5" (MD5) lines below and the
! ISAKMP group "key" further down are not covered by this.
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
! MD5-based enable hash. It has been published together with this post, so the
! enable secret should be changed.
enable secret 5 $1$.3UN$fe95pLamBZz2siW1LmdR11
!
aaa new-model
!
!
! Local AAA: console, vty and the VPN XAUTH list all authenticate against the
! local user database (a single user, "arecco", is defined below).
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
! Summer time is pinned to fixed 2003 dates: outside that window local log
! timestamps are one hour off, which hurts event correlation with other
! systems. Consider the "recurring" form, or NTP with UTC timestamps.
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
! Self-signed certificate used by the HTTPS management server (ip http secure-server).
crypto pki trustpoint TP-self-signed-1411872406
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1411872406
revocation-check none
rsakeypair TP-self-signed-1411872406
!
!
crypto pki certificate chain TP-self-signed-1411872406
certificate self-signed 01 nvram:IOS-Self-Sig#8.cer
dot11 syslog
! Source routing is enabled; the usual hardening is "no ip source-route"
! unless source-routed packets are actually required.
ip source-route
!
!
ip cef
ip domain name studio-tecnico.local
ip name-server 192.168.143.10
ip name-server 151.99.0.100
!
!
!
!
! Only local user; privilege 15 means every login is a full administrator.
! The hash is public now (posted with the config) and should be rotated.
username arecco privilege 15 secret 5 $1$YX4Q$.9f5k2qkqkgH5z4RHWfiU1
!
!
! IKE phase 1: 3DES and DH group 2 (plus MD5 in policy 2) are legacy choices;
! prefer AES and a stronger DH group where the client software supports them.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
! Easy VPN server group:
!  - "key" is the group pre-shared key; it is stored and shown in clear here
!    and has been posted publicly, so it should be changed.
!  - "pool" must name an "ip local pool" (SDM_POOL_2, defined further down).
!    "Internet"/"Internet2" are "ip nat pool" objects and cannot be used here.
!  - "acl 158" is the split-tunnel list: only destinations it permits are sent
!    through the tunnel (see the remark at access-list 158).
!  - "save-password" lets the client store the XAUTH password locally.
crypto isakmp client configuration group remote-vpn
key delarearedel
dns 192.168.143.10
wins 192.168.143.10
domain studio-tecnico.local
pool SDM_POOL_2
acl 158
save-password
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group remote-vpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
! IPsec phase 2: 3DES + MD5-HMAC, same remark as for the ISAKMP policies.
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set VPN-CLI-SET
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
! No "ip ssh version 2" is configured, so SSHv1 may still be negotiated
! depending on the image -- verify with "show ip ssh".
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode auto
!
! WAN / NAT outside. No "ip access-group" is applied here: the anti-spoofing
! list 131 defined below is never used, and the management services (HTTP,
! HTTPS, Telnet/SSH on the vty) are reachable on this public address.
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 88.60.xxx.xxx 255.255.255.0
ip flow ingress
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Template for the per-client Virtual-Access interfaces. It carries neither
! "ip nat inside" nor "ip nat outside" ("ip unnumbered" borrows only the
! address, not the NAT role -- confirm with "show ip nat statistics"), so
! client<->LAN traffic is not translated.
interface Virtual-Template1 type tunnel
ip unnumbered ATM0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
! LAN / NAT inside.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.143.15 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
! Address pool handed to VPN clients. Do NOT add a static route for
! 192.168.100.0/24 via ATM0.1: return traffic would leave the WAN in clear
! text. With the virtual-template setup the router is expected to install a
! host route per connected client toward its Virtual-Access interface
! (presumably -- check "show ip route" while a client is connected).
ip local pool SDM_POOL_2 192.168.100.1 192.168.100.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
! 192.168.143.0/24 is the connected LAN on Vlan1. This static route is shadowed
! by the connected route while Vlan1 is up and, if Vlan1 goes down, would send
! LAN-destined traffic out to the ISP. It should be removed.
ip route 192.168.143.0 255.255.255.0 ATM0.1
! Plain HTTP and HTTPS management are both enabled. "access-class 23" refers
! to access-list 23, which is not defined in this config; IOS generally treats
! a referenced-but-undefined ACL as permit-all, so the web UI is reachable from
! any address, including the Internet. Define ACL 23 (LAN only) and consider
! dropping "ip http server" in favour of HTTPS only.
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! NAT pools: both are defined but nothing references them (the only NAT rule
! below uses the interface address) -- presumably a leftover. Note that these
! lines also disclose the public /29 that was masked on ATM0.1.
ip nat pool Internet 88.60.148.129 88.60.148.129 netmask 255.255.255.248
ip nat pool Internet2 88.60.148.130 88.60.148.130 netmask 255.255.255.248
! PAT of everything matched by ACL 101 to the ATM0.1 address.
ip nat inside source list 101 interface ATM0.1 overload
!
! Trap level is set but no "logging host" exists, so nothing leaves the box.
logging trap debugging
! ACL 1 and 2 are not referenced anywhere. ACL 2 has no wildcard and therefore
! matches only the single address 192.168.0.0 (0.0.0.255 was probably meant).
access-list 1 remark NAT
access-list 1 remark SDM_ACL Category=2
access-list 1 permit any
access-list 2 remark NAT2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.0
! NAT list. The "deny LAN -> LAN" entry only matters for traffic that would
! leave via ATM0.1 toward a LAN address, which normal routing never does; the
! icmp/tcp entries after "permit ip" are redundant. The VPN pool
! (192.168.100.0/24) does not need to be added here: client traffic enters on
! Virtual-Access interfaces that are not "ip nat inside", and LAN -> client
! traffic does not exit a NAT-outside interface.
access-list 101 remark NAT E PAT
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.143.0 0.0.0.255 192.168.143.0 0.0.0.255
access-list 101 permit ip 192.168.143.0 0.0.0.255 any
access-list 101 permit icmp 192.168.143.0 0.0.0.255 any
access-list 101 permit tcp 192.168.143.0 0.0.0.255 any
access-list 101 permit icmp any 192.168.143.0 0.0.0.255
! ACL 103 is not referenced; its source 192.168.0.0/24 is not a network
! present on this router (the LAN is 192.168.143.0/24).
access-list 103 remark ACL PER ICMP ECHO
access-list 103 remark SDM_ACL Category=4
access-list 103 permit icmp 192.168.0.0 0.0.0.255 any
access-list 103 permit tcp 192.168.0.0 0.0.0.255 any
! ACL 131 (anti-spoofing) is not applied to any interface. Before applying it
! inbound on ATM0.1 note that it permits only ICMP: the implicit deny would
! drop ISAKMP (udp/500, udp/4500), ESP and all NAT return traffic, so those
! permits must be added first. The final "permit icmp any any" also makes the
! specific ICMP permits above it redundant.
access-list 131 remark **************************************
access-list 131 remark *** ACL ANTI-SPOOFING ******
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *****************************
access-list 131 remark *** ACL ICMP ****************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 permit icmp any any
! Split-tunnel list pushed to clients ("acl 158" in the group above). The
! source should be the network the client must reach through the tunnel, i.e.
! the LAN 192.168.143.0/24; 192.168.0.0/24 is not configured on this router,
! so as written the tunnel carries no useful traffic. Presumably this is what
! the follow-up fix changed -- verify.
access-list 158 remark ACL per SPLIT
access-list 158 remark SDM_ACL Category=4
access-list 158 permit ip 192.168.0.0 0.0.0.255 192.168.143.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
! Default SDM banner. The one-time "cisco" user it describes is not present in
! this config (only "arecco" is defined), so the banner can be dropped.
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
! Management lines. No "access-class" restricts the vty, so Telnet/SSH are
! accepted from the WAN address; "transport input telnet ssh" allows clear-text
! Telnet logins; "privilege level 15" drops every vty login straight into
! enable mode. Suggested: "transport input ssh", "access-class <LAN-ACL> in"
! with a LAN-only ACL, and an explicit "exec-timeout".
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Correggimi se sbaglio: avendo modificato il pool per la VPN, devo cambiare anche l'access-list 101? E in più devo routare il pool sulla ATM0.1?
Grazie!
Fabrizio
VPN Client: problema utilizzando PDM
Moderatore: Federico.Lagni
Nel group remote-vpn hai il pool sbagliato (SDM_POOL_2) invece che "Internet" o "Internet2".
Poi, la rotta per il pool VPN falla precisa, non per tutta la classe C.
Poi, la rotta x il pool vpn falla precisa non di tutta la classe c
Il futuro è fatto di persone che hanno delle intuizioni e visioni .....sono quelle persone che fanno la differenza...... quelle dotate di un TERZO OCCHIO....
OK!! Ho fatto anche alcune modifiche alle regole ACL dello split DNS; adesso sembra funzionare, riesco a pingare la rete. Nel prossimo post metto la configurazione, caso mai fosse utile.
Grazie ancora
Fabrizio
Grazie ancora
Fabrizio