VPN Clinet problema .. utilizzando PDM

[pcplanet2000]

Ciao a tutti , utilizzando la config di wizard per collegamento su vpn client , mi accade questo :

il router è un cisco 877 su adsl telecom 8 ip statici , quindi non utilizzo l'interfaccia dialer0 , ma ben si ho provato a configurare il tutto con una Virtual-template, funziona tutto la vpn sale , ma non riesco a pingare la rete interna ..

potrebbe essere dovuto dal fatto che l'ip pool della vpn è la stessa della rete interna che non riesco a pingare ?

posto la mia configurazione :

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$gnYK$3DvS3EuuRU3Dx7wTCmXfs/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1411872406
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1411872406
revocation-check none
rsakeypair TP-self-signed-1411872406
!
!
crypto pki certificate chain TP-self-signed-1411872406
certificate self-signed 01
30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343131 38373234 3036301E 170D3032 30333031 30353236
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34313138
37323430 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB55 A3B16CBF B92C7D63 A7C27C51 79F50643 42A6CAF2 99F173DF 457075D7
D32B6876 F9082340 DFEAEE71 9ED1414A BE8B979F 56AE0677 FC37BC43 777F7F14
83A52598 93CA6AD4 2EC30D56 1CF8C423 34CBC1B1 571EAF8E C5AC898F FD6F036B
5039AF67 6B51E98D 6CE65F95 FB088A3D CA0BCFBC 233F2DFA C043D45C D85A2A38
A4BD0203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
551D1104 21301F82 1D796F75 726E616D 652E7374 7564696F 2D746563 6E69636F
2E6C6F63 616C301F 0603551D 23041830 1680146F 81DD8EDC AB29C684 B98BA4E1
4C5A978B BAD5D630 1D060355 1D0E0416 04146F81 DD8EDCAB 29C684B9 8BA4E14C
5A978BBA D5D6300D 06092A86 4886F70D 01010405 00038181 002EABE3 8A69CBF1
A8B98227 0225256E BDBDD0DB AB9BB356 C2DFA6BD 334DD88F EAB45589 C8A607E8
48CE8DFD 27037454 979194E6 F12BF7CF FC27379F 181FE468 9FB6A38C B62D29D2
10C966EB ADDD63DF 33979D3C 07902989 0CBF2874 717A3658 DE0923C3 E7885172
9CFB0BB3 DF24BC06 2FAF6D4E 44FC64C7 07B00B0F 605D20BA D1
quit
dot11 syslog
ip source-route
!
!
ip cef
ip domain name studio-tecnico.local
ip name-server 151.99.125.2
ip name-server 151.99.0.100
!
!
!
!
username arecco privilege 15 secret 5 $1$2g8G$.SHwVJ4gdv3CTRZKJyF2E.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group remotevpn
key delarearedel
dns 192.168.143.10
wins 192.168.143.10
domain studio-tecnico.local
pool SDM_POOL_1
acl 138
save-password
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group remotevpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 21600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto map Crypto 1 ipsec-isakmp
set peer 88.60.***.***
set transform-set ESP-3DES-SHA
set pfs group1
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 88.60.***.*** 255.255.255.248
ip flow ingress
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template2 type tunnel
ip unnumbered ATM0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.143.15 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.143.200 192.168.143.210
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 88.60.148.130
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.143.0 0.0.0.255
access-list 100 remark *************************************
access-list 100 remark *** ACL PER PAT E NAT0 ***
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.143.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.143.0 0.0.0.255 any
access-list 101 permit icmp any 192.168.143.0 0.0.0.255
access-list 101 permit icmp 192.168.143.0 0.0.0.255 any
access-list 101 permit tcp any 192.168.143.0 0.0.0.255
access-list 131 remark *************************************
access-list 131 remark *** ACL ANTI-SPOOF ***
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *************************************
access-list 131 remark *** ACL TRAFFIC ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark *************************************
access-list 131 remark *** ACL VIRUS E ATTACCHI ***
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 138 remark SPLIT
access-list 138 remark SDM_ACL Category=4
access-list 138 permit ip 192.168.0.0 0.0.0.255 192.168.143.0 0.0.0.255
no cdp run

!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end


Grazie per l'attenzione
Fabrizio

[Wizard]

Beh oddio nn è proprio la mia config eh...!
Questa è fatta da quel poccio del PDM

[pcplanet2000]

..si.. preso un pò di spunto dalla tua config ..leggermente .. un pò qui un pò li ..cortesemente mi potresti dare una mano ? c'è l'inghippo da qualche parte..

per esempio prendo spunto dalla tua config .. :

crypto isakmp enable
crypto logging session

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90

crypto isakmp client configuration group remote-vpn
key 987bjdwiuhdiq%ihjo
dns 192.168.10.210
wins 192.168.10.210
domain xxx.local
max-users 100
max-logins 10
pool remote-pool
acl 158
save-password
split-dns xxx.local
max-users 10
banner *
--------------------------------------------------------------
System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
--------------------------------------------------------------
*

crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
crypto ipsec security-association idle-time 3600

crypto dynamic-map remote-dyn 10
set transform-set VPN-CLI-SET

crypto map remotemap local-address dialer0
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn

interface dialer0 -- > NON UTILIZZO INTERFACCIA DIALER POSSO UTILIZZARE UNA VIRTUAL TEMPLATE ?
crypto map remotemap

ip local pool remote-pool 192.168.100.0 192.168.110.100 --> DEVO ROUTARE ALLA CLASSE COERENTE CON QUELLA DELLA RETE INTERNA ..

ip route 192.168.100.0 255.255.255.0 dialer0

no access-list 158
access-list 158 rem *** ACL PER SPLIT-TUNNEL DA VPN-CLIENT ***
access-list 158 remark *************************************************************
access-list 158 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 158 remark *************************************************************

no access-list 101
access-list 101 remark ************************************************************
access-list 101 remark *** ACL PER PAT ***
access-list 101 remark ************************************************************
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

user remoto01 pass xxx
user remoto02 pass yyy


Grazie mille
Fabrizio

[Wizard]

Intanto aggiungi la rotta x il pool della vpn

[pcplanet2000]

ok .. la rotta la posso fare cosi :

ip route 192.168.100.0 255.255.255.0 ATM0.1 -- > giusto perchè sulla virual non si può fare ?

altra piccola domanda .. il pool non posso farlo della stessa classe della rete interna ?

Grazie ancora wizard

[Wizard]

altra piccola domanda .. il pool non posso farlo della stessa classe della rete interna ?

Si Si nessun problema
Se anche dopo l'inserimento della rotta nn va controlla il nat0

[Wizard]

altra piccola domanda .. il pool non posso farlo della stessa classe della rete interna ?

Si Si nessun problema
Se anche dopo l'inserimento della rotta nn va controlla il nat0

[pcplanet2000]

perfetto .. anche la rotta va bene ? ip route 192.168.100.0 255.255.255.0 --> ATM0.1 ?

[Wizard]

Ma nn usi questo come pool?!

192.168.143.200 192.168.143.210

Devi ruotare questo pool verso la atm0.1

[pcplanet2000]

yes yes !! quello era solo un esempio.. !! provo a poi ti dico !
Grazie !!
Fabrizio

[pcplanet2000]

Ho provato a fare la route su 192.168.143.0 ATM0.1
ma nulla non cambia , cisco vpn si collega senza problemi nessun errore , però non riesco a pingare la rete interna ..

Grazie ancora !
Fabrizio

[Wizard]

Come ti dicevo manca anche nat0:

Codice: Seleziona tutto

access-l 101 remark *** ACL PER NAT ***
access-l 101 deny ip 192.168.143.0 0.0.0.255 192.168.143.0 0.0.0.255
access-l 101 permit ip 192.168.143.0 0.0.0.255 any

no ip nat inside source list 1 interface ATM0.1 overload
no access-list 1

ip nat inside source list 101 interface ATM0.1 overload

[pcplanet2000]

Grazie ! Provo e ti faccio sapere !!

Saluti !
Fabrizio

[pcplanet2000]

provato mi da questo errore quando digito il comando per le nat inside :

Dynamic mapping in use , cannot change

Grazie
Fabrizio

[pcplanet2000]

per il discorso del routing è ok .. però non riesco a pingare della macchine all'interno della vpn , ho provato anche a cambiare ip del pool e metterlo diverso esempio 192.168.100.10 -- > 192.168.100.20 , ovviamente devo cambiare anche le regole di nat ? .. poi per ruotare l'ip del pool dovrebbe bastare fare ip route 192.168.100.0 255.255.255.0 ATM0.1 ?

Grazie ancora
Fabrizio