VPN 877 niente ping

Virtual private networks and the like

Moderator: Federico.Lagni

wetel
Cisco fan
Posts: 51
Joined: Thu 05 Feb 2009, 5:04 pm

On a Cisco 877 I have the following config. The clients that connect work perfectly; the remote routers connect, but they cannot reach the LAN. I think the problem is the missing ACL, but honestly I can't figure out where to bind it.

Thanks for any help.

service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO877
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXx
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
no ip bootp server
ip name-server 151.99.125.1
ip name-server 151.99.250.2
!
!
crypto pki trustpoint TP-self-signed-1070015463
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1070015463
revocation-check none
rsakeypair TP-self-signed-1070015463
!
!
crypto pki certificate chain TP-self-signed-1070015463
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303730 30313534 3633301E 170D3032 30333031 31363336
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30373030
31353436 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DE58 52ED7C50 55B269FA 0536E996 87E342C1 61BEBA0C C7E57067 7D38B66A
73763D3A 651DB7F3 F4E5D8F4 0264CC6F E4125A88 069A2021 7B351047 228C65E9
A6F75697 80EF9F66 4760D787 327B6B25 589A6781 5E69AB76 6A51DF2B 8A1993F1
78B636CA 6D1AA4CD 7E3D2450 6AF47398 0FF7A5DA 10B47203 2B4E6E54 0C38FDE5
97FD0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
551D1104 0B300982 0744454D 4150452E 301F0603 551D2304 18301680 148BC964
A5C26584 3BA4FDEF 18BD362C EF3B7231 E5301D06 03551D0E 04160414 8BC964A5
C265843B A4FDEF18 BD362CEF 3B7231E5 300D0609 2A864886 F70D0101 04050003
818100B5 9D93356E 75C377F6 97F6B456 96B97790 547D8CDF E206661A F7B72405
E19ECF4A D12A4F12 C9C07D33 5E23D1BA 941FB4A4 4B3454C7 958E6F2F 18F6B222
D6012EF9 AF19D20C E58BEB58 582F9700 D910502F 9AF7A8D2 C5A6C765 3895B587
5381A7AD 094DFAE7 02CD85C4 8EEAB749 AEF1DD00 237AA146 C8CF1C2F CD49C1D1 B8A8FC
quit
username admin password XXXXXXXXXXXXXXXXx
archive
log config
hidekeys
!
!
crypto keyring DEMA-VPN-KEY
pre-shared-key address 0.0.0.0 0.0.0.0 key XXXXXXXXXXXXXXXX
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group demaservice
key XXXXXXXXXXXXXXXXXXXX
pool REMOTE-POOL
acl 158
crypto isakmp profile L2L
description CONNESSIONE LAN-to-LAN
keyring DEMA-VPN-KEY
match identity address 0.0.0.0
crypto isakmp profile VPN-CLIENT
description CONNESSIONE VPN CLIENT
match identity group demaservice
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto dynamic-map DYN-MAP 5
set transform-set VPN-SET
set isakmp-profile VPN-CLIENT
crypto dynamic-map DYN-MAP 10
set transform-set VPN-SET
set isakmp-profile L2L
!
!
crypto map DEMA-VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
!
!
!
interface ATM0
description TELECOM INTERBUSINESS
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description INTERFACCIA PER ACCESSO AD INTERNET
ip address XXXXXXXXXXXXXXX
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map DEMA-VPN-MAP
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description CONNESSIONE LAN ***
ip address 192.168.1.1 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
ip local pool REMOTE-POOL 192.168.2.1 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http secure-server
ip nat inside source list 100 interface ATM0.1 overload
!
access-list 100 remark ---------- ACL PAT E NAT0 --------------------
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 158 remark ---------- ACL PER SPLIT-TUNNEL VPN-CLIENT ---
access-list 158 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
banner login ^C
--------------------------------------------------------------
System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
--------------------------------------------------------------
^C
!
line con 0
exec-timeout 120 0
login local
no modem enable
transport output ssh
stopbits 1
line aux 0
login local
transport output ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

You have no ACLs on the interfaces...
Sorry, but I don't understand what it is you can't do...
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those with a THIRD EYE....
wetel
Cisco fan
Posts: 51
Joined: Thu 05 Feb 2009, 5:04 pm

I removed the ACLs on the interface to run some tests.
The VPN clients work correctly, but any PC on the other side of the L2L cannot communicate with my LAN, even once the VPN connection has been established.
I solved the problem by enabling on the ATM0.1 interface a crypto map of this type:

crypto map DEMA-VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map DEMA-VPN-MAP 20 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPN-SET
set isakmp-profile L2L
match address 151
exit

access-list 151 permit ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
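The posted config has only a dynamic crypto map entry, and a dynamic entry carries no match-address ACL of its own: nothing in the running config names the remote LAN 192.168.25.0/24 as traffic to protect, while ACL 100 already exempts it from NAT. The fix above adds a static entry with a match ACL (151). The following script is an added example, not code from the thread or from Cisco: it lints an IOS config excerpt for exactly that mismatch, i.e. destinations that the NAT ACL exempts from translation but that no static crypto map's match ACL covers. The config strings are constructed from the lines of the posted config; the peer address 203.0.113.1 is a placeholder standing in for the XXX.XXX.XXX.XXX in the post, and indentation is ignored because forum posts lose it.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
AclEntry = Tuple[str, Net, Net]  # (permit|deny, source, destination)

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
NAT_RE = re.compile(r"^ip nat inside source list (\S+) ")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$")


def _wildcard_net(addr: str, wildcard: str) -> Net:
    """IOS 'address wildcard' -> network (wildcard bits are the host bits)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_net(tokens: List[str]) -> Net:
    """Consume one ACL address operand: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    if tok == "host":
        return Net(tokens.pop(0) + "/32")
    return _wildcard_net(tok, tokens.pop(0))


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Numbered extended ACL lines 'access-list N permit|deny ip SRC DST' (remarks skipped)."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue
        rest = t[4:]
        src, dst = _take_net(rest), _take_net(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls


def static_crypto_match_acls(config: str) -> List[str]:
    """ACL numbers bound by 'match address' under static (non-dynamic) crypto map entries.
    A 'match address' line belongs to the nearest 'crypto map ... ipsec-isakmp' above it."""
    bound: List[str] = []
    in_static = False
    for line in config.splitlines():
        s = line.strip()
        m = CRYPTO_MAP_RE.match(s)
        if m:
            in_static = m.group(3) is None  # 'dynamic X' entries have no match ACL here
        elif in_static and s.startswith("match address "):
            bound.append(s.split()[2])
        elif not (s.startswith("set ") or s.startswith("description ")):
            in_static = False  # left the crypto map sub-mode
    return bound


def vpn_client_pools(config: str) -> List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """(first, last) address of every 'ip local pool' (remote-access client addresses)."""
    pools = []
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools.append((ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))))
    return pools


def nat_acl_number(config: str) -> str:
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            return m.group(1)
    return ""


def unprotected_nat_exempt_subnets(config: str) -> List[str]:
    """Destinations the NAT ACL exempts (deny entries) that no static crypto map match ACL
    protects. The client pool is skipped: the dynamic entry serves those peers."""
    acls = parse_acls(config)
    protected = [dst for n in static_crypto_match_acls(config)
                 for action, _src, dst in acls.get(n, []) if action == "permit"]
    pools = vpn_client_pools(config)
    findings = []
    for action, _src, dst in acls.get(nat_acl_number(config), []):
        if action != "deny" or any(dst.overlaps(p) for p in protected):
            continue
        if any(lo in dst or hi in dst for lo, hi in pools):
            continue
        findings.append(str(dst))
    return findings


# Constructed excerpt of the lines that matter in the posted config.
POSTED_CONFIG = """\
crypto dynamic-map DYN-MAP 10
 set transform-set VPN-SET
 set isakmp-profile L2L
crypto map DEMA-VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
ip local pool REMOTE-POOL 192.168.2.1 192.168.2.10
ip nat inside source list 100 interface ATM0.1 overload
access-list 100 remark ---------- ACL PAT E NAT0 --------------------
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 158 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# The poster's fix appended; 203.0.113.1 is a placeholder peer address.
FIXED_CONFIG = POSTED_CONFIG + """\
crypto map DEMA-VPN-MAP 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set VPN-SET
 set isakmp-profile L2L
 match address 151
access-list 151 permit ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("with static entry", FIXED_CONFIG)):
        print(name, "->", unprotected_nat_exempt_subnets(cfg) or "no gaps")
```

On the posted excerpt the check reports 192.168.25.0/24 and 192.168.0.0/24; with the static entry and ACL 151 added only 192.168.0.0/24 remains, because ACL 100 exempts that subnet from NAT too but nothing on the page ties it to a tunnel. The check is one-sided by design: it says which NAT-exempt destinations lack a protecting crypto ACL on this router, not whether the remote router's mirror ACL or its routes are right, which is what a ping test after the change still has to confirm.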
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

So the problem is solved?!
wetel
Cisco fan
Posts: 51
Joined: Thu 05 Feb 2009, 5:04 pm

I'm running some tests, but it seems to work.