IOS VPN split tunnel with identical source and target networks

Virtual private networks and the like

Moderator: Federico.Lagni

atomik
n00b
Posts: 5
Joined: Thu 13 Dec 2007, 9:57 am

Hi everyone,

I have completed my first configuration for a Cisco 857 and almost everything works perfectly.

The only problem I can't solve concerns the VPN:

if I connect from the iPhone or from a PC on a network with a different addressing scheme, everything works perfectly;

when instead I try to connect from a network that has the same addressing (192.168.1.0), I can no longer reach the target network, while I reach the internal network I'm connecting from without any problem.

Considering that I only need to reach the target network and browse the Internet, how can I change the configuration below to get this result?
(I cannot change the addressing of the networks)

Bear in mind that I'm still a newbie who is still studying for the CCNA, so have mercy :roll:

Here is the configuration, thanks in advance to everybody

Code:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER_NAME
!
boot-start-marker
boot system flash c850-advsecurityk9-mz.124-15.T8.bin
boot system flash 
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 .......
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-....
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-....
 revocation-check none
 rsakeypair TP-self-signed-....
!
!
crypto pki certificate chain TP-self-signed-.....
 certificate self-signed 01 nvram:IOS-Self-Sig#6.cer
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool dhcp_pool
   import all
   network 192.168.1.0 255.255.255.0
   update dns
   default-router 192.168.1.254 
   dns-server 192.168.1.10 88.149.128.12 88.149.128.22
   domain-name "domain".local
   lease 0 2
!
!
ip cef
no ip bootp server
ip domain name "domain".local
ip name-server 88.149.128.12 
ip name-server 88.149.128.22
ip ddns update method "nome_metodo"
 HTTP
  add .....
 interval maximum 28 0 0 0
!
!
!
!
username ... privilege 15 secret 5 .....
username ... privilege 0 secret 5 .....
! 
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group "nome_gruppo"
 key .....
 dns 192.168.1.10
 pool SDM_POOL_1
 acl 103
 save-password
 include-local-lan
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group "nome_gruppo"
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 28800
 set transform-set ESP-AES128-SHA1 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-AES128-SHA1 
 reverse-route
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35 
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 no ip redirects
 ip route-cache flow
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description WAN
 ip ddns update hostname "hostname"."domain".net
 ip ddns update "hostname"
 ip address negotiated
 ip access-group 130 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ....
 ppp chap password 7 .....
 ppp pap sent-username ....... password .........
!
ip local pool SDM_POOL_1 192.168.2.10 192.168.2.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 103 remark *** SPLIT-TUNNEL ACL FOR VPN CLIENTS ***
access-list 103 remark ************************************************************
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark ************************************************************
access-list 130 remark *** ACL FOR PAT ***
access-list 130 remark ************************************************************
access-list 130 deny   ip 172.16.0.0 0.15.255.255 any
access-list 130 deny   ip 10.0.0.0 0.255.255.255 any
access-list 130 deny   ip 127.0.0.0 0.255.255.255 any
access-list 130 deny   ip 255.0.0.0 0.255.255.255 any
access-list 130 deny   ip 224.0.0.0 7.255.255.255 any
access-list 130 deny   ip host 0.0.0.0 any
access-list 130 deny   ip 192.168.1.0 0.0.0.255 any
access-list 130 deny   tcp any any eq 139
access-list 130 deny   udp any any eq 135
access-list 130 deny   udp any any eq 136
access-list 130 deny   udp any any eq netbios-ns
access-list 130 deny   udp any any eq netbios-dgm
access-list 130 deny   udp any any eq netbios-ss
access-list 130 deny   udp any any eq sunrpc
access-list 130 deny   udp any any eq 2049
access-list 130 permit udp any any eq non500-isakmp
access-list 130 permit udp any any eq isakmp
access-list 130 permit esp any any
access-list 130 permit ahp any any
access-list 130 permit udp any any
access-list 130 permit icmp any any
access-list 130 permit tcp any any established
access-list 130 deny   ip any any
access-list 130 remark ************************************************************
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login * * * * * * * W A R N I N G * * * * * * * * * *


This computer system is for authorized use only. Unauthorized or improper use of this system may result in administrative 
disciplinary action and/or civil charges/criminal penalties. By continuing to use this system you indicate your awareness of
 and con


LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.


* * * * * * * * * * * * * * * * * * * * * * * *



!
line con 0
 logging synchronous
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
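What the poster is running into is a routing tie on the client: the split-tunnel ACL 103 pushes 192.168.1.0/24 into the tunnel, but the client already has 192.168.1.0/24 as a directly connected network (and `include-local-lan` tells it to keep that local), so the connected route wins and nothing for the office LAN ever enters the tunnel. The headend can break the tie by presenting its LAN to VPN clients under a different prefix and translating on the way in. The fragment below is an added example, not part of atomik's configuration and not Cisco-provided text: it assumes 192.168.100.0/24 is a free prefix to use as the alias, that ACL 110 and the route-map name are unused, and that this IOS image accepts a `route-map` on `ip nat inside source static network` (conditional static NAT), which should be confirmed on the box with `show ip nat translations` and a test ping from a client.

```cisco
! Added example (not the poster's config). Only the lines below change;
! everything else in the running configuration stays as posted.
!
! 1. VPN clients now see the office LAN as 192.168.100.0/24 (assumed free
!    prefix). Numbered ACLs cannot have a single entry removed on this
!    release, so ACL 103 is rebuilt. "include-local-lan" stays: the client
!    keeps its own 192.168.1.0/24 local, which is what the poster wants.
no access-list 103
access-list 103 remark *** SPLIT-TUNNEL ACL FOR VPN CLIENTS (LAN seen as 192.168.100.0/24) ***
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 2. The pushed DNS server must use the alias address too, otherwise the
!    client sends DNS queries to 192.168.1.10 on its own LAN.
crypto isakmp client configuration group "nome_gruppo"
 dns 192.168.100.10
!
! 3. Decrypted client traffic enters through the virtual-template, so it is
!    the NAT "outside" side for this translation (Vlan1 is already inside).
interface Virtual-Template2 type tunnel
 ip nat outside
!
! 4. Conditional static NAT: 192.168.1.x <-> 192.168.100.x, but only when the
!    other party is a VPN client (pool 192.168.2.0/24). Without the route-map
!    the static mapping would also be applied to Internet-bound traffic and
!    break the existing PAT to Dialer0 (list 100). ACL 110 and the route-map
!    name are assumed identifiers.
access-list 110 remark *** LAN hosts talking to VPN clients ***
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map NAT-LAN-TO-VPN-CLIENTS permit 10
 match ip address 110
!
ip nat inside source static network 192.168.1.0 192.168.100.0 255.255.255.0 route-map NAT-LAN-TO-VPN-CLIENTS
```

Two things to check after applying it. First, from a client on an overlapping 192.168.1.0/24, `ping 192.168.100.254` should answer from the router and `show ip nat translations` on the 857 should list the 192.168.1.254 <-> 192.168.100.254 entry; if the translation never appears, the route-map form of static network NAT is not honoured on this image and a plain `ip nat inside source static network` (with the PAT list 100 changed to deny the VPN pool as destination) is the fallback. Second, the AD DNS server will hand out 192.168.1.x records; IOS NAT may rewrite A records that match a translation, but verify with `nslookup` from a client and fall back to hosts-file or IP-based access if it does not. Hosts on the remote LAN that only exist as 192.168.1.x are unreachable from an overlapping client whatever you do on the headend; the alias prefix is the only address the client can route into the tunnel.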
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

You will never be able to connect to a network with the same net ID.
This is because the packets are seen as belonging to the same network and are not routed.
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
atomik
n00b
Posts: 5
Joined: Thu 13 Dec 2007, 9:57 am

I would only like to connect to the remote network, even if that makes all the machines on the local network unreachable, as long as I can see the remote network.

If I connect from a network that isn't mine, it can certainly happen that both have the same addressing, so this seems too strict a limitation to me; I can understand it only if the connection is LAN-to-LAN.
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

for this reason I use a network that is hard to come across as the VPN pool, such as:
192.168.254.x
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
atomik
n00b
Posts: 5
Joined: Thu 13 Dec 2007, 9:57 am

Actually the two identical networks are the 192.168.1.x ones.

The VPN pool is instead 192.168.2.x.

The problem with changing the addressing of the 192.168.1.x network is that there are some Windows servers running Active Directory, and changing their IP address is not recommended.


I read in some other post on this forum that with the ASAs you can do what I have in mind, so I believed and hoped it would be possible with an IOS router as well..
francesco_savona
Cisco enlightened user
Posts: 129
Joined: Wed 01 Apr 2009, 9:58 am

Add an interface, don't replace the AD one.
Then make the DNS listen on the new IP as well.
-------------------------------------------------------
SAVONA FRANCESCO
CCNA
-------------------------------------------------------
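The last reply describes the NAT-free variant: give the servers a second address in a non-overlapping prefix and let VPN clients use only that. On the 857 this is a secondary address on Vlan1 plus the same split-tunnel and DNS changes; the server side (a second IP on the AD/DNS box and DNS bound to it) is done in Windows and is not shown. The fragment is an added example, not part of the thread's configurations; 192.168.100.0/24 is an assumed free prefix and 192.168.100.10 an assumed second address for the DNS server.

```cisco
! Added example (not the poster's config): secondary addressing instead of NAT.
! The office LAN keeps 192.168.1.0/24 for everything it does today; hosts
! that must be reachable from overlapping VPN clients get a second address
! in 192.168.100.0/24 (assumed prefix) on the same wire.
!
! 1. Router becomes the gateway for the new prefix on the existing VLAN.
!    No NAT and no extra routes: the prefix is directly connected.
interface Vlan1
 ip address 192.168.100.254 255.255.255.0 secondary
!
! 2. Clients route only the new prefix into the tunnel (ACL rebuilt because a
!    single entry cannot be removed from a numbered ACL on this release).
no access-list 103
access-list 103 remark *** SPLIT-TUNNEL ACL FOR VPN CLIENTS (secondary LAN prefix) ***
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 3. Push the DNS server's second address; the server must listen on it.
crypto isakmp client configuration group "nome_gruppo"
 dns 192.168.100.10
!
! 4. Keep the Dialer0 PAT from translating LAN-to-client traffic of the new
!    prefix: list 100 is "permit ip any any", so deny the VPN pool first.
ip access-list extended 100
 1 deny ip 192.168.100.0 0.0.0.255 192.168.2.0 0.0.0.255
```

The trade-off against the NAT approach is that only hosts that actually receive a 192.168.100.x address become reachable; a server that stays on 192.168.1.x alone is still invisible to a client sitting on another 192.168.1.0/24, and reply traffic from a dual-homed server to 192.168.2.x still leaves through its 192.168.1.254 default gateway, which is the same router, so no extra routing is needed. Verify with `show ip interface Vlan1` (the secondary address listed), `show ip route` while a client is connected (the host route to the client's 192.168.2.x address via the Virtual-Access interface), and a `ping 192.168.100.10` from the client.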