This is the little diagram, I hope it's clear ...
SEDEA cisco 1841
LAN 192.168.23.156
WAN 10.85.229.254
GW WAN : 10.85.229.5
INTERNET ROUTER 192.168.23.129 (it's the PCs' gateway)
SEDEB cisco 877
LAN 192.168.1.10
WAN 10.85.203.254
GW WAN: 10.85.203.5
I need to let the PCs at SEDEB (192.168.1.x) browse the Internet through the VPN tunnel, arriving at site A and NATing them
to the IP 192.168.23.156, since the Internet is on the "LAN" side of SEDE A. The gateway the SEDE A LAN uses to
browse is 192.168.23.129.
The VPN is configured and works correctly; obviously I added a static route on the SEDEA PCs,
since their gateway is 192.168.23.129 ( route add 192.168.1.0 mask 255.255.255.0 192.168.23.156 )
How do I do it? I've searched the Internet for a long time, but I can't find a solution.
I don't understand whether I should use NAT, ACLs, source routing? Point me in the right direction .....
I can't let them browse through the "WAN" interfaces because it's an MPLS and it only serves as the link between the two sites...
Thanks
Here are the configs:
SEDE A:
SEDEA CISCO 1841
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 51200
logging console critical
no aaa new-model
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key PWDVPN address 10.85.203.254
!
!
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 10.85.203.254
set transform-set vpn1
match address acl_vpn
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.85.229.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet0/1
ip address 192.168.23.156 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.85.229.5
!
!
no ip http server
no ip http secure-server
ip nat inside source list acl_nat interface FastEthernet0/1 overload
!
ip access-list extended acl_nat
deny ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.23.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
login local
transport output none
stopbits 1
line aux 0
login local
transport output none
stopbits 1
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
SEDE B:
SEDEB CISCO 877
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname SEDEB
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
dot11 syslog
no ip source-route
ip cef
!
!
!
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key PWDVPN address 10.85.229.254
!
!
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 10.85.229.254
set transform-set vpn1
match address acl_vpn
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 10.85.203.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
interface Vlan1
ip address 192.168.1.10 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.85.203.5
!
!
no ip http server
no ip http secure-server
ip nat inside source list acl_nat interface FastEthernet4 overload
!
ip access-list extended acl_nat
deny ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
login local
no modem enable
transport output none
stopbits 1
line aux 0
login local
transport output none
stopbits 1
line vty 0 4
privilege level 15
password 7 111D160A05
logging synchronous
login local
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
end
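The configuration fragments below are an added example, not part of the original post, showing one way to get the behaviour the poster asks for with the two routers as posted. The reasoning: on the 1841, the existing `ip nat inside source list acl_nat interface FastEthernet0/1 overload` already translates to 192.168.23.156, so the NAT roles on the two interfaces only need to be swapped (decrypted SEDEB traffic enters Fa0/0, so that is the NAT "inside"; the Internet router sits behind Fa0/1, so that is the "outside"); the 1841 then needs a default route toward 192.168.23.129 with the MPLS kept only for the IPsec peer and 192.168.1.0/24; and the crypto ACLs must cover 192.168.1.0/24 to any (mirrored as any to 192.168.1.0/24 at SEDEA). On the 877 the local NAT has to go, because inside-to-outside NAT runs before encryption and would rewrite the source to 10.85.203.254, so the crypto ACL would never match. It assumes the MPLS carries nothing the 1841 needs beyond the peer and SEDEB's LAN; if it does, leave the default route alone and instead apply a route-map with `ip policy route-map` on Fa0/0 matching source 192.168.1.0/24 with `set ip next-hop 192.168.23.129`.

```cisco
! ===== SEDEA (Cisco 1841) =====
! Swap NAT roles: decrypted SEDEB packets arrive on Fa0/0 (inside) and leave
! toward the Internet router on Fa0/1 (outside). The existing NAT statement
! already translates to the Fa0/1 address, so it stays as it is.
interface FastEthernet0/0
 no ip nat outside
 ip nat inside
!
interface FastEthernet0/1
 no ip nat inside
 ip nat outside
!
! Default route moves to the LAN Internet router (assumption: the MPLS is only
! needed to reach the peer and SEDEB's LAN). 192.168.1.0/24 and the peer
! subnet must still point at the MPLS so return traffic hits the crypto map.
no ip route 0.0.0.0 0.0.0.0 10.85.229.5
ip route 0.0.0.0 0.0.0.0 192.168.23.129
ip route 10.85.203.0 255.255.255.0 10.85.229.5
ip route 192.168.1.0 255.255.255.0 10.85.229.5
!
! Only SEDEB sources are translated; site-to-site traffic is left untouched.
no ip access-list extended acl_nat
ip access-list extended acl_nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Crypto ACL mirrors SEDEB's: everything destined to 192.168.1.0/24 is encrypted.
no ip access-list extended acl_vpn
ip access-list extended acl_vpn
 permit ip any 192.168.1.0 0.0.0.255
!
! ===== SEDEB (Cisco 877) =====
! All traffic from the LAN, Internet included, is "interesting" traffic; the
! default route toward 10.85.203.5 pushes it out Fa4 where the crypto map
! encrypts it.
no ip access-list extended acl_vpn
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 any
!
! Remove local NAT: the MPLS has no Internet breakout, and NAT before
! encryption would hide the 192.168.1.x source from the crypto ACL.
no ip nat inside source list acl_nat interface FastEthernet4 overload
interface FastEthernet4
 no ip nat outside
!
interface Vlan1
 no ip nat inside
```

After applying this, run `clear crypto sa` on both sides so the tunnel is rebuilt with the new proxy identities, and `clear ip nat translation *` on the 877 if IOS refuses to remove the NAT statement while translations exist. Check with `show crypto ipsec sa` (encaps/decaps counters increasing for the 192.168.1.0/24 to any pair), `show ip nat translations` on the 1841 (entries from 192.168.1.x to 192.168.23.156), and `debug ip nat` for a short test from one SEDEB PC. Two things in the posted configs a practitioner would also fix: the `esp-3des esp-md5-hmac` transform set is legacy and should be moved to AES with SHA-based integrity where the IOS image allows, and the `password 7` on the vty lines is a reversible type-7 string that should not be posted publicly and should be replaced with `secret`-style credentials.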