
route vpn client to lan to lan remote

Posted: Wed 09 Sep 2009 12:24 pm
by kese87
Hi all,
I could use a little help.

I have a Cisco 1801 configured with 2 LAN-to-LAN VPNs and one VPN client access.

I would like the VPN client users to be able to reach the remote LANs connected to the Cisco.

Let me explain better:

cisco 1801:

1st LAN-to-LAN: remote network 172.16.200.0/24 (Cisco 877)
2nd LAN-to-LAN: remote network 172.16.201.0/24 (Cisco 877)

local network: 172.16.199.0/24

VPN client: 172.16.254.0/24

I modified the VPN client's ACL,

which is now:

access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255

and now in the VPN client's Secured Routes I see all three networks, but I can only reach the hosts on 172.16.199.0/24.

A little help??

Here is the configuration for the VPN tunnels:


ip nat inside source route-map NAT0-RM interface Dialer0 overload
!
!
access-list 1 remark *********************
access-list 1 remark *** ACL ROUTE-MAP ***
access-list 1 remark *********************
access-list 1 permit 172.16.199.0 0.0.0.255
access-list 1 permit 172.16.254.0 0.0.0.255


access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to chianciano ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to chiusi ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 100 permit ip 172.16.254.0 0.0.0.255 any


access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ************************
access-list 151 remark --VPN-chiusi--
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 152 remark --VPN-chianciano--
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map NAT0-RM permit 1
match ip address 100

THANKS IN ADVANCE, I hope some kind soul has two minutes to give me a few pointers...

Posted: Thu 10 Sep 2009 11:42 am
by alkol75
Hi all, I have the same problem but on a PIX 515e.
I need the clients connecting with the Cisco VPN Client to be able to reach a remote LAN connected by L2L between the PIX 515e and an ASA that is not under my management.

Can you tell me how I can do this?

Thanks in advance to everyone.

Posted: Thu 10 Sep 2009 4:39 pm
by kese87
Can nobody give us a small hint?
I've read here and there that I need to work on the nat0 and the crypto ACLs....

so what comes to mind is:

1) my crypto ACL for the VPN client is 199, so I need to add the networks of the other tunnels here, i.e.:

access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255


2) I need to work on the nat0, so mine should become:

access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to chianciano ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to chiusi ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any

but it still doesn't work.... did I get something wrong or forget something?

Posted: Mon 14 Sep 2009 12:02 am
by kese87
I did it :D tomorrow I'll post the routers' configuration... for anyone who might be interested!! :D

Posted: Mon 14 Sep 2009 1:22 pm
by zot
Oh.. we are interested....

The working configuration

Posted: Tue 22 Sep 2009 11:17 am
by erotodo63
kese87

can I ask you for the working configuration?

Posted: Fri 02 Oct 2009 3:02 pm
by alkol75
I need to make it so that whoever connects via VPN with the Cisco Client can also reach some site-to-site VPNs. The VPNs are established on a PIX 515e.
Individually the VPNs work fine.
I'm posting the relevant part of the configuration.
The PIX runs software version 6.3(4).
Thanks in advance.

access-list nonat permit ip 172.20.0.0 255.255.0.0 172.10.1.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.48 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.128 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.112 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.144 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 172.100.1.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.3.176 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 host 10.1.1.1
access-list nonat permit ip 172.20.0.0 255.255.0.0 172.255.0.0 255.255.255.192
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.66.224.16 255.255.255.240
access-list nonat permit ip host qf010_dmz 172.255.0.0 255.255.255.192
access-list ServerFarm permit ip 172.20.0.0 255.255.0.0 172.10.1.0 255.255.255.0
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.48 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.128 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.112 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.144 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.3.176 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.66.224.16 255.255.255.240
access-list Q-Usr-VPN_splitTunnelAcl permit ip 172.20.0.0 255.255.0.0 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.10.1.0 255.255.255.0 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.48 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.112 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.128 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.144 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.3.176 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.66.224.16 255.255.255.240 any
access-list outside_cryptomap_dyn_20 permit ip any 172.100.1.0 255.255.255.0
access-list SEmilia permit ip 172.20.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list Agr permit ip 172.20.0.0 255.255.0.0 host 10.1.1.1

sysopt connection permit-ipsec
crypto ipsec transform-set Q_3DES_set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set Q_3DES_set
crypto map VPN_map 20 ipsec-isakmp
crypto map VPN_map 20 match address ServerFarm
crypto map VPN_map 20 set peer 1.1.1.1
crypto map VPN_map 20 set transform-set Q_3DES_set
crypto map VPN_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 21 ipsec-isakmp
crypto map VPN_map 21 match address Barberino
crypto map VPN_map 21 set peer 2.2.2.2
crypto map VPN_map 21 set transform-set Q_3DES_set
crypto map VPN_map 21 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 22 ipsec-isakmp
crypto map VPN_map 22 match address SEmilia
crypto map VPN_map 22 set peer 3.3.3.3
crypto map VPN_map 22 set transform-set Q_3DES_set
crypto map VPN_map 22 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 23 ipsec-isakmp
crypto map VPN_map 23 match address Agr
crypto map VPN_map 23 set peer 4.4.4.4
crypto map VPN_map 23 set transform-set Q_3DES_set
crypto map VPN_map 23 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map VPN_map client authentication partnerauth
crypto map VPN_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Q-Usr-VPN address-pool Q-VPN-Pool
vpngroup Q-Usr-VPN dns-server 172.20.2.2 qs014_inside
vpngroup Q-Usr-VPN default-domain q.local
vpngroup Q-Usr-VPN split-tunnel Q-Usr-VPN_splitTunnelAcl
vpngroup Q-Usr-VPN idle-time 1800
vpngroup Q-Usr-VPN password ********

Posted: Tue 06 Oct 2009 11:04 am
by alkol75
Can nobody give me a tiny little bit of help. :cry: :cry: :cry:
In the Cisco client I see the Secured Routes, but I can neither ping them nor reach the PCs on those networks.

Thanks in advance.

Posted: Tue 06 Oct 2009 5:17 pm
by kese87
Hi, this is my configuration:

I'm posting only the access-list part, since for me fixing those was enough:

access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to prima vpn ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to seconda vpn ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any


access-list 151 remark ************************
access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ************************
access-list 151 remark --VPN-prima vpn--
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 151 permit ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 152 remark --VPN-seconda vpn--
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 152 permit ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255

In short, I added deny and permit entries for the VPN client's network range toward the other VPNs handled by the router.

I did the same thing (deny and permit for the VPN client's range) on the routers that terminate the first and second VPNs.

If needed I can post the full configuration of the routers.

I hope this was useful
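Added example, not part of the thread or of anyone's posted configuration: a small first-match ACL evaluator that walks a VPN-client flow through the 1801 the way kese87's fix implies it must go (decrypted by the client tunnel, NOT matched by the NAT0 route-map ACL, then matched by the L2L crypto ACL) and shows which step the first-post ACLs fail at and why the final ACLs pass. The ACL numbers and prefixes are the thread's; the BEFORE/AFTER strings are constructed from the two posted configs with remarks dropped; the sample hosts .10 and the ACL number reused for the remote 877 (whose config the thread never shows) are assumptions; and the model "an entry permitted by ACL 100 is translated, an entry denied by it is exempt" is taken from the poster's own description of the fix, not verified against IOS internals. It covers the IOS wildcard-mask form only; alkol75's PIX `nonat` list uses normal netmasks and a permit there means exempt, so it would need the opposite sense of the NAT check.

```python
# Added example (not from the thread): first-match evaluator for IOS extended
# ACLs, used to trace a VPN-client flow client -> remote LAN across the 1801.
import ipaddress
from dataclasses import dataclass

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net

def _spec(t, i):
    """Parse one IOS address spec ('any', 'host A', or 'A WILDCARD') at t[i]."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return Net(t[i + 1] + "/32"), i + 2
    netmask = IPv4(0xFFFFFFFF ^ int(IPv4(t[i + 1])))  # wildcard = inverted mask
    return Net((t[i], str(netmask)), strict=False), i + 2

def parse_acls(config):
    """{acl_number: [Ace, ...]} from 'access-list N permit|deny ip SRC DST' lines;
    remarks and standard ACLs (ACL 1 in the thread) are skipped."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") \
                or t[3] != "ip":
            continue
        src, i = _spec(t, 4)
        dst, _ = _spec(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], src, dst))
    return acls

def evaluate(acl, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    s, d = IPv4(src), IPv4(dst)
    return next((a.action for a in acl if s in a.src and d in a.dst), "deny")

def hairpin_check(acls, client_acl, nat0_acl, l2l_acl, client_ip, lan_ip):
    """Return [(step, ok)] for the flow client_ip -> lan_ip and its reply."""
    cl, nat0, l2l = acls[client_acl], acls[nat0_acl], acls[l2l_acl]
    return [
        # Inbound packets are checked against the crypto ACL mirrored, so the
        # client ACL must permit lan -> client; the same line encrypts the reply.
        ("decrypt from client / encrypt reply (ACL %s)" % client_acl,
         evaluate(cl, lan_ip, client_ip) == "permit"),
        # A permit here means the route-map PATs the source to the Dialer0
        # address, after which no crypto ACL can match the flow (assumed model).
        ("client -> LAN not translated (ACL %s)" % nat0_acl,
         evaluate(nat0, client_ip, lan_ip) == "deny"),
        ("encrypt into L2L / decrypt reply (ACL %s)" % l2l_acl,
         evaluate(l2l, client_ip, lan_ip) == "permit"),
        ("LAN -> client not translated (ACL %s)" % nat0_acl,
         evaluate(nat0, lan_ip, client_ip) == "deny"),
    ]

def mirror(acl, name):
    """Crypto ACL lines the remote 877 needs: every permit with src/dst swapped."""
    return ["access-list %s permit ip %s %s %s %s" % (name, a.dst.network_address,
            a.dst.hostmask, a.src.network_address, a.src.hostmask)
            for a in acl if a.action == "permit"]

# Constructed from the first post's ACLs (remarks dropped).
BEFORE = """
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 100 permit ip 172.16.254.0 0.0.0.255 any
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255
"""
# Constructed from the working configuration posted at the end of the thread.
AFTER = """
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 151 permit ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 152 permit ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for step, ok in hairpin_check(parse_acls(cfg), "199", "100", "152",
                                      "172.16.254.10", "172.16.200.10"):
            print("  %-48s %s" % (step, "ok" if ok else "FAIL"))
    # Lines the 877 behind 172.16.200.0/24 needs in its crypto ACL (number assumed).
    print("\n".join(mirror(parse_acls(AFTER)["152"], "152")))
```

Run stand-alone it prints the four steps for both ACL sets: with the first-post ACLs the flow 172.16.254.10 -> 172.16.200.10 fails at the NAT step (the trailing `permit ip 172.16.254.0 0.0.0.255 any` in ACL 100 catches it) and again at ACL 152, which has no client entry; with the final ACLs every step passes, and `mirror()` prints the two swapped lines the peer router has to carry for the same flow to be accepted and sent back. The `evaluate()` helper is also handy on its own for checking a single (src, dst) pair against any of the numbered ACLs before touching the router.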