L2L VPN between two 857s... tunnel up but no ping between hosts...

Virtual private networks and related topics

Moderator: Federico.Lagni

giankyfava
Cisco power user
Posts: 76
Joined: Tue 28 Dec 2004, 10:33 am

Hello,
I have just configured two 857s at two different sites to get a VPN tunnel. As I wrote in the title, the tunnel is up (as I can see from 'show crypto isakmp'), I browse the Internet without problems, but the hosts don't ping each other... can you spot the error? I'm going crazy over it...
SITE A (LAN 192.168.1.0/24)

Code:

!
hostname SEDE-A

ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 62.211.69.150
ip name-server 212.48.4.15
!
!
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY address IP_SEDE_B no-xauth
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac 
!
crypto map VPN local-address ATM0.1
crypto map VPN 10 ipsec-isakmp 
 set peer IP_SEDE_B
 set transform-set VPN-SET 
 match address ACL-VPN
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description WAN
 ip address IP_SEDE_A 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  encapsulation aal5snap
 !
 crypto map VPN
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip nat inside source list ACL-NAT interface ATM0.1 overload
!
ip access-list ACL-NAT extended
 deny ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list ACL-VPN extended
 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255 
SITE B (LAN 10.10.1.0/24 (only this one must communicate with site A) and 192.168.2.0/24)

Code:

hostname SEDE-B
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 151.99.0.100
ip name-server 151.99.125.1
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY address IP_SEDE_A no-xauth
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac 
!
crypto map VPN local-address ATM0.1
crypto map VPN 10 ipsec-isakmp 
 set peer IP_SEDE_A
 set transform-set VPN-SET 
 match address ACL-VPN
!
interface ATM0
 no ip address
 no ip redirects
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description WAN
 ip address IP_SEDE_B 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  encapsulation aal5snap
 !
 crypto map VPN
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN
 ip address 10.10.1.0 255.255.255.0
 ip address 192.168.2.0 255.255.225.0 secondary
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip access-list ACL-NAT extended
 deny ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list ACL-VPN extended
 permit ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255 
I have already searched the forum, but I can't find an answer... it seems trivial, but I'm evidently missing something... thanks in advance for your patience...
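Before touching the routing, the two things to verify on an IOS site-to-site pair with "ISAKMP up but no traffic" are that the crypto ACLs are exact mirror images and that each side's NAT ACL exempts (denies) the VPN traffic before the overload rule translates it. The following is an added example, not code from the original post: a small Python checker that parses the ACL sections posted above and runs both checks with IOS first-match semantics. The `SITE_A_ACLS` and `SITE_B_ACLS` strings are excerpted from the post; `SITE_B_ACLS_NO_EXEMPT` is a constructed broken variant (NAT exemption removed) to show what a finding looks like. The parser only handles the `permit|deny ip <src> <dst>` forms used on this page and treats a crypto permit as "covered" by the first NAT entry that fully contains both its networks.

```python
"""Sanity checks for an IOS site-to-site IPsec pair: crypto ACL mirroring and NAT exemption."""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]  # (action, source network, destination network)

# ACL sections excerpted from the SITE A and SITE B configs in the post above.
SITE_A_ACLS = """\
ip access-list ACL-NAT extended
 deny ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list ACL-VPN extended
 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
"""

SITE_B_ACLS = """\
ip access-list ACL-NAT extended
 deny ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list ACL-VPN extended
 permit ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Constructed variant (not from the post): the NAT deny line is missing, so
# LAN-to-LAN packets get PATted to the WAN address and never match the crypto ACL.
SITE_B_ACLS_NO_EXEMPT = """\
ip access-list ACL-NAT extended
 permit ip 10.10.1.0 0.0.0.255 any
ip access-list ACL-VPN extended
 permit ip 10.10.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Accept both "ip access-list extended NAME" and the order used in the post.
ACL_HEADER = re.compile(r"^ip access-list (?:extended (\S+)|(\S+) extended)\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Convert an IOS address/wildcard pair to a network (wildcard = inverted mask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return Net(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address operand (any | host X | addr wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Return {acl_name: [(action, src, dst), ...]} for the extended IP ACLs in a config."""
    acls: Dict[str, List[Entry]] = {}
    current: List[Entry] = []
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1) or header.group(2), [])
            continue
        tokens = line.split()
        if len(tokens) >= 4 and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, i = _operand(tokens, 2)
            dst, _ = _operand(tokens, i)
            current.append((tokens[0], src, dst))
    return acls


def crypto_acls_mirrored(acl_a: List[Entry], acl_b: List[Entry]) -> bool:
    """Each permit on one side must appear reversed on the peer (IOS builds one SA per line)."""
    forward = {(src, dst) for act, src, dst in acl_a if act == "permit"}
    reverse = {(dst, src) for act, src, dst in acl_b if act == "permit"}
    return forward == reverse


def nat_exempts_vpn(nat_acl: List[Entry], crypto_acl: List[Entry]) -> List[str]:
    """Report every crypto permit whose traffic the NAT ACL would translate (first match wins)."""
    problems = []
    for act, src, dst in crypto_acl:
        if act != "permit":
            continue
        verdict = "deny"  # implicit deny at the end of the ACL means "not translated"
        for nat_act, nat_src, nat_dst in nat_acl:
            if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):
                verdict = nat_act
                break
        if verdict == "permit":
            problems.append(f"{src} -> {dst} is NATted before encryption (no NAT exemption)")
    return problems


def check_pair(config_a: str, config_b: str) -> List[str]:
    """Run both checks on a pair of configs and return a list of findings (empty = consistent)."""
    a, b = parse_acls(config_a), parse_acls(config_b)
    findings = []
    if not crypto_acls_mirrored(a["ACL-VPN"], b["ACL-VPN"]):
        findings.append("crypto ACLs ACL-VPN are not mirror images")
    findings += ["site A: " + p for p in nat_exempts_vpn(a["ACL-NAT"], a["ACL-VPN"])]
    findings += ["site B: " + p for p in nat_exempts_vpn(b["ACL-NAT"], b["ACL-VPN"])]
    return findings


if __name__ == "__main__":
    print(check_pair(SITE_A_ACLS, SITE_B_ACLS))            # []
    print(check_pair(SITE_A_ACLS, SITE_B_ACLS_NO_EXEMPT))  # one finding for site B
```

On the ACLs as posted, both checks pass, which is consistent with the poster's observation that ISAKMP is up; the next thing a practitioner would look at on the routers themselves is `show crypto ipsec sa`, where the encaps/decaps counters tell you whether packets ever enter the tunnel (counters stuck at zero on one side point at NAT or routing on that side, not at the IKE negotiation).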
marco.giuliani
Cisco fan
Posts: 42
Joined: Tue 06 Oct 2009, 8:40 am
Location: Roma

Hi,
maybe the static routes for the VPN traffic are missing...

site A router
ip route 10.10.1.0 255.255.255.0 IP_WAN_Sede_B


site B router
ip route 192.168.1.0 255.255.255.0 IP_WAN_Sede_A

bye!