On a Cisco 881 (c880data-universalk9-mz.124-24.T3.bin) I have a VPN that connects successfully; traffic between the head office and the branch works correctly, having configured the ACLs that block NAT for the internal networks.
I have a problem with external routing: from the branch 100.100.100.0 I cannot see the 10.20.20.0 network, which of course I can see from the head office.
Thanks to anyone who can give me some suggestions.
Gianluca
Here is an extract of the config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router_internet
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
!
!
ip source-route
!
!
ip cef
no ip domain lookup
ip accounting-list 0.0.0.0 255.255.255.255
login on-failure log
login on-success log
no ipv6 cef
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key sharedkey address 88.88.88.88 255.255.255.255
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-sha-hmac
!
crypto map vpn_map 1 ipsec-isakmp
description filiale1
set peer 88.88.88.88
set transform-set cm-transformset-1
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
description $ETH-WAN$
ip address 192.168.1.2 255.255.255.0
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn_map
crypto ipsec df-bit clear
!
interface Vlan1
ip address 10.10.10.10 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.20.20.0 255.255.255.0 10.10.10.1
no ip http server
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip access-list extended no_nat
deny ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address no_nat
!
snmp-server community PUBLIC RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
end
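As an added example (not part of the original post), a small Python checker that parses the two access lists quoted from the config above, crypto ACL 101 and the NAT-exemption ACL no_nat, and evaluates a flow against them the way IOS does (first match, implicit deny). It lets you see, for a given source and destination, whether the current config would encrypt the flow and whether the route-map would NAT it; the function names and the handling of `host`/`any` endpoints are mine.

```python
import ipaddress

# ACL text copied from the posted config: crypto ACL 101 selects what
# gets encrypted; no_nat is what route-map SDM_RMAP_1 matches for NAT.
CRYPTO_ACL_101 = """
permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255
"""
NO_NAT_ACL = """
deny ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
"""

def _parse_endpoint(tokens):
    """Consume one endpoint ('any' | 'host A' | 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; ip_network accepts a dotted netmask.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}"), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' entries into (action, proto, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_endpoint(tokens[2:])
        dst, _ = _parse_endpoint(rest)
        entries.append((action, proto, src, dst))
    return entries

def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def flow_handling(src_ip, dst_ip):
    """Return (encrypted, natted) for a flow leaving FastEthernet4 under the posted config."""
    encrypted = acl_action(parse_acl(CRYPTO_ACL_101), src_ip, dst_ip) == "permit"
    # The route-map only translates flows that the no_nat ACL *permits*.
    natted = acl_action(parse_acl(NO_NAT_ACL), src_ip, dst_ip) == "permit"
    return encrypted, natted

if __name__ == "__main__":
    for flow in [("10.10.10.50", "100.100.100.50"), ("10.20.20.50", "100.100.100.50")]:
        print(flow, "-> encrypted=%s natted=%s" % flow_handling(*flow))
```

Running it shows that a 10.10.10.x to 100.100.100.x flow is encrypted and exempt from NAT, while a 10.20.20.x to 100.100.100.x flow matches neither ACL, so it is neither encrypted nor translated.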