Vpn cisco 1841 su interfaccia Fe0/0

[zorro77]

Salve a tutti
sto cercando di realizzare una vpn su un cisco 1841, vpn che deve passare sulla Fe0/0

Il collegamento del cisco è il seguente

Ip pubblico
Router Pirelli telecom
192.168.1.1
|
|
|
|
Cisco Fe0/0 192.168.1.254


Le porte sul pirelli per la gestione della VPN sono girate sull'indirizzo della interfaccia Fe0/0 del cisco

Collegandomi con un client remoto non riesco neanche a collegarmi

Di seguito le info dell'IOS e della configurazione


cisco1841#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 14:54 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

cisco1841 uptime is 10 minutes
System returned to ROM by reload at 10:31:18 Berlin Fri Sep 17 2010
System restarted at 10:32:20 Berlin Fri Sep 17 2010
System image file is "flash:c1841-adventerprisek9-mz.124-9.T1.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 1841 (revision 6.0) with 118784K/12288K bytes of memory.
Processor board ID FCZ094038N0
2 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

cisco1841#


************************************************************************

cisco1841#sh conf
Using 4336 out of 196600 bytes
!
! Last configuration change at 10:38:37 Berlin Fri Sep 17 2010 by admin
! NVRAM config last updated at 10:38:39 Berlin Fri Sep 17 2010 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco1841
!
boot-start-marker
boot system flash:c1841-adventerprisek9-mz.124-9.T1.bin
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authentication login userauthen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization exec local_author local
aaa authorization network groupauthor local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
ip cef
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2910638223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2910638223
revocation-check none
rsakeypair TP-self-signed-2910638223
!
!
crypto pki certificate chain TP-self-signed-2910638223
certificate self-signed 01 nvram:IOS-Self-Sig#3305.cer
username XXXXXXXXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXX
username XXXXXXXXXXXXXX privilege 15 XXXXXXXXXXXXXX
username XXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXX
!
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90

!
crypto isakmp client configuration group remote-vpn
key XXXXXXXXXXXXXX
dns 8.8.8.8
wins 192.168.1.1
domain mydomain.local
pool remote-pool
acl 158
save-password
split-dns mydomain.local
max-users 10
max-logins 10
banner ^C
--------------------------------------------------------------
System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
--------------------------------------------------------------
^C
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 10
set transform-set VPN-CLI-SET
!
!
crypto map remotemap local-address FastEthernet0/0
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
speed auto
half-duplex
no mop enabled
crypto map remotemap
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip local pool remote-pool 192.168.100.0 192.168.100.105
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.100.0 255.255.255.0 FastEthernet0/0
!
!
ip http server
ip http secure-server
!
access-list 101 remark ************************************************************
access-list 101 remark *** ACL PER PAT ***
access-list 101 remark ************************************************************
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 158 remark *** ACL PER SPLIT-TUNNEL DA VPN-CLIENT ***
access-list 158 remark *************************************************************
access-list 158 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 158 remark *************************************************************
snmp-server community public RO
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login authentication local_authen
line aux 0
login authentication local_authen
line vty 0 4
session-timeout 30
password 7 XXXXXXXXXXXXXX
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
sntp server 193.204.114.232
end

cisco1841#

[CiscoBGP]

Ciao

Manca una parte fondamentale,

Puoi postare la configurazione dell'altro Router?

Bye

[zorro77]

Ciao,
spero di non aver fatto confusione...ma al 1841 si devono collegare pc con client VPN Cisco Client, pertanto non ho nessun'altra configurazione

[CiscoBGP]

Ciao

Per la mia esperienza, nel realizzare una VPN Ipsec Hub-to-Spoke per client VPN occorre avere un IP Pubblico fisso

Nel tuo caso non c'è perchè passi per un IP dinamico pubblico

Quel 192.168.1.1 è una classe C della Lan del Router Alice Gate di telecom quindi è un IP privato.

Quando configuri il client Cisco devi inseire l'IP dell'Host che deve essere un IP fisso

Acquista l'IP fisso da Telecom e togli quel router bianco utilizzando come GW il Cisco 1841

saluti

[zorro77]

Ciao

Per la mia esperienza, nel realizzare una VPN Ipsec Hub-to-Spoke per client VPN occorre avere un IP Pubblico fisso

Nel tuo caso non c'è perchè passi per un IP dinamico pubblico

Quel 192.168.1.1 è una classe C della Lan del Router Alice Gate di telecom quindi è un IP privato.

Quando configuri il client Cisco devi inseire l'IP dell'Host che deve essere un IP fisso

Acquista l'IP fisso da Telecom e togli quel router bianco utilizzando come GW il Cisco 1841

saluti

Ciao
uso dynamic dns, quindi raggiungo l'ip come se fosse fisso

[CiscoBGP]

Dove?

la configurazione Dyn DNS non è presente sul 1841

[zorro77]

Dyn DNS è presente sul router pirelli.
Infatti la connessione internet arriva al cisco attraverso la Fe0/0 a cui è collegato il modem pirelli di alice

[zorro77]

Cmq sono riuscito a risolvere per il problema del collegamento del client Cisco. Ho aperto tutte le porte verso l'ip privato del cisco.
Premetto che avevo già aperto le seguenti porte


IPSec UDP 500 Attivo
SSH TCP 22 Attivo
Port_1720 ALL 1720 Attivo
Port_4500 ALL 4500 Attivo

Ora il mio problema è che il client acquisisce l'ip, ma non naviga nella intranet e su internet attraverso l'ip della VPN