I've been struggling for a while to set up a site-to-site VPN with a network located behind Fastweb without a public IP, using a Netgear ProSafe FVS114 VPN firewall.
After various tests I have come to the conclusion that the NAT-T VPN that would let me connect the two networks cannot be established between my Cisco and the Netgear; so I got hold of a Netgear firewall to put in the office to set up the VPN. In earlier tests I had seen that, configuring only the Netgear firewall without using the Cisco, the VPN worked fine. To configure the Netgear, for now I have configured the Cisco as follows:
Code:
!This is the running config of the router: 192.168.0.254
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HT_CISCO
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret 5 **********************
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-3672678414
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3672678414
revocation-check none
rsakeypair TP-self-signed-3672678414
!
!
crypto pki certificate chain TP-self-signed-3672678414
certificate self-signed 01
quit
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
!
ip cef
!
!
no ip bootp server
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
multilink bundle-name authenticated
!
!
username gmoretti privilege 15 secret 5 **********************
!
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec df-bit clear
archive
log config
hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
ip address ***.***.***.17 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface Null0
no ip unreachables
!
interface FastEthernet0
no ip address
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
switchport access vlan 2
!
interface ATM0
description ALICE BUSINESS 20 Mbps - TGU:
mtu 1500
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description INTERFACCIA PER ACCESSO AD INTERNET
mtu 1500
ip address 88.48.29.178 255.255.255.252
ip access-group sdm_atm0.1_in in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip inspect IDS out
ip virtual-reassembly
no ip mroute-cache
pvc 8/35
encapsulation aal5snap
!
!
interface Vlan1
description CONNESSIONE LAN HT$ES_LAN$
ip address 192.168.0.254 255.255.255.0
ip access-group sdm_vlan1_in in
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
interface Vlan2
description VPN
ip address 10.10.10.254 255.255.255.0
ip access-group sdm_vlan1_in in
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat pool INTERNET ***.***.***.18 ***.***.***.18 netmask 255.255.255.240
ip nat pool VPN ***.***.***.29 ***.***.***.29 netmask 255.255.255.240
ip nat inside source list 100 pool INTERNET overload
ip nat inside source list 111 pool VPN overload
ip nat inside source static 192.168.0.100 ***.***.***.20
ip nat inside source static 192.168.0.99 ***.***.***.21
ip nat inside source static 192.168.0.253 ***.***.***.22
ip nat inside source static 192.168.0.95 ***.***.***.23
ip nat inside source static 192.168.0.98 ***.***.***.24
ip nat inside source static 192.168.0.104 ***.***.***.25
ip nat inside source static 192.168.0.105 ***.***.***.26
ip nat inside source static 192.168.0.106 ***.***.***.27
ip nat inside source static 10.10.10.1 ***.***.***.28
!
ip access-list extended sdm_atm0.1_in
remark SDM_ACL Category=1
permit ip host ***.***.***.28 any
permit tcp any host ***.***.***.28
permit icmp any host ***.***.***.28
permit udp any host ***.***.***.28
remark HTTPS
permit tcp any host ***.***.***.27 eq 443
remark HTTP
permit tcp any host ***.***.***.27 eq www
permit ip any host ***.***.***.25
remark HTTP
permit tcp any host ***.***.***.24 eq 443
remark HTTP
permit tcp any host ***.***.***.24 eq www
remark HTTP
permit tcp any host ***.***.***.23 eq 443
remark HTTP
permit tcp any host ***.***.***.23 eq www
remark VOIP-3cx
permit udp any host ***.***.***.22 range 9000 9049
remark SIP
permit tcp any host ***.***.***.22
remark SIP
permit udp any host ***.***.***.22 eq 5090
remark SIP
permit udp any host ***.***.***.22 eq 5060
remark HTTP
permit tcp any host ***.***.***.22 eq 443
remark HTTP
permit tcp any host ***.***.***.22 eq www
remark HTTP
permit tcp any host ***.***.***.21 eq 443
remark HTTP
permit tcp any host ***.***.***.21 eq www
remark HTTP
permit tcp any host ***.***.***.20 eq 443
remark VPN
permit tcp any host ***.***.***.20 eq 1723
permit tcp any host ***.***.***.20 eq smtp
remark HTTP
permit tcp any host ***.***.***.20 eq 987
remark HTTP
permit tcp any host ***.***.***.20 eq www
remark RDP
permit tcp any any eq 3389
permit ip 192.168.0.0 0.0.0.255 any
remark FTP
permit tcp any host ***.***.***.27 eq ftp
permit ip ***.***.***.0 0.0.0.16 any
!
access-list 100 remark *************************************************************
access-list 100 remark *** ACL PER PAT E NAT0 ***
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 remark *************************************************************
access-list 111 remark *** ACL PER PAT E NAT0 ***
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map nonat permit 10
match ip address 111
!
!
!
!
control-plane
!
banner motd ^CCCCC
****************************************************************
----------------------------------------------------------------
* *** ROUTER PERIMETRALE ---- *** *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *
****************************************************************
^C
!
line con 0
exec-timeout 120 0
transport output ssh
stopbits 1
line aux 0
transport output telnet ssh
line vty 0 4
login
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end
I need to configure the WAN of my Netgear directly with a public IP address and avoid further NAT rules... can you tell me whether a similar configuration can be done with the Cisco I have?
thanks a lot
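As an added example (not part of the post), a small Python checker run over a constructed excerpt of the config above: it lists ACL names that are applied with `ip access-group` but never defined (the paste applies `sdm_vlan1_in` on Vlan1 and Vlan2 while no definition of it appears, and on IOS an access-group naming a non-existent ACL passes all traffic, so it is worth confirming on the router), and for each static-NAT host, such as 10.10.10.1 behind ***.***.***.28, which inbound permits on the NAT-outside interface reach it. It assumes standard IOS indentation, which the paste lost, and handles only the ACE forms used in the post.

```python
import re

# Constructed excerpt of the config posted above (public octets masked as in the post).
CONFIG = """\
interface ATM0.1 point-to-point
 ip access-group sdm_atm0.1_in in
 ip nat outside
interface Vlan2
 ip access-group sdm_vlan1_in in
 ip nat inside
ip nat inside source static 192.168.0.100 ***.***.***.20
ip nat inside source static 10.10.10.1 ***.***.***.28
ip access-list extended sdm_atm0.1_in
 permit tcp any host ***.***.***.28
 permit udp any host ***.***.***.28
 permit tcp any host ***.***.***.20 eq 443
 permit tcp any any eq 3389
"""

BLOCK = r"^{kw} (\S+)[^\n]*\n((?: [^\n]*\n)*)"      # a top-level line plus its indented body
SPEC = r"(any|host \S+|\S+ \S+)"                      # any | host A | network wildcard
ACE = re.compile(rf"(permit|deny) (\S+) {SPEC} {SPEC} ?(.*)")

def parse_config(cfg):
    """Return interface bodies, extended-ACL entries and static NAT entries (public -> private)."""
    ifaces = dict(re.findall(BLOCK.format(kw="interface"), cfg, re.M))
    acls = {n: [l.strip() for l in b.splitlines() if l.strip().startswith(("permit", "deny"))]
            for n, b in re.findall(BLOCK.format(kw="ip access-list extended"), cfg, re.M)}
    statics = {pub: priv for priv, pub in
               re.findall(r"^ip nat inside source static (\S+) (\S+)", cfg, re.M)}
    return ifaces, acls, statics

def undefined_acls(cfg):
    """ACL names applied with 'ip access-group' but defined nowhere in the config."""
    ifaces, acls, _ = parse_config(cfg)
    defined = set(acls) | set(re.findall(r"^access-list (\d+) ", cfg, re.M))   # numbered ACLs too
    applied = {a for b in ifaces.values() for a, _ in re.findall(r" ip access-group (\S+) (in|out)", b)}
    return sorted(applied - defined)

def static_nat_exposure(cfg):
    """Private host -> permits in the inbound ACL of the 'ip nat outside' interface reaching its public IP."""
    ifaces, acls, statics = parse_config(cfg)
    inbound = [a for b in ifaces.values() if " ip nat outside" in b
               for a in re.findall(r" ip access-group (\S+) in", b)]
    aces = [m.groups() for a in inbound for m in map(ACE.match, acls.get(a, [])) if m]
    return {priv: [f"{proto} {rest or 'all ports'}" for act, proto, _, dst, rest in aces
                   if act == "permit" and dst in (f"host {pub}", "any")]
            for pub, priv in statics.items()}
```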