SITE-TO-SITE VPN between CISCO 1941 and CISCO 1700

Virtual private networks and related topics

Moderator: Federico.Lagni

iteck
n00b
Posts: 5
Joined: Mon 11 Feb 2013, 6:07 pm

Hi all,

I have configured the tunnel on both sides, but it stays down.

(I suspect I don't have the correct licenses on the 1700 side.)

I'm posting the configuration of both routers, hoping someone can give me a hand.

Thanks


CISCO 1700 configuration


Current configuration : 4005 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
no service dhcp
!
hostname IT0587
!
no logging buffered
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login console-in local
aaa session-id common
enable secret 5 $1$mNDA$Z6nEq4BboN..pujTkDSN5/
!
username xxxx password 7 104D061509121502030D2B
memory-size iomem 20
clock timezone GMT 1
ip subnet-zero
no ip source-route
!
!
!
no ip bootp server
ip inspect name firewall cuseeme timeout 3600
ip inspect name firewall ftp timeout 3600
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall rcmd timeout 3600
ip inspect name firewall realaudio timeout 3600
ip inspect name firewall tftp timeout 30
ip inspect name firewall udp timeout 15
ip inspect name firewall tcp timeout 7200
ip audit notify log
ip audit po max-events 100
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit name IDS info action alarm drop
ip audit name IDS attack action alarm drop reset
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXX address A.B.C.97
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description tunnel to A.B.C.97
set peer A.B.C.97
set transform-set ESP-3DES-SHA
match address SDM_1
!
!
!
interface FastEthernet0
ip address 10.66.158.1 255.255.255.0
no ip redirects
ip nat inside
ip inspect firewall in
speed auto
no cdp enable
!
interface Serial0
no ip address
encapsulation frame-relay
no ip route-cache
no ip mroute-cache
no fair-queue
!
interface Serial0.1 point-to-point
ip address D.E.F.246 255.255.255.252 secondary
ip address G.H.I.173 255.255.255.252
ip access-group Firewall in
no ip unreachables
no ip proxy-arp
ip nat outside
ip audit IDS in
no ip route-cache
no ip split-horizon
no ip mroute-cache
no arp frame-relay
no cdp enable
frame-relay interface-dlci 111 IETF
crypto map SDM_CMAP_1
!
ip nat inside source route-map MAP-Internet interface Serial0.1 overload
ip nat inside source static tcp 10.66.158.2 4081 G.H.I.173 4081 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip http server
ip pim bidir-enable
!
!
ip access-list extended Firewall
permit tcp 198.208.39.0 0.0.0.255 host G.H.I.173 eq 4081
permit icmp any host G.H.I.173 echo
permit icmp any host G.H.I.173 echo-reply
permit icmp any host G.H.I.173 ttl-exceeded
permit tcp any host G.H.I.173 eq telnet
permit tcp any host G.H.I.173 eq 22
permit tcp any host G.H.I.173 eq www
permit tcp any host G.H.I.173 eq 443
deny ip any any
ip access-list extended SDM_1
remark CCP_ACL category=4
remark IPSec Rule
permit ip G.H.I.172 0.0.0.3 A.B.C.0 0.0.0.7
ip access-list extended firewall
permit tcp A.B.C.0 0.0.0.255 host G.H.I.173 eq 4081
no logging trap
access-list 1 permit 10.66.158.0 0.0.0.255
access-list 100 remark CCP_ACL category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip G.H.I.172 0.0.0.3 A.B.C.96 0.0.0.7
no cdp run
!
route-map MAP-Internet permit 10
match ip address 1
match interface Serial0.1
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
line con 0
exec-timeout 0 0
password 7 0601062E454F
login authentication console-in
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 13021E1D020D
login authentication console-in
transport input telnet ssh
transport output telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
password 7 151502030D2B
login authentication console-in
transport input telnet ssh
transport output telnet ssh
!
no scheduler allocate

CISCO 1941 configuration

Current configuration : 5126 bytes
!
! Last configuration change at 16:04:59 UTC Sun Apr 7 2013 by root
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TTTTTTTT
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 ysKHi.xZonaeGmz75Zzc1bLNZZPKcQKQbt.kPKMF9x.
enable password xxxxx
!
no aaa new-model
!
ip cef
!
!
!
!
!
ip name-server 151.99.125.2
ip name-server 151.99.125.3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1942094951
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1942094951
revocation-check none
rsakeypair TP-self-signed-1942094951
!
!
crypto pki certificate chain TP-self-signed-1942094951
certificate self-signed 01
license udi pid CISCO1941/K9 sn FCZ1703C32Y
license boot module c1900 technology-package securityk9
!
!
username root privilege 15 secret 4 ysKHi.xZonaeGmz75Zzc1bLNZZPKcQKQbt.kPKMF9x.
!
!
!
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address G.H.I.173
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to G.H.I.173
set peer G.H.I.173
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
!
interface Loopback0
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$
ip address 192.168.167.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
description HDSL LIBERTY 2M POINT-TO-POINT
bandwidth 2048
ip address xx.xx.xx.248 255.255.255.240 secondary
ip address A.B.C.97 255.255.255.248
ip nat outside
ip virtual-reassembly in
frame-relay interface-dlci 305 IETF
crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0.1 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip sla auto discovery
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.167.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip A.B.C.96 0.0.0.7 G.H.I.172 0.0.0.3
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip A.B.C.96 0.0.0.7 G.H.I.172 0.0.0.3
access-list 101 permit ip 192.168.167.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map MAP-internet permit 10
match ip address 1
match interface Serial0/0/0.1
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password xxxxxxxxxx
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
password xxxxxxxxxx
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
!
end
antomi
Cisco fan
Posts: 48
Joined: Wed 20 May 2009, 11:24 am

Hi, from a quick look at the configuration I notice this:
try allowing ESP and ISAKMP traffic as well in the extended access list Firewall (on the second router it seems there isn't one at all);
check that the crypto isakmp key is the same on both peers.

Then post the output of debug crypto isakmp.
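The ACL change suggested above, written out for the 1700 side as an added example (not configuration from either poster). It assumes the peer addresses as posted (A.B.C.97 on the 1941, G.H.I.173 on the 1700), that the 1941's access-list 100 is the intended proxy identity, and that the 1700's IOS build accepts sequence numbers in named ACLs; the verification commands at the end are standard IOS commands.

```cisco
! Added example, not from the original post.
! The 1700 applies "ip access-group Firewall in" on Serial0.1 and that ACL ends in
! "deny ip any any", so IKE (UDP 500) and ESP (IP protocol 50) from the 1941 peer are
! dropped before the crypto map can process them. Entries appended without a
! sequence number would land AFTER the final deny, so give them low sequence numbers
! (if the IOS build does not support this, remove and re-enter the whole ACL instead).
ip access-list extended Firewall
 1 permit udp host A.B.C.97 host G.H.I.173 eq isakmp
 2 permit udp host A.B.C.97 host G.H.I.173 eq non500-isakmp
 3 permit esp host A.B.C.97 host G.H.I.173
! Entry 2 (UDP 4500, NAT-T) is harmless here since neither peer is behind NAT;
! all existing entries, including the closing "deny ip any any", stay as they are.
!
! Caveat: the two crypto ACLs must mirror each other. The 1941 protects
! A.B.C.96/29 <-> G.H.I.172/30 (its access-list 100), but the 1700's crypto map
! references SDM_1, whose destination is A.B.C.0/29. Align SDM_1 with the 1941
! (the 1700's own access-list 100 already contains the mirrored entry).
ip access-list extended SDM_1
 no permit ip G.H.I.172 0.0.0.3 A.B.C.0 0.0.0.7
 permit ip G.H.I.172 0.0.0.3 A.B.C.96 0.0.0.7
!
! Verification after re-entering the same pre-shared key on both peers.
! show crypto isakmp sa   -> the SA should reach QM_IDLE; stuck in MM_NO_STATE
!                            usually means the peer's IKE packets are not arriving
!                            (ACL or routing), failing around MM_KEY_EXCH/MM_KEY_AUTH
!                            points at a pre-shared key mismatch
! show crypto ipsec sa    -> #pkts encaps/decaps should increase once traffic
!                            matching the crypto ACL flows
! debug crypto isakmp     -> the phase 1/2 negotiation trace the reply asks for
```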