Well, as soon as they did that, malfunctions appeared (in particular, as soon as the firewall was configured on the 837 called host X). In practice, only the CITRIX (terminal server) data passes through the VPN, but when I try to browse the network I don't see any computers (before, I saw the PCs as belonging to the same LAN, as it should be for a site-to-site VPN), I can no longer ping, and I can no longer access the server via remote desktop for maintenance (I am connected to Host Y). I didn't do the configuration myself, but I had it posted to me. I am certainly no Cisco specialist, but it seems to me that something is wrong, though it escapes me. Can you give me a hand? I have the duties of IT manager, but is it really possible that I also have to do the job of a Cisco Certified??
I hope the config is clear.
Can you help me??? I'm desperate.
P.S.
Y is the headquarters (where I am).
Here is the config:
Current configuration : 2919 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname X
!
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username xxxxx password yyyyyyyyyyyyyyyy
no aaa new-model
ip subnet-zero
ip domain name YYYYYYYYY.it
ip name-server x.y.z.k.
ip name-server a.b.c.d
!
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW cuseeme
ip inspect name FW ftp
ip inspect name FW h323
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW smtp
ip inspect name FW streamworks
ip inspect name FW vdolive
ip inspect name FW sqlnet
ip inspect name FW tftp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [key] address [IP address of Y]
!
!
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
!
crypto map Y 11 ipsec-isakmp Y
 set peer [IP address of Y]
 set transform-set TSET
 match address 120
!
!
!
!
interface Ethernet0
 ip address 192.168.150.254 255.255.255.0
 ip nat inside
 ip inspect FW in
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 bandwidth 640
 ip address [static IP of X] 255.255.255.252
 ip access-group 110 in
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map Y
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip nat inside source route-map web interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
no ip http secure-server
!
access-list 5 permit 192.168.120.0 0.0.0.255
access-list 110 permit ip [8 static IPs, I think the provider's] 0.0.0.7 host [static IP of X]
access-list 110 permit ahp any any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 120 permit ip 192.168.150.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 deny ip 192.168.150.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 permit ip 192.168.150.0 0.0.0.255 any
snmp-server community public RO
snmp-server enable traps tty
no cdp run
route-map web permit 10
 match ip address 130
 match interface ATM0.1
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password XXXXXXXXXXXXXXXXXXXXXX
 login local
 length 0
!
scheduler max-task-time 5000
!
end
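
An added example, not part of the original post: a small Python evaluator for the inbound ACL 110 posted above, to check which packets it lets through on ATM0.1. It assumes an IOS release that applies the interface ACL a second time to packets after IPsec decryption; the provider and peer addresses are constructed documentation addresses, and `CANDIDATE` is a hypothetical entry to evaluate, not a verified fix.

```python
import ipaddress

# ACL 110 as posted; the two bracketed placeholders are replaced with
# constructed documentation addresses (198.51.100.0/29 and 203.0.113.2).
ACL_110 = """\
access-list 110 permit ip 198.51.100.0 0.0.0.7 host 203.0.113.2
access-list 110 permit ahp any any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
"""
# Hypothetical extra entry (assumption): remote VPN LAN -> local LAN.
CANDIDATE = "access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255"
PORTS = {"isakmp": 500, "non500-isakmp": 4500}

def _take_addr(tok):
    # Consume "any", "host A" or "A WILDCARD" -> (base, wildcard) as ints.
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        rest = tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((tok[2], tok[3], src, dst, port))
    return rules

def _match(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto) or (r_port is not None and r_port != dport):
            continue
        if _match(src, r_src) and _match(dst, r_dst):
            return action
    return "deny"
```

Under that assumption, the encrypted ESP and ISAKMP packets from the peer are permitted, while a decrypted packet from 192.168.100.0/24 to 192.168.150.0/24 (ping, remote desktop) matches no entry and hits the implicit deny.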