VPN-PPTP.. Windows Remote Access client.. does not ping the server
Posted: Sat 21 Apr 2007 11:10 am
Hi everyone.. I'm new to this forum and I can't solve my problem.. I no longer know where to bang my head..
This is my situation...
- LAN 10.0.10.0/24 with Cisco tunneling server 10.0.10.254
loopback0 interface 10.0.0.254
- VPN client (Windows Remote Access) 10.0.0.1
- pptp - ms-chap - aaa local
When I bring up the connection from the client it takes 10.0.0.254 as the
server IP address and 10.0.0.1 as the client IP address, but I can't even ping
10.0.0.254.. getting into the LAN 10.0.10.0/24 is out of the question..
can anyone help me?
My configuration follows.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 **********
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.10.1
ip dhcp excluded-address 10.0.10.254
!
ip dhcp pool Cisco_Scope
network 10.0.10.0 255.255.255.0
default-router 10.0.10.254
dns-server 192.74.65.68 194.72.9.34
!
!
no ip cef
ip inspect name firewall tcp
ip inspect name firewall udp alert on
ip inspect name firewall tftp
ip inspect name firewall ftp timeout 120
ip domain name [email protected]
ip name-server 194.74.65.68
ip name-server 194.72.9.34
vpdn enable
!
vpdn-group clientinit
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-3996847148
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3996847148
revocation-check none
rsakeypair TP-self-signed-3996847148
!
!
crypto pki certificate chain TP-self-signed-3996847148
certificate self-signed 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101
04050030
*
quit
username ************* privilege 15 secret 5 *************
username test password 7 021201481F
!
!
!
!
!
interface Loopback0
ip address 10.0.0.254 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description ***** Server_room *****
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool dial-in
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description ***** Server room VLAN 1 *****
ip address 10.0.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address 81.*.*.* 255.255.255.254
ip inspect firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname **************
ppp chap password 7 082C4D400700514E43
ppp pap sent-username ************ password 7 1104180B190B5F5555
!
ip local pool dial-in 10.0.0.1 10.0.0.10
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 300
ip nat translation tcp-timeout 120
ip nat translation syn-timeout 120
ip nat translation icmp-timeout 180
ip nat translation max-entries 5000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.10.254 22 interface Dialer0 22
ip nat inside source static udp 10.0.10.1 53 interface Dialer0 53
ip nat inside source static tcp 10.0.10.1 20 interface Dialer0 20
ip nat inside source static tcp 10.0.10.1 21 interface Dialer0 21
ip nat inside source static tcp 10.0.10.1 80 interface Dialer0 80
ip nat inside source static tcp 10.0.10.1 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.10.1 5501 interface Dialer0 5501
ip nat inside source static tcp 10.0.10.1 5502 interface Dialer0 5502
ip nat inside source static tcp 10.0.10.1 5503 interface Dialer0 5503
ip nat inside source static tcp 10.0.10.1 5504 interface Dialer0 5504
ip nat inside source static tcp 10.0.10.1 5505 interface Dialer0 5505
!
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 110 remark **** icmp traffic ****
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any traceroute
access-list 110 remark **** dns traffic ****
access-list 110 permit udp any any eq domain
access-list 110 remark **** services ****
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 permit tcp any any eq 5501
access-list 110 permit tcp any any eq 5502
access-list 110 permit tcp any any eq 5503
access-list 110 permit tcp any any eq 5504
access-list 110 permit tcp any any eq 5505
access-list 110 remark **** vpn services ****
access-list 110 permit tcp any any eq 1723
access-list 110 permit gre any any
access-list 110 remark **** remote access ****
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any eq 22
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login Targetgrange Tld
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
If in the virtual template I use vlan1 as the ip unnumbered interface and
give the VPN pool a range from the same subnet as the LAN.. everything
works...
but I would like to have a different subnet for my VPN.. how can I do
that?
Bye and thanks
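As an added example (not part of the original post, and not Cisco's or the forum's code), here is a Python script that parses a constructed excerpt of the configuration above and reports the facts a practitioner checks first when a PPTP client obtains an address but cannot reach anything: which interface the virtual-template borrows its address from, whether the address pool lies inside that interface's subnet, whether the NAT access-list covers the pool, and which access-lists are defined but never applied. Run against the posted config it shows the pool 10.0.0.1-10.0.0.10 inside Loopback0's /24 (the addressing is consistent), NAT list 1 covering only 10.0.10.0/24 (VPN clients' traffic leaving via Dialer0 is not translated), and ACL 110 defined but never referenced by an `ip access-group` or NAT statement. These are statements about the configuration, not a diagnosis of the ping failure. The Dialer0 address is a placeholder, since the post masks it, and the "Vlan1" variant in the usage note is constructed to mirror the working setup the poster describes.

```python
"""Offline consistency checks for an IOS PPTP (VPDN) remote-access config."""
import ipaddress
import re

# Constructed excerpt of the posted configuration: only the stanzas the checks
# need. The Dialer0 public address is a placeholder (the post masks it).
CONFIG = """\
interface Loopback0
 ip address 10.0.0.254 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool dial-in
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 ip address 10.0.10.254 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address 192.0.2.1 255.255.255.254
 ip inspect firewall out
 ip nat outside
!
ip local pool dial-in 10.0.0.1 10.0.0.10
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 110 permit tcp any any eq 1723
access-list 110 permit gre any any
"""


def parse_interfaces(text):
    """Map each 'interface X' stanza to its indented sub-commands."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # '!' or a global command ends the stanza
    return ifaces


def interface_subnet(ifaces, name):
    """IPv4Interface from the 'ip address A M' line of an interface, or None."""
    for cmd in ifaces.get(name, []):
        m = re.fullmatch(r"ip address (\S+) (\S+)", cmd)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an IPv4Network."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)
    if int(net.netmask) != mask:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return net


def parse_standard_acls(text):
    """Standard numbered ACLs (1-99) as {number: [(action, network), ...]}."""
    acls = {}
    pat = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", re.M)
    for num, action, addr, wc in pat.findall(text):
        if not 1 <= int(num) <= 99:
            continue  # extended ACLs are not needed for the NAT check
        net = (ipaddress.ip_network("0.0.0.0/0") if addr == "any"
               else wildcard_to_network(addr, wc or "0.0.0.0"))
        acls.setdefault(int(num), []).append((action, net))
    return acls


def acl_permits_range(entries, first, last):
    """True if every address in [first, last] hits a permit entry first
    (IOS semantics: first match wins, implicit deny at the end)."""
    for n in range(int(first), int(last) + 1):
        addr = ipaddress.IPv4Address(n)
        verdict = next((a for a, net in entries if addr in net), "deny")
        if verdict != "permit":
            return False
    return True


def audit(text, template="Virtual-Template1"):
    """Summarise the VPN addressing/NAT/ACL facts of an IOS config."""
    ifaces = parse_interfaces(text)
    vt = ifaces[template]
    unnum = next(c.split()[2] for c in vt if c.startswith("ip unnumbered "))
    pool = next(c.split()[-1] for c in vt if c.startswith("peer default ip address pool "))
    m = re.search(rf"^ip local pool {re.escape(pool)} (\S+) (\S+)", text, re.M)
    first, last = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
    unnum_net = interface_subnet(ifaces, unnum).network
    acls = parse_standard_acls(text)
    nat = re.search(r"^ip nat inside source list (\d+)", text, re.M)
    used = {int(nat.group(1))} if nat else set()
    for cmds in ifaces.values():
        used |= {int(x) for c in cmds for x in re.findall(r"^ip access-group (\d+)", c)}
    defined = sorted({int(n) for n in re.findall(r"^access-list (\d+)", text, re.M)})
    return {
        "unnumbered": unnum,
        "unnumbered_subnet": str(unnum_net),
        "pool": (str(first), str(last)),
        "pool_in_unnumbered_subnet": first in unnum_net and last in unnum_net,
        "pool_natted": acl_permits_range(acls.get(int(nat.group(1)), []) if nat else [], first, last),
        "unapplied_acls": [n for n in defined if n not in used],
    }


if __name__ == "__main__":
    for k, v in audit(CONFIG).items():
        print(f"{k}: {v}")
```

To compare with the variant the poster says works, swap `ip unnumbered Loopback0` for `ip unnumbered Vlan1` and the pool for a range inside 10.0.10.0/24 and run `audit` again: `pool_in_unnumbered_subnet` stays true and `pool_natted` becomes true, because NAT list 1 now matches the client addresses as well as the LAN.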