NAT IPsec on interface with NAT overload

Virtual private networks and related

Moderator: Federico.Lagni

gullio23
Cisco fan
Posts: 38
Joined: Thu 08 Mar 2007 8:37 pm

Hi everyone,

I don't know if this is the right place to post this request; anyway, I'll try to explain:

I have a c1800 router that reaches the Internet through another router, on which my private IP is NATed. On this interface, which is FastEthernet 0/0, I have applied a crypto map for an IPsec VPN.

The VPN counterpart tells me that I have to NAT my clients with a /30, which must be the source of the IPsec VPN.
Now, the VPN is established successfully and I can ping the remote destination. But as soon as I ping the Internet from the same machine that is pinging the VPN, I get NATed with the class reserved for the VPN. If I don't do that, everything works normally.

I'm attaching the configuration:


TestRouter#show run
Building configuration...

Current configuration : 3118 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TestRouter
!
boot-start-marker
boot system flash:c180x-advipservicesk9-mz.123-14.YT1.bin
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
crypto pki token default removal timeout 0
!
!
archive
 log config
  hidekeys
!
! 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2  
crypto isakmp key xxxx address x.x.x.x
!
!
crypto ipsec transform-set t3 esp-3des esp-md5-hmac 
!
crypto map psmdc-vpn 925 ipsec-isakmp 
 description VPN A
 set peer x.x.x.x
 set transform-set t3 
 match address trafficoVPN
!
!
!
interface FastEthernet0
 description WAN
 ip address 10.10.10.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map psmdc-vpn
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet1
 switchport access vlan 3
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 switchport access vlan 2
!
interface FastEthernet5
 switchport access vlan 2
!
interface FastEthernet6
 switchport access vlan 2
!
interface FastEthernet7
 switchport access vlan 2
!
interface FastEthernet8
 switchport access vlan 2
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface Vlan1
 no ip address
!
interface Vlan2
 description inside
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description Rete-A
 ip address 192.168.225.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 10.103.8.26 255.255.255.255 192.168.225.1
!
!
no ip http server
no ip http secure-server
ip nat pool VPNPool 172.31.128.245 172.31.128.246 netmask 255.255.255.252
ip nat inside source list 111 pool VPNPool
ip nat inside source static tcp 10.0.0.20 3389 interface FastEthernet0 33899
ip nat inside source route-map NAT-A interface Vlan3 overload
ip nat inside source route-map NATuscita interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.23 80 interface FastEthernet0 80
ip nat inside source static tcp 10.0.0.23 443 interface FastEthernet0 443
!
ip access-list extended trafficoVPN
 permit ip 172.31.128.244 0.0.0.3 161.27.243.160 0.0.0.15
!
access-list 110 deny   ip 10.0.0.0 0.0.0.255 161.27.243.160 0.0.0.15
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 112 permit ip 10.0.0.0 0.0.0.255 any
!
route-map NAT-A permit 11
 match ip address 112
 match interface Vlan3
!
route-map NATuscita permit 10
 match ip address 110
 match interface FastEthernet0
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password 7 
 login
 transport input all
!
no scheduler allocate
end

Thanks to everyone for any help.
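Added example (editor's illustration, not part of the original post or of the poster's configuration). The symptom described above matches a well-known IOS NAT behaviour: a dynamic translation taken from a pool configured without `overload` (here `ip nat inside source list 111 pool VPNPool`) installs a *simple* entry keyed only on the inside local address, and IOS consults the translation table before it evaluates any NAT rule, so once the host has pinged the VPN destination, its Internet-bound packets also hit that entry and leave with the 172.31.128.x address instead of falling through to route-map NATuscita. Interface overload (and route-map driven NAT) installs *fully extended* entries keyed on both addresses and ports, which only match the flow that created them. The model below is plain Python, not IOS code; it mirrors the NAT rules in the pasted config and assumes that access-list 111 (which does not appear in the pasted configuration) permits 10.0.0.0/24 towards 161.27.243.160/28.

```python
"""Model of Cisco IOS NAT translation entries: simple vs fully extended.

Constructed for illustration only. It mirrors the NAT rules of the posted
config but is not IOS code. access-list 111 is not shown in the post and is
assumed here to permit 10.0.0.0/24 -> 161.27.243.160/28.
"""
import ipaddress
from dataclasses import dataclass, field

INSIDE = ipaddress.ip_network("10.0.0.0/24")         # Vlan2, ip nat inside
VPN_NET = ipaddress.ip_network("161.27.243.160/28")  # remote side of the VPN
VPN_POOL = ["172.31.128.245", "172.31.128.246"]      # ip nat pool VPNPool
WAN_IP = "10.10.10.254"                              # FastEthernet0 (overload target)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0   # 0 = ICMP, modelled without an identifier
    dport: int = 0


def _in(net, addr):
    return ipaddress.ip_address(addr) in net


def acl_111(p):
    # Assumed contents of access-list 111: inside -> VPN subnet only.
    return _in(INSIDE, p.src) and _in(VPN_NET, p.dst)


def route_map_natuscita(p):
    # access-list 110: deny inside -> VPN subnet, permit inside -> any.
    return _in(INSIDE, p.src) and not _in(VPN_NET, p.dst)


@dataclass
class NatTable:
    """pool_entries_extended=False models 'pool VPNPool' without overload:
    the installed entry is simple, i.e. keyed only on the inside local address.
    True models the entry type produced by 'overload' (or a route map)."""
    pool_entries_extended: bool
    entries: list = field(default_factory=list)
    next_pool: int = 0

    @staticmethod
    def ext_key(p):
        return ("extended", p.src, p.sport, p.dst, p.dport)

    def lookup(self, p):
        # IOS consults the translation table before evaluating NAT rules.
        for key, inside_global in self.entries:
            if key == ("simple", p.src) or key == self.ext_key(p):
                return inside_global
        return None

    def translate(self, p):
        hit = self.lookup(p)
        if hit is not None:
            return hit
        if acl_111(p):
            inside_global = VPN_POOL[self.next_pool % len(VPN_POOL)]
            self.next_pool += 1
            key = self.ext_key(p) if self.pool_entries_extended else ("simple", p.src)
            self.entries.append((key, inside_global))
            return inside_global
        if route_map_natuscita(p):
            # Interface overload always installs an extended entry.
            self.entries.append((self.ext_key(p), WAN_IP))
            return WAN_IP
        return p.src  # no rule matched: packet leaves untranslated


def simulate(pool_entries_extended):
    """The same host pings the VPN destination first, then an Internet host.
    Returns the source address seen on the wire for each packet."""
    table = NatTable(pool_entries_extended)
    pings = [Packet("10.0.0.20", "161.27.243.161"),  # towards the VPN
             Packet("10.0.0.20", "198.51.100.7")]    # towards the Internet (constructed address)
    return [table.translate(p) for p in pings]


if __name__ == "__main__":
    print("pool without overload:", simulate(False))  # Internet ping keeps the VPN pool address
    print("extended entries     :", simulate(True))   # Internet ping falls through to NATuscita
```

On the router itself the two cases are told apart with `show ip nat translations`: a simple entry shows `---` in the outside local/global columns, while an extended one lists the full address/port pairs of the flow that created it.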