I'm not sure if this is the right place to post this request, but I'll try to explain:
I have a C1800 router that reaches the Internet through another router, on which my private IP is NATted. On this interface, which is FastEthernet 0/0, I applied a crypto map for an IPsec VPN.
The VPN counterpart tells me I have to NAT my clients behind a /30, which must be the source of the IPsec VPN.
Now, the VPN is established successfully and I can ping the remote destination. But as soon as I ping the Internet from the same machine that is pinging the VPN, I get NATted with the class reserved for the VPN. If I don't do that, everything works normally.
I'm attaching the configuration:
Code:
TestRouter#show run
Building configuration...
Current configuration : 3118 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TestRouter
!
boot-start-marker
boot system flash:c180x-advipservicesk9-mz.123-14.YT1.bin
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
crypto pki token default removal timeout 0
!
!
archive
log config
hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address x.x.x.x
!
!
crypto ipsec transform-set t3 esp-3des esp-md5-hmac
!
crypto map psmdc-vpn 925 ipsec-isakmp
description VPN A
set peer x.x.x.x
set transform-set t3
match address trafficoVPN
!
!
!
interface FastEthernet0
description WAN
ip address 10.10.10.254 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map psmdc-vpn
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet1
switchport access vlan 3
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
switchport access vlan 2
!
interface FastEthernet5
switchport access vlan 2
!
interface FastEthernet6
switchport access vlan 2
!
interface FastEthernet7
switchport access vlan 2
!
interface FastEthernet8
switchport access vlan 2
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
no ip address
!
interface Vlan2
description inside
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description Rete-A
ip address 192.168.225.254 255.255.255.0
ip nat outside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 10.103.8.26 255.255.255.255 192.168.225.1
!
!
no ip http server
no ip http secure-server
ip nat pool VPNPool 172.31.128.245 172.31.128.246 netmask 255.255.255.252
ip nat inside source list 111 pool VPNPool
ip nat inside source static tcp 10.0.0.20 3389 interface FastEthernet0 33899
ip nat inside source route-map NAT-A interface Vlan3 overload
ip nat inside source route-map NATuscita interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.23 80 interface FastEthernet0 80
ip nat inside source static tcp 10.0.0.23 443 interface FastEthernet0 443
!
ip access-list extended trafficoVPN
permit ip 172.31.128.244 0.0.0.3 161.27.243.160 0.0.0.15
!
access-list 110 deny ip 10.0.0.0 0.0.0.255 161.27.243.160 0.0.0.15
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 112 permit ip 10.0.0.0 0.0.0.255 any
!
route-map NAT-A permit 11
match ip address 112
match interface Vlan3
!
route-map NATuscita permit 10
match ip address 110
match interface FastEthernet0
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7
login
transport input all
!
no scheduler allocate
end
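The following is an added example, not the original poster's configuration or a reply from the thread. It shows the NAT change a practitioner would try for the symptom described: `ip nat inside source list 111 pool VPNPool` (no `overload`) makes IOS create a simple translation entry (inside local to inside global only), so once a host has been translated into the VPN /30 for a ping to the remote network, every packet from that host is translated the same way until the entry ages out, Internet traffic included. Route-map based NAT (and PAT with `overload`) create fully extended entries that also record the destination and ports, so the VPN translation only applies to VPN traffic. Assumptions: ACL 111 is referenced in the posted config but never defined, so it is written out here using the remote 161.27.243.160/28 from the posted crypto ACL; the route-map name NAT-VPN and its sequence number are arbitrary choices; FastEthernet0 is the egress interface per the posted default route.

```cisco
! Added example (not from the original post): route-map based NAT for the
! VPN traffic so that IOS builds fully extended translation entries instead
! of simple host entries.
!
! 1. Flush the simple entries created by the old statement, otherwise IOS
!    refuses to remove the mapping while translations are in use.
clear ip nat translation *
no ip nat inside source list 111 pool VPNPool

! 2. Define the ACL the old statement referenced but the config lacked:
!    inside clients talking to the remote VPN network (from the crypto ACL).
access-list 111 permit ip 10.0.0.0 0.0.0.255 161.27.243.160 0.0.0.15

! 3. Route-map (hypothetical name NAT-VPN): match the VPN traffic and the
!    outside interface it leaves through.
route-map NAT-VPN permit 10
 match ip address 111
 match interface FastEthernet0

! 4. Pool unchanged: the two usable hosts of 172.31.128.244/30 agreed with
!    the peer. 'overload' lets more than two inside hosts use the VPN at
!    once (PAT) and also yields extended entries on its own.
ip nat pool VPNPool 172.31.128.245 172.31.128.246 netmask 255.255.255.252
ip nat inside source route-map NAT-VPN pool VPNPool overload

! The existing Internet rule (route-map NATuscita / ACL 110) already denies
! 10.0.0.0/24 -> 161.27.243.160/28, so the VPN and Internet rules are
! mutually exclusive and no dependence on NAT rule evaluation order remains.
```

To check the result, ping the remote network and an Internet address from the same inside host and run `show ip nat translations verbose`: the VPN entry should list the inside local, the 172.31.128.x inside global and the 161.27.243.x destination (an extended entry, shown with protocol and ports), while the Internet entry should be translated to the FastEthernet0 address 10.10.10.254. Since NAT runs before IPsec on the inside-to-outside path, the crypto ACL `trafficoVPN` keeps matching the translated /30 source as before. As an aside on the posted crypto settings, 3DES, MD5 and DH group 2 are deprecated and worth renegotiating with the peer when the tunnel is next touched.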