Site-to-site and client VPN coexistence

Virtual private networks and related topics

Moderator: Federico.Lagni

NetRunner009
n00b
Posts: 14
Joined: Sat 18 Oct 2014, 3:45 pm

Hi everyone,
I have been asked to look into a situation that has come up between two offices.
Until now, two offices of the same company have each used a Cisco 800 series router with IOS 15.2 K9 security for Internet connectivity and for remote user access via VPN client.
Now the company would like to set up a VPN tunnel between the two sites (up to now there was no need for one).

I configured everything the way I think it should be, but the site-to-site tunnel doesn't come up...

Here is the sh run of both:

Office A

Current configuration : 5413 bytes
!
! Last configuration change at 09:32:44 UTC Mon Aug 31 2015 by puccio
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE A
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220561722
revocation-check none
rsakeypair TP-self-signed-220561722
!
!
crypto pki certificate chain TP-self-signed-220561722
certificate self-signed 01

quit
!
!
!
!


!
!
ip dhcp pool WIRED
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 8.8.8.8
!
!
!
ip name-server 10.0.0.200
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362LV
!
!
username DBDADMIN
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain
username puccio
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group remote-bdb
key xxxxxx
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 20
set transform-set myset
!
crypto isakmp policy 20
hash md5
authentication pre-share
!
crypto isakmp key xxxxxx address IP UFFICIO B

crypto map clientmap 20 ipsec-isakmp
set peer IP UFFICIO B
set transform-set myset
match address 115

crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
!
!
!
!
!
!

!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description INTERNAL
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!

!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 remark *** ACL NONAT ***
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

OFFICE B

Building configuration...

Current configuration : 6953 bytes
!
! Last configuration change at 10:43:18 UTC Mon Aug 31 2015
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname UFFICIO B
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1514396900
revocation-check none
rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900

quit
!
!
!
!


!
!
ip dhcp pool WIRED
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.1.200
!
!
!
ip name-server 192.168.1.200
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key xxxx address IP UFFICIO A
!
crypto isakmp client configuration group remote-bdb
key xxxxx
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP UFFICIO A
set transform-set myset
match address 115
!
!
!
!
!
!

!
interface Loopback1
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10

!
interface Vlan20

interface Vlan30
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username @alicebiz.routed password 0 @alicebiz.routed
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map nonat permit 10
match ip address 150 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Thanks to anyone who has the time and inclination to help me
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

Hi.
I had a quick read. At first glance ACL 115 is missing on the OFFICE A router (the one that decides which traffic is sent through the IPsec tunnel).

Let me know
Paolo
No leaf falls that the unconscious does not will (S.B.)
NetRunner009
n00b
Posts: 14
Joined: Sat 18 Oct 2014, 3:45 pm

Hi, and thanks for the reply.
I added on router A

access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any

But the situation doesn't change.
Running sh crypto session I get this output

Interface: Dialer0
Username: remoteuser
Group: remoteusers
Assigned address: 10.16.20.4
Session status: UP-ACTIVE
Peer: 79.47.91.73 port 59857
Session ID: 0
IKEv1 SA: local 79.0.238.28/4500 remote 79.47.91.73/59857 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.16.20.4
Active SAs: 2, origin: dynamic crypto map

Interface: Dialer0
Session status: DOWN
Peer: 79.29.3.79 port 500
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map

The first tunnel is up and it's the one I'm using while connected via VPN, but the second one doesn't come up...
Thanks in advance for any reply.
NetRunner009
n00b
Posts: 14
Joined: Sat 18 Oct 2014, 3:45 pm

I cleaned up the configs a bit

OFFICE A

Current configuration : 6589 bytes
!
! Last configuration change at 07:58:18 UTC Tue Sep 1 2015 by puccio
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE A
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1514396900
revocation-check none
rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900
certificate self-signed 01

quit

!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!

!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key XXXX address IP OFFICE B

!
crypto isakmp client configuration group remoteusers
key XXXXXX
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP OFFICE B
set transform-set myset
match address 115
!
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map nonat permit 10
match ip address 150 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
password Password02
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

OFFICE B
Building configuration...

Current configuration : 5778 bytes
!
! Last configuration change at 07:39:44 UTC Tue Sep 1 2015 by puccio
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE B
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220561722
revocation-check none
rsakeypair TP-self-signed-220561722
!
!
crypto pki certificate chain TP-self-signed-220561722
certificate self-signed 01
quit
!
!
!
!


!
!

!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362LV
!
!
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain

!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key XXXXXX address IP OFFICE A
!
crypto isakmp client configuration group REMOTEUSERS
key XXXXX
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP OFFICE A
set transform-set myset
match address 115
!
!
!
!
!
!
interface Loopback0
ip address 10.0.99.254 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description INTERNAL
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 remark *** ACL NONAT ***
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

Hi,
on OFFICE B change ACL 101 so that the 2 denies come first. On OFFICE A you have NAT on 2 ACLs that don't exist.
That's just at first glance.

Paolo
No leaf falls that the unconscious does not will (S.B.)
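The two replies above point at the same class of mistake: a crypto map or NAT statement that names an ACL which does not exist, and a NONAT ACL whose deny lines sit below a `permit ... any` and therefore never match. The script below, an added example and not code from the thread or from Cisco, parses a constructed config fragment in the style of the dumps posted here (addresses and peer IPs are made up) and reports those defects, and it also checks that the crypto ACL on one side is the exact mirror of the other side's, which is what the `access-list 115 permit ip 192.168.1.0 0.0.0.255 any` line tried earlier in the thread gets wrong.

```python
import re

# Constructed config fragment in the style of the dumps above (peer IP is a documentation
# address). It reproduces the three problems raised in the replies: no ACL 115 behind
# 'match address 115', NAT pointing at a non-existent ACL 1, and a NONAT deny placed
# after 'permit ... any' so that it can never match.
OFFICE_A = """\
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set myset
 match address 115
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
!
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 remark *** ACL NONAT ***
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Crypto ACLs for the mirror check: B's ACL 115, a correct ACL 115 for A, and the
# 'permit ip 192.168.1.0 0.0.0.255 any' variant tried in the thread.
OFFICE_B = "access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255\n"
OFFICE_A_FIXED = "access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
OFFICE_A_WRONG = OFFICE_A_FIXED + "access-list 115 permit ip 192.168.1.0 0.0.0.255 any\n"

# Only the 'src wildcard dst wildcard' and 'src wildcard any' forms used in the thread.
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$")

def parse_config(text):
    """Return (ACL entries in order, ACLs named by 'match address', ACLs named by NAT)."""
    acls, crypto_refs, nat_refs = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acl, action, src, swc, dst, dwc = m.groups()
            acls.setdefault(acl, []).append((action, src, swc, dst, dwc or ""))
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], [])  # remark or standard entry: ACL exists
        elif line.startswith("match address "):
            crypto_refs.append(line.split()[2])
        elif line.startswith("ip nat inside source list "):
            nat_refs.append(line.split()[5])
    return acls, crypto_refs, nat_refs

def check_config(text):
    """Findings a reviewer would raise: dangling ACL references and shadowed NONAT denies."""
    acls, crypto_refs, nat_refs = parse_config(text)
    findings = []
    for acl in crypto_refs:
        if acl not in acls:
            findings.append(f"crypto map 'match address {acl}': ACL {acl} does not exist, "
                            "so nothing is ever classified as interesting traffic")
    for acl in nat_refs:
        if acl not in acls:
            findings.append(f"NAT references ACL {acl}, which does not exist")
            continue
        entries = acls[acl]
        # ACLs are evaluated top-down and stop at the first hit: a deny placed after
        # 'permit ... any' is unreachable, so that traffic is NATed instead of tunnelled.
        for i, (action, src, swc, dst, _) in enumerate(entries):
            if action == "permit" and dst == "any":
                for later in entries[i + 1:]:
                    if later[0] == "deny":
                        findings.append(f"ACL {acl}: deny for {later[3]} {later[4]} is shadowed "
                                        f"by 'permit ip {src} {swc} any' above it")
                break
    return findings

def crypto_acls_mirror(text_a, acl_a, text_b, acl_b):
    """True when B's crypto ACL is exactly A's with source and destination swapped."""
    a = [e for e in parse_config(text_a)[0].get(acl_a, []) if e[0] == "permit"]
    b = [e for e in parse_config(text_b)[0].get(acl_b, []) if e[0] == "permit"]
    mirrored = {("permit", dst, dwc, src, swc) for (_, src, swc, dst, dwc) in a}
    return bool(a) and mirrored == set(b)

if __name__ == "__main__":
    for finding in check_config(OFFICE_A):
        print("-", finding)
    print("A(fixed) mirrors B:", crypto_acls_mirror(OFFICE_A_FIXED, "115", OFFICE_B, "115"))
    print("A(wrong) mirrors B:", crypto_acls_mirror(OFFICE_A_WRONG, "115", OFFICE_B, "115"))
```

Run it against a real `show running-config` saved to a file by passing the file contents to `check_config`; the parser deliberately ignores everything except numbered ACLs, `match address` and `ip nat inside source list`, so the route-map based NAT seen later in the thread would need an extra branch.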
NetRunner009
n00b
Posts: 14
Joined: Sat 18 Oct 2014, 3:45 pm

Hi,
thanks for the replies.
I've cleaned up the configurations.
I also added a nonat on router A to avoid NATting between the tunnel networks, but still nothing...
Here are the new configs, hoping for your kind help:

OFFICE A

Building configuration...

Current configuration : 6443 bytes
!
! Last configuration change at 09:30:58 UTC Fri Sep 4 2015 by puccio
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE_A_DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$.PeW$xoiJGVmsyl4AIPrpsO2jR/
enable password Password02
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220561722
revocation-check none
rsakeypair TP-self-signed-220561722
!
!
crypto pki certificate chain TP-self-signed-220561722

quit
!
!
!
!


!
!
ip dhcp pool WIRE
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 8.8.8.8
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362LV
!
!

!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain
username
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key @Kuma888 address 79.29.3.79
!
crypto isakmp client configuration group remote-users
key xxx
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP_OFFICE_B
set transform-set myset
match address 115
!
!
!
!
!
!
interface Loopback0
ip address 10.0.99.254 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description INTERNAL
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Dialer0
!
ip access-list extended nonat
deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
!
!
route-map nonat permit 1
match ip address 101
!
route-map nonat permit 2
match ip address 101
!
route-map nonat permit 10
match ip address 101 nonat
!
route-map nonat permit 20
match ip address 101 nonat
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

OFFICE B

Current configuration : 6821 bytes
!
! Last configuration change at 09:32:53 UTC Fri Sep 4 2015 by puccio
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE_B_DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1514396900
revocation-check none
rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900
certificate self-signed 01

quit
!
!
!
!


!
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!

!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key xxxx address IP_OFFICE_A
!
crypto isakmp client configuration group remote-users
key xxxx
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP_OFFICE_A
set transform-set myset
match address 115
!
!
!
!
!
!
interface Loopback0
ip address 10.0.99.254 255.255.255.0
!
interface Loopback1
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static tcp 192.168.1.100 3389 interface Dialer0 3389
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map nonat permit 10
match ip address 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
password Password02
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end