A little help with an L2L VPN and router-generated traffic

Virtual private networks and related topics

Moderator: Federico.Lagni

mariom79
n00b
Posts: 21
Joined: Fri 25 Apr 2008, 11:07 am

Good evening everyone,
this is my scenario:

Router A - Non-Cisco (Netgear FVX538V2) with an ADSL PPPoE connection
Ethernet (10.0.0.199) - 10.0.0.X 255.255.255.0
L2L VPN to router B, which has a dynamic IP

Router B - Cisco 2851
ETH 0/0 - PPPoE on Dialer0 towards Telecom's TuttoFibra modem
ETH 0/1.1 (10.0.1.254) - DATA VLAN 10.0.1.X 255.255.255.0
ETH 0/1.100 (192.168.2.1) - VOICE VLAN 192.168.2.X 255.255.255.0
L2L VPN to router A, which has a dynamic IP

The VPN works correctly: the PCs on both networks browse the Internet correctly and can reach the PCs on the opposite network, i.e. the PCs on A reach B correctly and vice versa.
The two VLANs work correctly and the phones (SCCP on VLAN 100 and SIP on 10.0.1.X) register correctly.
The problem lies in router B, the Cisco 2851: traffic generated by the router does not reach the hosts on network A (10.0.0.x), and of course the PCs on network A cannot reach only and exclusively the IP of router B (both 10.0.1.254 and 192.168.2.1). I would need this connection to hook the 2851's CME via SIP to an Asterisk PBX on network A.
If from the 2851 I run an extended ping and specify 10.0.1.254 (the IP of ETH 0/1.1) as the source, the ping works correctly.

What could it be? Is there a command to tell the router which IP / interface to originate requests from for internally generated traffic?
The 2851's configuration was done partly from the CLI (for the commands and sections I already knew) and partly using Cisco Configuration Professional (for VPN and firewall). I should also mention that when the VPN configuration was finished, with no firewall active yet, the "problem" was already present.

If needed I can post the configuration and/or parts of it.

Thanks in advance.
Mario.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

http://www.cisco.com/c/en/us/td/docs/vo ... 3725679205

If you used PBR, you also need

Code:

ip local policy route-map map-tag
Cheers
Paolo
No leaf falls that the unconscious does not want (S.B.)
mariom79
n00b
Posts: 21
Joined: Fri 25 Apr 2008, 11:07 am

Hi, I ran a few tests and looked at the command you suggested; unfortunately it didn't solve it.
Which part of the configuration can I post (just to avoid a mile-long post) to try to understand the problem?

Thanks in advance.
Mario.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

Hi.
Post the routing and VPN part to start with.

Paolo
mariom79
n00b
Posts: 21
Joined: Fri 25 Apr 2008, 11:07 am

Hi, here is the configuration; I removed the whole SIP and Cisco phone registration part and the TFTP section, since those work and don't affect the problem.

The telephony and data parts on the router's own LAN work perfectly; what doesn't work is the traffic generated by the router towards the VPN and its hosts, and vice versa (traffic from hosts on the remote network towards the router's IP). If instead I ping a host across the VPN from the router in extended mode, choosing 10.0.1.254 as the source, the ping is answered.
The hosts on both networks (local and remote) reach each other perfectly.

The firewall and VPN configuration was done using Cisco Configuration Professional.

Thanks in advance for the support.
Mario.

Code:

!
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <RouterName>
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
!
!
!
aaa session-id common
!
clock timezone Rome 1 0
clock summer-time Rome recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 10.0.1.1 10.0.1.8
ip dhcp excluded-address 10.0.1.241 10.0.1.254
ip dhcp excluded-address 10.0.1.13
ip dhcp excluded-address 10.0.1.11
ip dhcp excluded-address 10.0.1.169
!
ip dhcp pool Voice
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1 
 option 150 ip 192.168.2.1 
 domain-name miodominio.it
 dns-server 10.0.1.6 
!
ip dhcp pool Lan
 import all
 network 10.0.1.0 255.255.255.0
 domain-name miodominio.it
 option 150 ip 10.0.1.6 
 default-router 10.0.1.254 
 dns-server 10.0.1.6 
 lease 0 2
!
!
ip domain name miodominio.it
ip name-server 10.0.1.6
ip name-server 208.67.220.222
ip name-server 208.67.220.220
ip ddns update method NoIP
 HTTP
  add http://<user>:<password>@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
login block-for 360 attempts 3 within 90
login delay 10
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
trunk group FXO-PSTN
 description ***Analog Trunk Group***
 hunt-scheme sequential both down
!
!
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  bind control source-interface GigabitEthernet0/1.100
  bind media source-interface GigabitEthernet0/1.100
  registrar server expires max 600 min 60
  no call service stop
!
voice class codec 1
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
 codec preference 3 g729r8
!
!
voice register global
 mode cme
 source-address 192.168.2.1 port 5060
 max-dn 35
 max-pool 10
 authenticate register
 authenticate realm miodominio.it
 timezone 23
 time-format 24
 date-format D/M/Y
 tftp-path flash:
 create profile sync 0001883490243681
 network-locale IT
 user-locale IT
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
! 
license udi pid CISCO2851 sn XXXXXXXXXXX
username <user> privilege 15 secret 5 <password>
username <user1> privilege 15 secret 4 <password1>
!
redundancy
!
!
ip ssh version 1
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 102
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect 
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <vpn key> hostname <remote.end.point> 
crypto isakmp identity hostname
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to RemoteEndPoint
 set peer <remote.end.point> dynamic
 set transform-set ESP-3DES-SHA 
 match address 100
!
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description $FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 10.0.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface GigabitEthernet0/1.100
 description $FW_INSIDE$
 encapsulation dot1Q 100
 ip address 192.168.2.1 255.255.255.0
 zone-member security in-zone
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 switchport mode trunk
 switchport voice vlan 100
 no ip address
!
interface FastEthernet1/1
 no ip address
!
interface FastEthernet1/2
 no ip address
!
interface FastEthernet1/3
 no ip address
!
interface FastEthernet1/4
 no ip address
!
interface FastEthernet1/5
 no ip address
!
interface FastEthernet1/6
 switchport mode trunk
 switchport voice vlan 100
 no ip address
!
interface FastEthernet1/7
 switchport mode trunk
 switchport voice vlan 100
 no ip address
!
interface FastEthernet1/8
 switchport access vlan 100
 switchport mode trunk
 no ip address
!
interface FastEthernet1/9
 no ip address
!
interface FastEthernet1/10
 no ip address
!
interface FastEthernet1/11
 no ip address
!
interface FastEthernet1/12
 no ip address
!
interface FastEthernet1/13
 switchport mode trunk
 switchport voice vlan 100
 no ip address
!
interface FastEthernet1/14
 switchport mode trunk
 switchport voice vlan 100
 no ip address
!
interface FastEthernet1/15
 switchport mode trunk
 switchport voice vlan 100
 no ip address
!
interface Vlan1
 no ip address
!
interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 30000
 ip ddns update hostname <ddns host name>
 ip ddns update NoIP
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <username>
 ppp chap password 0 <password>
 ppp pap sent-username <username> password 0 <password>
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:/GUI
!
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
logging trap debugging
logging 10.0.1.60
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host <remote end point IP> any
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
!
control-plane
!
!
voice-port 0/2/0
 trunk-group FXO-PSTN
 input gain 6
 output attenuation -3
 connection plar opx 700
 caller-id enable
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
!
!
mgcp profile default
!
!
dial-peer voice 600 voip
 description Asterisk SIP TRUNK
 destination-pattern [45].
 session protocol sipv2
 session target ipv4:10.0.0.8
 dtmf-relay rtp-nte
 codec g711alaw
!
dial-peer voice 601 voip
 description Asterisk SIP TRUNK IN
 session protocol sipv2
 session target ipv4:10.0.0.8
 incoming called-number 6.
 dtmf-relay rtp-nte
 codec g711alaw
!
dial-peer voice 100 pots
 trunkgroup FXO-PSTN
 description ***Outbound to PSTN***
 destination-pattern 0T
!
dial-peer voice 101 voip
 description ***CME VoIP Destination Pattern***
 destination-pattern 6.
 session target ipv4:192.168.2.1
 dtmf-relay h245-alphanumeric
 no vad
!
!
gateway 
 timer receive-rtp 1200
!
!
!
telephony-service
 max-ephones 100
 max-dn 100
 ip source-address 192.168.2.1 port 2000
 system message <My CME>
 cnf-file location flash:
 user-locale IT
 network-locale IT
 load 7914 S00105000400
 load 7905 CP7905080003SCCP070409A
 load 7920 cmterm_7920.4.0-03-02
 load 7960-7940 P0030801SR02
 load 7961 SCCP41.9-2-1S
 load 7962 SCCP42.9-2-1S
 time-zone 23
 time-format 24
 date-format dd-mm-yy
 max-conferences 8 gain -6
 moh flash:/audio/music-on-hold.au
 web admin system name <username> secret 5 <password>
 dn-webedit 
 time-webedit 
 transfer-system full-consult
 create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server ntp1.inrim.it prefer
end
mariom79
n00b
Posts: 21
Joined: Fri 25 Apr 2008, 11:07 am

Any ideas?

Thanks.
Mario.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

Hi.
I'm in a somewhat hectic period. As soon as I have time I'll take a look.

Paolo
mariom79
n00b
Posts: 21
Joined: Fri 25 Apr 2008, 11:07 am

Hi, have you had a chance to look at the configuration? Did you see anything wrong?

Thanks in advance.
Mario.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

No.
I'll try to run a couple of tests this evening.

Cheers
mariom79
n00b
Posts: 21
Joined: Fri 25 Apr 2008, 11:07 am

OK, many thanks in advance.

Mario.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

Hi.
Have you tried putting the dialer's IP in ACL 100?
If not, change the configuration to IPsec VTI.

Paolo
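As an added illustration (not code from the thread or from Cisco), this Python snippet models how a crypto map's `match address` ACL selects traffic for IPsec, using Router B's ACL 100 exactly as posted. It shows why a ping sourced from 10.0.1.254 is encrypted while traffic the router sources from its Dialer0 address is not; the Dialer0 address is a constructed placeholder, and `with_dialer_host` is a hypothetical helper modelling the suggestion in the reply above.

```python
"""Model of crypto-map traffic selection on Router B (added example)."""
import ipaddress

# ACL 100 from the posted config: (src, src-wildcard, dst, dst-wildcard)
ACL_100 = [
    ("10.0.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("192.168.2.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
]

ASTERISK = "10.0.0.8"        # session target of dial-peer 600/601
DIALER_IP = "203.0.113.7"    # constructed placeholder: Dialer0's negotiated address


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def crypto_acl_permits(acl, src: str, dst: str) -> bool:
    """True when a permit entry selects this src/dst pair for the tunnel.

    Anything that matches no entry leaves Dialer0 in the clear (and here,
    towards a private 10.0.0.0/24 destination, never comes back).
    """
    return any(
        _wildcard_match(src, s, sw) and _wildcard_match(dst, d, dw)
        for s, sw, d, dw in acl
    )


def with_dialer_host(acl, dialer_ip: str):
    """Hypothetical helper: ACL 100 plus a host entry for the dialer's
    own address, as suggested in the reply. Returns a new list."""
    return acl + [(dialer_ip, "0.0.0.0", "10.0.0.0", "0.0.0.255")]


def router_to_asterisk(acl, source_ip: str) -> bool:
    """Does router-originated traffic to the Asterisk box enter the tunnel?"""
    return crypto_acl_permits(acl, source_ip, ASTERISK)


if __name__ == "__main__":
    # Extended ping sourced from Gi0/1.1: selected for encryption -> works.
    print("source 10.0.1.254:", router_to_asterisk(ACL_100, "10.0.1.254"))
    # Default source is the egress interface (Dialer0): not selected -> fails.
    print("source Dialer0   :", router_to_asterisk(ACL_100, DIALER_IP))
    # With the dialer's address added to the ACL, it is selected.
    print("with host entry  :", router_to_asterisk(with_dialer_host(ACL_100, DIALER_IP), DIALER_IP))
```

Because Dialer0's address is negotiated, a host entry for it goes stale whenever PPPoE renegotiates, which is why the reply also offers a VTI, where routing rather than an ACL decides what enters the tunnel.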
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov. of GE

Did you solve it?

Paolo