A little help with L2L VPN and router traffic
Posted: Sun 21 Aug 2016, 9:24 pm
by mariom79
Good evening everyone,
this is my scenario:
Router A - non-Cisco (Netgear FVX538V2) with ADSL PPPoE connection
Ethernet (10.0.0.199) - 10.0.0.X 255.255.255.0
L2L VPN to router B with dynamic IP
Router B - Cisco 2851
ETH 0/0 - PPPoE on Dialer0 towards the Telecom tuttofibra modem
ETH 0/1.1 (10.0.1.254) - DATA VLAN 10.0.1.X 255.255.255.0
ETH 0/1.100 (192.168.2.1) - VOICE VLAN 192.168.2.X 255.255.255.0
L2L VPN to router A with dynamic IP
The VPN works correctly, the PCs on both networks browse the internet fine and can reach the PCs on the opposite network, i.e. the A PCs reach B correctly and vice versa.
The two VLANs work correctly and the phones (SCCP on VLAN 100 and SIP on 10.0.1.X) register correctly.
The problem is on router B, the Cisco 2851: traffic generated by the router does not reach the hosts on network A (10.0.0.x) and, of course, the PCs on network A cannot reach only and exclusively the IP of router B (both 10.0.1.254 and 192.168.2.1). I would need this link to hook the 2851's CME via SIP to an Asterisk PBX on network A.
If from the 2851 I run a ping with advanced settings and specify 10.0.1.254 (the IP of ETH 0/1.1) as the source, the ping works correctly.
What could it be??? Is there a command to tell the router which IP / interface to originate requests from for internally generated traffic??
The 2851 was configured partly from the CLI (for the commands and sections I already knew) and partly using Cisco Configuration Professional (for VPN and Firewall). I should also say that when the VPN configuration was finished, with no firewall active yet, the "problem" was already present.
If needed I can post the configuration and/or parts of it.
Thanks in advance.
Mario.
Re: A little help with L2L VPN and router traffic
Posted: Mon 22 Aug 2016, 5:51 pm
by paolomat75
Re: A little help with L2L VPN and router traffic
Posted: Tue 30 Aug 2016, 7:16 pm
by mariom79
Hi, I did some testing and looked at the command you suggested, unfortunately I haven't solved it.
Which part of the configuration can I post (just so as not to make a mile-long post) to try to understand the problem????
Thanks in advance.
Mario.
Re: A little help with L2L VPN and router traffic
Posted: Fri 02 Sep 2016, 2:50 pm
by paolomat75
Hi.
Post the routing and VPN part to start with.
Paolo
Re: A little help with L2L VPN and router traffic
Posted: Sun 04 Sep 2016, 7:38 pm
by mariom79
Hi, here is the configuration; I removed the whole SIP and Cisco phone registration part and the TFTP section, since those work and don't affect the problem.
The telephony and data parts on the router's own LAN work perfectly; what doesn't work is traffic generated by the router towards the VPN and its hosts, and vice versa (traffic from hosts on the remote network towards the router's IP). If instead from the router I ping a host on the VPN in advanced mode choosing 10.0.1.254 as the source, the ping replies.
The hosts on both networks (local and remote) reach each other perfectly.
The firewall and VPN configuration was done using Cisco Configuration Professional.
Thanks in advance for the support.
Mario.
Code:
!
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <RouterName>
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
clock timezone Rome 1 0
clock summer-time Rome recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 10.0.1.1 10.0.1.8
ip dhcp excluded-address 10.0.1.241 10.0.1.254
ip dhcp excluded-address 10.0.1.13
ip dhcp excluded-address 10.0.1.11
ip dhcp excluded-address 10.0.1.169
!
ip dhcp pool Voice
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
option 150 ip 192.168.2.1
domain-name miodominio.it
dns-server 10.0.1.6
!
ip dhcp pool Lan
import all
network 10.0.1.0 255.255.255.0
domain-name miodominio.it
option 150 ip 10.0.1.6
default-router 10.0.1.254
dns-server 10.0.1.6
lease 0 2
!
!
ip domain name miodominio.it
ip name-server 10.0.1.6
ip name-server 208.67.220.222
ip name-server 208.67.220.220
ip ddns update method NoIP
HTTP
add http://<user>:<password>@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
interval maximum 0 0 5 0
!
login block-for 360 attempts 3 within 90
login delay 10
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
trunk group FXO-PSTN
description ***Analog Trunk Group***
hunt-scheme sequential both down
!
!
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
bind control source-interface GigabitEthernet0/1.100
bind media source-interface GigabitEthernet0/1.100
registrar server expires max 600 min 60
no call service stop
!
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
codec preference 3 g729r8
!
!
voice register global
mode cme
source-address 192.168.2.1 port 5060
max-dn 35
max-pool 10
authenticate register
authenticate realm miodominio.it
timezone 23
time-format 24
date-format D/M/Y
tftp-path flash:
create profile sync 0001883490243681
network-locale IT
user-locale IT
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2851 sn XXXXXXXXXXX
username <user> privilege 15 secret 5 <password>
username <user1> privilege 15 secret 4 <password1>
!
redundancy
!
!
ip ssh version 1
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <vpn key> hostname <remote.end.point>
crypto isakmp identity hostname
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to RemoteEndPoint
set peer <remote.end.point> dynamic
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description $FW_INSIDE$
encapsulation dot1Q 1 native
ip address 10.0.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface GigabitEthernet0/1.100
description $FW_INSIDE$
encapsulation dot1Q 100
ip address 192.168.2.1 255.255.255.0
zone-member security in-zone
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet1/0
switchport mode trunk
switchport voice vlan 100
no ip address
!
interface FastEthernet1/1
no ip address
!
interface FastEthernet1/2
no ip address
!
interface FastEthernet1/3
no ip address
!
interface FastEthernet1/4
no ip address
!
interface FastEthernet1/5
no ip address
!
interface FastEthernet1/6
switchport mode trunk
switchport voice vlan 100
no ip address
!
interface FastEthernet1/7
switchport mode trunk
switchport voice vlan 100
no ip address
!
interface FastEthernet1/8
switchport access vlan 100
switchport mode trunk
no ip address
!
interface FastEthernet1/9
no ip address
!
interface FastEthernet1/10
no ip address
!
interface FastEthernet1/11
no ip address
!
interface FastEthernet1/12
no ip address
!
interface FastEthernet1/13
switchport mode trunk
switchport voice vlan 100
no ip address
!
interface FastEthernet1/14
switchport mode trunk
switchport voice vlan 100
no ip address
!
interface FastEthernet1/15
switchport mode trunk
switchport voice vlan 100
no ip address
!
interface Vlan1
no ip address
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 30000
ip ddns update hostname <ddns host name>
ip ddns update NoIP
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <username>
ppp chap password 0 <password>
ppp pap sent-username <username> password 0 <password>
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:/GUI
!
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
logging trap debugging
logging 10.0.1.60
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host <remote end point IP> any
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
!
control-plane
!
!
voice-port 0/2/0
trunk-group FXO-PSTN
input gain 6
output attenuation -3
connection plar opx 700
caller-id enable
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
!
!
mgcp profile default
!
!
dial-peer voice 600 voip
description Asterisk SIP TRUNK
destination-pattern [45].
session protocol sipv2
session target ipv4:10.0.0.8
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 601 voip
description Asterisk SIP TRUNK IN
session protocol sipv2
session target ipv4:10.0.0.8
incoming called-number 6.
dtmf-relay rtp-nte
codec g711alaw
!
dial-peer voice 100 pots
trunkgroup FXO-PSTN
description ***Outbound to PSTN***
destination-pattern 0T
!
dial-peer voice 101 voip
description ***CME VoIP Destination Pattern***
destination-pattern 6.
session target ipv4:192.168.2.1
dtmf-relay h245-alphanumeric
no vad
!
!
gateway
timer receive-rtp 1200
!
!
!
telephony-service
max-ephones 100
max-dn 100
ip source-address 192.168.2.1 port 2000
system message <My CME>
cnf-file location flash:
user-locale IT
network-locale IT
load 7914 S00105000400
load 7905 CP7905080003SCCP070409A
load 7920 cmterm_7920.4.0-03-02
load 7960-7940 P0030801SR02
load 7961 SCCP41.9-2-1S
load 7962 SCCP42.9-2-1S
time-zone 23
time-format 24
date-format dd-mm-yy
max-conferences 8 gain -6
moh flash:/audio/music-on-hold.au
web admin system name <username> secret 5 <password>
dn-webedit
time-webedit
transfer-system full-consult
create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server ntp1.inrim.it prefer
end
Re: A little help with L2L VPN and router traffic
Posted: Mon 12 Sep 2016, 7:32 am
by mariom79
Any ideas????
Thanks.
Mario.
Re: A little help with L2L VPN and router traffic
Posted: Mon 12 Sep 2016, 11:29 am
by paolomat75
Hi.
I'm in a bit of a hectic period. As soon as I have time I'll take a look.
Paolo
Re: A little help with L2L VPN and router traffic
Posted: Wed 28 Sep 2016, 8:12 pm
by mariom79
Hi, did you get a chance to take a look at the configuration??? Did you see anything wrong??
Thanks in advance.
Mario.
Re: A little help with L2L VPN and router traffic
Posted: Thu 29 Sep 2016, 1:14 pm
by paolomat75
No.
I'll try to run a couple of tests tonight.
Bye
Re: A little help with L2L VPN and router traffic
Posted: Thu 29 Sep 2016, 5:59 pm
by mariom79
OK, thanks a lot in advance.
Mario.
Re: A little help with L2L VPN and router traffic
Posted: Thu 29 Sep 2016, 8:21 pm
by paolomat75
Hi.
Have you tried putting the dialer's IP in ACL 100?
If not, change the configuration to IPsec VTI.
Paolo
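An added example, not from the thread or either poster: a small model of how IOS evaluates crypto ACL 100 from the posted config against router-originated packets. It shows why the 2851's own traffic towards the Asterisk box (10.0.0.8) never matches the tunnel's interesting-traffic ACL unless the packet is sourced from 10.0.1.254, and what Paolo's suggestion of adding the Dialer0 address changes. The Dialer0 address 203.0.113.10 is a constructed placeholder for the negotiated PPPoE address, which the thread does not give.

```python
import ipaddress

# Crypto ACL 100 as posted in the thread: only the two LANs behind the 2851 are
# "interesting" traffic for the tunnel towards network A (10.0.0.0/24).
CRYPTO_ACL_100 = """
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
DIALER0_IP = "203.0.113.10"  # constructed placeholder for the negotiated Dialer0 address
CRYPTO_ACL_100_WITH_DIALER = CRYPTO_ACL_100 + (  # Paolo's suggestion, modelled
    f"access-list 100 permit ip host {DIALER0_IP} 10.0.0.0 0.0.0.255\n")

def _addr_spec(tok, i):
    """Consume one IOS address spec (any | host A | A wildcard) -> ((base, wild), next i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark" or tok[3] != "ip":
            continue
        src, i = _addr_spec(tok, 4)
        dst, _ = _addr_spec(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def _hits(spec, addr):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    care = 0xFFFFFFFF ^ spec[1]
    return (int(ipaddress.IPv4Address(addr)) & care) == (spec[0] & care)

def crypto_acl_selects(acl, src, dst):
    """First match wins; with no matching permit the packet bypasses the tunnel (implicit deny)."""
    for action, s, d in acl:
        if _hits(s, src) and _hits(d, dst):
            return action == "permit"
    return False

def router_originated_cases(acl, asterisk="10.0.0.8"):
    """Router-generated packets default to the egress (Dialer0) address unless a source is forced."""
    return {
        "default_src_dialer0": crypto_acl_selects(acl, DIALER0_IP, asterisk),
        "src_10.0.1.254": crypto_acl_selects(acl, "10.0.1.254", asterisk),
        "src_192.168.2.1": crypto_acl_selects(acl, "192.168.2.1", asterisk),
    }
```

The remote Netgear's phase-2 policy must also accept the extra host proxy ID, and a negotiated Dialer0 address changes on every PPPoE reconnect, which is why a VTI with routed traffic is the cleaner of the two options Paolo lists.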
Re: A little help with L2L VPN and router traffic
Posted: Thu 06 Oct 2016, 10:02 am
by paolomat75
Did you solve it?
Paolo