Hi,
I have configured my 1721 router so that I can connect over VPN to the LAN behind it. The problem is that after authenticating normally, I can only ping the first IP I try to ping, pardon the pun; let me explain better: right after logging in, from DOS I try to ping 192.168.1.200 and it replies normally; if I then try to ping 192.168.1.254 (the router) I cannot ping it. On .200 there is an FTP server and a VNC server and I cannot access it either way.
The even stranger thing is that as the GW of the VPN interface on the client PC I have the same IP as the machine itself. Can you give me a hand, pls??
Here's the config:
Building configuration...
Current configuration : 3339 bytes
!
! Last configuration change at 23:32:39 MET Mon Jul 23 2007 by XXXXXXXXX
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXXXXXXXX
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-21.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
memory-size iomem 25
clock timezone MET 1
clock summer-time MET recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login home_vpn local
aaa authorization network vpn_group local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip domain name open1
ip dhcp excluded-address 192.168.1.240 192.168.1.254
!
ip dhcp pool Open1
network 192.168.1.0 255.255.255.0
domain-name Open1
dns-server 213.140.2.43 213.140.2.49
default-router 192.168.1.254
!
ip cef
ip audit po max-events 100
!
!
username XXXXXXXXX password 0 XXXXXXXXX
username XXXXXXXXX password 0 XXXXXXXXX
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group home_vpn
key XXXXXXXXX
dns 213.140.2.43
domain open1
pool clientmap
!
!
crypto ipsec transform-set vpn_home esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpn_home
reverse-route
!
!
crypto map clientmap client authentication list home_vpn
crypto map clientmap isakmp authorization list vpn_group
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
interface Ethernet0
description #### Collegamento WAN ####
ip address XXXXXXXXX 255.255.255.0
ip nat outside
half-duplex
crypto map clientmap
!
interface FastEthernet0
description #### Collegamento LAN ####
ip address 192.168.1.254 255.255.255.0
ip nat inside
speed 100
full-duplex
!
router rip
passive-interface default
no passive-interface FastEthernet0
network 192.168.1.0
no auto-summary
!
ip local pool clientmap 10.24.4.57 10.24.4.59 group baba
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source list 101 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.200 139 XXXXXXXXX 139 extendable
ip nat inside source static tcp 192.168.1.200 5900 XXXXXXXXX 8000 extendable
ip nat inside source static tcp 192.168.1.200 4663 XXXXXXXXX 4663 extendable
ip nat inside source static udp 192.168.1.200 4673 XXXXXXXXX 4673 extendable
ip nat inside source static tcp 192.168.1.200 21 XXXXXXXXX 21 extendable
ip nat inside source static tcp 192.168.1.100 3724 XXXXXXXXX 3724 extendable
ip nat inside source static tcp 192.168.1.100 6881 XXXXXXXXX 6881 extendable
ip nat inside source static tcp 192.168.1.100 6112 XXXXXXXXX 6112 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 XXXXXXXXX
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.24.4.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 10.24.4.0 0.0.0.255
access-list 111 permit ip any any
!
tftp-server flash:c1700-k9o3sy7-mz.123-21.bin
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
!
sntp server XXXXXXXXX
sntp server XXXXXXXXX
sntp server XXXXXXXXX
end
HELP ME PLS, this is the 3rd night I haven't slept over this :PpPp
Thanks.
VPN Cisco 1721
Moderator: Federico.Lagni
- n00b
- Posts: 13
- Joined: Thu 24 May 2007, 10:59 am
That the default GW on the client is identical to the IP address is not strange..... it has to be that way!
Sorry, but I haven't quite understood the ping story; what do you mean by the ping only working to the first IP you try?
If you try the router first, does it work?
"Two things are infinite: the universe and human stupidity, but about the universe I still have some doubts." A. Einstein
- n00b
- Posts: 13
- Joined: Thu 24 May 2007, 10:59 am
I think we first need to narrow the problem down as much as possible, so can you tell me whether pings from the router work correctly towards the local network and towards the VPN client?
I have a doubt about the route that gets created when the VPN comes up.
Unfortunately I don't have a Cisco like yours, so I cannot reproduce your situation.
- n00b
- Posts: 12
- Joined: Tue 30 Jan 2007, 8:33 pm
No, from the router I cannot ping the PC on the VPN...
The current config is:
Building configuration...
Current configuration : 3775 bytes
!
! Last configuration change at 18:15:17 MET Wed Jul 25 2007 by XXXXX
! NVRAM config last updated at 18:15:19 MET Wed Jul 25 2007 by XXXXX
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Homer
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-21.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
!
memory-size iomem 25
clock timezone MET 1
clock summer-time MET recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login home_vpn local
aaa authorization network vpn_group local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip domain name open1
ip dhcp excluded-address 192.168.1.240 192.168.1.254
!
ip dhcp pool Open1
network 192.168.1.0 255.255.255.0
domain-name Open1
dns-server 213.140.2.43 213.140.2.49
default-router 192.168.1.254
!
ip cef
ip audit po max-events 100
!
!
username X.XXX.XXX.XXX password 0 X.XXX.XXX.XXX
username X.XXX.XXX.XXX password 0 X.XXX.XXX.XXX
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group home_vpn
key XXXXXXXX
dns X.XXX.XXX.XXX
domain local
pool vpn_pool
acl 108
!
!
crypto ipsec transform-set vpn_home esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpn_home
reverse-route
!
!
crypto map clientmap client authentication list home_vpn
crypto map clientmap isakmp authorization list vpn_group
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
description #### Collegamento WAN ####
ip address X.XXX.XXX.XXX 255.255.255.0
ip nat outside
half-duplex
crypto map clientmap
!
interface FastEthernet0
description #### Collegamento Switch ####
ip address 192.168.1.254 255.255.255.0
ip nat inside
speed 100
full-duplex
!
router rip
passive-interface default
no passive-interface FastEthernet0
network 192.168.1.0
no auto-summary
!
ip local pool vpn_pool 192.168.0.1 192.168.0.10 group vpn_group
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source list 108 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.200 139 X.XXX.XXX.XXX 139 extendable
ip nat inside source static tcp 192.168.1.200 5900 X.XXX.XXX.XXX 8000 extendable
ip nat inside source static tcp 192.168.1.200 4663 X.XXX.XXX.XXX 4663 extendable
ip nat inside source static udp 192.168.1.200 4673 X.XXX.XXX.XXX 4673 extendable
ip nat inside source static tcp 192.168.1.200 21 X.XXX.XXX.XXX 21 extendable
ip nat inside source static tcp 192.168.1.100 3724 X.XXX.XXX.XXX 3724 extendable
ip nat inside source static tcp 192.168.1.100 6881 X.XXX.XXX.XXX 6881 extendable
ip nat inside source static tcp 192.168.1.100 6112 X.XXX.XXX.XXX 6112 extendable
ip nat inside source static tcp 192.168.1.106 3724 X.XXX.XXX.XXX 3724 extendable
ip nat inside source static tcp 192.168.1.106 6881 X.XXX.XXX.XXX 6881 extendable
ip nat inside source static tcp 192.168.1.106 6112 X.XXX.XXX.XXX 6112 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 X.XXX.XXX.XXX
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 108 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 108 permit icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 108 permit udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
tftp-server flash:c1700-k9o3sy7-mz.123-21.bin
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
sntp server X.XXX.XXX.XXX
sntp server X.XXX.XXX.XXX
sntp server X.XXX.XXX.XXX
end
Homer#
- n00b
- Posts: 18
- Joined: Sat 24 Feb 2007, 12:48 pm
The NAT rule is wrong. You have to deny it like this:
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
because that traffic must not be NATed.
Bye
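To make the point about the NAT access list concrete, here is an added Python model (not code from this thread or from Cisco) of how the "ip nat inside source list <n> interface Ethernet0 overload" decision walks the referenced access list: the first matching entry wins, permit means translate, deny means leave untranslated. It runs the thread's own list 108 before and after the suggested deny, plus lists 101 and 111 from the first posted config, against the LAN host 192.168.1.200; the VPN client addresses are taken from each config's pool (192.168.0.7 is the one shown later in the thread) and the DHCP pool's DNS server 213.140.2.43 stands in for an Internet destination.

```python
"""Added model of the IOS NAT decision for one inside-to-outside packet: the access
list named by 'ip nat inside source list <n> ...' is walked top-down, the first match
wins, 'permit' means TRANSLATE and 'deny' means LEAVE UNTRANSLATED (not dropped).  A
LAN->VPN packet that gets translated no longer matches the IPsec proxy identity, so it
never enters the tunnel: that is why the exemption must be a deny in the NAT list."""
import ipaddress

Net = ipaddress.IPv4Network

def _wild_to_net(addr, wild):
    """IOS address + wildcard mask -> network (wildcard bits are 'don't care')."""
    w = int(ipaddress.IPv4Address(wild))
    if w & (w + 1):                       # non-contiguous wildcard: no CIDR equivalent
        raise ValueError(f"non-contiguous wildcard {wild}")
    return Net(f"{addr}/{32 - w.bit_length()}", strict=False)

def _addr_spec(t, i):
    """Parse one address spec at t[i] ('any', 'host A' or 'A WILDCARD');
    return (network, index of the next unread token)."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return Net(t[i + 1] + "/32"), i + 2
    return _wild_to_net(t[i], t[i + 1]), i + 2

def parse_acl(config_lines):
    """'access-list <n> ...' lines (standard or extended) -> [(action, proto, src, dst)]."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action = t[2]
        if t[3] in ("ip", "tcp", "udp", "icmp"):      # extended: protocol, source, destination
            src, i = _addr_spec(t, 4)
            dst, _ = _addr_spec(t, i)
            entries.append((action, t[3], src, dst))
        else:                                          # standard: source only, any protocol
            src, _ = _addr_spec(t, 3)
            entries.append((action, "ip", src, Net("0.0.0.0/0")))
    return entries

def nat_decision(config_lines, src_ip, dst_ip, proto="ip"):
    """Return 'translate' or 'exempt' for a packet src_ip -> dst_ip of the given protocol."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, ace_proto, ace_src, ace_dst in parse_acl(config_lines):
        if ace_proto in ("ip", proto) and src in ace_src and dst in ace_dst:
            return "translate" if action == "permit" else "exempt"
    return "exempt"        # implicit deny at the end of every IOS ACL: nothing is translated

# Access lists copied from the thread.  In the first config, list 111 holds the right
# exemption but no 'ip nat inside source list' line references it; list 101 (which
# translates LAN->pool) is referenced, and Internet traffic is matched by list 1.
ACL_101_FIRST = ["access-list 101 permit ip 192.168.1.0 0.0.0.255 10.24.4.0 0.0.0.255"]
ACL_111_FIRST = ["access-list 111 deny ip 192.168.1.0 0.0.0.255 10.24.4.0 0.0.0.255",
                 "access-list 111 permit ip any any"]
ACL_108_BROKEN = ["access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
                  "access-list 108 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
                  "access-list 108 permit icmp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
                  "access-list 108 permit udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"]
ACL_108_FIXED = ["access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
                 "access-list 108 permit ip 192.168.1.0 0.0.0.255 any"]

if __name__ == "__main__":
    # 192.168.1.200 is the LAN FTP/VNC host; client addresses come from each config's pool.
    for name, acl, client in [("101 first config (applied)", ACL_101_FIRST, "10.24.4.57"),
                              ("111 first config (unused)", ACL_111_FIRST, "10.24.4.57"),
                              ("108 as first posted", ACL_108_BROKEN, "192.168.0.7"),
                              ("108 with the deny", ACL_108_FIXED, "192.168.0.7")]:
        print(f"{name:28} LAN->VPN client: {nat_decision(acl, '192.168.1.200', client):9}"
              f"  LAN->Internet: {nat_decision(acl, '192.168.1.200', '213.140.2.43')}")
```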
- n00b
- Posts: 12
- Joined: Tue 30 Jan 2007, 8:33 pm
Hi, now the config is like this...
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
!
I tried doing a tracert from a PC inside the LAN towards a VPN IP, with this result:
>tracert 192.168.0.1 (IP of the PC on the VPN)
Rilevazione instradamento verso 192.168.0.1 su un massimo di 30 punti di passaggio
1 1 ms 1 ms 1 ms 192.168.1.254
2 * * * Richiesta scaduta.
3 * * * Richiesta scaduta.
4 * * * Richiesta scaduta.
5 ^C
>
it reaches the router and then the router doesn't know where to send the requests...

- n00b
- Posts: 18
- Joined: Sat 24 Feb 2007, 12:48 pm
no ip nat inside source list 1 interface Ethernet0 overload
- n00b
- Posts: 12
- Joined: Tue 30 Jan 2007, 8:33 pm
[email protected] wrote: no ip nat inside source list 1 interface Ethernet0 overload
But if I do this the whole LAN stops browsing....

- n00b
- Posts: 18
- Joined: Sat 24 Feb 2007, 12:48 pm
It browses because you have this in there:
ip nat inside source list 108 interface Ethernet0 overload
- n00b
- Posts: 12
- Joined: Tue 30 Jan 2007, 8:33 pm
Yes, true. [email protected] wrote: It browses because you have this in there:
ip nat inside source list 108 interface Ethernet0 overload

But the fact remains that I cannot reach the LAN from the VPN and vice versa, and not even from the router can I reach the PC connected over the VPN...
A few show outputs:
Homer# sho crypto isakmp sa
dst src state conn-id slot
x.x.x.x X.X.X.X QM_IDLE 1 0
Homer# sho crypto map
Crypto Map "clientmap" 10 ipsec-isakmp
Dynamic map template tag: dynmap
Crypto Map "clientmap" 65536 ipsec-isakmp
Peer = X.X.X.X
Extended IP access list
access-list permit ip any host 192.168.0.7
dynamic (created from dynamic map dynmap/10)
Current peer: X.X.X.X
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
vpn_home,
}
Reverse Route Injection Enabled
Interfaces using crypto map clientmap:
Ethernet0
OK, now ping LAN->VPN and VPN->LAN works
but now I cannot get FTP access to a server that is on the LAN...
- n00b
- Posts: 18
- Joined: Sat 24 Feb 2007, 12:48 pm
Do you mind posting an sh run as well?
- n00b
- Posts: 12
- Joined: Tue 30 Jan 2007, 8:33 pm
Here it is....
Building configuration...
Current configuration : 3804 bytes
!
! Last configuration change at 17:09:28 MET Thu Jul 26 2007 by X.X.X.X
! NVRAM config last updated at 17:15:03 MET Thu Jul 26 2007 by X.X.X.X
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Homer
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-21.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
memory-size iomem 25
clock timezone MET 1
clock summer-time MET recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login home_vpn local
aaa authorization network vpn_group local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
ip domain name open1
ip dhcp excluded-address 192.168.1.240 192.168.1.254
!
ip dhcp pool Open1
network 192.168.1.0 255.255.255.0
domain-name Open1
dns-server 213.140.2.43 213.140.2.49
default-router 192.168.1.254
!
ip cef
ip audit po max-events 100
!
!
username X.X.X.X password 0 X.X.X.X
username X.X.X.X password 0 X.X.X.X
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group home_vpn
key X.X.X.X
dns 1.253.128.10
domain local
pool vpn_pool
acl 108
!
!
crypto ipsec transform-set vpn_home esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpn_home
reverse-route
!
!
!
crypto map clientmap client authentication list home_vpn
crypto map clientmap isakmp authorization list vpn_group
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
description #### Collegamento FW ####
ip address X.X.X.X 255.255.255.0
ip nat outside
half-duplex
crypto map clientmap
!
interface FastEthernet0
description #### Collegamento Switch ####
ip address 192.168.1.254 255.255.255.0
ip nat inside
speed 100
full-duplex
!
router rip
passive-interface default
no passive-interface Ethernet0
no passive-interface FastEthernet0
network 192.168.1.0
no auto-summary
!
ip local pool vpn_pool 192.168.0.1 192.168.0.10 group vpn_group
ip nat inside source list 108 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.200 139 X.X.X.X 139 extendable
ip nat inside source static tcp 192.168.1.200 5900 X.X.X.X 8000 extendable
ip nat inside source static tcp 192.168.1.200 4663 X.X.X.X 4663 extendable
ip nat inside source static udp 192.168.1.200 4673 X.X.X.X 4673 extendable
ip nat inside source static tcp 192.168.1.200 21 X.X.X.X 21 extendable
ip nat inside source static tcp 192.168.1.100 3724 X.X.X.X 3724 extendable
ip nat inside source static tcp 192.168.1.100 6881 X.X.X.X 6881 extendable
ip nat inside source static tcp 192.168.1.100 6112 X.X.X.X 6112 extendable
ip nat inside source static tcp 192.168.1.106 3724 X.X.X.X 3724 extendable
ip nat inside source static tcp 192.168.1.106 6881 X.X.X.X 6881 extendable
ip nat inside source static tcp 192.168.1.106 6112 X.X.X.X 6112 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
!
tftp-server flash:c1700-k9o3sy7-mz.123-21.bin
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
sntp server X.X.X.X
sntp server X.X.X.X
sntp server X.X.X.X
end
Homer#
- n00b
- Posts: 18
- Joined: Sat 24 Feb 2007, 12:48 pm
Change it like this:
crypto isakmp client configuration group home_vpn
key X.X.X.X
dns 1.253.128.10
domain local
pool vpn_pool
acl SPLIT
ip access-list extended SPLIT
permit ip 192.168.1.0 0.0.0.255 any