
Cisco 857W VPN configuration

Posted: Mon 20 Aug 2007, 12:05 pm
by franco.a
Hi, I am trying to configure the VPN server on an 857W. When I connect with the Cisco client I have no problem establishing the connection, but when I try to ping or open other connections to the various servers on the internal network I don't receive a single byte.
Can you give me a suggestion on how to change the configuration?

Thanks

current configuration:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname xxxx
!
boot-start-marker
boot system flash:c850-advsecurityk9-mz.124-11.T2.bin
boot system flash
boot-end-marker
!
logging buffered 4096
enable secret 5 xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authentication login sdm_vpn_xauth_ml_9 local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
aaa authorization network sdm_vpn_group_ml_9 local
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.200 192.168.10.254
!
ip dhcp pool mypool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
domain-name xxxx.com
dns-server 192.168.10.11
lease infinite
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM vdolive
ip domain name xxxx.com
ip name-server 194.20.0.24
ip name-server 194.244.116.226
ip name-server 62.196.2.70
ip name-server 213.205.32.70
!
appfw policy-name SDM_MEDIUM
application http
port-misuse p2p action reset alarm
!
!
crypto pki trustpoint TP-self-signed-505814874
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-505814874
revocation-check none
rsakeypair TP-self-signed-505814874
!
!
crypto pki certificate chain TP-self-signed-505814874
certificate self-signed 01
quit
!
!
username root privilege 15 view root secret 5 xxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnuser
key xxxxxx
pool SDM_POOL_1
acl 100
max-users 3
crypto isakmp profile sdm-ike-profile-1
match identity group vpnuser
client authentication list sdm_vpn_xauth_ml_9
isakmp authorization list sdm_vpn_group_ml_9
client configuration address respond
virtual-template 1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA6
set isakmp-profile sdm-ike-profile-1
!
!
interface ATM0
no ip address
ip virtual-reassembly
load-interval 30
atm ilmi-keepalive
atm ilmi-pvc-discovery
dsl operating-mode itu-dmt
!
interface ATM0.3 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
load-interval 30
no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
!
interface Vlan1
ip address 192.168.10.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxx password 0 xxxxxxxxxxxxx
!
ip local pool SDM_POOL_1 192.168.10.90 192.168.10.99
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 remark SDM_ACL Category=18
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 170 remark SDM_ACL Category=17
access-list 170 permit ip 192.168.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_2 permit 1
match ip address 110
!
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 170 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

Posted: Mon 20 Aug 2007, 2:26 pm
by Wizard
The nat0 configuration is missing

nat-t on IOS 12.4

Posted: Mon 20 Aug 2007, 3:49 pm
by franco.a
I thought it was enabled by default on 12.4. I tried anyway to see whether I could enter

crypto isakmp nat-traversal 20

but it is not a valid command.
Is that what you meant with your suggestion??

Thanks

Posted: Mon 20 Aug 2007, 4:02 pm
by Wizard
Not nat traversal but nat0

nat0

Posted: Tue 21 Aug 2007, 9:35 am
by franco.a
Thank you for the clarification, although, given my limited knowledge of these devices, I still haven't managed to put it to use.

If I have understood correctly, you are suggesting a NAT exemption rule such as
nat (inside) 0 access-list ...
which I use on other devices like the ASA, but which the 857W does not recognise.

Can you be more explicit?

thanks

Posted: Tue 21 Aug 2007, 9:54 am
by Wizard

Code:

clear ip nat translation forced
! Remove the two SDM-generated NAT statements (list 2 "permit any" and the route-map),
! which translate every packet leaving Dialer1, including traffic bound for VPN clients
no ip nat inside source list 2 interface Dialer1 overload
no ip nat inside source route-map SDM_RMAP_2 interface Dialer1 overload
! Replace them with a single NAT statement driven by extended ACL 101
ip nat inside source list 101 interface Dialer1 overload

no access-list 2 remark SDM_ACL Category=2
no access-list 110
no route-map SDM_RMAP_2 permit 1

! 101 is an extended ACL, so each entry needs a protocol keyword ("ip").
! The deny entry exempts LAN -> VPN pool traffic (the pool lives in the same
! 192.168.10.0/24) from NAT; the permit entry keeps PAT for LAN -> Internet traffic.
access-list 101 remark *** ACL X NAT ***
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

! Host routes for the addresses of SDM_POOL_1 (192.168.10.90-99), so replies to a
! VPN client are routed instead of ARPed for on Vlan1
ip route 192.168.10.90 255.255.255.255 Dialer1
ip route 192.168.10.91 255.255.255.255 Dialer1
ip route 192.168.10.92 255.255.255.255 Dialer1
ip route 192.168.10.93 255.255.255.255 Dialer1
ip route 192.168.10.94 255.255.255.255 Dialer1
ip route 192.168.10.95 255.255.255.255 Dialer1
ip route 192.168.10.96 255.255.255.255 Dialer1
ip route 192.168.10.97 255.255.255.255 Dialer1
ip route 192.168.10.98 255.255.255.255 Dialer1
ip route 192.168.10.99 255.255.255.255 Dialer1
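To see why the ACL change in Wizard's reply matters, here is an added example (not part of the thread, and not Cisco code) that models IOS wildcard-mask ACL matching and applies the original NAT ACL 110 and the replacement ACL 101 to two constructed flows: a LAN host to the Internet and the same host to a VPN client holding a SDM_POOL_1 address. The flow addresses are constructed sample values; only the NAT ACL decision is modelled, not routing or IPsec.

```python
import ipaddress

# Constructed model of IOS ACL matching with wildcard masks:
# a wildcard bit of 1 means "don't care", 0 means the bit must match.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr is covered by network/wildcard (IOS semantics)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & mask) == (n & mask)

# "any" in IOS is 0.0.0.0 with an all-ones wildcard
ANY = ("0.0.0.0", "255.255.255.255")

# ACL entries: (action, src_net, src_wc, dst_net, dst_wc), evaluated first-match.
# Original post: route-map SDM_RMAP_2 -> ACL 110 (192.168.10.0/24 -> any).
# It matches VPN-bound traffic too, so that traffic is NATed on Dialer1.
ACL_110 = [("permit", "192.168.10.0", "0.0.0.255", *ANY)]

# Wizard's ACL 101: exempt LAN -> VPN pool (same /24) from NAT, keep PAT for the rest.
ACL_101 = [
    ("deny",   "192.168.10.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", *ANY),
]

def nat_applies(acl, src: str, dst: str) -> bool:
    """First matching entry decides; the implicit deny at the end means 'no NAT'."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

# Constructed sample flows: internal DNS server -> Internet, and -> a VPN client
# that received 192.168.10.90 from SDM_POOL_1.
FLOWS = {
    "lan_to_internet":   ("192.168.10.11", "194.20.0.24"),
    "lan_to_vpn_client": ("192.168.10.11", "192.168.10.90"),
}

def compare(acl_old=ACL_110, acl_new=ACL_101) -> dict:
    """Map each flow to (NATed under old ACL, NATed under new ACL)."""
    return {name: (nat_applies(acl_old, s, d), nat_applies(acl_new, s, d))
            for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:20s} old={old} new={new}")
```

The VPN-bound flow is translated under the original configuration and exempted under ACL 101, while Internet-bound traffic is translated in both cases.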