Wizard wrote: The 2 subnets must be different!
I have redone the subnets.
Forgive me... how do I
NOT NAT the traffic over the VPN?
Let me explain. When I bring up the VPN it works (and I'm happy about that), but no PC on the LAN can browse any more. The whole LAN is NATted with address 212.97.x.x,
so how do I keep the NAT towards the outside working correctly? (if I understood correctly, I have to add the ACL for the de-NAT... but how?)
SDM told me that there is already a NAT rule and that, to make it all coexist with the VPN, the route-map had to be configured. I answered "YES" to configuring the route-map. The nat0 does not seem to be the problem.
The config is below:
Building configuration...
Current configuration : 12495 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco877pv
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$kgMi$kFwvF4KjXSEBMZfh5m0yP.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name ********
ip name-server 212.97.32.2
ip name-server 212.97.32.7
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
!
appfw policy-name DEFAULT100
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application im msn
service default action reset
service text-chat action reset
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail off
application http
port-misuse im action reset alarm
port-misuse p2p action reset alarm
application im yahoo
service default action reset
service text-chat action reset
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name messenger.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail off
!
!
crypto pki trustpoint TP-self-signed-1180440029
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1180440029
revocation-check none
rsakeypair TP-self-signed-1180440029
!
!
crypto pki certificate chain TP-self-signed-1180440029
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313830 34343030 3239301E 170D3032 30333031 30303035
33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383034
34303032 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DA87 85F791EC 89CB2ED9 CB06F14A A4BA7429 591FA62C 932D35F8 E0435563
B6CFEC6F 8BE306AF 53F2CCBB 9D62DC65 87881230 A2745A2C 24DF9DCE 74881F6D
7DDE0924 D2D4CF0A 6760E35F 0756AB34 80BE6DD0 2FEC5EE0 307BBDE4 FD3BFFD9
522CD60E FA7E3B8D 1654715C 6AA68705 135E7053 4AB170C6 B1D3B507 710B851B
7DE30203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15636973 636F3837 3770762E 696E666F 72656C2E 6974301F
0603551D 23041830 16801486 FDDFAB1C CB068AB2 90E3AFF0 4712A52B BC108630
1D060355 1D0E0416 041486FD DFAB1CCB 068AB290 E3AFF047 12A52BBC 1086300D
06092A86 4886F70D 01010405 00038181 00CBF2A6 D3DB80CA 229832F2 E73C1CCF
B2F6787A 56F54D88 40246E32 E6D96F3B 6A95624A 40CF5C77 529282B0 E9779E77
4E99D547 70D3F068 ED892AA1 DF1B8609 EF4D59D0 3DA1B138 1060F578 14CDC31B
606E9FE3 EEBF166B 22C4DDC5 42827FCF F2987E4D 19A6E760 9DD79EC8 ADA92440
EF9CC2D1 B5374604 FBD38F46 77F31E1D 2C
quit
username r877pv privilege 15 secret 5 $1$Fi6j$MYYmGwea6N43kUBk8BxPi/
username amministratore privilege 15 secret 5 $1$os.X$YN5mnCyOGwYHn.lZ9KtIU0
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_DEFAULT100
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key testtest address 212.97.42.42
crypto isakmp key testtest address 21.97.42.42
!
crypto isakmp client configuration group ********-remoti
key z@pp1n0
dns 212.97.32.2 212.97.32.7
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group ********-remoti
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ********-Transform-Set esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ********-Transform-Set
set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to212.97.42.42
set peer 212.97.42.42
set transform-set ESP-3DES-SHA2
match address 105
!
!
!
!
interface Loopback0
ip address 192.168.2.253 255.255.255.0
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip address 77.93.228.62 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
protocol ip 77.93.228.61 broadcast
encapsulation aal5snap
service-policy input sdmappfwp2p_DEFAULT100
service-policy output sdmappfwp2p_DEFAULT100
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.2.100 192.168.2.110
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 1000
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Pool1 212.97.43.174 212.97.43.174 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool Pool1
ip nat inside source static 192.168.1.59 212.97.43.169
ip nat inside source static 192.168.1.159 212.97.43.170
ip nat inside source static 192.168.1.99 212.97.43.171
ip nat inside source static 192.168.1.199 212.97.43.172
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any host 192.168.1.254 eq non500-isakmp
access-list 100 permit udp any host 192.168.1.254 eq isakmp
access-list 100 permit esp any host 192.168.1.254
access-list 100 permit ahp any host 192.168.1.254
access-list 100 deny ip 77.93.228.60 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 212.97.42.42 host 77.93.228.62 eq non500-isakmp
access-list 101 permit udp host 212.97.42.42 host 77.93.228.62 eq isakmp
access-list 101 permit esp host 212.97.42.42 host 77.93.228.62
access-list 101 permit ahp host 212.97.42.42 host 77.93.228.62
access-list 101 permit udp any host 77.93.228.62 eq non500-isakmp
access-list 101 permit udp any host 77.93.228.62 eq isakmp
access-list 101 permit esp any host 77.93.228.62
access-list 101 permit ahp any host 77.93.228.62
access-list 101 permit tcp any host 212.97.43.171 eq 443
access-list 101 permit tcp any host 212.97.43.171 eq ftp
access-list 101 permit tcp any host 212.97.43.171 eq ftp-data
access-list 101 permit tcp any host 212.97.43.170 eq pop3
access-list 101 permit tcp any host 212.97.43.170 eq smtp
access-list 101 permit tcp any host 212.97.43.169 eq www
access-list 101 permit tcp any host 212.97.43.172 eq pop3
access-list 101 permit tcp any host 212.97.43.172 eq smtp
access-list 101 permit tcp any host 212.97.43.171 eq www
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 77.93.228.62 echo-reply
access-list 101 permit icmp any host 77.93.228.62 time-exceeded
access-list 101 permit icmp any host 77.93.228.62 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 101 remark IPSec Rule
access-list 101 remark IPSec Rule
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
snmp-server community public RO
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
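The NAT-exemption pattern the question is about, shown as an added example (an editor's illustration, not the original poster's config and not Cisco SDM output). The address ranges, interface and object names (192.168.1.0/24 LAN, 192.168.2.0/24 VPN subnet, Pool1 = 212.97.43.174, ACLs 103/105, route-map SDM_RMAP_1) are taken from the posted config; the `overload` keyword and the route-map-conditioned static entry are assumptions about the intended behaviour, namely that the whole LAN shares one public address (PAT) and that hosts with static mappings should also reach the VPN subnet untranslated. Without `overload`, `ip nat inside source ... pool` performs one-to-one dynamic NAT, and a pool holding a single address can carry only one inside host's translation at a time.

```cisco
! Traffic selector for the IPsec tunnel: LAN <-> remote VPN subnet
! (same selector as ACL 105 in the posted config)
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! NAT-exempt ACL referenced by the route-map. The deny MUST come first:
! traffic that will be encrypted has to leave NAT with its private
! source, otherwise it no longer matches ACL 105 and goes out in clear
! (or is dropped by the outbound firewall). A "permit ... any" placed
! before the deny would match the VPN traffic too.
access-list 103 remark NAT exemption for VPN traffic
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any

! Route-map that the dynamic NAT statement points at
route-map SDM_RMAP_1 permit 1
 match ip address 103

! Single public address used for the whole LAN
ip nat pool Pool1 212.97.43.174 212.97.43.174 netmask 255.255.255.0

! WEAK: without "overload" this is one-to-one dynamic NAT. With a
! one-address pool the first inside host takes the only global address
! and every later host finds the pool exhausted (its packets are dropped).
!   ip nat inside source route-map SDM_RMAP_1 pool Pool1
!
! CORRECTED (assumption: the LAN is meant to share one address, i.e. PAT):
ip nat inside source route-map SDM_RMAP_1 pool Pool1 overload

! Static one-to-one mappings are not governed by the route-map: a plain
! static entry translates the host's traffic towards the VPN peer as
! well, so it would no longer match ACL 105. Conditioning the static
! entry on the same route-map (assumed to be wanted here) exempts it too.
ip nat inside source static 192.168.1.59 212.97.43.169 route-map SDM_RMAP_1
```

Checks after applying: `show ip nat translations` should list one entry per LAN flow, all with the same inside global address, and none for destinations in 192.168.2.0/24; `show ip nat statistics` should show the dynamic mapping bound to SDM_RMAP_1 and a "misses" counter that stops growing; `show crypto ipsec sa` for the peer should show both the encaps and decaps counters increasing while a host on 192.168.1.0/24 talks to 192.168.2.0/24. One caveat for anyone pasting a running config into a public forum: `service password-encryption` does not touch ISAKMP pre-shared keys, which is why `crypto isakmp key ...` and the client group `key ...` appear in clear in the posted config; redact those lines (and the SNMP community string) before sharing, and rotate them if they have already been exposed.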