VPN su Cisco 877
Inviato: mar 13 mag 2008, 2:33 pm
Ciao a tutti,
chiedo il vostro aiuto per il seguente problema:
ho configurato un 877 come terminatore di VPN, un po' copiando dalle varie configurazioni postate ed un po' utilizzando SDM. Utilizzo il VPN Client versione 5.
Purtroppo riesco solo a collegarmi e a far pingare router e client VPN tra loro; il resto della rete LAN è irraggiungibile.
Potreste darmi una mano? Grazie
Building configuration...
Current configuration : 6696 bytes
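!
! Last configuration change at 15:17:00 MEDT Tue May 13 2008 by Admin
! NVRAM config last updated at 14:57:52 MEDT Tue May 13 2008 by Admin
!
! Review: Cisco 877 acting as an IPsec remote-access server (ISAKMP client group +
! Virtual-Template VTI) for Cisco VPN Client 5, with XAUTH against the local user
! database. Lines changed versus the posted config are marked "! FIX:"; the crypto
! parameters themselves are left as posted. Placeholders (xxx, IP_VPN, IP_ROUTER,
! IP_PTP) are redactions in the original post.
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname routercisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxx
!
aaa new-model
!
! NOTE: the XAUTH list (sdm_vpn_xauth_ml_1) and the default login list both use the
! same local database, so every VPN user defined below can also authenticate on the
! vty lines. Keep VPN-only users at privilege 1 and do not raise the line level.
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
! Self-signed certificate used by the HTTPS (SDM) server only; the VPN uses a
! pre-shared group key, not this trustpoint.
crypto pki trustpoint TP-self-signed-3980331111
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3980331111
 revocation-check none
 rsakeypair TP-self-signed-3980331111
!
crypto pki certificate chain TP-self-signed-3980331111
 certificate self-signed 01
  xxx
  quit
no ip source-route
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name xxx.local
ip name-server 213.140.2.49
!
! Admin is the only privilege-15 account; User01 is a VPN (XAUTH) user and stays
! at the default privilege 1.
username Admin privilege 15 secret 5 xxx
username User01 secret 5 xxx
!
! IKE phase 1: 3DES / pre-shared key / DH group 2 (hash not set, so the IOS default
! SHA-1 applies). This is what VPN Client 5 negotiates out of the box; AES and a
! stronger DH group are preferable where the client build supports them — verify
! with the client before changing, so it is not altered here.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! The group key is a single secret shared by every client; rotate it whenever a
! client machine is lost or a user leaves.
! FIX: the client address pool and the split-tunnel ACL now use a dedicated subnet
! (10.0.1.0/24) instead of addresses carved out of the LAN subnet 10.0.0.0/24.
! With the pool inside the LAN subnet, LAN hosts ARP for the client address
! directly and, because Vlan1 has "no ip proxy-arp", never get an answer — which
! matches the reported symptom (router reachable from the client, rest of the LAN
! not). If the pool must stay inside 10.0.0.0/24, the alternative is to enable
! "ip proxy-arp" on Vlan1.
crypto isakmp client configuration group RemoteUsers
 key xxx
 pool SDM_POOL_1
 acl split-tunnel
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group RemoteUsers
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
! FIX: SSHv2 only (SSHv1 has known protocol weaknesses). This needs an RSA key of
! at least 768 bits on the box; check "show ip ssh" before applying.
ip ssh version 2
!
! Loopback0 is the address the VTI borrows (ip unnumbered) so tunnel addressing
! does not depend on the WAN address.
interface Loopback0
 ip address IP_VPN 255.255.255.255
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! NOTE: there is no inbound ACL and no "ip inspect" on the WAN sub-interface, so the
! router's own services (IKE, SSH, HTTPS) are reachable from the Internet; the
! access-class applied to the HTTP server and vty lines below is what restricts
! management. A stateful firewall (SDM firewall wizard / CBAC) is recommended but is
! a larger change than this post covers, because the inbound ACL must also let NAT
! return traffic through.
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address IP_ROUTER 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 pvc 8/35
  protocol ip IP_PTP broadcast
  oam-pvc manage
  encapsulation aal5snap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! One Virtual-Access interface is cloned from this template per connected client;
! it is not "ip nat inside", so VPN traffic is never translated.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
! FIX: dedicated VPN client subnet (see the RemoteUsers group above). LAN hosts reach
! these addresses through their default gateway, presumably this router — confirm.
ip local pool SDM_POOL_1 10.0.1.10 10.0.1.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
! FIX: removed "ip route 10.0.0.51 255.255.255.255 ATM0.1". That host route pointed a
! VPN-pool address at the clear-text WAN interface instead of the tunnel; IOS installs
! the per-client host route via the Virtual-Access interface itself when the client
! connects, so no static route is needed.
!
! FIX: plain-text HTTP disabled, management only over HTTPS. ACL 23 was referenced
! here but never defined in the posted config (on IOS a referenced-but-undefined
! ACL does not block anything); it is defined below.
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list nat0 interface ATM0.1 overload
!
! NAT: LAN-to-LAN and LAN-to-VPN-client traffic is excluded from translation;
! everything else from the LAN is PAT'ed behind the WAN address.
ip access-list extended nat0
 remark SDM_ACL Category=3
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
! Split tunnel: only the LAN 10.0.0.0/24 is pushed to the client as a protected
! network; the client's remaining traffic uses its own Internet connection.
ip access-list extended split-tunnel
 remark SDM_ACL Category=4
 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
! FIX: management ACL shared by "ip http access-class 23" and the vty access-class:
! LAN plus the VPN client pool; the implicit deny drops everything else (Internet).
access-list 23 remark MANAGEMENT: LAN and VPN clients only
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
BANNER
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
! FIX: nothing may open a session on the AUX port.
line aux 0
 transport input none
 transport output telnet
! FIX: SSH only (no clear-text telnet), restricted to ACL 23, and no blanket
! "privilege level 15": the level now comes from the username entry via
! "aaa authorization exec default local", so Admin still lands at 15 while a
! VPN-only account that logs in lands at 1.
line vty 0 4
 access-class 23 in
 transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
! SNTP is unauthenticated; acceptable for timestamps, not for certificate validation.
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end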
chiedo il vostro aiuto per il seguente problema:
ho configurato un 877 come terminatore di VPN, un po' copiando dalle varie configurazioni postate ed un po' utilizzando SDM. Utilizzo il VPN Client versione 5.
Purtroppo riesco solo a collegarmi e a far pingare router e client VPN tra loro; il resto della rete LAN è irraggiungibile.
Potreste darmi una mano? Grazie
Building configuration...
Current configuration : 6696 bytes
!
! Last configuration change at 15:17:00 MEDT Tue May 13 2008 by Admin
! NVRAM config last updated at 14:57:52 MEDT Tue May 13 2008 by Admin
!
! Review notes (posted config, unchanged): Cisco 877 as an IPsec remote-access server
! (ISAKMP client group + Virtual-Template VTI) for Cisco VPN Client 5, XAUTH against
! the local user database. Placeholders (xxx, IP_VPN, IP_ROUTER, IP_PTP) are
! redactions in the original post.
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname routercisco
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxx
!
aaa new-model
!
! NOTE(review): the XAUTH list and the default login list both use the same local
! database, so any VPN user defined below can also log in on the vty lines.
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
! Self-signed certificate for the HTTPS (SDM) server only; the VPN uses a
! pre-shared group key.
crypto pki trustpoint TP-self-signed-3980331111
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3980331111
revocation-check none
rsakeypair TP-self-signed-3980331111
!
!
crypto pki certificate chain TP-self-signed-3980331111
certificate self-signed 01
xxx
quit
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name xxx.local
ip name-server 213.140.2.49
!
!
!
! Admin is the only privilege-15 account; User01 (VPN user) has the default level 1.
username Admin privilege 15 secret 5 xxx
username User01 secret 5 xxx
!
!
! IKE phase 1: 3DES / pre-shared key / DH group 2; no hash is set, so the IOS
! default (SHA-1) applies. Weak by today's standards but what VPN Client 5
! negotiates by default — verify client support before moving to AES.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! NOTE(review): the pool (10.0.0.49-54, see "ip local pool" below) lies inside the
! LAN subnet 10.0.0.0/24 while Vlan1 has "no ip proxy-arp", so LAN hosts that ARP
! for a client address get no reply. This is the likely cause of the reported
! symptom (router reachable, LAN not): either move the pool to its own subnet or
! enable "ip proxy-arp" on Vlan1. The group key is shared by every client.
crypto isakmp client configuration group RemoteUsers
key xxx
pool SDM_POOL_1
acl split-tunnel
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group RemoteUsers
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
! NOTE(review): no "ip ssh version 2", so SSHv1 is still negotiable.
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
! Loopback0 is the address the VTI borrows (ip unnumbered).
interface Loopback0
ip address IP_VPN 255.255.255.255
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
! NOTE(review): no inbound ACL and no "ip inspect" on the WAN sub-interface; the
! router's IKE, SSH, telnet and HTTP(S) services are reachable from the Internet and
! nothing below restricts the vty lines.
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address IP_ROUTER 255.255.255.252
ip nat outside
ip virtual-reassembly
pvc 8/35
protocol ip IP_PTP broadcast
oam-pvc manage
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! One Virtual-Access interface is cloned from this template per client; it is not
! "ip nat inside", so VPN traffic is not translated.
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.0.0.49 10.0.0.54
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
! NOTE(review): this host route sends traffic for a VPN-pool address out of the
! clear-text WAN interface instead of into the tunnel; IOS installs the per-client
! route via the Virtual-Access interface itself, so this line should be removed.
ip route 10.0.0.51 255.255.255.255 ATM0.1
!
! NOTE(review): plain-text HTTP is enabled next to HTTPS, and ACL 23 is referenced
! here but not defined anywhere in this config (a referenced-but-undefined ACL does
! not block anything on IOS).
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list nat0 interface ATM0.1 overload
!
! NAT: LAN-to-LAN traffic is excluded; everything else from the LAN is PAT'ed.
ip access-list extended nat0
remark SDM_ACL Category=3
deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
! Split tunnel: only 10.0.0.0/24 is pushed to the client as a protected network.
ip access-list extended split-tunnel
remark SDM_ACL Category=4
permit ip 10.0.0.0 0.0.0.255 10.0.0.48 0.0.0.7
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
BANNER
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
! NOTE(review): no "transport input none" on the AUX port.
line aux 0
transport output telnet
! NOTE(review): clear-text telnet is accepted, there is no "access-class", and
! "privilege level 15" hands enable mode to any local user that logs in, including
! the VPN-only account User01.
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
! SNTP is unauthenticated.
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
end