VPN Cisco1801 - ASA 5505

Virtual private networks and related topics

Moderator: Federico.Lagni

f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

Hi everyone,
I have a problem with a VPN between an 1801 and an ASA 5505: the tunnel seems to come up, but no traffic passes. I tried lowering the MTU on the two VPN interfaces but nothing changes... I can't reach the remote network...
Any ideas?
Thanks a lot
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Unfortunately I still don't have the crystal ball...
If you show us the configs, maybe...
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those gifted with a THIRD EYE....
f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

Sorry, I forgot to attach the files.. my apologies ;)

Cisco 1801 (hub site)

Code:

Building configuration...

Current configuration : 16793 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
logging console critical
enable secret 5 $1$hLu2$Hfhr.bI9eS2JKe1OjKMiR0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.169
ip dhcp excluded-address 192.168.0.181 192.168.0.254
ip dhcp excluded-address 100.100.100.1 100.100.100.169
ip dhcp excluded-address 100.100.100.181 100.100.100.254
!
ip dhcp pool lan192
   import all
   network 192.168.0.0 255.255.255.0
   domain-name matrix
   dns-server 208.67.222.222 208.68.220.200 
   default-router 192.168.0.254 
!
ip dhcp pool lan100
   import all
   network 100.100.100.0 255.255.255.0
   domain-name matrix
   dns-server 208.67.222.222 208.68.220.200 
   default-router 100.100.100.254 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name matrix
ip name-server 212.216.112.222
ip name-server 212.216.112.112
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip inspect name sdm_ins_in_100 appfw sdm_ins_in_100
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 icmp
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail on
  application http
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail on
!
appfw policy-name sdm_ins_in_100
  application im aol
    service default action reset 
    service text-chat action reset 
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail off
  application im msn
    service default action reset 
    service text-chat action reset 
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail off
  application http
    port-misuse im action reset alarm
  application im yahoo
    service default action reset 
    service text-chat action reset 
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
    audit-trail off
!
!
crypto pki trustpoint TP-self-signed-43613823
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-43613823
 revocation-check none
 rsakeypair TP-self-signed-43613823
!
!
crypto pki certificate chain TP-self-signed-43613823
 certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34333631 33383233 301E170D 30383031 32303133 33353230 
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53 
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343336 31333832 
  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100E3F8 
  6305615B 1BB33D35 40E05FD6 94884678 1EEB52D1 2E584528 DE65B921 164F4116 
  E08C0651 DE008C28 B1865D22 249B81A0 0B4579B2 65F1BC6D 89D718B8 CDE18CC9 
  59B407B0 4EFEB3F7 33052339 E7652855 78621431 33025BA4 96D663FF 566853F0 
  7B974E8E 0B2003CD 446001E7 EF8946AC 317BD2A4 0532DE37 DCD61B5E C4470203 
  010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603 551D1104 
  12301082 0E636973 636F3031 2E6D6174 72697830 1F060355 1D230418 30168014 
  8C599E22 71257E74 3F30BDCB 2B5749FD 255BE7F0 301D0603 551D0E04 1604148C 
  599E2271 257E743F 30BDCB2B 5749FD25 5BE7F030 0D06092A 864886F7 0D010104 
  05000381 8100C73B 55A1832C 6B6A565A 081C9E42 EBBB57DD DA0AD526 FFB417A3 
  6ACA2A2F 023A4D59 14BFEC57 B37732FE 4A9A933C 72056342 7580C4DC F32733D5 
  E4E00AC9 5DD71715 A8B113D6 04091AE4 FEC99431 2D7903A3 C9C649AE 74A98B1A 
  F63C8560 0651BE56 9726F219 CDC659AD 6AE4865C 08DA5802 E4C94920 DD2611F0 
  347792A1 44EB
  quit
username admin privilege 15 secret 5 $1$opAA$pzEHnJDP6UdKJfFXflKpN.
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_sdm_ins_in_101
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_bittorrent
   drop
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_kazaa
   drop
policy-map sdmappfwp2p_SDM_HIGH
 class sdm_p2p_gnutella
   drop
 class sdm_p2p_bittorrent
   drop
 class sdm_p2p_edonkey
   drop
 class sdm_p2p_kazaa
   drop
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key KEY address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1 
 match address 108
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
 switchport access vlan 2
!
interface FastEthernet6
 switchport access vlan 2
!
interface FastEthernet7
 switchport access vlan 2
!
interface FastEthernet8
 switchport access vlan 2
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 8/35 
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect SDM_HIGH in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
interface Vlan2
 description $FW_INSIDE$
 ip address 100.100.100.254 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip inspect dmzinspect out
 ip virtual-reassembly
 service-policy input sdmappfwp2p_sdm_ins_in_101
 service-policy output sdmappfwp2p_sdm_ins_in_101
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 105 in
 ip nat outside
 ip inspect SDM_HIGH out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 0611083144181D
 ppp pap sent-username USER password PASS
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_SDM_HIGH
 service-policy output sdmappfwp2p_SDM_HIGH
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.254 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.40 9999 interface Dialer0 9999
ip nat inside source static udp 192.168.0.40 47156 interface Dialer0 47156
ip nat inside source static tcp 192.168.0.40 33437 interface Dialer0 33437
ip nat inside source static tcp 192.168.0.50 8081 interface Dialer0 8081
ip nat inside source static tcp 192.168.0.200 20 interface Dialer0 20
ip nat inside source static tcp 192.168.0.200 21 interface Dialer0 21
!
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_vlan2_in
 remark SDM_ACL Category=1
 remark l
 permit ip any any
!
logging trap warnings
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 100.100.100.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 100.100.100.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark emule udp
access-list 102 permit udp any any eq 47156
access-list 102 remark emule tcp
access-list 102 permit tcp any any eq 33437
access-list 102 permit tcp any any eq 9999
access-list 102 permit udp host 208.67.220.200 eq domain any
access-list 102 permit udp host 208.67.222.222 eq domain any
access-list 102 permit udp host 212.216.112.222 eq domain any
access-list 102 permit udp host 212.216.112.112 eq domain any
access-list 102 deny   ip 100.100.100.0 0.0.0.255 any
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit tcp any host 100.100.100.1 eq ftp
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any any eq 9999
access-list 103 permit udp any any eq 47156
access-list 103 permit tcp any any eq 33437
access-list 103 permit udp host 212.216.112.222 eq domain any
access-list 103 permit udp host 212.216.112.112 eq domain any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit udp any any eq isakmp
access-list 105 permit esp any any
access-list 105 permit ahp any any
access-list 105 remark ping
access-list 105 permit icmp any any
access-list 105 remark sdm esterno udp
access-list 105 permit udp any any eq 443 log
access-list 105 remark sdm esterno tcp
access-list 105 permit tcp any any eq 443 log
access-list 105 permit tcp any any eq 8081
access-list 105 permit tcp any any eq ftp
access-list 105 permit tcp any any eq 9999
access-list 105 permit udp any any eq 47156
access-list 105 permit tcp any any eq 33437
access-list 105 permit udp host 212.216.112.222 eq domain any
access-list 105 permit udp host 212.216.112.112 eq domain any
access-list 105 deny   ip 100.100.100.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 remark SDM_ACL Category=2
access-list 107 remark IPSec Rule
access-list 107 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 permit ip 100.100.100.0 0.0.0.255 any
access-list 107 permit ip 192.168.0.0 0.0.0.255 any
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 107
!
!
!
!
control-plane
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn install csd flash:/webvpn/sdesktop.pkg
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

ASA 5505 (remote site):

Code:

: Saved
:
ASA Version 7.2(3) 
!
hostname CiscoASA-01
domain-name default.domain.invalid
enable password OfNv9dpMpO8hZAcR encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.32.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd OfNv9dpMpO8hZAcR encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1380
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec df-bit clear-df outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 82.50.230.30 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 195.137.128.1 195.137.128.33 interface inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
username admin password zVHP/SBaFbZa6/fw encrypted privilege 15
tunnel-group 82.50.230.30 type ipsec-l2l
tunnel-group 82.50.230.30 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:d9f606c8532a87c60aac92813f4f1544
: end

Thanks a lot
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Do this for now...
From a PC behind the router or firewall, ping a remote machine, then on both devices run a nice

sh cry isa sa

so we can see whether phase 1 is up
f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

Phase 1 OK:
Here they are:

ASA:

Code:

CiscoASA-01# sh cry isa sa                

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 82.50.230.30
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 
Cisco 1801:

Code:

cisco01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
82.50.230.30    81.208.31.209   QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

OK, phase 1 is up!
The ping failed, right...
At this point I think you need to redo what you just did, but first enable the IPsec debug, on one device at a time
f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

A bit more data:
ASA:

Code:

CiscoASA-01# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 1.227.23.53

      access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 82.50.230.30

      #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 344, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.227.23.53, remote crypto endpt.: 82.50.230.30

      path mtu 1380, ipsec overhead 58, media mtu 1500
      current outbound spi: E6728E75

    inbound esp sas:
      spi: 0x87CA43B0 (2278179760)
         transform: esp-3des esp-sha-hmac none 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 20, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/2209)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xE6728E75 (3866267253)
         transform: esp-3des esp-sha-hmac none 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 20, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274971/2209)
         IV size: 8 bytes
         replay detection support: Y


1801:

Code:

cisco01#show crypto ipsec sa 

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 82.50.230.30

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 81.208.31.209 port 12915
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 82.50.230.30, remote crypto endpt.: 81.208.31.209
     path mtu 1400, ip mtu 1400
     current outbound spi: 0x87CA43B0(2278179760)

     inbound esp sas:
      spi: 0xE6728E75(3866267253)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4515241/2299)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x87CA43B0(2278179760)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4515241/2265)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


ideas :S ?
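As an added example that is not part of the thread, here is a small Python script that reads the `#pkts` counters from the two `show crypto ipsec sa` outputs above and reports which direction of the tunnel is not carrying traffic. The counter lines are constructed from the thread's output; the diagnosis strings are this example's own rules of thumb, not Cisco documentation.

```python
import re

# Counter lines as printed by IOS and ASA `show crypto ipsec sa`; IOS writes
# "#send errors 0" while the ASA writes "#send errors: 0", so the colon is optional.
PKTS_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")
ERRS_RE = re.compile(r"#(send|recv) errors:? (\d+)")

# Constructed from the counters the two peers reported in the thread.
ASA_SA = """\
      #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
IOS_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""


def parse_counters(text):
    """Return a dict such as {'encaps': 344, 'decaps': 0, 'recv_errors': 0, ...}."""
    counters = {name: int(value) for name, value in PKTS_RE.findall(text)}
    counters.update({f"{name}_errors": int(value) for name, value in ERRS_RE.findall(text)})
    return counters


def diagnose_direction(sender, s, receiver, r):
    """Check one direction: what `sender` encapsulates, `receiver` must decapsulate."""
    if s["encaps"] == 0:
        return (f"{sender} encrypted nothing: no traffic matched its crypto ACL "
                f"(check crypto ACL, NAT exemption and routing on {sender})")
    if r["decaps"] == 0 and r["recv_errors"] == 0:
        return (f"{sender} sent {s['encaps']} ESP packets but {receiver} decapsulated none "
                f"and counted no receive errors: ESP is most likely not reaching {receiver} "
                f"(check the path and any NAT device between the peers)")
    if r["decaps"] == 0:
        return (f"{receiver} receives ESP from {sender} but cannot decapsulate it: "
                f"check SPI, transform set and authentication")
    return None


def check_tunnel(name_a, output_a, name_b, output_b):
    """Return the findings for both directions of the tunnel (empty list when healthy)."""
    a, b = parse_counters(output_a), parse_counters(output_b)
    findings = [diagnose_direction(name_a, a, name_b, b),
                diagnose_direction(name_b, b, name_a, a)]
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in check_tunnel("ASA", ASA_SA, "1801", IOS_SA):
        print("-", finding)
```

Run against the thread's counters it reports two findings: the ASA encapsulates packets that the 1801 never decapsulates, and the 1801 never encapsulates anything at all, which is why the two checks that follow (NAT exemption and crypto ACL on each side) are the next step.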
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

From these logs it looks like it's working...

But are you only trying a ping, or also, for example, a terminal server connection...?
f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

Wizard wrote: From these logs it looks like it's working...
exactly.. it looks like it :P
Wizard wrote: But are you only trying a ping, or also, for example, a terminal server connection...?
I'm also trying an FTP connection but it doesn't work ..


:cry: :cry:
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Check on both:

- nat and nat 0
- crypto ACL

Everything else must be fine, otherwise phase 1 wouldn't come up...
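The two checks Wizard asks for can be automated. The Python below is an added example, not from the thread: it parses the single-line `permit/deny ip SRC DST` forms used in this thread's ACLs (IOS wildcard bits or ASA netmasks; other ACL syntax is not handled), confirms that the two crypto ACLs are mirror images of each other, and applies first-match semantics to the NAT ACL on each side to confirm that VPN traffic is exempted from NAT (a `deny` in the IOS route-map ACL, a `permit` in the ASA `nat 0` ACL). The sample ACLs are taken from the configs posted above; the out-of-order NAT ACL is constructed to show the failing case.

```python
import ipaddress
import re

RULE_RE = re.compile(r"\b(permit|deny)\s+ip\s+(.*)")


def _endpoint(tokens, i, wildcard):
    """Parse one ACL endpoint ('any', 'host A' or 'A MASK') starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:  # IOS wildcard bits: invert them to get the netmask
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_acl(text, wildcard):
    """Return [(action, src_net, dst_net)] for each 'permit|deny ip SRC DST' line.
    wildcard=True for IOS numbered ACLs, False for ASA ACLs (which use netmasks)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # remarks, standard ACL lines and output headers are skipped
        tokens = m.group(2).split()
        src, i = _endpoint(tokens, 0, wildcard)
        dst, _ = _endpoint(tokens, i, wildcard)
        rules.append((m.group(1), src, dst))
    return rules


def crypto_acls_mirror(local_rules, remote_rules):
    """Each side's crypto permits must be the other side's permits with src/dst swapped."""
    local = {(s, d) for a, s, d in local_rules if a == "permit"}
    remote = {(d, s) for a, s, d in remote_rules if a == "permit"}
    return local == remote


def first_match(rules, src, dst):
    """First-match ACL semantics, with the implicit deny at the end."""
    for action, s, d in rules:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def nat_exempt_ok(crypto_rules, nat_rules, exempt_action):
    """Every flow the crypto ACL protects must hit the NAT ACL with `exempt_action`:
    'deny' for an IOS route-map NAT ACL (deny = do not translate),
    'permit' for an ASA `nat (inside) 0 access-list` (permit = exempt)."""
    return all(first_match(nat_rules, s, d) == exempt_action
               for a, s, d in crypto_rules if a == "permit")


# Sample ACLs taken from the thread's configs.
IOS_CRYPTO = "access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"
IOS_NAT = """\
access-list 107 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 107 permit ip 100.100.100.0 0.0.0.255 any
access-list 107 permit ip 192.168.0.0 0.0.0.255 any
"""
ASA_CRYPTO = ("access-list outside_1_cryptomap extended permit ip "
              "192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0")
ASA_NAT0 = ("access-list inside_nat0_outbound extended permit ip "
            "192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0")
# Constructed failing case: the permit comes first, so VPN traffic would be PATed.
IOS_NAT_WRONG_ORDER = """\
access-list 107 permit ip 192.168.0.0 0.0.0.255 any
access-list 107 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def check_pair():
    """Run the three checks on the thread's ACLs and return a result per check."""
    ios_c, asa_c = parse_acl(IOS_CRYPTO, True), parse_acl(ASA_CRYPTO, False)
    return {
        "crypto_acls_mirror": crypto_acls_mirror(ios_c, asa_c),
        "ios_nat_exempt": nat_exempt_ok(ios_c, parse_acl(IOS_NAT, True), "deny"),
        "asa_nat_exempt": nat_exempt_ok(asa_c, parse_acl(ASA_NAT0, False), "permit"),
    }


if __name__ == "__main__":
    print(check_pair())
```

The same `parse_acl` accepts the `sh access-lists` output form as well (sequence numbers and `(N matches)` suffixes are ignored), so the checks can be run on the live ACLs rather than the saved config; the wrong-order sample shows why the deny for the VPN subnet must precede the broad permit in a route-map NAT ACL.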
f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

1801:

Code:

cisco01#sh run | section include nat
 ip nat inside
 ip nat outside
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.254 443 interface Dialer0 443

Code:

cisco01#sh access-lists 
Standard IP access list 1
    10 permit 192.168.0.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list 101
    10 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.235
    20 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.236
    30 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.237
    40 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.238
    50 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.239
    60 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.240
    70 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.241
    80 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.242
    90 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.243
    100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.244
    110 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.245
    120 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    130 permit ip 192.168.0.0 0.0.0.255 any (631 matches)
Extended IP access list 102
    10 permit ip 192.168.0.0 0.0.0.255 any


ASA:

Code:

sh nat 

NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 inside 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 outside 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 1293, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 dmz 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (1.227.23.53 [Interface PAT])
    translate_hits = 12773, untranslate_hits = 2163
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)

Code:

CiscoASA-01# sh access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_1_cryptomap; 1 elements
access-list outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=2543) 0x8ccf29ab 
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 (hitcnt=0) 0xdaf4a510 

heeelp :cry:
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Which ACL is associated with SDM_RMAP_1?
f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
route-map SDM_RMAP_1 permit 1
 match ip address 101
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.235
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.236
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.237
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.238
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.239
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.240
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.241
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.242
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.243
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.244
access-list 101 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.245
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Apart from the fact that I hate this PDM way of handling this thing...
Why use a policy map to handle NAT?!

Anyway, does the ACL

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

match?
f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

Yes, the two networks are right..