[SOLVED] VPN ASA<->1801

Virtual private networks and related topics

Moderator: Federico.Lagni

f0llia
Cisco fan
Posts: 45
Joined: Tue 25 Sep 2007, 8:37 am

Hi everyone.
I have a site-to-site VPN between an ASA and a Cisco 1801, configured correctly: the two LANs see each other without problems. Now, however, I need the LAN behind the ASA to also see a second LAN (10.1.1.0/24) that sits behind another device directly connected to a FastEthernet port of the router.

If I add the new network under Configuration -> Site-to-site -> Advanced -> Crypto Maps
I still cannot reach that LAN.
How can I do it?

Thanks a lot
Last edited by f0llia on Tue 02 Dec 2008, 10:23 pm, edited 1 time in total.
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

f0llia wrote: If I add the new network under Configuration -> Site-to-site -> Advanced -> Crypto Maps
The NAT0 config is still missing...
ASDM calls it NAT exemption, if I'm not mistaken.

This has to be configured on the 1800 side as well as on the ASA side.
The future is made of people who have intuitions and visions..... they are the people who make the difference...... those gifted with a THIRD EYE....
f0llia

On the ASA:

Code:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 
On the 1800:

Code:

access-list 103 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
OK?
Wizard

access-list 103 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
f0llia

Wizard wrote: access-list 103 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
What do you mean, deny?

The traffic leaving 192.168.1.0/24 has to reach 10.1.1.0/24, which sits behind a device directly connected to the 1800.
Wizard

Is ACL 103 the NAT one?
In that case it has to be a deny, because there must be no NAT between those two networks.
f0llia

Extended IP access list 103
10 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 (4670 matches)
20 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255 (1698 matches)
Wizard

Show me the config of the 1800; anyway, I confirm that in my view the deny is needed.
f0llia

Here it is:

Code:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$gY/u$.iCgNbiQdG8tV.4QDioUJ/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.169
ip dhcp excluded-address 192.168.0.181 192.168.0.254
!
ip dhcp pool dhcpmatrix
   import all
   network 192.168.0.0 255.255.255.0
   domain-name matrix
   dns-server 208.67.222.222 208.67.220.220 
   default-router 192.168.0.254 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name matrix.locale
ip name-server 208.67.222.222
ip name-server 208.67.220.200
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-43613823
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-43613823
 revocation-check none
 rsakeypair TP-self-signed-43613823
!
!
crypto pki certificate chain TP-self-signed-43613823
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34333631 33383233 301E170D 30383037 30313130 33333136 
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53 
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343336 31333832 
  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C397 
  581E7DD8 1C45EF25 EA014380 70EA5CC9 B4C53FE8 CCF3A6C3 9A836FB6 B975BDB3 
  C0FA383D A42E23C4 5F096D8E 5D511F93 46B8B21F 1389A43E B3A74E5E 4B91A10D 
  15B75C24 FD0BB7E7 B5D8E90A A9817FEC 3C6A7BDF C0C8CB7B 49F798B4 8B44A030 
  BFE1417F 8BA93B28 0BF123A7 473B38BF 949B6606 BE073441 B09B376C 20670203 
  010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603 551D1104 
  19301782 15636973 636F3031 2E6D6174 7269782E 6C6F6361 6C65301F 0603551D 
  23041830 168014A9 60FE5274 8CF68FFF 90819FBE 94780F74 C0A37830 1D060355 
  1D0E0416 0414A960 FE52748C F68FFF90 819FBE94 780F74C0 A378300D 06092A86 
  4886F70D 01010405 00038181 00B92EAD 44A3D4C0 D1690C18 28603FAC F4FCDBCF 
  4D149127 D3CC15F4 0A1E5C6F 26AC38C3 F113E442 B2D9A439 A2A35E35 3B1E2964 
  B4F4BA4A 74C5B96E CEAB964B 6F010BF5 F71C969D 505222FC 10A7E825 388C812E 
  DCD5554C 02B9CF58 374FB517 DCCC8325 43979D2B 50F33EBC 8E3DCF8B E66B7287 
  6FB7C64E 7E3F96F2 A25664F8 3C
  quit
username admin privilege 15 secret 5 $1$FBXm$/S6P82KY2bNgt51TTs6f8.
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 32623262 address X.X.X.X
crypto isakmp key 32623262 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group Admin_VPN_Grp
 key 123456789
 pool SDM_POOL_1
 acl 102
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toX.X.X.X
 set peer X.X.X.X
 set transform-set ESP-3DES-SHA2 
 match address 103
!
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/35 
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 0211034B03501B
 ppp pap sent-username [email protected] password 7 08364B5E014F11
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
ip local pool SDM_POOL_1 192.168.0.235 192.168.0.245
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 192.168.1.150 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.195 81 interface Dialer0 81
ip nat inside source static tcp 192.168.0.40 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.254 443 interface Dialer0 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.40 33437 interface Dialer0 33437
ip nat inside source static udp 192.168.0.40 47156 interface Dialer0 47156
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.235
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.236
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.237
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.238
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.239
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.240
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.241
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.242
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.243
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.244
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.245
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Wizard

What a mess the SDM configuration is!
Learn to use Cisco routers from the command line!!!!

Code:

no ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

no access-list 101 
access-list 101 remark *** GESTIONE NAT0 E PAT ***
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.235
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.236
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.237
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.238
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.239
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.240
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.241
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.242
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.243
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.244
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.245
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any 

ip nat inside source list 101 interface Dialer0 overload
f0llia

Even with the proposed config I still cannot ping the other network.. :(

Code:

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark *** GESTIONE NAT0 E PAT *** 
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.235
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.236
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.237
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.238
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.239
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.240
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.241
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.242
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.243
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.244
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.245
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit

What else can I check?

Thanks a lot!
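The point Wizard makes above, as an added example that is not from this thread: every flow the crypto-map ACL selects must be left untranslated by the NAT ACL, which on IOS means a deny (or no match at all) in the list referenced by `ip nat inside source list`, and on the ASA a permit in the `nat (inside) 0 access-list` list. The script below (hypothetical helper names, Python standard library only) parses both ACL syntaxes and runs that check over ACLs constructed from the ones posted in this thread, plus a constructed NAT list with the deny missing; both posted sides come out exempt, which points the search away from NAT.

```python
import ipaddress
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def _net(addr, mask, wildcard):
    """Network from 'addr netmask' (ASA) or 'addr wildcard' (IOS)."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:  # an IOS wildcard is the inverted netmask
        bits = ~bits & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(bits))), strict=False)

def _take_addr(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) from the front of `tokens`."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return _net(tok, tokens.pop(0), wildcard)

def parse_acl(config, name):
    """Ordered (action, src, dst) triples of the 'ip' entries of access-list `name`;
    remarks are skipped, 'extended' marks ASA netmask syntax, else IOS wildcards."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", name]:
            continue
        wildcard = tokens[2] != "extended"
        if not wildcard:
            del tokens[2]
        if tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        src = _take_addr(rest, wildcard)
        dst = _take_addr(rest, wildcard)
        entries.append((tokens[2], src, dst))
    return entries

def first_match(entries, src, dst):
    """(action, whole_flow_covered) of the first entry that overlaps the flow;
    (None, True) when nothing matches, i.e. the implicit deny at the end."""
    for action, esrc, edst in entries:
        if src.overlaps(esrc) and dst.overlaps(edst):
            return action, src.subnet_of(esrc) and dst.subnet_of(edst)
    return None, True

def check_nat_exemption(config, crypto_acl, nat_acl, exempt_action):
    """Map every flow the crypto-map ACL permits to True when the NAT ACL leaves it
    untranslated: IOS 'ip nat inside source list' needs exempt_action='deny' (a deny
    or no match), ASA 'nat (inside) 0 access-list' needs exempt_action='permit'.
    A first match covering only part of the flow is reported as not exempt."""
    nat = parse_acl(config, nat_acl)
    report = {}
    for action, src, dst in parse_acl(config, crypto_acl):
        if action != "permit":
            continue
        hit, whole = first_match(nat, src, dst)
        report[f"{src} -> {dst}"] = (exempt_action == "deny") if hit is None else (hit == exempt_action and whole)
    return report

# Constructed from the ACLs posted for the 1800 (IOS wildcards) and the ASA (netmasks).
IOS_CONFIG = """\
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.235
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""
# Constructed counter-example: a NAT list without the VPN deny, so LAN-to-LAN
# traffic would be PATed out of Dialer0 instead of reaching the crypto map.
IOS_BROKEN = """\
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    print(check_nat_exemption(IOS_CONFIG, "103", "101", "deny"))  # both flows True
    print(check_nat_exemption(ASA_CONFIG, "outside_cryptomap_2", "inside_nat0_outbound", "permit"))
    print(check_nat_exemption(IOS_BROKEN, "103", "101", "deny"))  # False
```

Run it against `show running-config` output saved to a file by passing the file contents and the ACL names used on that device.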
Wizard

Start debugging the isakmp and ipsec part on the firewall side and on the router side...
f0llia

I'm reposting both configs to be safe:
ASA:

Code:

ASA Version 8.0(4) 
!
hostname ciscoasa
domain-name default.domain
enable password OfNv9dpMpO8hZAcR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240 
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.5.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 151.99.125.2
 name-server 151.99.250.2
 domain-name default.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 82.50.230.30 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer 82.50.230.30 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 82.50.230.30 type ipsec-l2l
tunnel-group 82.50.230.30 ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
prompt hostname context 
Cryptochecksum:088965a3fb4ce5f1f73c58904c73b34f
: end
asdm image disk0:/asdm-615.bin
no asdm history enable
1800:

Code:

Building configuration...

Current configuration : 8103 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$gY/u$.iCgNbiQdG8tV.4QDioUJ/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.169
ip dhcp excluded-address 192.168.0.181 192.168.0.254
!
ip dhcp pool dhcpmatrix
   import all
   network 192.168.0.0 255.255.255.0
   domain-name matrix
   dns-server 208.67.222.222 208.67.220.220 
   default-router 192.168.0.254 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name matrix.locale
ip name-server 208.67.222.222
ip name-server 208.67.220.200
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-43613823
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-43613823
 revocation-check none
 rsakeypair TP-self-signed-43613823
!
!
crypto pki certificate chain TP-self-signed-43613823
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34333631 33383233 301E170D 30383037 30313130 33333136 
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53 
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343336 31333832 
  3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100C397 
  581E7DD8 1C45EF25 EA014380 70EA5CC9 B4C53FE8 CCF3A6C3 9A836FB6 B975BDB3 
  C0FA383D A42E23C4 5F096D8E 5D511F93 46B8B21F 1389A43E B3A74E5E 4B91A10D 
  15B75C24 FD0BB7E7 B5D8E90A A9817FEC 3C6A7BDF C0C8CB7B 49F798B4 8B44A030 
  BFE1417F 8BA93B28 0BF123A7 473B38BF 949B6606 BE073441 B09B376C 20670203 
  010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603 551D1104 
  19301782 15636973 636F3031 2E6D6174 7269782E 6C6F6361 6C65301F 0603551D 
  23041830 168014A9 60FE5274 8CF68FFF 90819FBE 94780F74 C0A37830 1D060355 
  1D0E0416 0414A960 FE52748C F68FFF90 819FBE94 780F74C0 A378300D 06092A86 
  4886F70D 01010405 00038181 00B92EAD 44A3D4C0 D1690C18 28603FAC F4FCDBCF 
  4D149127 D3CC15F4 0A1E5C6F 26AC38C3 F113E442 B2D9A439 A2A35E35 3B1E2964 
  B4F4BA4A 74C5B96E CEAB964B 6F010BF5 F71C969D 505222FC 10A7E825 388C812E 
  DCD5554C 02B9CF58 374FB517 DCCC8325 43979D2B 50F33EBC 8E3DCF8B E66B7287 
  6FB7C64E 7E3F96F2 A25664F8 3C
  quit
username admin privilege 15 secret 5 $1$FBXm$/S6P82KY2bNgt51TTs6f8.
username nicola privilege 15 secret 5 $1$EJgD$vhmxvZvpuG3xhZ/MdgfYV/
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 32623262 address 1.1.1.1
crypto isakmp key 32623262 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group Admin_VPN_Grp
 key ASFfjdks45
 pool SDM_POOL_1
 acl 102
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set transform-set ESP-3DES-SHA2 
 match address 103
!
!
!
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/35 
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 0211034B03501B
 ppp pap sent-username [email protected] password 7 08364B5E014F11
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
ip local pool SDM_POOL_1 192.168.0.235 192.168.0.245
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 192.168.1.150 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.195 81 interface Dialer0 81
ip nat inside source static tcp 192.168.0.40 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.0.254 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.40 33437 interface Dialer0 33437
ip nat inside source static udp 192.168.0.40 47156 interface Dialer0 47156
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark *** GESTIONE NAT0 E PAT *** 
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.235
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.236
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.237
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.238
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.239
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.240
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.241
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.242
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.243
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.244
access-list 101 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.245
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
The configs are correct this way, right?
Wizard
f0llia

I had a look at the sample configs..
The VPN is OK: network A (192.168.0.0) on Vlan1 of the Cisco 1800 pings network B (192.168.1.0) on a VLAN of the ASA, and vice versa.

The initial problem remains:
network B (192.168.1.0) behind the ASA does NOT ping a network (10.1.1.0/24) behind a device directly connected to fa0 of the 1800, and vice versa..
:cry: