OK the failover, but the VPN?

Configurations for ADSL and ISDN connectivity and switches for home users and small networks

Moderator: Federico.Lagni

jbg70
Cisco power user
Posts: 75
Joined: Sat 23 Apr 2005, 9:48 pm

Hello everyone.
Thanks to some old posts by Zot (if I remember correctly) and to things I found here and there, some time ago I managed to configure my 1721 to do failover between two networks.

There are probably some "ugly hacks" in the config, but it works!
So I thought of using the 1721 as a PPTP server as well.

From outside I only need to reach it on one interface (ethernet0), and there is no way to connect.
The ACLs for 1723 are surely missing, but I don't understand where to apply them.
If I open the VPN from inside, and also from the address of e0, the VPN connection is established, whereas if I try from outside, nothing. I'm certain that on e0 port 1723 is already open, because if I enable a simple ip nat inside from e0 to another IP where there is a PPTP server, the server answers and lets me connect.

As I said, the 1721 does failover between two networks, each on the WIC-ENET cards (ethernet0 and ethernet1); if e0 goes down, the traffic goes over e1, apart from a few peculiarities.

I'd like some help understanding why the router doesn't answer from outside on port 1723!!!

The config follows:


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1721
!
boot-start-marker
warm-reboot
boot-end-marker
!
enable secret 5 XXXX
!
no aaa new-model
clock timezone UTC 2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip dhcp use vrf connected
!
ip dhcp pool clients
   network 192.168.18.0 255.255.255.0
   dns-server 192.168.18.2 85.37.17.17 
   default-router 192.168.18.1 
   lease 0 0 10
!
ip cef
ip name-server 85.37.17.17
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group cn-vpn
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
username RRRR password 7 XXXXX
username YYYY password 7 XXXXX
! 
!
archive
 log config
  hidekeys
!
!
!
track 10 rtr 1 reachability
 delay down 10 up 20
!
track 20 rtr 2 reachability
 delay down 10 up 20
!
!
!
interface Ethernet0
 description Link to CSN
 ip address 192.168.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
interface Ethernet1
 description Link to VSL
 ip address 192.168.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
interface FastEthernet0
 description Internal LAN
 ip address 192.168.18.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip policy route-map PBR
 no ip mroute-cache
 speed auto
 full-duplex
!
interface Virtual-Template1 
 ip unnumbered FastEthernet0
 peer default ip address pool vpn-pool
 no keepalive
 ppp encrypt mppe 128
 ppp authentication ms-chap ms-chap-v2
!
ip local pool vpn-pool 192.168.19.230 192.168.19.240
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1 track 10
ip route 0.0.0.0 0.0.0.0 192.168.2.1 track 20
no ip http server
ip http secure-server
!
ip nat translation timeout 15
ip nat pool INCOMING_PAT 192.168.18.2 192.168.18.2 netmask 255.255.255.0 type rotary
ip nat pool TEST_SERVER 192.168.18.6 192.168.18.6 netmask 255.255.255.0 type rotary
ip nat inside source route-map LINK_CSN interface Ethernet0 overload
ip nat inside source route-map LINK_VSL interface Ethernet1 overload
ip nat inside destination list 110 pool TEST_SERVER
ip nat inside destination list 120 pool INCOMING_PAT
!
!
ip sla 1
 icmp-echo 192.168.0.1 source-interface Ethernet0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.2.1 source-interface Ethernet1
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
logging history debugging
logging trap debugging
logging 192.168.18.2
access-list 9 permit 192.168.18.6
access-list 10 permit 192.168.18.0 0.0.0.255
access-list 110 permit tcp any any eq 55559
access-list 110 permit tcp any any eq 10001
access-list 110 permit tcp any any eq 8888
access-list 110 permit tcp any any eq 34837
access-list 110 permit tcp any any eq 567
access-list 110 permit tcp any any eq 8088
access-list 110 permit udp any any eq syslog
access-list 120 permit tcp any any eq 22
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 4080
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any range 3389 4000
access-list 120 permit tcp any any eq 143
access-list 120 permit tcp any any eq 2746
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq cmd
access-list 120 permit udp any any eq syslog
access-list 130 permit ip any any
snmp-server community community RO
no cdp run
!
!
!
route-map LINK_VSL permit 10
 match ip address 10
 match interface Ethernet1
!
route-map LINK_CSN permit 10
 match ip address 10
 match interface Ethernet0
!
route-map PBR permit 5
 match ip address 9 110
 set ip next-hop verify-availability 192.168.2.1 2 track 20
!
route-map PBR permit 10
 match ip address 130
 set ip next-hop verify-availability 192.168.0.1 1 track 10
!
route-map PBR permit 30
 match ip address 120 102
 set ip next-hop verify-availability 192.168.2.1 2 track 20
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
sntp server 193.204.114.105
sntp broadcast client
end
Thanks.
Regards.
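The post asks where an ACL for port 1723 would go and why the router does not answer from outside. The fragment below is an added example, not part of the post and not something the poster ran; it shows (1) the debug and show commands that tell you at which point the PPTP attempt dies, and (2) what an inbound ACL on the outside interface looks like if PPTP is to be reachable on Ethernet0 only. Two things the posted config does not state and the example assumes: the device at 192.168.0.1 is doing NAT for the CSN link and must therefore forward both TCP 1723 and IP protocol 47 (GRE) to 192.168.0.2, since PPTP data travels in GRE and a PPTP tunnel with no GRE path comes up and then fails; and the ACL names (OUTSIDE_IN_E0, debug ACL 150) are hypothetical. Note that the posted config contains no `ip access-group` on any interface, so no ACL is currently blocking 1723 on the router itself; the debug output is the way to find where the SYN is actually lost. Two caveats a practitioner would add: PPTP with MS-CHAPv2 and MPPE is not a strong VPN (an MS-CHAPv2 exchange captured on the wire can be cracked offline and the MPPE key is derived from it), so this should not be exposed to the Internet for anything sensitive; and the posted config leaves SNMP (`snmp-server community ... RO` with no access-list bound) and `ip http secure-server` reachable on every interface, which the ACL below closes from the outside.

```cisco
! --- 1. Confirm the router actually sees the SYN to 1723 and the GRE that follows ---
! The posted interfaces are process-switched (no ip route-cache), so "debug ip packet"
! sees every packet. ACL 150 is a hypothetical filter used only to narrow the debug.
access-list 150 permit tcp any any eq 1723
access-list 150 permit gre any any
!
! From an exec session (type these, they are not config lines):
!   terminal monitor
!   debug ip packet 150 detail
!   debug vpdn event
!   debug vpdn error
!   debug ppp negotiation
!   debug ppp authentication
!   ... attempt the connection from outside, then:
!   undebug all
!   show vpdn tunnel
!   show vpdn session
!   show users
!   show track
!   show ip sla statistics
!
! Reading the result:
!  - debug ip packet shows nothing      -> the packet never reaches Ethernet0: check the
!    device at 192.168.0.1 (if it NATs, it must forward TCP 1723 AND protocol 47 to .2)
!  - SYN seen, no "debug vpdn" output   -> packet arrived but PPTP was not terminated:
!    check "vpdn enable", the vpdn-group and that the SYN is addressed to 192.168.0.2
!  - tunnel up, session never completes -> GRE is dropped upstream, or PPP/MPPE
!    negotiation fails ("debug ppp negotiation" shows which side gives up)
!
! --- 2. Where an ACL for 1723 goes: inbound on the outside interface ---
! On a NAT-outside interface the inbound ACL is evaluated BEFORE global-to-local
! translation, so it sees the router's own address as destination and must also admit
! return traffic for the PAT overload and the ports published with
! "ip nat inside destination list 110/120". Hypothetical name: OUTSIDE_IN_E0.
ip access-list extended OUTSIDE_IN_E0
 remark PPTP control (TCP 1723) and data (GRE) to the router itself
 permit tcp any host 192.168.0.2 eq 1723
 permit gre any host 192.168.0.2
 remark reply to the IP SLA probe that drives track 10, plus path-MTU/TTL errors
 permit icmp host 192.168.0.1 host 192.168.0.2 echo-reply
 permit icmp any host 192.168.0.2 unreachable
 permit icmp any host 192.168.0.2 time-exceeded
 remark return traffic for TCP sessions opened from the inside (PAT on Ethernet0)
 permit tcp any host 192.168.0.2 established
 remark return traffic for the router's own DNS (ip name-server) and SNTP lookups
 permit udp host 85.37.17.17 eq domain host 192.168.0.2
 permit udp host 193.204.114.105 eq ntp host 192.168.0.2
 permit udp any eq domain host 192.168.0.2
 remark services published through access-list 120 (to 192.168.18.2)
 permit tcp any host 192.168.0.2 eq 22
 permit tcp any host 192.168.0.2 eq smtp
 permit tcp any host 192.168.0.2 eq www
 permit tcp any host 192.168.0.2 eq 4080
 permit tcp any host 192.168.0.2 eq 443
 permit tcp any host 192.168.0.2 range 3389 4000
 permit tcp any host 192.168.0.2 eq 143
 permit tcp any host 192.168.0.2 eq 2746
 permit tcp any host 192.168.0.2 eq ftp
 permit tcp any host 192.168.0.2 eq ftp-data
 permit tcp any host 192.168.0.2 eq cmd
 remark services published through access-list 110 (to 192.168.18.6)
 permit tcp any host 192.168.0.2 eq 55559
 permit tcp any host 192.168.0.2 eq 10001
 permit tcp any host 192.168.0.2 eq 8888
 permit tcp any host 192.168.0.2 eq 34837
 permit tcp any host 192.168.0.2 eq 567
 permit tcp any host 192.168.0.2 eq 8088
 permit udp any host 192.168.0.2 eq syslog
 remark SNMP, HTTPS management and anything else from the outside: dropped and logged
 deny   ip any any log
!
interface Ethernet0
 ip access-group OUTSIDE_IN_E0 in
```

The same ACL without the two PPTP lines (and with 192.168.2.1 / 192.168.2.2 in place of the CSN addresses) applied inbound on Ethernet1 is what keeps 1723 closed on the second link, which is the interface-selective behaviour the post asks for. Two limits of this approach worth knowing before applying it: UDP flows other than DNS/NTP started by inside hosts will be dropped on return unless they get their own permit line, and the `established` keyword only checks TCP flags, not real session state. If the image carries the firewall feature set, `ip inspect` on FastEthernet0 replaces the return-traffic lines with stateful inspection; and whatever ACL is applied, run the debug sequence in part 1 first so that the ACL is not blamed for a packet that never reached the router.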