A client of mine switched to Linkem a few days ago for his office connectivity since, in the industrial zone of an area "thriving" along with the northeast, he apparently had no alternatives at all on copper or on fibre...
Anyway...
The technician from his new ISP mounted the antennas and connected them to a mini-router, for which he left me the credentials.
I only needed to NAT port 443 from the ISP's router to the IP of the WAN port of the client's router, so as to make the AnyConnect VPN accessible again, which some of his "travelling" employees use to connect to the company network.
So from the GUI of the ISP's router I set up a NAT for that port.
The ISP router's IP is 172.16.0.1/24 and the router's WAN has 172.16.0.2/24.
I don't see any error messages.
Despite this, though, AnyConnect refuses to work (connection attempt fail).
I attach the (purged) sh run of the router.
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DG01
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint my-trustpoint
enrollment selfsigned
serial-number
subject-name CN=
revocation-check crl
rsakeypair my-rsa-keys
!
!
crypto pki certificate chain my-trustpoint
certificate self-signed 02
3082026D 308201D6 A0030201 02020102 300D0609 2A864886 F70D0101 05050030
quit
!
!
!
!
!
!
!
!
ip name-server 192.168.0.27
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn
!
!
username netadmin privilege 15 secret 5
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.2.01022-k9.pkg sequence 1
!
!
!
!
!
controller VDSL 0
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
description INSIDE
switchport access vlan 10
no ip address
!
interface FastEthernet3
description ISP
switchport access vlan 20
no ip address
!
interface Vlan1
no ip address
!
!
interface Vlan10
description INSIDE
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description ISP
ip address 172.16.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
!
ip local pool webvpn-pool 192.168.0.240 192.168.0.252
ip default-gateway 172.16.0.1
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source list mylan interface Vlan20 overload
!
ip access-list standard mylan
permit 192.168.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway Cisco-WebVPN-Gateway
ip address 172.16.0.2 port 443
ssl encryption rc4-md5
ssl trustpoint my-trustpoint
inservice
!
webvpn context Cisco-WebVPN
title "VPN GATEWAY"
!
acl "ssl-acl"
permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
login-message "WebVpn"
aaa authentication list sslvpn
gateway Cisco-WebVPN-Gateway
!
ssl authenticate verify all
!
url-list "rewrite"
inservice
!
policy group webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
default-group-policy webvpnpolicy
!
end
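As an added check that is not part of the original post: a small Python script that parses the relevant lines of an IOS running config (SAMPLE_CONFIG is a constructed excerpt modelled on the config above, with the one-space indentation `sh run` normally prints) and reports conditions that keep a WebVPN gateway reached through an upstream port forward from answering: a gateway address or port that does not match an interface or the forwarded port, no default route (`ip default-gateway` is honoured only when IP routing is disabled, and a router has routing on by default), and a gateway restricted to an obsolete cipher suite.

```python
import re

# Constructed excerpt modelled on the running config in the post (not the full config).
SAMPLE_CONFIG = """\
ip cef
interface Vlan20
 ip address 172.16.0.2 255.255.255.0
 ip nat outside
ip default-gateway 172.16.0.1
ip nat inside source list mylan interface Vlan20 overload
webvpn gateway Cisco-WebVPN-Gateway
 ip address 172.16.0.2 port 443
 ssl encryption rc4-md5
 inservice
"""

FORWARDED_PORT = 443  # the port the ISP router forwards to the WAN address


def interface_addresses(cfg):
    """Map interface name -> IPv4 address from 'interface X' blocks and their ' ip address A M' lines."""
    addrs, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and line.strip().startswith("ip address "):
            addrs[current] = line.split()[2]
        elif line and not line.startswith(" "):
            current = None  # left the interface block
    return addrs


def lint_webvpn_reachability(cfg):
    """Return findings that explain why a NAT-forwarded WebVPN gateway may not answer."""
    findings = []
    addrs = interface_addresses(cfg)
    gw = re.search(r"^webvpn gateway \S+\n ip address (\S+) port (\d+)", cfg, re.M)
    if not gw:
        findings.append("no webvpn gateway with an ip address/port is configured")
    else:
        ip, port = gw.group(1), int(gw.group(2))
        if ip not in addrs.values():
            findings.append(f"webvpn gateway listens on {ip}, which is not assigned to any interface")
        if port != FORWARDED_PORT:
            findings.append(f"gateway port {port} differs from the forwarded port {FORWARDED_PORT}")
    # 'ip default-gateway' only applies with 'no ip routing'; otherwise a default route is needed.
    if "no ip routing" not in cfg and not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ", cfg, re.M):
        findings.append("no default route: 'ip default-gateway' is ignored while IP routing is enabled, "
                        "so replies to remote VPN clients have no path back")
    if re.search(r"^ ssl encryption .*rc4-md5", cfg, re.M):
        findings.append("gateway restricted to RC4-MD5; RC4 is prohibited for TLS (RFC 7465) "
                        "and current clients may refuse it")
    return findings
```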