Hi everyone.
I have a problem configuring a VPN between an 877 router and an ASA 5510. The 877 in question has to allow remote management and Internet browsing, reject common attacks, block FTP and TFTP, Messenger and NetMeeting, and allow ICMP. The ASA, on the other hand, must not block anything from inside to outside. In addition I have to establish a tunnel between the two devices (in the config I have already prepared the ASA to accept another 15 routers, which will be the final production config).
Also, the ASA must accept not only site-to-site but also remote-to-site connections.
When I test the tunnel from the router's graphical interface, it tells me the tunnel is up. But if I try to ping the network behind the ASA it says destination unreachable and does not let me use remote desktop.
Also, on the ASA's remote-access VPN I can connect, but I have the same problem: it connects but I can neither ping nor use remote desktop. If, however, I enable the remote-access VPN over TCP, it works (to be clear, if I issue the command isakmp ipsec-over-tcp port 10000).
I can't find the cause of these errors.
Can someone give me a hand, please?
The configs of the two devices follow.
ASA 5510
hostname xxx
domain-name xxx.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address <public-ip-asa> 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.50.1 255.0.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 151.99.125.2
dns name-server 151.99.125.3
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.56.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.57.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.58.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.59.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.62.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.63.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.64.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.65.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.66.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.67.0 255.255.255.0
access-list CRYPTO extended permit ip 192.168.50.0 255.255.255.0 192.168.68.0 255.255.255.0
access-list CRYPTO extended permit ip any 192.168.50.192 255.255.255.224
access-list 101 extended permit udp host <public-ip-Router1> interface outside eq 4500
access-list 101 extended permit udp host <public-ip-Router1> interface outside eq isakmp
access-list 101 extended permit esp host <public-ip-Router1> interface outside
access-list 101 extended permit ah host <public-ip-Router1> interface outside
access-list 101 extended permit udp host <public-ip-Router2> interface outside eq 4500
access-list 101 extended permit udp host <public-ip-Router2> interface outside eq isakmp
access-list 101 extended permit esp host <public-ip-Router2> interface outside
access-list 101 extended permit ah host <public-ip-Router2> interface outside
access-list 101 extended permit udp host <public-ip-Router3> interface outside eq 4500
access-list 101 extended permit udp host <public-ip-Router3> interface outside eq isakmp
access-list 101 extended permit esp host <public-ip-Router3> interface outside
access-list 101 extended permit ah host <public-ip-Router3> interface outside
access-list 101 remark "Acl per blocco attacchi"
access-list 101 extended deny udp any any eq nameserver
access-list 101 extended deny tcp any any eq 42
access-list 101 extended deny udp any any eq bootps
access-list 101 extended deny udp any any eq netbios-ns
access-list 101 extended deny udp any any eq netbios-dgm
access-list 101 extended deny tcp any any eq netbios-ssn
access-list 101 extended deny tcp any any eq 445
access-list 101 extended deny tcp any any eq ftp-data
access-list 101 extended deny tcp any any eq ftp
access-list 101 extended deny tcp any any eq 593
access-list 101 extended deny tcp any any eq 4444
access-list 101 extended deny udp any any eq 1433
access-list 101 extended deny udp any any eq 1434
access-list 101 extended deny tcp any any eq 135
access-list 101 extended deny udp any any eq 135
access-list 101 extended deny tcp any any eq 2049
access-list 101 extended deny udp any any eq 2049
access-list 101 extended deny tcp any any range 6000 6001
access-list 101 extended deny udp any any eq 5554
access-list 101 extended deny udp any any eq 9996
access-list 101 extended deny udp any any eq 113
access-list 101 extended deny udp any any eq 3067
access-list 101 extended deny udp any any eq 3117
access-list 101 extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool REMOTEVPNPOOL 192.168.50.206-192.168.50.209
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list CRYPTO
nat (inside) 1 192.168.50.0 255.255.255.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 <publicip-gateway> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username francesco.russo password rP1cfNvc7mJQsh7 encrypted privilege 15
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto dynamic-map REMOTEVPNMAP 120 set transform-set VPNSET
crypto map VPNMAP 100 match address CRYPTO
crypto map VPNMAP 100 set peer <public-ip-Router1>
crypto map VPNMAP 100 set transform-set VPNSET
crypto map VPNMAP 109 match address CRYPTO
crypto map VPNMAP 109 set peer <public-ip-Router2>
crypto map VPNMAP 109 set transform-set VPNSET
crypto map VPNMAP 116 match address CRYPTO
crypto map VPNMAP 116 set peer <public-ip-Router3>
crypto map VPNMAP 116 set transform-set VPNSET
crypto map VPNMAP 120 ipsec-isakmp dynamic REMOTEVPNMAP
crypto map VPNMAP interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 86400
isakmp nat-traversal 20
tunnel-group <public-ip-Router1> type ipsec-l2l
tunnel-group <public-ip-Router1> general-attributes
tunnel-group <public-ip-Router1> ipsec-attributes
pre-shared-key *
tunnel-group <public-ip-Router2> type ipsec-l2l
tunnel-group <public-ip-Router2> general-attributes
tunnel-group <public-ip-Router2> ipsec-attributes
pre-shared-key *
tunnel-group <public-ip-Router3> type ipsec-l2l
tunnel-group <public-ip-Router3> general-attributes
tunnel-group <public-ip-Router3> ipsec-attributes
pre-shared-key *
tunnel-group REMOTEVPN type ipsec-ra
tunnel-group REMOTEVPN general-attributes
address-pool REMOTEVPNPOOL
tunnel-group REMOTEVPN ipsec-attributes
pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
877
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname distretto.of.16
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
ip domain name CBC.local
ip name-server 151.99.125.2
ip name-server 151.99.125.3
!
!
crypto pki trustpoint TP-self-signed-1443777611
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1443777611
revocation-check none
rsakeypair TP-self-signed-1443777611
!
!
crypto pki certificate chain TP-self-signed-1443777611
certificate self-signed 01
quit
username francesco.russo privilege 15 secret 5 $1$Y9u9$H2zGDHgUbUxAn3Uj4wZaV/
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key consorzio address 85.39.124.100
!
!
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto map nolan 1 ipsec-isakmp
set peer <public-ip-asa>
set transform-set VPNSET
match address 103
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description "Interfaccia virtuale punto punto"
bandwidth 4096
ip address <public-ip-Router1> 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map nolan
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description "Interfaccia della rete locale"
ip address 192.168.59.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 102 interface ATM0.1 overload
ip nat inside source route-map NONAT interface ATM0.1 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.109.0 0.0.0.255
access-list 101 permit udp host <public-ip-asa> host <public-ip-Router1> eq non500-isakmp
access-list 101 permit udp host <public-ip-asa> host <public-ip-Router1> eq isakmp
access-list 101 permit esp host <public-ip-asa> host <public-ip-Router1>
access-list 101 permit ahp host <public-ip-asa> host <public-ip-Router1>
access-list 101 remark "Acl per blocco attacchi"
access-list 101 deny udp any any eq nameserver
access-list 101 deny tcp any any eq 42
access-list 101 deny udp any any eq bootps
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq ftp-data
access-list 101 deny tcp any any eq ftp
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 4444
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 deny tcp any any range 6000 6001
access-list 101 deny udp any any eq 5554
access-list 101 deny udp any any eq 9996
access-list 101 deny udp any any eq 113
access-list 101 deny udp any any eq 3067
access-list 101 deny udp any any eq 3117
access-list 101 remark "Acl per blocco messenger e netmeeting"
access-list 101 deny tcp any any eq 1720
access-list 101 deny tcp any any eq 1503
access-list 101 deny tcp any any range 6891 6901
access-list 101 deny tcp any any eq 1863
access-list 101 deny udp any any eq 1863
access-list 101 deny udp any any eq 5190
access-list 101 deny udp any any eq 6901
access-list 101 permit ip any any
access-list 102 remark "Acl per NAT0 E PAT"
access-list 102 deny ip 192.168.59.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit tcp host 192.168.59.1 any eq www
access-list 102 permit tcp host 192.168.59.1 any eq 443
access-list 102 permit tcp host 192.168.59.1 any eq domain
access-list 102 permit udp host 192.168.59.1 any eq domain
access-list 102 permit tcp host 192.168.59.1 any eq 5222
access-list 102 permit tcp host 192.168.59.1 any eq 5223
access-list 102 deny tcp 192.168.59.0 0.0.0.255 any eq 1720
access-list 102 deny tcp 192.168.59.0 0.0.0.255 any eq 1503
access-list 102 deny tcp 192.168.59.0 0.0.0.255 any range 6891 6900
access-list 102 deny tcp 192.168.59.0 0.0.0.255 any eq 1863
access-list 102 deny udp 192.168.59.0 0.0.0.255 any eq 1863
access-list 102 deny udp 192.168.59.0 0.0.0.255 any eq 6901
access-list 102 deny tcp 192.168.59.0 0.0.0.255 any eq 6901
access-list 102 remark "Acl per collegamenti remoti"
access-list 102 permit ip any host <public-ip-asa>
access-list 102 permit tcp 192.168.59.0 0.0.0.255 host 192.168.109.254 eq telnet
access-list 103 remark "Acl per VPN"
access-list 103 permit ip 192.168.59.0 0.0.0.255 192.168.50.0 0.0.0.255
no cdp run
!
!
!
route-map NONAT permit 10
description "Disabilita Nat per Vpn"
match ip address 102
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
Thanks in advance for any help.
Help with VPN
Moderator: Federico.Lagni
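One thing to verify in the 877 config above, as an added example that is not part of the thread: access-list 102 is applied inbound on Vlan1 (ip access-group 102 in) and is also the traffic selector for the NAT statement and for route-map NONAT, so its deny entry for 192.168.59.0/24 to 192.168.50.0/24, written as a NAT exemption, also drops that traffic at the interface before it reaches the crypto map. The Python checker below (SAMPLE_IOS is a constructed excerpt mirroring those lines) parses an IOS config and reports ACLs used for both purposes together with their deny entries.

```python
import re

# Constructed excerpt that mirrors the relevant lines of the 877 config above.
SAMPLE_IOS = """\
interface Vlan1
 ip access-group 102 in
 ip nat inside
!
ip nat inside source list 102 interface ATM0.1 overload
ip nat inside source route-map NONAT interface ATM0.1 overload
access-list 102 remark "Acl per NAT0 E PAT"
access-list 102 deny ip 192.168.59.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit tcp host 192.168.59.1 any eq www
access-list 103 permit ip 192.168.59.0 0.0.0.255 192.168.50.0 0.0.0.255
route-map NONAT permit 10
 match ip address 102
"""


def find_dual_use_acls(config):
    """Return {acl: (interfaces, deny_rules)} for ACLs that select NAT traffic
    (directly or via a route-map) and are also applied on an interface.
    A 'deny' meant as a NAT exemption in such an ACL also drops the packet
    at the interface, so every deny entry is listed for review."""
    iface_use, nat_acls, nat_rmaps, rmap_acls, denies = {}, set(), set(), {}, {}
    block = None  # (kind, name) of the current interface/route-map block
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if line.startswith(("interface ", "route-map ")):
            block = (words[0], words[1])
        elif line == "!":
            block = None
        if block and block[0] == "interface" and line.startswith("ip access-group "):
            iface_use.setdefault(words[2], set()).add(block[1])
        elif block and block[0] == "route-map" and line.startswith("match ip address "):
            rmap_acls.setdefault(block[1], set()).add(words[3])
        elif line.startswith("ip nat inside source list "):
            nat_acls.add(words[5])
        elif line.startswith("ip nat inside source route-map "):
            nat_rmaps.add(words[5])
        elif line.startswith("access-list ") and words[2] == "deny":
            denies.setdefault(words[1], []).append(line)
    for rmap in nat_rmaps:  # resolve route-map -> ACL after the full pass
        nat_acls |= rmap_acls.get(rmap, set())
    return {acl: (sorted(iface_use[acl]), denies.get(acl, []))
            for acl in nat_acls if acl in iface_use}


if __name__ == "__main__":
    for acl, (ifaces, rules) in find_dual_use_acls(SAMPLE_IOS).items():
        print(f"ACL {acl} selects NAT traffic and is also applied on {ifaces}:")
        for rule in rules:
            print("  also dropped at the interface:", rule)
```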
First of all, some good news: everything you want to do can be done!
I have a problem configuring a VPN between an 877 router and an ASA 5510. The 877 in question has to allow remote management and Internet browsing, reject common attacks, block FTP and TFTP, Messenger and NetMeeting, and allow ICMP. The ASA, on the other hand, must not block anything from inside to outside. In addition I have to establish a tunnel between the two devices (in the config I have already prepared the ASA to accept another 15 routers, which will be the final production config).
Also, the ASA must accept not only site-to-site but also remote-to-site connections.
One piece of advice: for the l2l VPN between the ASA and the router, remove all the other tunnels from the firewall and keep only the one with the 877, so the config is clearer.
Second, update both devices to the latest available IOS.