configurazione VPN server su 877

[Wizard]

E' chiaro che finchè non riconfiguri le regole di nat il router non ti farà accedere ad internet. Devi fare così da riga di comando:

clear ip nat translation *

no ip nat inside source list 1 interface Dialer0 overload
no ip nat inside source list 101 interface Dialer0 overload

access-l 101 remark *** ACL PER NAT ***
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

[md1946]

... scusami, ho inserito i comandi, le righe di configurazione adesso sono ...

!
crypto pki trustpoint TP-self-signed-1663544984
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1663544984
revocation-check none
rsakeypair TP-self-signed-1663544984
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ************
key *************
pool SDM_POOL_1
acl 102
max-users 2
crypto isakmp profile sdm-ike-profile-1
match identity group **********
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface ATM0
mtu 1500
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
mtu 1500
no snmp trap link-status
pvc 8/75
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.20 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address **************255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_MEDIUM out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ********************* password ****************
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.50
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.248 29978 interface Dialer0 29978
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host ************* eq non500-isakmp
access-list 101 permit udp any host ************* eq isakmp
access-list 101 permit esp any host *************
access-list 101 permit ahp any host *************
access-list 101 permit udp host 212.48.4.11 eq domain any
access-list 101 permit udp host 195.110.128.1 eq domain any
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any eq 29978
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 101 remark *** ACL PER NAT ***
access-list 102 remark SDM_ACL Category=4
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!

... riprovo

[md1946]

... stesso risultato, pingo tutti ma mi connetto soltanto alla stampante. Ho riprovato a cancellare la riga di comando

ip nat inside source list 1 interface Dialer0 overload

e poi a riconfigurare le regole di nat, ma il router non si connetteva ad internet, mentre il tentativo di connessione dal vpn client dava gli stessi risultati di prima, connessione soltanto alla stampante. Davanti al comando "clear ip nat translation" ho messo "do" altrimenti lo ios non lo accettava, va bene lo stesso?

[Wizard]

Per il nat cerca di mettere a posto (x il do va bene, se non sei in configure terminal ci vuole). Per la condivisione delle risorse di rete prova a mettere il protocollo netbios nella config del ip inspect.

[md1946]

... anche inserento il protocollo netbios nell'inspect la situazione non cambia, il vpn client non fa traffico internet perchè esce criptato (il numero dei pacchetti ricevuti aumenta ogni volta che si cerca di accedere ad internet), e l'unica periferica raggiugibile rimane la stampante, ma le pingo tutte.

Ho anche provato per gradi, caricando la configurazione antecedente alla configurazione della split tunneling, inserendo una modifica alla volta e facendo tutte le prove ogni volta, ma senza risultati.

Scusami wizard se sto abusando della tua pazienza e cortesia, ma senza le tue dritte non so proprio cosa fare.

[md1946]

... ho provato anche ad inserire le seguenti righe di comando ...

access-list 101 permit udp any host IP FISSO DEL SERVER eq netbios-dgm
access-list 101 permit udp any host IP FISSO DEL SERVER eq netbios-ns
access-list 101 permit udp any host IP FISSO DEL SERVER eq netbios-ss

... con gli stessi risultati delle prove precedenti

[md1946]

... con "net view \\IP DEL PC DIETRO AL VPN SERVER CISCO" riesco a vedere le risorse condivise, ma se provo ad accedervi tramite browser o esplora risorse mi da errore

[md1946]

... non so se serve a qualcosa, ma riguardando il log della connessione, mi sono accorto di un errore "AddRoute failed to add route: code 87", segue il dettaglio ...

54 00:55:09.968 08/10/07 Sev=Info/4 CM/**********
The Virtual Adapter was enabled:
IP=192.168.1.6/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
Split DNS Names=

55 00:55:09.968 08/10/07 Sev=Warning/2 CVPND/**********
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.1.6
Interface 192.168.1.6

56 00:55:09.968 08/10/07 Sev=Warning/2 CM/**********
Unable to add route. Network: ********, Netmask: ********, Interface: ********, Gateway: ********.

57 00:55:09.968 08/10/07 Sev=Info/4 CM/**********
Successfully saved route changes to file.

... per oggi è tutto, sperando che la notte porti consiglio

[Wizard]

Codice: Seleziona tutto

ip router 192.168.1.0 255.255.255.0 dialer0

[md1946]

... ultimo aggiornamento dal fronte. Ho rismontato tutto e ricominciato da capo caricando soltanto l'indispesabile, senza attivare il firewall. La situazione è migliorata, nel senso che vengono criptati soltanto i dati che il vpn client trasmette al vpn server e non tutti, quindi il vpn client riesce a fare traffico internet col il tunnel up mentre con il comando "net view" vedo le risorse condivise di ognuno dei nodi della rete che sta dietro al cisco.

Purtroppo non riesco a capire il risultato del tentativo di connessione perchè la persona che sta sul vpn client non riesce a spiegarmelo, ma è diverso dal solito messaggio di impossibilità a trovare il server.

La configurazione attuale è :

Building configuration...

Current configuration : 5709 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ************
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$MvCj$3a2m04VJcqA8Axmg.zgws.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 192.168.0.20
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.20
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 195.110.128.1
ip name-server 212.48.4.11
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1663544984
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1663544984
revocation-check none
rsakeypair TP-self-signed-1663544984
!
!
crypto pki certificate chain TP-self-signed-1663544984
certificate self-signed 01

..........................................

quit
username ******** privilege 15 view root secret ********************************
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group **********
key *************
pool SDM_POOL_2
acl 100
max-users 2
crypto isakmp profile sdm-ike-profile-1
match identity group **********
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 8/75
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
ip address IP FISSO 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ********************* password ****************
!
ip local pool SDM_POOL_2 192.168.1.0 192.168.1.20
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!

... stiamo migliorando. Wizard, non mi ci mandare, mi sei stato di enorme aiuto, se mi dai un'altra mano ce la faccio. Grazie.

[Wizard]

Se vuoi fare una cosa come Dio comanda abbandona SDM ed inizia a lavorare in riga di comando (telnet). Se vuoi fare così elimina tutta la parte non indispensabile e quindi della vpn dopo progegiuremo con:

- pulizia config base
- config vpn client
- config firewall
- ottimizzazioni

Se non sei pratico di Cisco sarà un lavoro lungo ma dopo avrai un router configurato perfettamente!

[md1946]

... per me va benissimo, se tu hai la pazienza di seguirmi, ti ho già rotto le balle all'inverosimile. Carico la configurazione base, quella che mi sono salvato con la sola connessione internte attiva, questa :

!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ********
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$MvCj$3a2m04VJcqA8Axmg.zgws.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 192.168.0.20
!
ip dhcp pool sdm-pool1
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.20
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 195.110.128.1
ip name-server 212.48.4.11
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1663544984
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1663544984
revocation-check none
rsakeypair TP-self-signed-1663544984
!
!
crypto pki certificate chain TP-self-signed-1663544984
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363633 35343439 3834301E 170D3037 30383037 31333532
31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36363335
34343938 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100990D 146277BE 9D9E46FE 588D90B9 111C84A3 C398B160 7B96DBC3 58D80AE1
ED0144D0 15A61792 CD6EEB7E B4ADA313 5369BFA0 73E1872C D69EC420 E383FB01
80B193A7 24EAF8EB F6E52613 68E3DC86 5D1DE4E7 FF8EA9BA E7716F68 670AE958
B075DDCF BCF3B332 FACA5226 E3872900 FECABB70 3F7B19A9 3BE17D36 ACE04613
32990203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 143A7788 83695199 963F484A 03090BB7 18B7612C
CF301D06 03551D0E 04160414 3A778883 69519996 3F484A03 090BB718 B7612CCF
300D0609 2A864886 F70D0101 04050003 81810002 1BB1A419 DCE12D66 A395C1FB
32774359 6263BB4A C1C7E686 A109C84D E624C190 8C96A44B 0583A06F 96C97BE3
8AD6D51C 4EBC11CB 22C9C9B9 5B039584 8AD93E8C 55C37724 665800D9 080EA819
EDBD27B4 8A683C9B C4F81F3C 2AA75518 35B67A75 931522D1 EF71D562 6168EAC6
4DB2F4D2 B56774F9 FD4F3093 5450A1F7 DB0464
quit
username ********* privilege 15 view root secret *******************************.
!
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 8/75
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
ip address IP FISSO 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ********************* password ****************
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

... sono pronto, possiamo iniziare quando vuoi, grazie ancora

[Wizard]

Puliamo la config attuale:

Codice: Seleziona tutto

interface ATM0.1 point-to-point
no description
description INT OUTSIDE
mtu 1500

interface Vlan1
no description 
description INT INSIDE
ip proxy-arp
ip tcp adjust-mss 1452

interface Dialer0
no ip mtu
mtu 1500

int atm0
mtu 1500

clear ip nat translation forced
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload

no access-l 1
access-l 101 remark *** ACL PER NAT ***
access-list 101 permit IP 192.168.0.0 0.0.0.255 ANY

no banner login 

[md1946]

... fatto, davanti al comando "clear ip nat translation forced ... " ho messo il do. Chido la sessione telnet o la lascio aperta ed inserisco i comandi successivi?

P.S. prima di iniziare a scrivere le righe di comando ho digitato "configure"

[Wizard]

... fatto, davanti al comando "clear ip nat translation forced ... " ho messo il do. Chido la sessione telnet o la lascio aperta ed inserisco i comandi successivi?

P.S. prima di iniziare a scrivere le righe di comando ho digitato "configure"

X il "do" OK.
Per il resto ci sentiamo nei prossimi giorni perchè oggi pomeriggio sono un po' incasinato. Se riesco però ti scrivo un template x la vpn client, tu prova ad adattarla alla tua configurazione.
Per il "conf t" certo!