7200 router connected via FastEthernet 1/0 cannot reach the Internet

ErGasti
Cisco fan
Posts: 50
Joined: Fri 27 Feb 2009, 4:36 pm

Good morning, I have a 7200 router with three FastEthernet ports, connected to a Wi-Fi antenna with a crossover cable on FastEthernet 1/0 and to my network on FastEthernet 3/0. The problem is that it cannot reach the Internet: it doesn't ping anything outside the LAN.
I can ping the interfaces and telnet into both if I change the IPs to ones on my local network. The connection is up, since if I plug the crossover cable straight into my laptop and set the same IPs as the router I can browse perfectly, but with the router nothing works. Also, something that seems strange to me: when I do an extended ping it won't accept FastEthernet 1/0 as the interface.

I also tried resetting the config and redoing it from scratch, but nothing.
Even stranger, yesterday it had come up; I started the VPN config, and once I finished and tested, it no longer pinged anything :(

This is the config I redid after wiping it (and it doesn't ping anything):

Code:

#ping
Protocol [ip]:
Target IP address: 151.99.125.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FASTETHERNET 1/0
% Invalid source
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 151.99.125.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Current configuration:

Code:

#sh run
Building configuration...

Current configuration : 1880 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxx.
!
no aaa new-model
ip subnet-zero
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip name-server 195.47.199.18
ip name-server 195.25.178.30
ip name-server 151.99.125.2
!
!
multilink bundle-name authenticated
call rsvp-sync
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet1/0
 ip address 94.xxx.xxx.xxx 255.255.255.240
 ip nat outside
 duplex full
 no keepalive
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet3/0
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
 duplex full
 no keepalive
!
router rip
 network 192.168.6.0
!
ip default-gateway 94.xxx.xxx.xxx
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet1/0
ip route 192.168.1.30 255.255.255.255 FastEthernet1/0
ip route 192.168.254.0 255.255.255.0 FastEthernet1/0
no ip http server
no ip http secure-server
!
!
!
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 any
access-list 110 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!

end

#

Many thanks to everyone! :cry:
Last edited by ErGasti on Tue 22 Sep 2009, 9:57 pm; edited 1 time in total.

danny webber
Cisco fan
Posts: 49
Joined: Fri 02 Sep 2005, 11:14 am

But at a glance, the NAT rule is missing:
ip nat inside source list 1 interface fast 1/0 overload

That way the 192.168.6.0 network will be enabled for NAT.
If you need to NAT other networks, add new entries to ACL 1.

Then check that default gateway: since this is an Ethernet connection, and therefore broadcast, you have to set as next hop the public IP that sits behind the wireless antenna.

As for the ping, just to confirm, try using the IP address instead of the interface; if it doesn't work that way either, it could be because the interface is down.
If you don't know what that means, run show interface fastethernet 1/0 and post it.

ErGasti

danny webber wrote:
But at a glance, the NAT rule is missing:
ip nat inside source list 1 interface fast 1/0 overload

That way the 192.168.6.0 network will be enabled for NAT.
If you need to NAT other networks, add new entries to ACL 1.

Then check that default gateway: since this is an Ethernet connection, and therefore broadcast, you have to set as next hop the public IP that sits behind the wireless antenna.

As for the ping, just to confirm, try using the IP address instead of the interface; if it doesn't work that way either, it could be because the interface is down.
If you don't know what that means, run show interface fastethernet 1/0 and post it.

Hi, and first of all thanks.

The interfaces are up and working; in fact, if I give them a LAN address I can ping them without problems.
As for the ACL, it was in the earlier config; it isn't there now because I reset and redid everything from scratch, but it is the router itself that doesn't ping anything outside the LAN.

The gateway should in theory be right, since from the laptop with that network address and that gateway I can browse.

Code:

#show interfaces fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
  Hardware is DEC21140, address is 00d0.c019.781c (bia 00d0.c019.781c)
  Internet address is 94.xxx.xxx.xxx/28
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:21, output 00:00:39, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3731 packets input, 287472 bytes, 0 no buffer
     Received 3555 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     3896 packets output, 771977 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     1 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Last edited by ErGasti on Tue 22 Sep 2009, 10:10 pm; edited 1 time in total.

danny webber

Post again the configuration the router currently has;
in any case, if you don't add the NAT the LAN networks won't be able to browse.

Have you tried the extended ping using the IP address instead of the interface?

ErGasti

Yes, tried it, nothing.

Here is the config:

Code:

#sh run
Building configuration...

Current configuration : 1985 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxrTKj4YeXGGnQ8A.
!
no aaa new-model
ip subnet-zero
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip name-server 195.47.199.18
ip name-server 195.25.178.30
ip name-server 151.99.125.2
!
!
multilink bundle-name authenticated
call rsvp-sync
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet1/0
 ip address 94.xxx.xxx.210 255.255.255.240
 ip nat outside
 duplex full
 no keepalive
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet3/0
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
 duplex full
 no keepalive
!
router rip
 network 192.168.6.0
!
ip default-gateway 94.xxx.xxx.209
ip nat inside source list 1 interface FastEthernet1/0 overload
ip classless
ip route 192.168.1.0 255.255.255.0 FastEthernet1/0
ip route 192.168.1.30 255.255.255.255 FastEthernet1/0
ip route 192.168.254.0 255.255.255.0 FastEthernet1/0
no ip http server
no ip http secure-server
!
!
!
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 deny   ip 192.168.6.0 0.0.0.255 any
access-list 110 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 password 7 xxxxxxxxxxxxxxB5E
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 2 in
 password 7 xxxxxxxxxxxxx84957
 login
!
end

Last edited by ErGasti on Tue 22 Sep 2009, 10:14 pm; edited 1 time in total.

danny webber

OK, add this command:

ip route 0.0.0.0 0.0.0.0 94.73.100.209

After the extended ping, also try the extended trace and post everything, thanks.

ErGasti

Code:

(config)#ip route 0.0.0.0 0.0.0.0 94.73.100.209
router(config)#exit
router#wr
Building configuration...
[OK]
*Sep 18 10:50:39.976: %SYS-5-CONFIG_I: Configured from console by console
#ping 216.239.59.99

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.239.59.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/97/128 ms
router#

GREAT! It works even without the extended options! :D

danny webber

Run this command:

show ip route

and post the result.

ErGasti

Hi, sorry, I had other headaches to sort out.

The router now reaches the Internet perfectly; I'm attaching the routing table anyway:

Code:

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 94.xxx.xxx.209 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 94.xxx.xxx.209
      94.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        94.xxx.xxx.xxx/28 is directly connected, FastEthernet1/0
L        94.xxx.xxx.xxx/32 is directly connected, FastEthernet1/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
S        192.168.1.0/24 is directly connected, FastEthernet1/0
S        192.168.1.30/32 is directly connected, FastEthernet1/0
      192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.6.0/24 is directly connected, FastEthernet3/0
L        192.168.6.1/32 is directly connected, FastEthernet3/0
S     192.168.254.0/24 is directly connected, FastEthernet1/0

Now, though, the VPN won't come up, maybe because the connection is monstrously slow. I'm attaching the config so you can take a look:

Code:


router>sh run

                     ^

% Invalid input detected at '^' marker.



router>conf t

                    ^

% Invalid input detected at '^' marker.



router>en

Password:

Password:

Password:

% Bad secrets



router>en

Password:

router#sh run

Building configuration...



Current configuration : 2573 bytes

!

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname router

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxxxxxxxxxxXGGnQ8A.

!

no aaa new-model

ip subnet-zero

ip source-route

ip cef

!

!

!

!

no ip domain lookup

ip name-server 195.47.199.18

ip name-server 195.25.178.30

ip name-server 151.99.125.2

!

!

multilink bundle-name authenticated

call rsvp-sync

!

!

!

!

!

!

!

!

!

!

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

crypto isakmp key router address 82.xxx.xxx.xxx 255.255.255.0

!

!

crypto ipsec transform-set VPN_router esp-3des esp-sha-hmac

!

crypto map STATIC_router 1 ipsec-isakmp

 set peer 82.xxx.xxx.xxx

 set transform-set VPN_router

 match address 101

!

crypto map STATIC_router local-address FastEthernet1/0

!

!

!

!

!

interface FastEthernet1/0

 ip address 94.xxx.xxx.210 255.255.255.240

 ip nat outside

 duplex full

 no keepalive

 crypto map STATIC_router

!

interface FastEthernet2/0

 no ip address

 shutdown

 duplex half

!

interface FastEthernet3/0

 ip address 192.168.6.1 255.255.255.0

 ip nat inside

 duplex full

 no keepalive

!

router rip

 network 192.168.6.0

!

ip default-gateway 94.xxx.xxx.209

ip nat inside source list 1 interface FastEthernet1/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 94.xxx.xxx.209

ip route 192.168.1.0 255.255.255.0 FastEthernet1/0

ip route 192.168.1.30 255.255.255.255 FastEthernet1/0

ip route 192.168.254.0 255.255.255.0 FastEthernet1/0

no ip http server

no ip http secure-server

!

!

!

access-list 1 permit 192.168.6.0 0.0.0.255

access-list 2 permit 192.168.6.0 0.0.0.255

access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255

access-list 100 deny   ip 192.168.6.0 0.0.0.255 any

access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255

access-list 101 deny   ip 192.168.6.0 0.0.0.255 any

access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 110 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 110 deny   ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255

access-list 110 permit ip 192.168.6.0 0.0.0.255 any

!

!

control-plane

!

!

dial-peer cor custom

!

!

!

!

gatekeeper

 shutdown

!

!

line con 0

 password 7 xxxxxxxxxxxxxxx35B5E

 stopbits 1

line aux 0

 stopbits 1

line vty 0 4

 access-class 2 in

 password 7 xxxxxxxxxxxxx957

 login

!

end



router#

This is a show crypto:

Code:



     local crypto endpt.: 82.xxx.xxx.xxx, remote crypto endpt.: 94.xxx.xxx.210

     path mtu 1500, media mtu 1500

     current outbound spi: 3C96EB2C



     inbound esp sas:

      spi: 0x8F04C1FE(2399453694)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2048, flow_id: 49, crypto map: STATIC_router

        sa timing: remaining key lifetime (k/sec): (4480156/157)

        IV size: 8 bytes

        replay detection support: Y

*May 14 00:57:19.767: YPTO-6-PRINTABORT: deletion caused early termination of show output for identity











Crypto Map "STATIC_router" 8 ipsec-isakmp

        Peer = 94.xxx.xxx.210

        Extended IP access list 106

            access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

            access-list 106 permit ip 192.168.254.0 0.0.0.255 192.168.6.0 0.0.0.255

        Current peer: 94.xxx.xxx.210

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                VPN_router,

        }

        Interfaces using crypto map STATIC_router:

                FastEthernet0/0



MANY THANKS
Last edited by ErGasti on Tue 22 Sep 2009, 10:13 pm; edited 1 time in total.

Gianremo.Smisek
Messianic Network master
Posts: 1159
Joined: Sun 11 Mar 2007, 2:23 pm
Location: Termoli

It's monstrously slow because to go out you are passing through the VPN.

In the NAT rule, before the permit, put a deny towards the VPN network.

Bye

ErGasti

No, no, it's just as slow even with the laptop connected directly to the antenna; I've already opened a ticket.

As for the VPN, with show crypto ipsec sa it looks like some traffic is passing between the VPNs; I think it's a routing problem here too.

Should I open a new thread?

Here is the show crypto ipsec sa (client side):

Code:

router#show crypto ipsec sa



interface: FastEthernet1/0

    Crypto map tag: STATIC_router, local addr 94.xxx.xxx.xxx



   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)

   current_peer 82.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0



     local crypto endpt.: 94.xxx.xxx.xxx, remote crypto endpt.: 82.xxx.xxx.xxx

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none



     inbound esp sas:



     inbound ah sas:



     inbound pcp sas:



     outbound esp sas:



     outbound ah sas:



     outbound pcp sas:



   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

   current_peer 82.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0



     local crypto endpt.: 94.xxx.xxx.xxx, remote crypto endpt.: 82.xxx.xxx.xxx

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none



     inbound esp sas:



     inbound ah sas:



     inbound pcp sas:



     outbound esp sas:



     outbound ah sas:



     outbound pcp sas:



   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   current_peer 82.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 961, #pkts decrypt: 961, #pkts verify: 961

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 141



     local crypto endpt.: 94.xxx.xxx.xxx, remote crypto endpt.: 82.xxx.xxx.xxx

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x80D40784(2161379204)

     PFS (Y/N): N, DH group: none



     inbound esp sas:

      spi: 0xEAEC056F(3941336431)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 59, flow_id: 59, sibling flags 80000040,  crypto map: STATIC_router

        sa timing: remaining key lifetime (k/sec): (4527573/1862)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE



     inbound ah sas:



     inbound pcp sas:



     outbound esp sas:

      spi: 0x80D40784(2161379204)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 60, flow_id: 60, sibling flags 80000040,  crypto map: STATIC_router

        sa timing: remaining key lifetime (k/sec): (4527578/1862)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE



     outbound ah sas:



     outbound pcp sas:

router#

router#

router#ping

Protocol [ip]:

Target IP address: 192.168.1.21

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 97.xxx.xxx.xxx

% Invalid source

Source address or interface: 192.168.6.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.21, timeout is 2 seconds:

Packet sent with a source address of 192.168.6.1

.....

Success rate is 0 percent (0/5)

router#ping

Protocol [ip]:

Target IP address: 192.168.1.21

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 94.xxx.xxx.xxx

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.21, timeout is 2 seconds:

Packet sent with a source address of 94.xxx.xxx.xxx

.....

Success rate is 0 percent (0/5)

router#ping 192.168.1.1



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

router#ping 192.168.1.1



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

router#ping 192.168.1.21



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.21, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

router#

Server side:

Code:

   protected vrf:

   local  ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

   current_peer: 94.xxx.xxx.xxx:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0



     local crypto endpt.: 82.xxx.xxx.xxx, remote crypto endpt.: 94.xxx.xxx.xxx

     path mtu 1500, media mtu 1500

     current outbound spi: 0



     inbound esp sas:



     inbound ah sas:



     inbound pcp sas:



     outbound esp sas:



     outbound ah sas:



     outbound pcp sas:







   protected vrf:

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

   current_peer: 94.xxx.xxx.xxx:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 1536, #pkts encrypt: 1536, #pkts digest 1536

    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 4, #recv errors 0



     local crypto endpt.: 82.xxx.xxx.xxx, remote crypto endpt.: 94.xxx.xxx.xxx

     path mtu 1500, media mtu 1500

     current outbound spi: EAEC056F



     inbound esp sas:

      spi: 0x80D40784(2161379204)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2030, flow_id: 31, crypto map: STATIC_router

        sa timing: remaining key lifetime (k/sec): (4530481/1408)

        IV size: 8 bytes

        replay detection support: Y



     inbound ah sas:



     inbound pcp sas:



     outbound esp sas:

      spi: 0xEAEC056F(3941336431)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 2031, flow_id: 32, crypto map: STATIC_router

        sa timing: remaining key lifetime (k/sec): (4530476/1408)

        IV size: 8 bytes

        replay detection support: Y



     outbound ah sas:



     outbound pcp sas:



   protected vrf:

  

router#ping 192.168.6.1



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.6.1, timeout is 2 seconds:

.U.U.

Success rate is 0 percent (0/5)

router#

From what I can understand in my ignorance, the VPN between client and server has come up but the traffic is not being routed correctly.
The ping from the client to the server router 192.168.1.1 went from 80% to 100% on the second attempt, but if I ping any IP (that I'm sure is up) other than the router, it doesn't ping.

From the server router to the client nothing pings.

I had already had the same problem with an 857W, which you helped me solve; I've tried everything that came to mind but it doesn't work. :cry:

The routing table is still the one above.

Many thanks!
Last edited by ErGasti on Tue 22 Sep 2009, 10:03 pm; edited 2 times in total.

Gianremo.Smisek

I told you above how to do it :)

You have to deny NAT for the traffic that goes into the VPN.

ErGasti

intel wrote:
I told you above how to do it :)

You have to deny NAT for the traffic that goes into the VPN.

I admit my ignorance, I'm learning; I'm not asking to be spoon-fed, but if I knew everything I wouldn't be asking for help on this forum. I got stuck here: I tried, but with the extended traceroute it still gives me the gateway as the first hop, and of course nothing pings.

I made these changes:
removed these:

Code:

ip route 192.168.1.0 255.255.255.0 FastEthernet1/0
ip route 192.168.1.30 255.255.255.255 FastEthernet1/0
ip route 192.168.254.0 255.255.255.0 FastEthernet1/0

added (but it was an attempt to do what you asked me, certainly wrong) a:

Code:

ip nat inside source list 110 pool router overload

thanks

Gianremo.Smisek

Code:

ip nat inside source list 120 interface FastEthernet1/0 overload
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 120 permit ip 192.168.6.0 0.0.0.255 any

Remove the previous NAT and try it like this. Let's see if that solves it.


Bye
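
An added example, not part of the thread: a Python check that the NAT access list exempts every flow the crypto map's access list selects, which is what list 120 above does. On IOS, inside-to-outside NAT is applied before the crypto map is evaluated, so a translated packet no longer matches the crypto ACL. The sample configs are constructed from lines posted in the thread; the function names are this example's own, and it assumes numbered ACLs (1-99 standard, 100-199 extended) with contiguous wildcards.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: NAT, crypto-map and ACL lines of the client router as posted.
BEFORE = """\
crypto map STATIC_router 1 ipsec-isakmp
 match address 101
ip nat inside source list 1 interface FastEthernet1/0 overload
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny   ip 192.168.6.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# The same sample with the NAT rule pointed at the list 120 suggested above.
AFTER = BEFORE.replace("source list 1 ", "source list 120 ") + """\
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 120 permit ip 192.168.6.0 0.0.0.255 any
"""

def to_net(addr, wild):
    """Convert an address/wildcard pair to a network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wild))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wild} is not supported")
    return ipaddress.ip_network(f"{addr}/{32 - bin(w).count('1')}", strict=False)

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of a token list."""
    first = tok.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return to_net(tok.pop(0), "0.0.0.0")
    return to_net(first, tok.pop(0) if tok else "0.0.0.0")

def parse(config):
    """Return ({acl_number: [(action, src, dst)]}, nat_lists, crypto_lists)."""
    acls, nat_lists, crypto_lists = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\d+) +(permit|deny) +(.+)", line):
            num, action, tok = int(m[1]), m[2], m[3].split()
            if num >= 100:            # extended ACL: protocol, source, destination
                tok.pop(0)            # protocol keyword; only "ip" is handled here
                src, dst = take_addr(tok), take_addr(tok)
            else:                     # standard ACL: source only
                src, dst = take_addr(tok), ANY
            acls.setdefault(num, []).append((action, src, dst))
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.append(int(m[1]))
        elif m := re.match(r"match address (\d+)", line):
            crypto_lists.append(int(m[1]))
    return acls, nat_lists, crypto_lists

def first_match(acl, src, dst):
    """Action of the first entry touching the flow; 'partial' if it only overlaps."""
    for action, a_src, a_dst in acl:
        if a_src.overlaps(src) and a_dst.overlaps(dst):
            covered = src.subnet_of(a_src) and dst.subnet_of(a_dst)
            return action if covered else "partial"
    return "deny"                     # implicit deny that ends every ACL

def nat_leaks(config):
    """List (nat_acl, src, dst) for VPN flows that would be translated by NAT."""
    acls, nat_lists, crypto_lists = parse(config)
    leaks = []
    for c in crypto_lists:
        for action, src, dst in acls.get(c, []):
            # Skip deny entries and permits shadowed by an earlier entry.
            if action != "permit" or first_match(acls[c], src, dst) != "permit":
                continue
            for n in nat_lists:
                if first_match(acls.get(n, []), src, dst) != "deny":
                    leaks.append((n, str(src), str(dst)))
    return leaks

if __name__ == "__main__":
    print("before:", nat_leaks(BEFORE), "after:", nat_leaks(AFTER))
```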

ErGasti

Hi and thanks, I removed the earlier NAT and put this one in, and now pinging from the server behind the central router I get 2/4.

On the client router side, with the extended options and source 192.168.6.1, I get 2/5.


Just to understand: I had done the NAT this way too, but using 110 rather than 120,
and both are extended lists, so why does it work with 120 (at least partly) and not with 110?

Besides the documentation on the Cisco site, do you have any book to recommend, perhaps in Italian?

Thanks