route vpn client to lan to lan remote

Virtual private networks and the like

Moderator: Federico.Lagni

Reply
kese87
n00b
Posts: 23
Joined: Sat 11 Apr 2009, 8:40 pm

Hi everyone,
I need a little help.

I have a Cisco 1801 configured with 2 L2L VPNs and one VPN client access.

I'd like the VPN client users to be able to browse the remote LANs connected to the Cisco.

Let me explain better:

cisco 1801:

1 lan to lan: remote network 172.16.200.0/24 (cisco 877)
2 lan to lan: remote network 172.16.201.0/24 (cisco 877)

local network: 172.16.199.0/24

vpn client: 172.16.254.0/24

I modified the VPN client ACL, which is now:

access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255

and now if I look at the VPN client's secured routes I see all three networks, but I can only reach the hosts on the 172.16.199.0/24 network.

a little help??

Here is the configuration concerning the VPN tunnels:


ip nat inside source route-map NAT0-RM interface Dialer0 overload
!
!
access-list 1 remark *********************
access-list 1 remark *** ACL ROUTE-MAP ***
access-list 1 remark *********************
access-list 1 permit 172.16.199.0 0.0.0.255
access-list 1 permit 172.16.254.0 0.0.0.255


access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to chianciano ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to chiusi ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 100 permit ip 172.16.254.0 0.0.0.255 any


access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ************************
access-list 151 remark --VPN-chiusi--
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 152 remark --VPN-chianciano--
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map NAT0-RM permit 1
match ip address 100

THANKS IN ADVANCE, I hope some kind soul has two minutes to give me a few pointers...
alkol75
n00b
Posts: 5
Joined: Mon 10 Apr 2006, 11:21 am

Hi everyone, I have the same problem too, but on a PIX 515e.
I need the clients that connect with the Cisco VPN Client to be able to reach a remote LAN connected L2L between the PIX 515e and an ASA which, however, is not under my management.

Can you tell me how I can do it?

Thanks in advance to everyone.
kese87
n00b
Posts: 23
Joined: Sat 11 Apr 2009, 8:40 pm

Can nobody give us a little hint?
I've read here and there that I need to work with nat0 and the crypto ACLs....

so it occurs to me:

1) my crypto ACL for the VPN client is 199, so I need to add the networks of the other tunnels here, i.e.:

access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255


2) I have to work with nat0, so mine should become:

access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to chianciano ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to chiusi ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any

but it still doesn't work.... did I get something wrong or forget something?
kese87
n00b
Posts: 23
Joined: Sat 11 Apr 2009, 8:40 pm

I did it :D tomorrow I'll post the routers' configuration... for anyone who may be interested !! :D
zot
Messianic Network master
Posts: 1274
Joined: Wed 17 Nov 2004, 1:13 am
Location: Teramo

Ooh.. we're interested....
If there's a solution, why get angry?
If there's no solution, why get angry?


http://www.zotbox.net
erotodo63
n00b
Posts: 7
Joined: Mon 21 Sep 2009, 10:52 am

kese87

can I ask you for the working configuration?
I know that I know nothing
alkol75
n00b
Posts: 5
Joined: Mon 10 Apr 2006, 11:21 am

I need to make it so that whoever connects via VPN with the Cisco Client can also reach some Site-to-Site VPNs. The VPNs are established on a PIX 515e.
Individually, the VPNs work fine.
I'm posting the relevant part of the configuration.
The PIX is on software version 6.3(4)
Thanks in advance.

access-list nonat permit ip 172.20.0.0 255.255.0.0 172.10.1.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.48 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.128 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.112 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.2.144 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 172.100.1.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.129.3.176 255.255.255.240
access-list nonat permit ip 172.20.0.0 255.255.0.0 host 10.1.1.1
access-list nonat permit ip 172.20.0.0 255.255.0.0 172.255.0.0 255.255.255.192
access-list nonat permit ip 172.20.0.0 255.255.0.0 10.66.224.16 255.255.255.240
access-list nonat permit ip host qf010_dmz 172.255.0.0 255.255.255.192
access-list ServerFarm permit ip 172.20.0.0 255.255.0.0 172.10.1.0 255.255.255.0
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.48 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.128 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.112 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.2.144 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.129.3.176 255.255.255.240
access-list Barberino permit ip 172.20.0.0 255.255.0.0 10.66.224.16 255.255.255.240
access-list Q-Usr-VPN_splitTunnelAcl permit ip 172.20.0.0 255.255.0.0 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.10.1.0 255.255.255.0 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.48 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.112 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.128 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.2.144 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.129.3.176 255.255.255.240 any
access-list Q-Usr-VPN_splitTunnelAcl permit ip 10.66.224.16 255.255.255.240 any
access-list outside_cryptomap_dyn_20 permit ip any 172.100.1.0 255.255.255.0
access-list SEmilia permit ip 172.20.0.0 255.255.0.0 172.30.1.0 255.255.255.0
access-list Agr permit ip 172.20.0.0 255.255.0.0 host 10.1.1.1

sysopt connection permit-ipsec
crypto ipsec transform-set Q_3DES_set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set Q_3DES_set
crypto map VPN_map 20 ipsec-isakmp
crypto map VPN_map 20 match address ServerFarm
crypto map VPN_map 20 set peer 1.1.1.1
crypto map VPN_map 20 set transform-set Q_3DES_set
crypto map VPN_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 21 ipsec-isakmp
crypto map VPN_map 21 match address Barberino
crypto map VPN_map 21 set peer 2.2.2.2
crypto map VPN_map 21 set transform-set Q_3DES_set
crypto map VPN_map 21 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 22 ipsec-isakmp
crypto map VPN_map 22 match address SEmilia
crypto map VPN_map 22 set peer 3.3.3.3
crypto map VPN_map 22 set transform-set Q_3DES_set
crypto map VPN_map 22 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 23 ipsec-isakmp
crypto map VPN_map 23 match address Agr
crypto map VPN_map 23 set peer 4.4.4.4
crypto map VPN_map 23 set transform-set Q_3DES_set
crypto map VPN_map 23 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map VPN_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map VPN_map client authentication partnerauth
crypto map VPN_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Q-Usr-VPN address-pool Q-VPN-Pool
vpngroup Q-Usr-VPN dns-server 172.20.2.2 qs014_inside
vpngroup Q-Usr-VPN default-domain q.local
vpngroup Q-Usr-VPN split-tunnel Q-Usr-VPN_splitTunnelAcl
vpngroup Q-Usr-VPN idle-time 1800
vpngroup Q-Usr-VPN password ********
alkol75
n00b
Posts: 5
Joined: Mon 10 Apr 2006, 11:21 am

Can nobody give me a teeny-tiny bit of help. :cry: :cry: :cry:
In the Cisco client I see the Secured Routes, but I can't ping them or reach the PCs on those networks.

Thanks in advance.
kese87
n00b
Posts: 23
Joined: Sat 11 Apr 2009, 8:40 pm

Hi, this is my configuration:

I'm posting only the access-list part, since fixing those was enough for me:

access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to prima vpn ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to seconda vpn ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any


access-list 151 remark ************************
access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ************************
access-list 151 remark --VPN-prima vpn--
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 151 permit ip 172.16.254.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 152 remark --VPN-seconda vpn--
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 152 permit ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.201.0 0.0.0.255 172.16.254.0 0.0.0.255

In short, I added deny and permit entries for the VPN client network range toward the other VPNs handled by the router.

I did the same thing (deny and permit for the VPN client range) on the routers that terminate the first and second VPNs.

If necessary I'll post the routers' full configuration

I hope I've been helpful
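As an added example (not part of the thread and not the posters' own configuration), the script below encodes the rule kese87's final post arrives at, and which alkol75's PIX question needs too: for a flow from the VPN client pool to a remote site-to-site LAN, the NAT-exemption ACL (the route-map ACL 100 here, `nonat` on the PIX) must not permit the flow, and one of the site-to-site crypto ACLs must permit it, mirrored on the far end. It parses the thread's "before" and "after" IOS ACLs (constructed sample text, trimmed to the 172.16.200.0/24 tunnel), evaluates them first-match, reports which leg breaks, and prints the mirrored entries the remote 877 would need; `pix=True` switches the parser to PIX subnet-mask syntax. Assumptions: only `permit`/`deny ip` entries, contiguous masks, no `name`-defined hostnames, and the IOS ordering in which inside-to-outside NAT runs before encryption, so a translated source no longer matches the crypto ACL.

```python
"""Check NAT-exemption and crypto-ACL coverage for a VPN-client flow.

Added example, not the thread's configuration. Rule encoded:
  1. the NAT route-map ACL must NOT permit the flow (deny = exempt),
     because NAT runs before encryption on IOS and a translated source
     no longer matches any crypto ACL;
  2. some crypto ACL must permit the flow, or it is not encrypted.
Assumptions: only 'permit/deny ip' entries, contiguous masks, no hostnames.
"""
import ipaddress
from collections import defaultdict

ANY = ipaddress.ip_network("0.0.0.0/0")


def _network(addr, mask, pix):
    # IOS numbered ACLs use wildcard masks (0.0.0.255); PIX 6.x uses subnet
    # masks (255.255.255.0). Normalise both to a network object. The wildcard
    # is inverted explicitly so 0.0.0.0 (host) and 255.255.255.255 (any) are
    # not misread as subnet masks.
    if pix:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    netmask = ipaddress.ip_address((~int(ipaddress.ip_address(mask))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_prefix(tokens, pix):
    # Consume one address specification: 'any', 'host X', or 'X MASK'.
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _network(tokens[0], tokens[1], pix), tokens[2:]


def parse_acls(text, pix=False):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order."""
    acls = defaultdict(list)
    for line in text.splitlines():
        tok = line.split()
        # Skip blank lines, remarks and standard (non-'ip') entries.
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, rest = _take_prefix(tok[4:], pix)
        dst, _ = _take_prefix(rest, pix)
        acls[tok[1]].append((tok[2], src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First-match ACL evaluation; None means no entry matched (implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return None


def check_flow(acls, nat_acl, crypto_acls, src_ip, dst_ip):
    """Is src->dst exempt from NAT and permitted by one of the crypto ACLs?"""
    natted = evaluate(acls[nat_acl], src_ip, dst_ip) == "permit"
    encrypted = any(evaluate(acls[n], src_ip, dst_ip) == "permit" for n in crypto_acls)
    return {"natted": natted, "encrypted": encrypted, "ok": (not natted) and encrypted}


def mirror_entries(entries, name):
    """Crypto ACL lines the remote peer needs: the same permits with src/dst swapped."""
    return [f"access-list {name} permit ip {dst.network_address} {dst.hostmask} "
            f"{src.network_address} {src.hostmask}"
            for action, src, dst in entries if action == "permit"]


# Constructed sample: the thread's first post (VPN client traffic to the
# 172.16.200.0/24 site is NAT'ed by 'permit 172.16.254.0 any' and no crypto
# ACL covers it) and the final working post.
BEFORE = """
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 100 permit ip 172.16.254.0 0.0.0.255 any
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
"""
AFTER = """
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 152 permit ip 172.16.254.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 199 permit ip 172.16.200.0 0.0.0.255 172.16.254.0 0.0.0.255
"""
CRYPTO_ACLS = ("151", "152", "199")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        acls = parse_acls(cfg)
        print(label, "172.16.254.10 -> 172.16.200.5",
              check_flow(acls, "100", CRYPTO_ACLS, "172.16.254.10", "172.16.200.5"))
    # What the remote 877 terminating tunnel 152 needs in its own crypto ACL.
    print("\n".join(mirror_entries(parse_acls(AFTER)["152"], "152")))
```

Run it as-is to see the "before" flow flagged as `natted=True, encrypted=False` and the "after" flow as `ok=True`; point `parse_acls(..., pix=True)` at a PIX `nonat` plus crypto ACL set to run the same check on alkol75's box once the VPN pool address range is known.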
Reply