!HELP! VPN|2| the tunnel does not come up. Interesting traffic? Only from the remote side

Virtual private networks and related topics

Moderator: Federico.Lagni

kese87
n00b
Posts: 23
Joined: Sat 11 Apr 2009, 8:40 pm

HELP.....

Hi everyone, I have a really quick question.

This is my configuration:
vpn tunnel
172.16.199.x/24 <---> 1801 <--------------------------> 877<----> 172.16.201.x/24
wan ip: 88.149.1xx.xx/32 wan ip: 88..... /32

So I can't understand why the tunnel comes up only when it feels like it, that is:

If I ping a server on the 199 network from the 201 network, the tunnel comes up and everything worked correctly, until the traffic from the 201 network to the 199 network stopped and the tunnel was no longer active. (I think the lifetime expired, but why wasn't a new connection negotiated, given that on the 199 network there is an Asterisk server that checks the reachability of a VoIP phone on the 201 network?)

Now I tried pinging a host on the 201 network from the 199 network, but the tunnel does not come up.
The line at the 877 end is up; the router answers on its IP.

If anyone has two minutes, any tip or advice is welcome.
Thanks

1801

Code:

Current configuration : 9194 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 debugging
logging console critical
enable secret 5 ***
enable password 7 ***
!
no aaa new-model
!
resource policy
!
clock timezone CET 1
clock summer-time ROMA recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.199.96 172.16.199.254
!
ip dhcp pool voipsi
   import all
   network 172.16.199.0 255.255.255.0
   dns-server 88.149.128.12 208.67.222.222
   domain-name ***.localdomain
   default-router 172.16.199.254
   lease 0 2
!
!
no ip domain lookup
ip domain name ***.localdomain
ip name-server 88.149.128.12
ip name-server 208.67.222.222
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name FWOUT icmp
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
!
username admin privilege 15 password 7 ***
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *** address 78.134.6.xxx no-xauth
crypto isakmp key *** address 78.134.6.yyy no-xauth
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90

!
crypto isakmp client configuration group ***
 key ***
 pool remote-pool
 acl 199
 max-users 5
 max-logins 3
 banner ^C
 **************************************************************************      Se non siete esplicitamente autorizzati,DISCONNETETEVI
 IMMEDIATAMENTE.
 Ogni abuso verr` perseguito.

 System is RESTRICTED to authorized personnel ONLY
 Unauthorized use of this system will be logged and prosecuted
 to the fullest extent of the law.
 If you are NOT authorized to use this system, LOG OFF NOW
 *************************************************************************          ^C
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-CLI esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 10
 set transform-set VPN-CLI
!
!
crypto map VPN client authentication list ***
crypto map VPN isakmp authorization list ***
crypto map VPN client configuration address respond
crypto map VPN 1 ipsec-isakmp
 description Tunnel to ***
 set peer 78.134.6.xxx
 set security-association lifetime seconds 190
 set transform-set VPN-SET
 match address 151
crypto map VPN 2 ipsec-isakmp
 description Tunnel to ***
 set peer 78.134.6.yyy
 set security-association lifetime seconds 190
 set transform-set VPN-SET
 match address 152
crypto map VPN 65535 ipsec-isakmp dynamic remote-dyn
!
!
!
!
interface FastEthernet0
 ip address 192.168.0.200 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 ip broadcast-address 0.0.0.0
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 mtu 1500
 no ip address
 ip broadcast-address 0.0.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 ip address 172.16.199.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1350
 no ip mroute-cache
!
interface Dialer0
 ip address 88.149.1xx.zzz 255.255.255.252
 ip access-group 131 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip inspect FWOUT out
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no snmp trap link-status
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username *** password 7 ***
 ppp multilink
 ppp multilink interleave
 crypto map VPN
 ip rtp reserve 10000 10000
!
!
router rip
 version 1
 network 172.16.0.0
!
ip local pool remote-pool 172.16.254.239 172.16.254.243
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT0-RM interface Dialer0 overload
!
!
!
!
!
access-list 1 remark *********************
access-list 1 remark *** ACL ROUTE-MAP ***
access-list 1 remark *********************
access-list 1 permit 172.16.199.0 0.0.0.255
access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to chianciano ---
access-list 100 deny   ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to chiusi ---
access-list 100 deny   ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny   ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO VPN  ***
access-list 131 remark *****************************
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO NTP  ***
access-list 131 remark *****************************
access-list 131 permit udp any any eq ntp
access-list 131 remark *****************************
access-list 131 remark *** ACL SERVER INTERNI    ***
access-list 131 remark *****************************
access-list 131 permit tcp any any eq ftp
access-list 131 permit tcp any any eq www
access-list 131 remark *****************************
access-list 131 remark *** ACL TRAFFICO VOIP     ***
access-list 131 remark *****************************
access-list 131 permit udp any any range 10000 20000
access-list 131 permit udp any any range 5060 5061
access-list 131 remark *****************************
access-list 131 remark *** ACL ANTI-SPOOFING     ***
access-list 131 remark *****************************
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *****************************************
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 remark *****************************************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER BLOCCARE WORM ***
access-list 131 remark *****************************
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 8888
access-list 131 deny   tcp any any eq 8594
access-list 131 deny   tcp any any eq 8563
access-list 131 deny   tcp any any eq 7778
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark ************************************************
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 remark ************************************************
access-list 131 deny   ip any any log
access-list 151 remark ************************
access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ************************
access-list 151 remark --VPN-chiusi--
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 152 remark --VPN-chianciano--
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 199 remark --VPN-client-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map NAT0-RM permit 1
 match ip address 100
!
!
!
!
control-plane
!
!
line con 0
line aux 0
 password 7 ***
line vty 0 4
 password 7 ***
 login
!
ntp clock-period 17179391
ntp server 193.204.114.232
ntp server 193.204.114.233
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
877

Code:

Current configuration : 7677 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000
logging console critical
!
no aaa new-model
clock timezone CET 1
clock summer-time ROMA recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.201.96 172.16.201.254
!
ip dhcp pool voipchs
   import all
   network 172.16.201.0 255.255.255.0
   dns-server 88.149.128.12 208.67.222.222
   domain-name ***.localdomain
   default-router 172.16.201.254
   lease 0 2
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name FWOUT icmp
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
no ip domain lookup
ip domain name ***.localdomain
ip name-server 88.149.128.12
ip name-server 208.67.222.222
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
!
username *** privilege 15 password 0 ***
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *** address *** no-xauth
crypto isakmp key *** address *** no-xauth
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map VPN 1 ipsec-isakmp
 description Tunnel to ***
 set peer ***
 set transform-set VPN-SET
 match address 151
crypto map VPN 2 ipsec-isakmp
 description Tunnel to chianciano
 set peer ***
 set transform-set VPN-SET
 match address 152
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 mtu 1500
 no ip address
 ip broadcast-address 0.0.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 mtu 1500
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip inspect FWOUT out
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.16.201.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1350
 no ip mroute-cache
!
interface Dialer0
 ip address negotiated
 ip access-group 131 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip inspect FWOUT out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no snmp trap link-status
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username *** password 0 ***
 crypto map VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source route-map NAT0-RM interface Dialer0 overload
!
!
access-list 1 remark *********************
access-list 1 remark *** ACL ROUTE-MAP ***
access-list 1 permit 172.16.201.0 0.0.0.255
access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark --- to siena ----
access-list 100 deny   ip 172.16.201.0 0.0.0.255 172.16.199.0 0.0.0.255
access-list 100 remark --- to chianciano ----
access-list 100 deny   ip 172.16.201.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark --- to translate ----
access-list 100 permit ip 172.16.201.0 0.0.0.255 any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO VPN  ***
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO NTP  ***
access-list 131 permit udp any any eq ntp
access-list 131 remark *************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *****************************************
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER BLOCCARE WORM ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 8888
access-list 131 deny   tcp any any eq 8594
access-list 131 deny   tcp any any eq 8563
access-list 131 deny   tcp any any eq 7778
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark ************************************************
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 deny   ip any any log
access-list 151 remark ************************
access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ----- to siena ----
access-list 151 permit ip 172.16.201.0 0.0.0.255 172.16.199.0 0.0.0.255
access-list 152 remark ----- to chiusi ----
access-list 152 permit ip 172.16.201.0 0.0.0.255 172.16.200.0 0.0.0.255
!
!
route-map NAT0-RM permit 1
 match ip address 100
!
!
control-plane
!
banner login ^C

****************************************************************
Se non siete esplicitamente autorizzati,DISCONNETETEVI
IMMEDIATAMENTE.
Ogni abuso verr` perseguito.

System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
****************************************************************

^C
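When a site-to-site tunnel comes up from one side only, the two things worth checking first are that the crypto ACLs on the two peers are exact mirrors of each other (source and destination swapped) and that the NAT route-map on each side denies the same flows, so the interesting traffic is not translated before the crypto map sees it. The script below, added here as an example and not part of the original post or of any Cisco tooling, reads those pieces out of IOS config fragments and reports mismatches. The fragments in it are constructed in the shape of the 1801 and 877 configs above, with placeholder WAN addresses; because the 877's Dialer0 address is negotiated, check_pair takes both peers' current public addresses as arguments instead of reading them from the configs.

```python
# Added example (not code from the post or from Cisco): cross-check two IPsec peers' crypto ACLs
# for exact mirroring and NAT exemption. A flow is (src, src_wc, dst, dst_wc), 'any' expanded.
import re

def _addr(t, i):
    """One address spec ('any' or 'ADDR WILDCARD') at t[i] -> (addr, wildcard, next index)."""
    return ("0.0.0.0", "255.255.255.255", i + 1) if t[i] == "any" else (t[i], t[i + 1], i + 2)

def parse_acls(config):
    """{acl number: [(action, flow), ...]} in configured order ('ip' entries only)."""
    acls = {}
    for t in (line.split() for line in config.splitlines()):
        if len(t) >= 5 and t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, src_wc, i = _addr(t, 4)
            dst, dst_wc, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((t[2], (src, src_wc, dst, dst_wc)))
    return acls

def parse_crypto_maps(config):
    """{seq: {'peer': ..., 'acl': ...}} for static crypto map entries; dynamic ones are skipped."""
    entries, cur = {}, None
    for line in config.splitlines():
        m, w = re.match(r"^crypto map \S+ (\d+) ipsec-isakmp\s*$", line), line.split()
        if m:
            cur = entries.setdefault(m.group(1), {})
        elif line.startswith(" ") and cur is not None and w[:2] in (["set", "peer"], ["match", "address"]):
            cur["peer" if w[0] == "set" else "acl"] = w[2]
        elif not line.startswith(" "):
            cur = None  # any other top-level command ends the crypto map block
    return entries

def nat_exempt_acl(config):
    """Number of the ACL matched by the route-map named in 'ip nat inside source route-map'."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    blk = rm and re.search(r"^route-map %s permit \d+\n((?: .*\n?)*)" % re.escape(rm.group(1)), config, re.M)
    acl = blk and re.search(r"match ip address (\d+)", blk.group(1))
    return acl.group(1) if acl else None

def nat_exempt(nat_acl, flow):
    """First match wins: the flow escapes NAT only if the first entry covering it is a deny,
    or nothing covers it (then the route-map clause does not fire)."""
    ip = lambda s: int.from_bytes(bytes(map(int, s.split("."))), "big")
    def covers(addr, wc, f_addr, f_wc):  # ACL term (addr, wc) matches every address of (f_addr, f_wc)
        fixed = 0xFFFFFFFF ^ ip(wc)      # the bits the ACL term actually compares
        return (ip(f_wc) & fixed) == 0 and ((ip(f_addr) ^ ip(addr)) & fixed) == 0
    for action, t in nat_acl:
        if covers(*t[:2], *flow[:2]) and covers(*t[2:], *flow[2:]):
            return action == "deny"
    return True

def check_pair(cfg_a, wan_a, cfg_b, wan_b):
    """Findings for the tunnel A <-> B; an empty list means both crypto ACLs mirror each other
    exactly and neither side's NAT route-map translates the tunnelled flows."""
    cfgs, peer_of, flows, findings = {"A": cfg_a, "B": cfg_b}, {"A": wan_b, "B": wan_a}, {}, []
    for side, cfg in cfgs.items():
        acls = parse_acls(cfg)
        flows[side] = {f for e in parse_crypto_maps(cfg).values() if e.get("peer") == peer_of[side]
                       for act, f in acls.get(e.get("acl"), []) if act == "permit"}
    for side, other in (("A", "B"), ("B", "A")):
        nat_acl = parse_acls(cfgs[side]).get(nat_exempt_acl(cfgs[side]), [])
        for f in sorted(flows[side]):
            line = "%s: crypto ACL line %s/%s -> %s/%s " % ((side,) + f)
            if f[2:] + f[:2] not in flows[other]:  # the peer must carry the mirror (ends swapped)
                findings.append(line + "has no exact mirror on " + other)
            if not nat_exempt(nat_acl, f):
                findings.append(line + "would be NAT-translated before encryption")
    return findings

# CONSTRUCTED fragments in the shape of the post's 1801 (A) and 877 (B) configs; the WAN
# addresses are documentation-range placeholders (203.0.113.1 = A, 203.0.113.2 = B).
SITE_A = """\
crypto map VPN 1 ipsec-isakmp
 set peer 203.0.113.2
 match address 151
crypto map VPN 65535 ipsec-isakmp dynamic remote-dyn
ip nat inside source route-map NAT0-RM interface Dialer0 overload
access-list 100 deny   ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
route-map NAT0-RM permit 1
 match ip address 100
"""
SITE_B_OK = """\
crypto map VPN 1 ipsec-isakmp
 set peer 203.0.113.1
 match address 151
ip nat inside source route-map NAT0-RM interface Dialer0 overload
access-list 100 deny   ip 172.16.201.0 0.0.0.255 172.16.199.0 0.0.0.255
access-list 100 permit ip 172.16.201.0 0.0.0.255 any
access-list 151 permit ip 172.16.201.0 0.0.0.255 172.16.199.0 0.0.0.255
route-map NAT0-RM permit 1
 match ip address 100
"""
# Mistyped variant of B: the NAT deny is missing and ACL 151 covers only half of the 199 subnet.
SITE_B_BAD = SITE_B_OK.replace("access-list 100 deny   ip 172.16.201.0 0.0.0.255 172.16.199.0 0.0.0.255\n", "")
SITE_B_BAD = SITE_B_BAD.replace("172.16.199.0 0.0.0.255\n", "172.16.199.0 0.0.0.127\n")
if __name__ == "__main__":
    for label, cfg_b in (("mirrored B", SITE_B_OK), ("mistyped B", SITE_B_BAD)):
        print(label, check_pair(SITE_A, "203.0.113.1", cfg_b, "203.0.113.2") or ["no findings"])
```

Run it directly to see the clean case and the mistyped case side by side; on real routers, paste the crypto map, access-list, ip nat inside source and route-map lines of each box into the two strings and pass the current public addresses. The check is deliberately strict (exact mirror, first-match NAT evaluation) because a crypto ACL that is only a superset or subset of its peer's is exactly the kind of mismatch that lets a tunnel come up from one side and not the other.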

