Help with an L2L VPN between a Cisco 887VA and an ASA5520 8.4x - Solved

fedef63
n00b
Posts: 4
Joined: Mon 17 Sep 2012, 7:43 pm

Good evening,
I have configured a site-to-site VPN between a Cisco 887VA connected via an Alice Business Multigroup ADSL line and an ASA 5520 running version 8.4. The VPN comes up, and from the 887VA router, sourcing from the VLAN, I can reach devices in the intranet behind the ASA and vice versa. However, I cannot reach the PCs on the LAN except sporadically, and they in turn cannot reach other PCs on the network.
I noticed that if I remove the static routes used to steer the VPN traffic and put them back every so often, the PCs come to life and start communicating with the rest of the network.
I am posting the configuration of the ASA and of the Cisco 887VA in the hope that someone can help me.
Thanks
fedef63

******************Cisco 887VA****************
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXXXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200

!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone italy 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
!
!
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.172.50.1 10.172.50.5
!
ip dhcp pool lan
network 10.172.50.0 255.255.255.0
default-router 10.172.50.1
domain-name xxxxxxxx.it
dns-server 10.172.x.xx 10.172.x.xx
!
!
no ip domain lookup
ip domain name xxxxxxxxxxx.it
ip cef
no ipv6 cef
!
!

!
controller VDSL 0
description Deve essere up perche' ADSL funzioni
!
ip ssh authentication-retries 4
ip ssh version 2
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key xxxxxxxxx address 80.80.80.80
!
!
crypto ipsec transform-set L2L esp-aes 256 esp-sha-hmac
!
!
!
crypto map L2L local-address Loopback100
crypto map L2L 1 ipsec-isakmp
description Tunnel to 80.80.80.80
set peer 80.80.80.80
set transform-set im-pisa-to-inasset
set pfs group5
match address 100
!

interface Loopback100
description
ip address 62.100.100.9 255.255.255.255
no keepalive
crypto map l2l
!
interface Ethernet0
no ip address
no keepalive
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description ALICE BUSINESS MULTIGROUP 2M PLUS
ip address 32.100.100.10 255.255.255.252
ip flow ingress
ip virtual-reassembly in
ip verify unicast reverse-path
pvc 8/35
vbr-nrt 608 608 1
tx-ring-limit 6
oam-pvc manage 0
encapsulation aal5snap
!
!
interface FastEthernet0
description client DHCP
no ip address
!
interface FastEthernet1
description client DHCP
no ip address
!
interface FastEthernet2
description client DHCP
no ip address
!
interface FastEthernet3
description client DHCP
no ip address
!
interface Vlan1
description Vlan utenti in DHCP
ip address 10.172.50.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 32.100.100.9
ip route 10.172.0.0 255.255.0.0 Loopback100
ip route 172.22.0.0 255.255.0.0 Loopback100
!


access-list 100 remark Traffico VPN
access-list 100 permit ip 10.172.50.0 0.0.0.255 10.172.0.0 0.0.255.255
access-list 100 permit ip 10.172.50.0 0.0.0.255 172.22.0.0 0.0.255.255
!
!
!
!
!
!
!
control-plane

line con 0
line aux 0
line vty 0 4

password XXXXXXXXXX
transport input ssh
escape-character 3
!
end

******************ASA partial config***************
object network 10.172.50.0
subnet 10.172.50.0 255.255.255.0

object-group network intranet-lan
network-object object 10.172.0.0
network-object object 172.22.0.0

access-list outside_access_in extended permit ip 10.172.50.0 255.255.255.0 object-group intranet-lan
access-list outside_access_out extended permit ip object-group intranet-lan 10.172.50.0 255.255.255.0


access-list L2L_NEW extended permit ip object-group intranet-lan object 10.172.50.0

crypto map outside_map 34 match address L2L_NEW
crypto map outside_map 34 set pfs group5
crypto map outside_map 34 set peer 62.100.100.9
crypto map outside_map 34 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 34 set security-association lifetime seconds 28800

tunnel-group 62.100.100.9 type ipsec-l2l
tunnel-group 62.100.100.9 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 2

nat (inside,outside) source static intranet-lan intranet-lan destination static 10.172.50.0 10.172.50.0

route outside 10.172.50.0 255.255.255.0 router-internet 1
fedef63
n00b
Posts: 4
Joined: Mon 17 Sep 2012, 7:43 pm

Good evening,
after several unsuccessful attempts I decided to sit down and read the posts in the VPN section, starting from the oldest, and I found one that described and solved the same problem .... namely that the VPN came up, but I could not get the hosts at either end of the VPN to talk to each other, while I could reach the router and, from it, the hosts, sporadically (when I enabled debugging on the router, for some strange reason the communication worked).

The post in question is this one: http://www.ciscoforums.it/viewtopic.php?f=16&t=10293

Basically I had assigned the crypto map to the loopback instead of to the ATM0.1 interface, and then routed the subnets to be reached over the VPN toward the loopback.

Here is the working configuration:
- removed the crypto map from the loopback
- assigned the crypto map to interface ATM0.1
- removed all routes except the default one


crypto map L2L local-address Loopback100
crypto map L2L 1 ipsec-isakmp
description Tunnel to 80.80.80.80
set peer 80.80.80.80
set transform-set im-pisa-to-inasset
set pfs group5
match address 100

interface Loopback100
description
ip address 62.100.100.9 255.255.255.255
no keepalive
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description ALICE BUSINESS MULTIGROUP 2M PLUS
ip address 32.100.100.10 255.255.255.252
ip flow ingress
ip virtual-reassembly in
ip verify unicast reverse-path
pvc 8/35
vbr-nrt 608 608 1
tx-ring-limit 6
oam-pvc manage 0
encapsulation aal5snap
crypto map l2l
!
!
ip route 0.0.0.0 0.0.0.0 32.100.100.9
!
access-list 100 remark Traffico VPN
access-list 100 permit ip 10.172.50.0 0.0.0.255 10.172.0.0 0.0.255.255
access-list 100 permit ip 10.172.50.0 0.0.0.255 172.22.0.0 0.0.255.255


My thanks to the authors of the post in question... I had almost lost hope of getting the link to work. I hope this may be useful to others.
Regards
Fedef63
Wrong configuration

******************Cisco 887VA****************
crypto map L2L local-address Loopback100
crypto map L2L 1 ipsec-isakmp
description Tunnel to 80.80.80.80
set peer 80.80.80.80
set transform-set im-pisa-to-inasset
set pfs group5
match address 100
!

interface Loopback100
description
ip address 62.100.100.9 255.255.255.255
no keepalive
crypto map l2l

interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description ALICE BUSINESS MULTIGROUP 2M PLUS
ip address 32.100.100.10 255.255.255.252
ip flow ingress
ip virtual-reassembly in
ip verify unicast reverse-path
pvc 8/35
vbr-nrt 608 608 1
tx-ring-limit 6
oam-pvc manage 0
encapsulation aal5snap
ip route 0.0.0.0 0.0.0.0 32.100.100.9
ip route 10.172.0.0 255.255.0.0 Loopback100
ip route 172.22.0.0 255.255.0.0 Loopback100
!
access-list 100 remark Traffico VPN
access-list 100 permit ip 10.172.50.0 0.0.0.255 10.172.0.0 0.0.255.255
access-list 100 permit ip 10.172.50.0 0.0.0.255 172.22.0.0 0.0.255.255
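As an added example (not from the thread or the poster), a small Python checker that parses condensed IOS snippets for the two mistakes described above: the crypto map bound to the loopback instead of the WAN egress interface, and static routes steering the VPN subnets into that loopback. The snippets are constructed from the thread's configs, re-indented with the one-space indentation `show running-config` prints (an assumption of this example).

```python
# Constructed for this example: condensed "wrong" and "working" 887VA snippets from the thread.
WRONG = """\
crypto map L2L local-address Loopback100
interface Loopback100
 ip address 62.100.100.9 255.255.255.255
 crypto map L2L
interface ATM0.1 point-to-point
ip route 0.0.0.0 0.0.0.0 32.100.100.9
ip route 10.172.0.0 255.255.0.0 Loopback100
ip route 172.22.0.0 255.255.0.0 Loopback100
"""
FIXED = """\
crypto map L2L local-address Loopback100
interface Loopback100
 ip address 62.100.100.9 255.255.255.255
interface ATM0.1 point-to-point
 crypto map L2L
ip route 0.0.0.0 0.0.0.0 32.100.100.9
"""

def parse(cfg):
    """Return ({interface: [sub-commands]}, [[dst, mask, next-hop], ...])."""
    ifaces, routes, cur = {}, [], None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]          # stanza name, e.g. "ATM0.1"
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None                     # any other top-level command ends the stanza
            if line.startswith("ip route "):
                routes.append(line.split()[2:5])
    return ifaces, routes

def check_crypto_map_placement(cfg):
    """Return findings; an empty list means neither mistake from the thread is present."""
    ifaces, routes = parse(cfg)
    findings = []
    bound = [i for i, c in ifaces.items() if any(x.lower().startswith("crypto map ") for x in c)]
    if not bound:
        findings.append("crypto map is not bound to any interface")
    for i in bound:
        if i.lower().startswith("loopback"):
            findings.append(f"crypto map bound to {i}: bind it to the WAN egress interface; the loopback is only the local-address")
    for dst, mask, nh in routes:
        if nh.lower().startswith("loopback"):
            findings.append(f"route {dst} {mask} -> {nh}: VPN traffic is selected by the crypto ACL, not by routing it into the loopback")
    return findings
```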