VPN problem on an 877 router

Virtual private networks and related topics

Moderator: Federico.Lagni

alessandrop77
n00b
Posts: 7
Joined: Wed 03 Oct 2012, 12:23 pm
Location: Roma

Good evening,
sorry, I'm new to the forum; bear in mind that I'm not Cisco certified. I managed to configure an IPsec VPN on my Cisco 877 and I can connect remotely, but only by adding the line "crypto map clientmap" on VLAN 20 as well, and I don't understand why; I'm surely getting something wrong in the config... any help is welcome, thanks a lot... Another problem is the visibility of my network... once connected, even locally I can only ping the default 192.168.3.1, even with the Windows firewall disabled.
HELP MEEEEEE :shock:
Here is my config:


service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rm-adsl-libero-01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
enable secret **********
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network ****** local
!
!
aaa session-id common
memory-size iomem 15
clock timezone ITALY 1
clock summer-time summertime recurring last Sun Mar 3:00 last Sun Oct 3:00
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.2
ip dhcp excluded-address 192.168.3.250 192.168.3.255
ip dhcp excluded-address 192.168.3.64
!
ip dhcp pool DHCP-LAN
import all
network 192.168.3.0 255.255.255.0
dns-server 193.70.152.15 193.70.192.25
default-router 192.168.3.1
domain-name DHCP-HOME
lease 0 2
!
ip dhcp pool ST2030
host 192.168.3.100 255.255.255.0
client-identifier ************
default-router 192.168.3.1
lease infinite
!
ip dhcp pool WIFI_1
host 192.168.3.250 255.255.255.0
client-identifier **********
default-router 192.168.3.1
lease infinite
!
ip dhcp pool WIFI_2
host 192.168.3.251 255.255.255.0
client-identifier **********
default-router 192.168.3.1
lease infinite
!
ip dhcp pool PC-HOME
host 192.168.3.6 255.255.255.0
client-identifier **********
default-router 192.168.3.1
!
ip dhcp pool PRINTER
host 192.168.3.64 255.255.255.0
client-identifier **********
default-router 192.168.3.1
lease infinite
!
!
ip cef
ip domain name DHCP-HOME
ip name-server 193.70.152.15
ip name-server 193.70.192.25
ip ddns update method dyndns
HTTP
add http://*****:*****@members.dyndns.org/n ... **&myip=<a>
interval maximum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ***** password ******
username ***** password ******
!
crypto logging session
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ******
key ******
dns 193.70.152.15 193.70.192.25
domain DHCP-HOME
pool VPN-POOL
acl 158
save-password
include-local-lan
max-users 100
max-logins 10
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set security-association idle-time 3600
set transform-set myset
reverse-route
!
!
crypto map clientmap local-address Dialer1
crypto map clientmap client authentication list ******
crypto map clientmap isakmp authorization list ******
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip tftp source-interface Vlan20
!
!
!
interface ATM0
description "ADSL LIBERO"
no ip address
no ip unreachables
no ip proxy-arp
logging event subif-link-status
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description "WAN ADSL LIBERO"
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description "INTERFACCIA VOIP"
switchport access vlan 20
load-interval 30
!
interface FastEthernet1
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface FastEthernet2
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface FastEthernet3
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
description "VLAN 20 DATI"
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
crypto map clientmap
!
interface Dialer1
description "WAN LIBERO"
ip ddns update hostname *********
ip ddns update dyndns
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting precedence output
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname *******
ppp chap password *******
ppp chap refuse
ppp pap sent-username ****** password ******
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap
!
ip local pool VPN-POOL 192.168.100.2 192.168.100.102
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.100.0 255.255.255.128 Dialer1
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat translation timeout 420
ip nat translation tcp-timeout 150
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source static tcp 192.168.3.2 22 interface Dialer1 22
ip nat inside source static tcp 192.168.3.2 80 interface Dialer1 45080
ip nat inside source static tcp 192.168.3.2 20 interface Dialer1 20
ip nat inside source static tcp 192.168.3.2 21 interface Dialer1 21
ip nat inside source static udp 192.168.3.2 5060 interface Dialer1 5060
ip nat inside source list 100 interface Dialer1 overload
!
logging trap errors
logging facility local5
access-list 100 remark ***********************************************************
access-list 100 remark ********** ACL PER SPLIT-TUNNEL DA VPN-CLIENT *************
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 158 remark ***********************************************************
access-list 158 remark ********** ACL PER SPLIT-TUNNEL DA VPN-CLIENT *************
access-list 158 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
exec-timeout 5 0
modem DTR-active
transport input all
line vty 0 4
logging synchronous
transport preferred none
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 207.46.197.32
sntp server 192.43.244.18
end

Ah, sorry, my IOS is the following: c870-advipservicesk9-mz.124-24.T8.bin
alessandrop77

Good morning,
I've sorted out a few things; now I can reach my network, but the PAT ports aren't forwarded locally. Do you have a solution to this problem.....
Thanks a lot..... ah, the config has changed only slightly.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Hi,
if you run

sh ip nat translation

what do you see?

Paolo
No leaf falls unless the unconscious wants it (S.B.)
alessandrop77

Hi Paolo, I'm Alessandro; this is the output of show ip nat translation:

tcp 151.25.124.164:20 192.168.3.2:20 --- ---
tcp 151.25.124.164:21 192.168.3.2:21 --- ---
tcp 151.25.124.164:22 192.168.3.2:22 --- ---
tcp 151.25.124.164:45080 192.168.3.2:80 --- ---
udp 151.25.124.164:5060 192.168.3.2:5060 2.227.229.80:50352 2.227.229.80:50352
udp 151.25.124.164:5060 192.168.3.2:5060 212.52.82.27:5060 212.52.82.27:5060
udp 151.25.124.164:5060 192.168.3.2:5060 --- ---
tcp 151.25.124.164:38366 192.168.3.2:38366 193.206.139.37:80 193.206.139.37:80


The problem is that PAT works from outside, but when I connect over the VPN the ports don't open; I tried removing the PAT rules and it works over the VPN, but obviously they then don't work from outside. How can I solve this.... Thanks a lot
alessandrop77

This is my updated config:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rm-adsl-libero-01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
enable secret *******
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network ******* local
!
!
aaa session-id common
memory-size iomem 15
clock timezone ITALY 1
clock summer-time summertime recurring last Sun Mar 3:00 last Sun Oct 3:00
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.2
ip dhcp excluded-address 192.168.3.250 192.168.3.255
ip dhcp excluded-address 192.168.3.64
!
ip dhcp pool DHCP-LAN
import all
network 192.168.3.0 255.255.255.0
dns-server 193.70.152.15 193.70.192.25
default-router 192.168.3.1
domain-name DHCP-HOME
lease 0 2
!
ip dhcp pool ST2030
host 192.168.3.100 255.255.255.0
client-identifier *******
default-router 192.168.3.1
lease infinite
!
ip dhcp pool WIFI_1
host 192.168.3.250 255.255.255.0
client-identifier *******
default-router 192.168.3.1
lease infinite
!
ip dhcp pool WIFI_2
host 192.168.3.251 255.255.255.0
client-identifier *******
default-router 192.168.3.1
lease infinite
!
ip dhcp pool PC-HOME
host 192.168.3.6 255.255.255.0
client-identifier *******
default-router 192.168.3.1
!
ip dhcp pool PRINTER
host 192.168.3.64 255.255.255.0
client-identifier *******
default-router 192.168.3.1
lease infinite
!
!
ip cef
ip domain name DHCP-HOME
ip name-server 193.70.152.15
ip name-server 193.70.192.25
ip ddns update method dyndns
HTTP
add http://*******:*******@members.dyndns.o ... **&myip=<a>
interval maximum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ******* password *******
username ******* password *******
!
crypto logging session
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group *******
key ********
pool VPN-POOL
acl 158
save-password
max-users 100
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set security-association idle-time 3600
set transform-set myset
reverse-route
!
!
crypto map clientmap local-address Dialer1
crypto map clientmap client authentication list *****
crypto map clientmap isakmp authorization list ******
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip tftp source-interface Vlan20
!
!
!
interface ATM0
description "ADSL LIBERO"
mtu 1500
no ip address
no ip unreachables
logging event subif-link-status
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description "WAN ADSL LIBERO"
mtu 1500
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description "INTERFACCIA VOIP"
switchport access vlan 20
load-interval 30
!
interface FastEthernet1
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface FastEthernet2
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface FastEthernet3
description "VLAN 20 DATI"
switchport access vlan 20
load-interval 30
speed 100
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
description "VLAN 20 DATI"
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
crypto map clientmap
!
interface Dialer1
description "WAN LIBERO"
ip ddns update hostname **********
ip ddns update dyndns
ip address negotiated
ip accounting output-packets
ip accounting precedence output
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username ***** password *****
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap
!
ip local pool VPN-POOL 192.168.100.2 192.168.100.102
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.100.0 255.255.255.128 Dialer1
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat translation timeout 420
ip nat translation tcp-timeout 150
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source static tcp 192.168.3.2 80 interface Dialer1 45080
ip nat inside source static tcp 192.168.3.2 20 interface Dialer1 20
ip nat inside source static udp 192.168.3.2 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.3.2 22 interface Dialer1 22
ip nat inside source static tcp 192.168.3.2 21 interface Dialer1 21
ip nat inside source route-map PETROS interface Dialer1 overload
!
logging trap errors
logging facility local5
access-list 100 remark ***********************************************************
access-list 100 remark ********** ACL PER SPLIT-TUNNEL DA VPN-CLIENT *************
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 158 remark ***********************************************************
access-list 158 remark ********** ACL PER SPLIT-TUNNEL DA VPN-CLIENT *************
access-list 158 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
!
!
route-map PETROS permit 10
match ip address 100
!
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
exec-timeout 5 0
modem DTR-active
transport input all
line vty 0 4
access-class 100 in
logging synchronous
transport preferred none
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 207.46.197.32
sntp server 192.43.244.18
end
antomi
Cisco fan
Posts: 48
Joined: Wed 20 May 2009, 11:24 am

Try redoing the access list, from:
access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
to
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255

let me know
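An added example (not from the thread or its authors) that evaluates the posted NAT overload list and the split-tunnel list with Cisco first-match wildcard semantics, using the thread's own addresses; ACL_100_PERMIT_VARIANT is the change suggested above, and the host and client addresses in demo() are constructed for the test. It models only the dynamic overload rule (list 100 / route-map PETROS), not the static PAT entries, which IOS matches independently of that list.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the configuration posted in this thread: list 100 as posted
# (deny = exempt from NAT), the permit variant suggested in the reply above, and
# the split-tunnel list 158 that the router pushes to the VPN client.
ACL_100_POSTED = [
    "access-list 100 remark ACL PER SPLIT-TUNNEL DA VPN-CLIENT",
    "access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
ACL_100_PERMIT_VARIANT = [
    "access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 100 permit ip any any",
]
ACL_158_SPLIT = [
    "access-list 158 permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255",
]

def _addr_spec(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (base, wildcard, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def _matches(addr: str, base: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; only the remaining bits are compared.
    keep = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (base & keep)

def first_match(acl: List[str], proto: str, src: str, dst: str) -> Optional[str]:
    """Cisco first-match evaluation: returns the matching ACE, or None for the
    implicit deny. Port qualifiers after the addresses are ignored here."""
    for line in acl:
        t = line.split()
        if len(t) < 6 or t[2] == "remark":
            continue
        if t[3] not in ("ip", proto):
            continue
        sb, sw, i = _addr_spec(t, 4)
        db, dw, _ = _addr_spec(t, i)
        if _matches(src, sb, sw) and _matches(dst, db, dw):
            return line
    return None

def nat_decision(acl: List[str], proto: str, src: str, dst: str) -> str:
    """'translate' when the overload list permits the flow, 'exempt' otherwise
    (a deny, or no match, keeps the packet's real source address)."""
    ace = first_match(acl, proto, src, dst)
    return "translate" if ace and ace.split()[2] == "permit" else "exempt"

def tunneled(acl: List[str], client: str, dest: str) -> bool:
    """Split-tunnel ACLs are written from the router's side (protected network
    as source, client pool as destination); the client mirrors them."""
    ace = first_match(acl, "ip", dest, client)
    return bool(ace) and ace.split()[2] == "permit"

def demo() -> dict:
    lan_host, vpn_client, internet = "192.168.3.2", "192.168.100.5", "193.206.139.37"
    return {
        "posted_lan_to_vpn": nat_decision(ACL_100_POSTED, "tcp", lan_host, vpn_client),
        "variant_lan_to_vpn": nat_decision(ACL_100_PERMIT_VARIANT, "tcp", lan_host, vpn_client),
        "posted_lan_to_internet": nat_decision(ACL_100_POSTED, "tcp", lan_host, internet),
        "split_lan_tunneled": tunneled(ACL_158_SPLIT, vpn_client, lan_host),
        "split_internet_direct": not tunneled(ACL_158_SPLIT, vpn_client, internet),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the posted list, LAN-to-pool traffic keeps its real source address and only Internet-bound traffic is translated; the permit variant would translate LAN-to-pool traffic as well.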
alessandrop77

Guys, I changed the config again and it seems to work; here it is:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <quello che vuoi>
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network <nome gruppo VPN> local
!
!
aaa session-id common
memory-size iomem 15
clock timezone Italy 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
!
ip ddns update method dyndns
HTTP
add http://username:password@members.dyndns.org ... tname=nome hostname&myip=<a>
remove http://username:password@members.dyndns.org ... tname=nome hostname&myip=<a>
interval maximum 28 0 0 0
!
!
!
ip dhcp pool <scegli nome>
import all
network <network> <subnetmask>
default-router <default gateway>
domain-name <scegli dominio>
dns-server <dns 1 e 2>
lease 0 2

ip domain name <dominio scelto>
!
ip name-server <dns 1>
ip name-server <dns 2>
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username <scegli utente privileggiato> privilege 15 secret <scegli password>

(the users below are for the VPN; obviously change them)

username utente1 password utente1
username utente2 password utente2
username utente3 password utente3
username utente4 password utente4
!
!
!
(now the VPN part begins)
!
!
crypto logging session
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group <nome gruppo vpn>
key <metti quella che ti pare>
pool <nome pool vpn ip address>
acl 158
save-password
include-local-lan
max-users <metti gli utenti che vuoi>
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set security-association idle-time 3600
set transform-set myset
reverse-route
!
!
crypto map <nome mappa> local-address Dialer 1
crypto map <nome mappa> client authentication list <nome gruppo VPN>
crypto map <nome mappa> isakmp authorization list <nome gruppo VPN>
crypto map <nome mappa> client configuration address respond
crypto map <nome mappa> 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
description "quella che hai scelto"
switchport access vlan <quella che hai scelto>
load-interval 30
duplex full
speed 100
!
interface FastEthernet1
description "quella che hai scelto"
switchport access vlan <quella che hai scelto>
load-interval 30
duplex full
speed 100
!
interface FastEthernet2
description "quella che hai scelto"
switchport access vlan <quella che hai scelto>
load-interval 30
duplex full
speed 100
!
interface FastEthernet3
description "quella che hai scelto"
switchport access vlan <quella che hai scelto>
load-interval 30
duplex full
speed 100
!
interface Vlan<quella che vuoi>
ip address <default gateway> <subnetmask>
ip mtu 1492
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto map <nome mappa>
!
!
interface Vlan1
no ip address
shutdown
!
interface ATM0
description "ADSL LIBERO"
no ip address
no ip unreachables
no ip proxy-arp
logging event subif-link-status
no atm ilmi-keepalive
!
!
interface ATM0.1 point-to-point
description "WAN ADSL LIBERO"
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1


ip local pool VPN-POOL <indirizzi pool vpn da> <indirizzi pool vpn a>
ip forward-protocol nd
ip forward-protocol turbo-flood
ip route 0.0.0.0 0.0.0.0 Dialer 1
ip route <network VPN> 255.255.255.240 Dialer 1
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat translation timeout 420
ip nat translation tcp-timeout 150
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
!
!
ip nat inside source list 100 interface Dialer 1 overload
ip nat inside source static udp <indirizzo per pat> 5060 interface Dialer 1 5060
!
!
logging trap errors
logging facility local5
access-list 100 remark ***************************************************
access-list 100 remark ************ ACL-PORTE-TCP-UDP-DDNS-WAN ***********
access-list 100 deny ip <network lan> 0.0.0.255 <network VPN> 0.0.0.15
access-list 100 deny ip <network VPN> 0.0.0.15 <network lan> 0.0.0.255
access-list 100 permit ip <network lan> 0.0.0.255 any
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny ip any any
access-list 101 permit ip any any
access-list 101 permit gre any any
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any eq 22 any
access-list 101 deny udp any any eq 135 log
access-list 101 deny tcp any any eq 135 log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark ***************************************************
access-list 102 remark ************ ACL-PORTE-TCP-UDP-DDNS-WAN ***********
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 deny ip any any log
access-list 158 remark ***********************************************************
access-list 158 remark ********** ACL PER SPLIT-TUNNEL DA VPN-CLIENT *************
access-list 158 permit ip <network lan> 0.0.0.255 <network VPN> 0.0.0.15
access-list 158 permit ip <network VPN> 0.0.0.15 <network lan> 0.0.0.255
!
!
!
!
!
control-plane
line con 0
privilege level 15
logging synchronous
no modem enable
line aux 0
exec-timeout 5 0
modem DTR-active
transport input all
line vty 0 4
privilege level 15
logging synchronous
transport preferred none
transport input telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 207.46.197.32
sntp server 192.43.244.18
end

Bye and see you soon
alessandrop77

Sorry, Dialer 1 is missing:


interface Dialer1
description "WAN LIBERO"
ip ddns update hostname nome host
ip ddns update dyndns
ip address negotiated
ip accounting output-packets
ip accounting precedence output
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username username password <password>
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap