Cisco 1841 VPN - connects but cannot browse the internet

Virtual private networks and related topics

zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan 2008, 11:12 am

Hello everyone,
with my 1841 I had the bright idea of also using interface eth0/1 for another LAN, so that I now have
eth 0/0 192.168.1.0
eth 0/1 192.168.2.0

Before this change my VPN worked wonderfully: I would connect and browse the internet not over the VPN connection but over my own; now I can still connect to the VPN and reach the IP cameras on both eth0 and eth1, but I cannot browse the internet :cry:

To be clear, I connect to the 1841 router from a PC with the Cisco client.

Here is the configuration

Cisco1841#sh conf
Using 7115 out of 196600 bytes
!
! Last configuration change at 21:14:12 CET Thu Jan 3 2013 by admin
! NVRAM config last updated at 21:14:22 CET Thu Jan 3 2013 by admin
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1841
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXXXXX
enable password XXXXXXXXXX
!
aaa new-model
!
!
!
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone CET 1
clock summer-time CET recurring
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.201 192.168.1.254
ip dhcp excluded-address 192.168.1.100 192.168.1.120
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp excluded-address 192.168.2.201 192.168.2.254
ip dhcp excluded-address 192.168.2.100 192.168.2.120
!
ip dhcp pool POOL_DHCP
import all
network 192.168.1.0 255.255.255.0
dns-server 212.216.172.62 212.216.112.112
default-router 192.168.1.254
!
ip dhcp pool POOL_DHCP_eth1
import all
network 192.168.2.0 255.255.255.0
dns-server 212.216.172.62 212.216.112.112
default-router 192.168.2.254
!
!
ip domain name domain.com
ip host members.dyndns.org 204.13.248.112
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ddns update method DynDNS
HTTP
add http://[email protected]/n ... h>&myip=<a>
remove http://[email protected]/n ... h>&myip=<a>
interval maximum 0 0 30 0
!
!
!
crypto pki trustpoint TP-self-signed-2910638223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2910638223
revocation-check none
rsakeypair TP-self-signed-2910638223
!
!
crypto pki certificate chain TP-self-signed-2910638223
certificate self-signed 01 nvram:IOS-Self-Sig#3317.cer
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
username rdie77 secret 5 XXXXXXXXXXXXXXXx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group GROUP_VPN
key dierad
dns 8.8.8.8
pool SDM_POOL_2
acl 101
include-local-lan
pfs
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-2
match identity group GROUP_VPN
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address initiate
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.1.254 255.255.255.0
ip directed-broadcast
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0/1
description ETH-LAN1
ip address 192.168.2.254 255.255.255.0
ip directed-broadcast
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
dsl lom 30
hold-queue 224 in
!
interface ATM0/0/0.1 point-to-point
no ip route-cache
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Dialer0
ip ddns update hostname XXXXXXXXXXXXx
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip directed-broadcast
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXXXXXXXXXxx password 0 XXXXXXXXXXXx
!
ip local pool SDM_POOL_2 20.10.10.100 20.10.10.200
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.1 80 interface Dialer0 8090
ip nat inside source static udp 192.168.1.191 9 interface Dialer0 10
ip nat inside source static tcp 192.168.1.191 21 interface Dialer0 9921
ip nat inside source static udp 192.168.1.191 7 interface Dialer0 8
ip nat inside source static udp 192.168.1.190 9090 interface Dialer0 9090
ip nat inside source static tcp 192.168.1.190 9090 interface Dialer0 9090
ip nat inside source static udp 192.168.1.190 9 interface Dialer0 9
ip nat inside source static udp 192.168.1.190 2304 interface Dialer0 2304
ip nat inside source static tcp 192.168.1.190 2304 interface Dialer0 2304
ip nat inside source static udp 192.168.1.190 43833 interface Dialer0 43833
ip nat inside source static tcp 192.168.1.129 39989 interface Dialer0 39989
ip nat inside source static udp 192.168.1.129 7806 interface Dialer0 7806
ip nat inside source static tcp 192.168.1.99 8080 interface Dialer0 9099
ip nat inside source static tcp 192.168.1.190 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.190 3389 interface Dialer0 3389
ip nat inside source static udp 192.168.1.190 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.190 24158 interface Dialer0 24158
ip nat inside source static tcp 192.168.1.89 36017 interface Dialer0 36017
ip nat inside source static udp 192.168.1.89 44786 interface Dialer0 44786
ip nat inside source static udp 192.168.1.88 21856 interface Dialer0 21856
ip nat inside source static tcp 192.168.1.88 11251 interface Dialer0 11251
ip nat inside source static tcp 192.168.1.87 36018 interface Dialer0 36018
ip nat inside source static udp 192.168.1.87 44787 interface Dialer0 44787
ip nat inside source static udp 192.168.1.190 7 interface Dialer0 7
ip nat inside source static tcp 192.168.1.102 80 interface Dialer0 9092
ip nat inside source static tcp 192.168.2.101 80 interface Dialer0 9091
ip nat inside source static tcp 192.168.2.103 80 interface Dialer0 9093
ip nat inside source static tcp 192.168.1.160 36184 interface Dialer0 36184
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit tcp any any
access-list 100 permit udp any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 40 0
password XXXXXXX
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 193.204.114.232
end

Reading around a bit, I noticed that in the output of "show crypto ipsec sa" the value local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) has no address. Could this be the problem?


Cisco1841#show crypto ipsec sa

interface: Virtual-Access4
Crypto map tag: Virtual-Access4-head-0, local addr XXXXXXXXXXX

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (20.10.10.100/255.255.255.255/0/0)
current_peer XXXXXXXXXXX port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 6

local crypto endpt.: XXXXXXXXXXXX, remote crypto endpt.: XXXXXXXXXXXXXX
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
current outbound spi: 0xF1350527(4046783783)

inbound esp sas:
spi: 0x66C3BF52(1724104530)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4442053/3460)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF1350527(4046783783)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4442062/3451)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Thanks everyone for the help
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan 2008, 11:12 am

Can nobody give me a hand?

Thanks again in advance
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan 2008, 11:12 am

I tried adding the following ACL entries

access-list 101 permit ip 30.0.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

and this way I can browse the internet... but even though I connect to the VPN, I can no longer reach the IP cameras, nor the Cisco itself

At this point I imagine it is an ACL problem... one that I must have deleted by mistake :(

Any ideas?
Thanks again
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

Hi,
in ACL 101 you have to permit all the traffic that must go through the tunnel.

Paolo
No leaf falls that the unconscious does not want (S.B.)
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan 2008, 11:12 am

paolomat75 wrote: Hi,
in ACL 101 you have to permit all the traffic that must go through the tunnel.

Paolo

so I have to put
access-list 101 permit ip any any

Thanks again
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan 2008, 11:12 am

Problem solved with this ACL

access-list 101 permit ip 192.168.1.0 0.0.0.255 20.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 20.10.10.0 0.0.0.255

thanks everyone
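The running config above references `acl 101` in the client configuration group but contains no `access-list 101` lines, and the `show crypto ipsec sa` output shows a local ident of 0.0.0.0/0, i.e. a full tunnel. The fix was a split-tunnel ACL that names only the two LANs. The script below is an added example, not part of the thread or of Cisco IOS: it parses ACL lines in the `access-list <n> permit ip <src> <dst>` form (with wildcard masks, `host` and `any`) and predicts, for a client in the 20.10.10.0/24 pool, which destinations the client will send through the tunnel and which go out directly. It assumes the usual IOS split-tunnel semantics, where the ACE source is the network behind the router and the ACE destination is the client side, so the client matches the mirrored direction. The ACL lines and addresses are constructed from the values in the thread; `parse_acl` and `classify` are names chosen here.

```python
import ipaddress

# Constructed sample: the final ACL from the thread and the "permit any any" variant.
ACL_FINAL = [
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 20.10.10.0 0.0.0.255",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 20.10.10.0 0.0.0.255",
]
ACL_ANY = ["access-list 101 permit ip any any"]


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network.

    The wildcard mask is the bitwise inverse of the subnet mask; this helper
    assumes a contiguous wildcard (the only kind that maps to a prefix).
    """
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)


def _take_addr(tokens, i):
    """Consume one address specification starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines into (action, src, dst) tuples."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError("unsupported ACE: " + line)
        action = t[2]
        src, i = _take_addr(t, 4)
        dst, _ = _take_addr(t, i)
        aces.append((action, src, dst))
    return aces


def client_sends_via_tunnel(aces, client_ip, dest_ip):
    """Decide whether the VPN client routes dest_ip into the tunnel.

    Assumption (IOS split-tunnel semantics): the ACL is written from the
    router's side, so the client mirrors it: the packet's destination is
    checked against the ACE source and the client's own address against the
    ACE destination. First match wins; no match means the packet leaves the
    client's own link directly (the "local internet" path from the thread).
    """
    c = ipaddress.IPv4Address(client_ip)
    d = ipaddress.IPv4Address(dest_ip)
    for action, src, dst in aces:
        if d in src and c in dst:
            return action == "permit"
    return False


def classify(acl_lines, client_ip, dests):
    """Map each destination to 'tunnel' or 'direct' for the given client address."""
    aces = parse_acl(acl_lines)
    return {
        dst: ("tunnel" if client_sends_via_tunnel(aces, client_ip, dst) else "direct")
        for dst in dests
    }


if __name__ == "__main__":
    dests = ["192.168.1.191", "192.168.2.1", "8.8.8.8"]
    # Final ACL: the two LANs are tunneled, public DNS goes out the client's own link.
    print(classify(ACL_FINAL, "20.10.10.100", dests))
    # "permit ip any any": everything is tunneled, so internet depends on the router.
    print(classify(ACL_ANY, "20.10.10.100", dests))
```

Running it shows why `permit ip any any` was the wrong answer for this setup: every destination, 8.8.8.8 included, is classified as `tunnel`, and the 20.10.10.0/24 pool does not appear in NAT access-list 1, so nothing in the router config would carry that traffic out of Dialer0. With the final ACL only the two camera LANs are tunneled and the client keeps its own internet path.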
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Prov di GE

zorro77 wrote: Problem solved with this ACL

access-list 101 permit ip 192.168.1.0 0.0.0.255 20.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 20.10.10.0 0.0.0.255

thanks everyone
Great!

Paolo
No leaf falls that the unconscious does not want (S.B.)