867VAEK9 - IPsec working, no access to network resources

Virtual private networks and related topics

Moderator: Federico.Lagni

marcocc
n00b
Posts: 4
Joined: Fri 09 May 2014, 5:00 pm

Hello everyone,
I'm new to Cisco and IOS; I managed to successfully configure an 867 for internet access etc., by studying the documentation and copying from scripts I found, including on this site.
Now I'm trying to connect remotely to the 867 through the IPsec client (on a Mac, to be precise).
It builds the tunnel successfully and assigns me an IP, but there is no way to communicate at all with the network (which has a Samba server, AFP, a video surveillance server, etc.).
I can't reach any of the connected devices.

I suspect the error is in the ACL rules, but I can't see where...

I'd be grateful for any advice!

Code:

version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret 4 xxxx
enable password 7 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec default local 
aaa authorization network vpn_group_ml_1 local 
!         
!         
!         
!         
!         
aaa session-id common
wan mode dsl
clock timezone MET 1 0
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!         
!         
!         
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.90 192.168.1.209
ip dhcp excluded-address 192.168.1.211 192.168.1.254
!         
ip dhcp pool pool1
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254 
 dns-server 208.67.222.222 4.4.4.4 208.67.220.220 8.8.8.8 
 domain-name xyz.local
!         
ip dhcp pool static
 host 192.168.1.210 255.255.255.0
 client-identifier 01c4.xxxx.xxxx.e0
 default-router 192.168.1.254 
 dns-server 208.67.222.222 4.4.4.4 208.67.220.220 8.8.8.8 
 domain-name xyz.local
!         
!         
!         
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
no ip domain lookup
ip domain name xyz.local
ip name-server 4.4.4.4
ip name-server 8.8.8.8
ip ddns update method dyndns
 HTTP     
  add http://[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
!         
ip cef    
login block-for 60 attempts 3 within 30
no ipv6 cef
!         
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!         
!         
!         
!         
!         
!         
!         
!         
!         
crypto pki trustpoint TP-self-signed-230161162
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-230161162
 revocation-check none
 rsakeypair TP-self-signed-230161162
!         
!         
crypto pki certificate chain TP-self-signed-230161162
 certificate self-signed 01
  30820D29 30820192 A0030201 02020001 300X0609 2A864886 F70D0101 05070030  
  9BBC8790 8B6E9CD5 C84J3ACA 3D
        quit
!         
!         
archive   
 log config
  hidekeys
username xxx privilege 15 password 7 xxx
username xxxx secret 5 xxx
!         
!         
controller VDSL 0
!         
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!         
!         
!         
!         
!         
crypto isakmp policy 1
 encr 3des
 hash md5 
 authentication pre-share
 group 2  
!         
crypto isakmp client configuration group CCLIENT-VPN
 key xxxxx
 dns 4.4.4.4
 domain xyz.local
 pool VPN-Pool
 acl 120  
 max-users 1
crypto isakmp profile vpn-ike-profile-1
   match identity group CCLIENT-VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!         
!         
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac 
 mode tunnel
!         
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1 
!         
!         
!         
!         
!         
!         
!         
interface Null0
 no ip unreachables
!         
interface ATM0
 description LINEA ADSL
 no ip address
 ip access-group 131 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !        
!         
interface Ethernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 shutdown 
!         
interface FastEthernet0
 no ip address
!         
interface FastEthernet1
 no ip address
!         
interface FastEthernet2
 no ip address
!         
interface FastEthernet3
 no ip address
!         
interface GigabitEthernet0
 no ip address
!         
interface GigabitEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown 
 duplex auto
 speed auto
!         
interface Virtual-Template1
 description TUNNEL IPSEC VPN
 no ip address
!         
interface Virtual-Template2 type tunnel
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!         
interface Vlan1
 description CONNESSIONE LAN
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!         
interface Dialer0
 description INTERNET ACCESS DIALER
 ip ddns update hostname xxxx
 ip ddns update dyndns
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap chap callin
 ppp chap hostname xxxx
 ppp chap password 7 0508030328431B5D
 ppp pap sent-username xxxx password 7 15110E000X257E71
 no cdp enable
!         
ip local pool VPN-Pool 192.168.1.211
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!         
!         
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.200 4661 interface Dialer0 4661
ip nat inside source static tcp 192.168.1.200 4662 interface Dialer0 4662
ip nat inside source static udp 192.168.1.200 4672 interface Dialer0 4672
ip nat inside source static udp 192.168.1.200 4665 interface Dialer0 4665
ip nat inside source static tcp 192.168.1.200 22 interface Dialer0 2233
ip route 0.0.0.0 0.0.0.0 Dialer0
!         
!         
logging trap debugging
no cdp run
!         
access-list 100 remark *** ACL PER PAT E NAT0 ***
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark *** Deny NAT per VPN Clients ***
access-list 100 deny   ip 192.168.1.0 0.0.0.255 host 192.168.1.211
access-list 120 remark *** Cisco VPN SPLIT TUNNEL***
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any host 192.168.1.211
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *** ACL PORTE EMULE ***
access-list 131 permit tcp any any eq 4661
access-list 131 permit tcp any any eq 4662
access-list 131 permit udp any any eq 4672
access-list 131 permit udp any any eq 4665
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 deny   ip any any log
access-list 131 permit tcp any any eq 2233
!         
!         
!         
banner motd ^CC
****************************************************************
----------------------------------------------------------------
* ***      //////////  \\\\\\\\\\      ***   *
----------------------------------------------------------------
* WARNING: System is RESTRICTED to authorized personnel ONLY! *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law. *
* *       
* If you are NOT authorized to use this system, LOG OFF NOW! *
* *       
****************************************************************
^C        
!         
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 transport output telnet ssh
!         
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
!         
end       
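As an added troubleshooting aid (not part of the original post), the following Python script parses the standard access-lists quoted above and reports entries that can never match because an earlier, broader entry in the same ACL already covers them: in this config ACL 100's deny for host 192.168.1.211 sits after a permit for all of 192.168.1.0/24 to any, and ACL 131's last permit tcp eq 2233 sits after deny ip any any. It assumes contiguous wildcard masks and treats port qualifiers only by literal equality.

```python
import ipaddress
# Constructed excerpt of the posted running-config: only the ACL lines the check needs.
CONFIG = """\
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip 192.168.1.0 0.0.0.255 host 192.168.1.211
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any host 192.168.1.211
access-list 131 deny   ip any any log
access-list 131 permit tcp any any eq 2233
"""

def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD'); assumes a contiguous wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))  # invert wildcard bits
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]

def parse_acl(text):
    """Return ACL entries as dicts, in the order IOS evaluates them (first match wins)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        src, rest = parse_addr(tokens[4:])
        dst, rest = parse_addr(rest)
        ports = tuple(t for t in rest if t != "log")  # e.g. ('eq', '2233'); 'log' is not a match criterion
        entries.append(dict(acl=tokens[1], proto=tokens[3], src=src, dst=dst, ports=ports, line=line.strip()))
    return entries

def covers(earlier, later):
    """True if every packet matching 'later' would already have matched 'earlier'."""
    return (earlier["proto"] in ("ip", later["proto"])
            and earlier["src"].supernet_of(later["src"])
            and earlier["dst"].supernet_of(later["dst"])
            and (earlier["ports"] == () or earlier["ports"] == later["ports"]))

def find_shadowed(text):
    """List (acl, unreachable entry, entry that shadows it) for entries that can never match."""
    entries, findings = parse_acl(text), []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if earlier["acl"] == later["acl"] and covers(earlier, later):
                findings.append((later["acl"], later["line"], earlier["line"]))
                break
    return findings
```

One thing this check cannot see: the pool address 192.168.1.211 lies inside the Vlan1 subnet while Vlan1 has no ip proxy-arp, so it is worth verifying separately whether LAN hosts' ARP requests for the client's address are being answered at all.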