Hi everyone, I'd like to put a small problem to you.
I have set up VPNs between the headquarters and three remote sites, using a Cisco Pix Firewall 515e at the headquarters and three Cisco 837 routers at the remote sites. Now the VPN works from the three remote sites to the headquarters and vice versa, but what I need now is for the remote sites to see each other. How can I do that?
Thanks for your help.
VPN help...
Moderator: Federico.Lagni
MaiO (Messianic Network master, 1083 posts, joined Sat 15 Oct 2005 10:55 am, Milano)
Describe your topology in more detail and give us an idea of the subnets in use. It's a matter of either setting routes and going through the headquarters, or building a full-mesh VPN (if I've understood the question correctly).
Bye
-=] MaiO [=-
n00b (5 posts, joined Mon 10 Apr 2006 11:21 am)
In the topology the headquarters acts as the hub of the star and all the remote sites point to the hub. The subnets in use are the following:
192.168.1.x/24 Headquarters;
192.168.2.x/24 Remote site 1;
192.168.3.x/24 Remote site 2;
192.168.4.x/24 Remote site 3.
This is the headquarters configuration:
Headquarters, on the Pix:
access-list 101 permit ip Lan-Cantu 255.255.255.0 Lan-Como 255.255.255.0
access-list 101 permit ip Lan-Cantu 255.255.255.0 Lan-Lecco 255.255.255.0
access-list 101 permit ip Lan-Cantu 255.255.255.0 Lan-Erba 255.255.255.0
access-list Como permit ip Lan-Cantu 255.255.255.0 Lan-Como 255.255.255.0
access-list Erba permit ip Lan-Cantu 255.255.255.0 Lan-Erba 255.255.255.0
access-list Lecco permit ip Lan-Cantu 255.255.255.0 Lan-Lecco 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set coxxx esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map Coxxx 20 ipsec-isakmp
crypto map Coxxx 20 match address Como
crypto map Coxxx 20 set peer 85.36.34.113
crypto map Coxxx 20 set transform-set coxxx
crypto map Coxxx 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map Coxxx 21 ipsec-isakmp
crypto map Coxxx 21 match address Lecco
crypto map Coxxx 21 set peer 82.186.186.9
crypto map Coxxx 21 set transform-set coxxx
crypto map Coxxx 21 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map Coxxx 22 ipsec-isakmp
crypto map Coxxx 22 match address Erba
crypto map Coxxx 22 set peer Filiale-Erba
crypto map Coxxx 22 set transform-set coxxx
crypto map Coxxx 22 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map Coxxx interface outside
isakmp enable outside
isakmp key ******** address xxx.36.34.xxx netmask 255.255.255.255
isakmp key ******** address Filiale-Erba netmask 255.255.255.255
isakmp key ******** address xx.186.186.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
There are no special routes on the Pix.
This is the configuration of one of the routers; the others are the same:
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key c********* address ***.32.51.***
crypto isakmp keepalive 60
crypto isakmp nat keepalive 8
!
crypto ipsec security-association lifetime seconds 1200
!
crypto ipsec transform-set c*****l esp-des esp-md5-hmac
!
! Single crypto map entry: only traffic matching ACL 101 (this LAN <-> hub LAN) is encrypted
crypto map vpn 10 ipsec-isakmp
 set peer ***.32.51.***
 set transform-set c*****
 match address 101
!
interface ATM0.1 point-to-point
 ip address ***.20.1.*** 255.255.255.0 secondary
 ip address ***.184.43.*** 255.255.255.248
 ip nat outside
 pvc 1/33
  encapsulation aal5snap
 !
 crypto map vpn
!
! Traffic permitted by route-map nonat (ACL 100) is PAT'ed to the ATM0.1 address; denied traffic goes out un-NATed
ip nat inside source route-map nonat interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ***.20.1.***
no ip http server
no ip http secure-server
!
!
access-list 60 permit 192.168.2.0 0.0.0.255
access-list 60 permit 192.168.1.0 0.0.0.255
access-list 60 permit 192.168.4.0 0.0.0.255
access-list 60 permit 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.3.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.127 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 172.20.0.0 0.0.255.255
route-map nonat permit 10
 match ip address 100
Hoping I have been clear enough, thank you for your reply.
Bye...
MaiO (Messianic Network master, 1083 posts, joined Sat 15 Oct 2005 10:55 am, Milano)
Perfect, as I thought: the thing that suits you best is to build a FULL MESH network
http://www.cisco.com/en/US/products/hw/ ... 2cce.shtml
http://www.cisco.com/en/US/tech/tk583/t ... f8ab.shtml
http://www.cisco.com/en/US/tech/tk583/t ... _list.html
I hope that's enough.
Bye bye
-=] MaiO [=-
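To make the full-mesh suggestion concrete, here is an added example (not the poster's configuration and not from the linked Cisco pages) that generates the extra IOS lines each Cisco 837 needs so that the spokes talk to each other directly, leaving the existing tunnel to the Pix untouched. Going through the hub instead is not an option with this hardware: a packet from one spoke would have to come in on the Pix's outside interface and leave through the same interface, which PIX 6.x does not do (the `same-security-traffic permit intra-interface` knob only arrived with 7.0). The public peer addresses (TEST-NET-3) and the pre-shared key below are placeholders, and the ACL numbers and crypto map sequence numbers are assumptions chosen not to collide with the ones visible in the posted 837 config. The generator also performs the check a practitioner wants before pasting anything: that the crypto ACL on each end of a spoke-to-spoke tunnel is the exact mirror of the one on the other end.

```python
"""Full-mesh IPsec between the Cisco 837 spokes: config generator plus proxy-ID check.

Added example for the thread above, not the poster's own configuration.
Assumptions: the public peer addresses (TEST-NET-3) and the pre-shared key are
placeholders, and the ACL numbers / crypto-map sequence numbers were chosen not
to collide with the ones visible in the posted 837 config.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network
from itertools import combinations


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network  # private LAN behind the router (subnets from the thread)
    peer: str         # public address of the IPsec endpoint (placeholder)


HUB = Site("Cantu", IPv4Network("192.168.1.0/24"), "203.0.113.1")
SPOKES = (
    Site("Como", IPv4Network("192.168.2.0/24"), "203.0.113.2"),
    Site("Lecco", IPv4Network("192.168.3.0/24"), "203.0.113.3"),
    Site("Erba", IPv4Network("192.168.4.0/24"), "203.0.113.4"),
)

CRYPTO_MAP = "vpn"        # map name already applied to ATM0.1 on the 837s
TRANSFORM_SET = "c*****"  # masked in the thread; reused as posted
NONAT_ACL = 100           # ACL behind 'route-map nonat' on the 837s
FIRST_SEQ = 20            # seq 10 is the existing entry towards the hub
FIRST_ACL = 110           # 100, 101 and 103 are already in use


def wildcard(net: IPv4Network) -> str:
    """IOS wildcard notation, e.g. '192.168.2.0 0.0.0.255'."""
    return f"{net.network_address} {net.hostmask}"


def spoke_config(spoke: Site, hub: Site, spokes, psk: str) -> list[str]:
    """Lines to add to one spoke so it reaches every other spoke directly.

    The existing crypto map entry towards the hub (seq 10 / ACL 101) is left alone.
    """
    others = [s for s in spokes if s != spoke]
    lines = []
    # The NAT-exemption ACL is rebuilt as a whole: new lines of a numbered ACL are
    # appended at the end, so a 'deny' added after the existing 'permit ... any'
    # would never be reached and spoke-to-spoke packets would be PAT'ed before
    # encryption (and then fail to match the crypto ACL).
    lines.append(f"no access-list {NONAT_ACL}")
    for site in [hub, *others]:
        lines.append(f"access-list {NONAT_ACL} deny ip {wildcard(spoke.lan)} {wildcard(site.lan)}")
    lines.append(f"access-list {NONAT_ACL} permit ip {wildcard(spoke.lan)} any")
    for i, other in enumerate(others):
        seq, acl = FIRST_SEQ + i, FIRST_ACL + i
        lines += [
            # Phase 1: each new peer needs its own pre-shared key entry
            f"crypto isakmp key {psk} address {other.peer}",
            # Phase 2 proxy identities: this LAN <-> the other spoke's LAN
            f"access-list {acl} permit ip {wildcard(spoke.lan)} {wildcard(other.lan)}",
            # one more entry in the crypto map that is already bound to the interface
            f"crypto map {CRYPTO_MAP} {seq} ipsec-isakmp",
            f" set peer {other.peer}",
            f" set transform-set {TRANSFORM_SET}",
            f" match address {acl}",
        ]
    return lines


def crypto_proxies(lines) -> set[tuple[str, str]]:
    """(src, dst) pairs of the crypto ACLs produced by spoke_config()."""
    pairs = set()
    for line in lines:
        p = line.split()
        if len(p) == 8 and p[0] == "access-list" and p[1].isdigit() \
                and int(p[1]) >= FIRST_ACL and p[2] == "permit":
            pairs.add((f"{p[4]} {p[5]}", f"{p[6]} {p[7]}"))
    return pairs


def shared_proxies_mirror(a: Site, cfg_a, b: Site, cfg_b) -> bool:
    """True if A's crypto ACE towards B is the exact mirror of B's ACE towards A.

    Non-mirrored proxy identities are the classic reason a Phase 2 SA never
    comes up even though Phase 1 succeeds.
    """
    to_b = {(s, d) for s, d in crypto_proxies(cfg_a) if d == wildcard(b.lan)}
    to_a = {(d, s) for s, d in crypto_proxies(cfg_b) if d == wildcard(a.lan)}
    return bool(to_b) and to_b == to_a


def full_mesh(hub: Site = HUB, spokes=SPOKES, psk: str = "CHANGE-ME") -> dict[str, list[str]]:
    """Per-spoke additions, verified pairwise before being handed out."""
    cfgs = {s.name: spoke_config(s, hub, spokes, psk) for s in spokes}
    for a, b in combinations(spokes, 2):
        if not shared_proxies_mirror(a, cfgs[a.name], b, cfgs[b.name]):
            raise ValueError(f"proxy identities between {a.name} and {b.name} do not mirror")
    return cfgs


if __name__ == "__main__":
    for name, lines in full_mesh(psk="example-psk").items():
        print(f"! ---- add to the 837 at {name} ----")
        print("\n".join(lines))
```

Paste each router's block in one go from the console, because between `no access-list 100` and its re-creation the NAT behaviour of the box changes; the Pix needs no change at all, since spoke-to-spoke traffic never reaches it. The regenerated exemption ACL ends with `permit ip <lan> any` for the whole /24, whereas the posted one only PATs the lower half (`0.0.0.127`); keep the narrower line if that was intentional. Verify with `show crypto isakmp sa` (Phase 1 per peer) and `show crypto ipsec sa` (encaps/decaps counters per crypto ACL). The generator reuses the posted transform set as-is; `esp-des`, `md5` and ISAKMP group 1 are no longer considered safe, and an 837 on an IOS release that supports it should be moved to AES and SHA with a larger DH group on every tunnel, hub included.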