SOHO VPN configuration

Virtual private networks and the like

Moderator: Federico.Lagni

mulasso
Cisco power user
Posts: 120
Joined: Sun 11 Jun 2006, 8:05 pm
Location: napoli

Hi all, I have put together this configuration to create a VPN between two SOHO 97s, with two identical Alice Flat ADSL lines.

Now, since I'm a newbie in this field, I wanted your advice on whether it is OK, that is, whether with this configuration the two sites can work over the VPN with each other and whether the users at the sites can browse the Internet.

ROUTER A
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nenelao
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip name-server 151.99.125.2
ip name-server 151.00.0.100
!
!
!
!
username cisco password 7 ciscomenelao
!
!
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ciscoclass address 88.41.115.66
!
!
crypto ipsec transform-set VPN-set esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN-set
set pfs group2
!
!
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source Dialer0
tunnel destination 88.41.115.66
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
!
interface ATM0
description Interfaccia ATM0/0 - Connessione ADSL Menelao
bandwidth 1280
no ip address
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
hold-queue 224 in
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
!
interface ATM0.1 point-to-point
ip address 88.53.48.190 255.255.255.248 secondary
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
description Interfaccia FastEthernet0/0 - Lan interna
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface Dialer0
description Interfaccia Dialer0 - Alice Adsl
bandwidth 1504
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username AAAAAAAAAAA password 7 BBBBBBBBBBBBBBBBBB
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
ip http server
no ip http secure-server
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation icmp-timeout 1
ip nat translation max-entries 1000
ip nat inside source list nat interface Dialer0 overload
!
ip access-list standard nat
permit 192.168.1.0 0.0.0.255
!
no cdp run
!
control-plane
!
!
line con 0
logging synchronous
transport output pad telnet rlogin udptn
stopbits 1
line aux 0
line vty 0 4
logging synchronous
login local
transport input pad telnet rlogin udptn
transport output pad telnet rlogin udptn
!
scheduler max-task-time 5000
end

ROUTER B
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sorgente
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 PPPPPPPPPPPPPPPPPPPPPPPPPP
!
no aaa new-model
!
resource policy
!

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip name-server 151.99.125.2
ip name-server 151.99.0.100
!
!
!
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ciscoclass address 88.41.115.74
!
!
crypto ipsec transform-set VPN-set esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN-set
set pfs group2
!
!
!
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel source Dialer0
tunnel destination 88.41.115.74
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
!
interface ATM0
description Interfaccia ATM0/0 - Connessione ADSL Sorgente
bandwidth 2464
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface ATM0.1 point-to-point
ip address 88.53.48.186 255.255.255.248 secondary
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
description Interfaccia FastEthernet0/0 - Lan interna
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
hold-queue 100 out
!
interface Dialer0
description Interfaccia Dialer0/0 - Alice ADSL Flat 2Mbit/s
bandwidth 2464
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 7 050A0A0622494F0D0A09
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip http server
no ip http secure-server
ip nat translation timeout 420
ip nat translation tcp-timeout 360
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 360
ip nat translation syn-timeout 10
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 30
ip nat translation port-timeout tcp 4663 60
ip nat translation port-timeout tcp 4662 60
ip nat translation port-timeout udp 4672 60
ip nat translation port-timeout udp 4673 60
ip nat translation max-entries 1000
ip nat inside source list nat interface Dialer0 overload
!
ip access-list standard nat
permit 192.168.0.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
!

!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
logging synchronous
login local
transport input pad telnet rlogin udptn
transport output pad telnet rlogin udptn
!
scheduler max-task-time 5000
!
end

Thanks for your advice
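Before wiring two sites together it helps to check mechanically that the two configs agree. What follows is an added example, not code from the thread: it parses excerpts of the ROUTER A and ROUTER B configs above (with the pre-shared key replaced by the placeholder PSK-PLACEHOLDER) and checks that the ISAKMP policy and transform set match, that each pre-shared key is bound to that router's own tunnel destination, that the two Tunnel0 addresses share a subnet, and that each router has a Tunnel0 route for the other side's LAN. On these configs it flags that Router A routes 192.168.0.0/24 into the tunnel while Router B's LAN is 192.168.2.0/24, and it lists 3DES, MD5 and DH group 2 as dated choices. The weak-algorithm table, the check wording and the function names are the example's own.

```python
"""Consistency audit of two IOS site-to-site IPsec configs.
Added example, not code from the thread; ROUTER_A / ROUTER_B are excerpts of
the configs posted above with the pre-shared key replaced by a placeholder."""
import ipaddress
from typing import List

ROUTER_A = """
hostname nenelao
crypto isakmp policy 110
encr 3des
hash md5
group 2
crypto isakmp key PSK-PLACEHOLDER address 88.41.115.66
crypto ipsec transform-set VPN-set esp-3des esp-sha-hmac
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel destination 88.41.115.66
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 Tunnel0
"""
ROUTER_B = """
hostname sorgente
crypto isakmp policy 110
encr 3des
hash md5
group 2
crypto isakmp key PSK-PLACEHOLDER address 88.41.115.74
crypto ipsec transform-set VPN-set esp-3des esp-sha-hmac
interface Tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel destination 88.41.115.74
interface FastEthernet0
ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Tunnel0
"""

WEAK_DH_GROUPS = {"1", "2", "5"}                      # modulus below 2048 bits
WEAK_ALGORITHMS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse_site(config: str) -> dict:
    """Extract only the fields the checks need; the posted configs are unindented,
    so the current section is tracked from the policy / interface header lines."""
    site: dict = {"policy": {}, "tunnel_routes": []}
    section = None
    for line in config.splitlines():
        toks = line.split()
        if not toks or toks[0] == "!":
            continue
        if toks[0] == "hostname":
            site["hostname"] = toks[1]
        elif toks[:3] == ["crypto", "isakmp", "policy"]:
            section = "policy"
        elif toks[:3] == ["crypto", "isakmp", "key"]:
            site["key_peer"] = toks[toks.index("address") + 1]
        elif toks[:3] == ["crypto", "ipsec", "transform-set"]:
            site["transform"] = tuple(toks[4:])       # algorithms after the set name
            section = None
        elif toks[0] == "interface":
            section = toks[1]
        elif toks[:2] == ["ip", "route"] and toks[-1].startswith("Tunnel"):
            site["tunnel_routes"].append(ipaddress.IPv4Network(f"{toks[2]}/{toks[3]}"))
        elif section == "policy" and toks[0] in ("encr", "hash", "group"):
            site["policy"][toks[0]] = toks[1]
        elif section == "Tunnel0" and toks[:2] == ["ip", "address"]:
            site["tunnel_ip"] = ipaddress.IPv4Interface(f"{toks[2]}/{toks[3]}")
        elif section == "Tunnel0" and toks[:2] == ["tunnel", "destination"]:
            site["tunnel_dst"] = toks[2]
        elif section == "FastEthernet0" and toks[:2] == ["ip", "address"]:
            site["lan"] = ipaddress.IPv4Network(f"{toks[2]}/{toks[3]}", strict=False)
    return site

def check_pair(a: dict, b: dict) -> List[str]:
    """Return human-readable findings; an empty list means the pair looks consistent."""
    findings: List[str] = []
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policy mismatch: {a['policy']} vs {b['policy']}")
    if a["transform"] != b["transform"]:
        findings.append(f"transform-set mismatch: {a['transform']} vs {b['transform']}")
    if a["tunnel_ip"].network != b["tunnel_ip"].network:
        findings.append("Tunnel0 addresses are not in one subnet")
    for me, peer in ((a, b), (b, a)):
        name = me["hostname"]
        if me["key_peer"] != me["tunnel_dst"]:
            findings.append(f"{name}: PSK bound to {me['key_peer']} but tunnel destination is {me['tunnel_dst']}")
        if peer["lan"] not in me["tunnel_routes"]:
            routes = [str(r) for r in me["tunnel_routes"]]
            findings.append(f"{name}: no Tunnel0 route for peer LAN {peer['lan']}; routes via Tunnel0: {routes}")
        for alg in list(me["policy"].values()) + list(me["transform"]):
            if alg in WEAK_ALGORITHMS:
                findings.append(f"{name}: weak algorithm {alg}")
        if me["policy"].get("group") in WEAK_DH_GROUPS:
            findings.append(f"{name}: weak DH group {me['policy']['group']}")
    return findings

def audit() -> List[str]:
    return check_pair(parse_site(ROUTER_A), parse_site(ROUTER_B))

if __name__ == "__main__":
    print("\n".join(audit()))
```

The parser is deliberately narrow: it knows only the handful of commands the checks need, so it should be fed the crypto, Tunnel0, LAN interface and static-route lines rather than a full running-config with unrelated sections.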
Tony76
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

The ACLs for the de-NAT are missing.
The future is made of people who have insights and visions... they are the people who make the difference... those gifted with a THIRD EYE...
mulasso

My apologies, earlier I opened another topic by mistake. Sorry.

If I understood correctly, I need to add the de-NAT ACL.
First question: where is it added and what is it for? Second: what is the complete de-NAT code?

Then, as Dreamer suggests, I should remove the line like this:
no ip nat translation max-entries 1000
Is that right?

Thanks for the suggestions; I'm a newbie and by Wednesday I should have these two routers up in VPN, and your advice does nothing but enrich my preparation and keep the customer satisfied.
Tony76

For the NAT table, yes: Cisco advises against putting that configuration line in, except in special cases.
For the de-NAT, try looking at some other posts; I've written and explained it a good number of times.
mulasso

I've made the changes. Can you take a look: with these configurations, can the two sites work over the VPN and can the users browse the Internet?

ROUTER A


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nenelao
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip name-server 151.99.125.2
ip name-server 151.00.0.100
!
!
!
!
username cisco password 7 ciscomenelao
!
!
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ciscoclass address 88.41.115.66
!
!
crypto ipsec transform-set VPN-set esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN-set
set pfs group2
!
!
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source Dialer0
tunnel destination 88.41.115.66
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
!
interface ATM0
description Interfaccia ATM0/0 - Connessione ADSL Menelao
bandwidth 1280
no ip address
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
hold-queue 224 in
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
!
interface ATM0.1 point-to-point
ip address 88.53.48.190 255.255.255.248 secondary
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
description Interfaccia FastEthernet0/0 - Lan interna
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface Dialer0
description Interfaccia Dialer0 - Alice Adsl
bandwidth 1504
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username AAAAAAAAAAA password 7 BBBBBBBBBBBBBBBBBB
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
ip http server
no ip http secure-server
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation icmp-timeout 1
ip nat inside source list nat interface Dialer0 overload
!
ip access-list standard nat
permit 192.168.1.0 0.0.0.255
ip access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
no cdp run
!
control-plane
!
!
line con 0
logging synchronous
transport output pad telnet rlogin udptn
stopbits 1
line aux 0
line vty 0 4
logging synchronous
login local
transport input pad telnet rlogin udptn
transport output pad telnet rlogin udptn
!
scheduler max-task-time 5000
end

ROUTER B



version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sorgente
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 PPPPPPPPPPPPPPPPPPPPPPPPPP
!
no aaa new-model
!
resource policy
!

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
ip name-server 151.99.125.2
ip name-server 151.99.0.100
!
!
!
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ciscoclass address 88.41.115.74
!
!
crypto ipsec transform-set VPN-set esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
set transform-set VPN-set
set pfs group2
!
!
!
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel source Dialer0
tunnel destination 88.41.115.74
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN
!
interface ATM0
description Interfaccia ATM0/0 - Connessione ADSL Sorgente
bandwidth 2464
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface ATM0.1 point-to-point
ip address 88.53.48.186 255.255.255.248 secondary
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
description Interfaccia FastEthernet0/0 - Lan interna
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
hold-queue 100 out
!
interface Dialer0
description Interfaccia Dialer0/0 - Alice ADSL Flat 2Mbit/s
bandwidth 2464
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 7 050A0A0622494F0D0A09
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip http server
no ip http secure-server
ip nat translation timeout 420
ip nat translation tcp-timeout 360
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 360
ip nat translation syn-timeout 10
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 30
ip nat translation port-timeout tcp 4663 60
ip nat translation port-timeout tcp 4662 60
ip nat translation port-timeout udp 4672 60
ip nat translation port-timeout udp 4673 60
ip nat inside source list nat interface Dialer0 overload
!
ip access-list standard nat
permit 192.168.0.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
ip access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
logging synchronous
login local
transport input pad telnet rlogin udptn
transport output pad telnet rlogin udptn
!
scheduler max-task-time 5000
!
end

Bye
Tony76

You got the NAT rules wrong; they must be:

ip nat inside source list 102 interface Dialer0 overload

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
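To see what the corrected NAT rule changes, here is an added example (not code from the thread) that models IOS first-match evaluation of the access list referenced by `ip nat inside source list ... interface Dialer0 overload`. A standard list looks only at the source address, so it selects LAN-to-remote-LAN traffic for translation exactly like Internet-bound traffic; the extended list 102 exempts the site-to-site flow with its leading deny and still translates everything else from the LAN. The two lists are the `nat` list from the first post and the list 102 given above; the sample flows and the hosts 192.168.1.10, 192.168.2.20 and 8.8.8.8 are constructed, and the function names are the example's own.

```python
"""Model of how IOS picks packets for 'ip nat inside source list ... overload'.
Added example, not code from the thread; the sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str                            # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]   # None for a standard ACL (source only)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard (inverse) mask to a network: 0.0.0.255 is a /24."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _addr(toks: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address term: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    if len(toks) == 1:                     # standard-ACL shorthand: bare address is a host
        return ipaddress.IPv4Network(toks[0] + "/32"), []
    return wildcard_to_network(toks[0], toks[1]), toks[2:]

def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse the subset of IOS ACL syntax used in the thread:
       standard:  [access-list N] permit|deny <src> [wildcard]
       extended:  [access-list N] permit|deny ip <src> <dst>
    Anything else raises, the way IOS rejects a command it does not recognise."""
    aces: List[Ace] = []
    for raw in lines:
        toks = raw.split()
        if not toks or toks[0] == "!":
            continue
        if toks[:2] == ["ip", "access-list"] and len(toks) == 4 and toks[2] in ("standard", "extended"):
            continue                       # named-ACL header: no entry on this line
        if toks[0] == "access-list":
            toks = toks[2:]                # numbered form: 'access-list 102 permit ...'
        if not toks or toks[0] not in ("permit", "deny"):
            raise ValueError(f"not an ACL entry: {raw.strip()}")
        action, rest = toks[0], toks[1:]
        if rest and rest[0] == "ip":       # extended entry: protocol, source, destination
            src, rest = _addr(rest[1:])
            dst, rest = _addr(rest)
            aces.append(Ace(action, src, dst))
        else:                              # standard entry: source only
            src, rest = _addr(rest)
            aces.append(Ace(action, src, None))
    return aces

def is_translated(aces: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins; no match is the implicit deny, i.e. no NAT."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and (ace.dst is None or d in ace.dst):
            return ace.action == "permit"
    return False

def nat_decisions(acl_lines: List[str], flows: List[Tuple[str, str]]) -> List[bool]:
    aces = parse_acl(acl_lines)
    return [is_translated(aces, s, d) for s, d in flows]

def is_valid_acl(lines: List[str]) -> bool:
    try:
        parse_acl(lines)
        return True
    except (ValueError, IndexError):
        return False

# The standard list from the first post on router A: source-only, so it cannot
# tell Internet-bound traffic from traffic for the other site.
ORIGINAL_NAT_LIST = ["ip access-list standard nat", "permit 192.168.1.0 0.0.0.255"]
# The extended list Tony76 gives: exempt the site-to-site traffic first.
CORRECTED_NAT_LIST = [
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]
# Constructed sample flows: a web request and a packet for the remote LAN.
FLOWS = [("192.168.1.10", "8.8.8.8"), ("192.168.1.10", "192.168.2.20")]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_NAT_LIST), ("corrected", CORRECTED_NAT_LIST)):
        print(name, dict(zip(FLOWS, nat_decisions(acl, FLOWS))))
```

The parser also rejects the line `ip access-list 102 deny ip ...` that the second pair of configs places under the standard list `nat`: it is neither a standard entry nor the numbered extended form. The underlying point is that a standard list has no destination field at all, so the exemption cannot be expressed there; it needs an extended list, which is then the one named in the `ip nat inside source list` command.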
mulasso

Everything else is fine. Will they work?

Thanks
Tony76

I know you won't like this answer, but you need to test it!
Roughly speaking, though, the rest looks fairly good to me.