VPN and IAS problem

Virtual private networks and related topics

Moderator: Federico.Lagni

baba
n00b
Posts: 6
Joined: Thu 30 Nov 2006, 10:44 am

Hi everyone.
I set up a VPN on a Cisco 857 using SDM.
On the DC (2000 Server) I installed IAS and configured RADIUS.
The problem is that now the server where RADIUS is installed no longer reaches the internet, only the internal network.
How can I solve this problem?
Thanks
MaiO
Messianic Network master
Posts: 1083
Joined: Sat 15 Oct 2005, 10:55 am
Location: Milano

It's a known problem (at least to me). The SDM wizard goes haywire with the route maps. Post the config and I'll tell you what you need to change.

Basically it happens in the conversion of the static NATs into route maps (and it even makes a certain amount of sense in some cases).


Ciao
-=] MaiO [=-
baba
n00b
Posts: 6
Joined: Thu 30 Nov 2006, 10:44 am

Thanks a lot for the help. Here's the configuration.

Code:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authentication login sdm_vpn_xauth_ml_2 group radius local
aaa authentication login sdm_vpn_xauth_ml_3 group radius local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 group radius 
aaa authorization network sdm_vpn_group_ml_2 group radius 
aaa authorization network sdm_vpn_group_ml_3 local 
!
aaa session-id common
!
resource policy
!
ip cef
no ip domain lookup
ip name-server 151.99.125.2
!
!
crypto pki trustpoint TP-self-signed-1109663261
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1109663261
 revocation-check none
 rsakeypair TP-self-signed-1109663261
!
!
crypto pki certificate chain TP-self-signed-1109663261
 certificate self-signed 01 nvram:IOS-Self-Sig#3108.cer
username xxxxx privilege 15 secret 5 xxxxx
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxx
 key xxxxx
 dns 192.168.1.101 192.168.1.102
 domain xxxxx.xxx
 pool SDM_POOL_1
 max-users 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA2 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface ATM0
 no ip address
 ip nat outside
 ip virtual-reassembly
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 bandwidth 1280
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35 
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.1.201 192.168.1.210
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.1.0 255.255.255.0 192.168.2.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
ip nat inside source route-map SDM_RMAP_2 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.102 22 xxx.xxx.xxx.xxx 22 route-map SDM_RMAP_9 extendable
ip nat inside source static tcp 192.168.1.102 25 xxx.xxx.xxx.xxx 25 route-map SDM_RMAP_5 extendable
ip nat inside source static tcp 192.168.1.102 80 xxx.xxx.xxx.xxx 80 route-map SDM_RMAP_10 extendable
ip nat inside source static tcp 192.168.1.102 443 xxx.xxx.xxx.xxx 443 route-map SDM_RMAP_7 extendable
ip nat inside source static tcp 192.168.1.102 993 xxx.xxx.xxx.xxx 993 route-map SDM_RMAP_6 extendable
ip nat inside source static tcp 192.168.1.102 995 xxx.xxx.xxx.xxx route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 192.168.1.104 80 xxx.xxx.xxx.xxx route-map SDM_RMAP_3 extendable
ip nat inside source static tcp 192.168.1.101 3389 xxx.xxx.xxx.xxx 3389 route-map SDM_RMAP_8 extendable
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=16
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip any host 192.168.1.201
access-list 100 deny   ip any host 192.168.1.202
access-list 100 deny   ip any host 192.168.1.203
access-list 100 deny   ip any host 192.168.1.204
access-list 100 deny   ip any host 192.168.1.205
access-list 100 deny   ip any host 192.168.1.206
access-list 100 deny   ip any host 192.168.1.207
access-list 100 deny   ip any host 192.168.1.208
access-list 100 deny   ip any host 192.168.1.209
access-list 100 deny   ip any host 192.168.1.210
access-list 100 deny   ip host 192.168.1.102 any
access-list 100 deny   ip host 192.168.1.104 any
access-list 100 deny   ip host 192.168.1.101 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip any host 192.168.1.201
access-list 101 deny   ip any host 192.168.1.202
access-list 101 deny   ip any host 192.168.1.203
access-list 101 deny   ip any host 192.168.1.204
access-list 101 deny   ip any host 192.168.1.205
access-list 101 deny   ip any host 192.168.1.206
access-list 101 deny   ip any host 192.168.1.207
access-list 101 deny   ip any host 192.168.1.208
access-list 101 deny   ip any host 192.168.1.209
access-list 101 deny   ip any host 192.168.1.210
access-list 101 deny   ip host 192.168.1.102 any
access-list 101 deny   ip host 192.168.1.104 any
access-list 101 deny   ip host 192.168.1.101 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.210
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.209
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.208
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.207
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.206
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.205
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.204
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.203
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.202
access-list 102 deny   ip host 192.168.1.104 host 192.168.1.201
access-list 102 permit ip host 192.168.1.104 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.210
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.209
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.208
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.207
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.206
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.205
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.204
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.203
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.202
access-list 103 deny   ip host 192.168.1.102 host 192.168.1.201
access-list 103 permit ip host 192.168.1.102 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.210
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.209
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.208
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.207
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.206
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.205
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.204
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.203
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.202
access-list 104 deny   ip host 192.168.1.102 host 192.168.1.201
access-list 104 permit ip host 192.168.1.102 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.210
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.209
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.208
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.207
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.206
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.205
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.204
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.203
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.202
access-list 105 deny   ip host 192.168.1.102 host 192.168.1.201
access-list 105 permit ip host 192.168.1.102 any
access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.210
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.209
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.208
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.207
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.206
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.205
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.204
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.203
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.202
access-list 106 deny   ip host 192.168.1.102 host 192.168.1.201
access-list 106 permit ip host 192.168.1.102 any
access-list 107 remark SDM_ACL Category=2
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.210
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.209
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.208
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.207
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.206
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.205
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.204
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.203
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.202
access-list 107 deny   ip host 192.168.1.101 host 192.168.1.201
access-list 107 permit ip host 192.168.1.101 any
access-list 108 remark SDM_ACL Category=2
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.210
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.209
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.208
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.207
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.206
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.205
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.204
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.203
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.202
access-list 108 deny   ip host 192.168.1.102 host 192.168.1.201
access-list 108 permit ip host 192.168.1.102 any
access-list 109 remark SDM_ACL Category=2
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.210
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.209
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.208
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.207
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.206
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.205
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.204
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.203
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.202
access-list 109 deny   ip host 192.168.1.102 host 192.168.1.201
access-list 109 permit ip host 192.168.1.102 any
no cdp run
route-map SDM_RMAP_10 permit 1
 match ip address 109
!
route-map SDM_RMAP_4 permit 1
 match ip address 103
!
route-map SDM_RMAP_5 permit 1
 match ip address 104
!
route-map SDM_RMAP_6 permit 1
 match ip address 105
!
route-map SDM_RMAP_7 permit 1
 match ip address 106
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map SDM_RMAP_2 permit 1
 match ip address 101
!
route-map SDM_RMAP_3 permit 1
 match ip address 102
!
route-map SDM_RMAP_8 permit 1
 match ip address 107
!
route-map SDM_RMAP_9 permit 1
 match ip address 108
!
radius-server host 192.168.1.101 auth-port 1812 acct-port 1813 key xxxxx
control-plane
end
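The thread stops before MaiO gets to say what to change, so the following is an added illustration by the editor, not MaiO's answer and not code from the original post. It reads the posted configuration against MaiO's diagnosis (static NATs converted into route maps) and shows one fix consistent with it; the addresses, ACL numbers and route-map names are the ones in the config above, the public address stays masked as xxx.xxx.xxx.xxx exactly as posted, and the fix assumes the intent is for 192.168.1.101 to keep its RDP port forward and otherwise share the ATM0.1 address like every other LAN host. Whether this is what MaiO had in mind the thread never says.

```ios
! Added illustration, not from the original thread. Addresses and ACL/route-map
! names are those in the posted config; xxx.xxx.xxx.xxx is the masked public IP.
!
! Why 192.168.1.101 has no internet access, reading the config as posted:
!
!   ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!   route-map SDM_RMAP_1 permit 1
!    match ip address 100
!   access-list 100 deny   ip host 192.168.1.101 any        <- excluded from PAT
!   access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!   ip nat inside source static tcp 192.168.1.101 3389 xxx.xxx.xxx.xxx 3389 route-map SDM_RMAP_8 extendable
!
! SDM takes every host that has a static NAT entry out of the dynamic overload
! rule. That is right for a one-to-one static NAT (the static entry then covers
! all of the host's traffic), but here the only static entry for .101 is one
! TCP port, 3389. A packet from .101 with any other source port matches neither
! the static entry nor the overload rule, so it leaves ATM0.1 with its private
! source address and no reply ever comes back. The same applies to .102 and
! .104, whose entries are per-port as well. The "extendable" keyword already
! allows a host to have per-port statics and still use PAT; only the deny
! lines stand in the way.
!
! Fix: keep the denies for 192.168.1.201-210 (VPN client traffic must not be
! NATted) and remove only the per-host denies, so these hosts fall back to PAT
! for everything their static entries do not cover. Numbered ACLs can be edited
! line by line in named-ACL mode on IOS 12.3 and later.
configure terminal
 ip access-list extended 100
  no deny ip host 192.168.1.102 any
  no deny ip host 192.168.1.104 any
  no deny ip host 192.168.1.101 any
 exit
end
! Translations built under the old ACL stay in the table; flush them (this
! drops every current NAT session, so do it in a quiet moment).
clear ip nat translation *
write memory
!
! Checks: ACL 100 should now be the ten pool denies plus the permit; after
! opening a web page from 192.168.1.101, a PAT entry for it should appear.
show access-lists 100
show ip nat translations | include 192.168.1.101
```

ACL 101 carries the same three per-host deny lines, but since it only permits 192.168.2.0/24 they never match anything and can be left or removed as preferred. Separately from the NAT problem: the same config forwards TCP 3389 (RDP) from the public address straight to 192.168.1.101, which by the opening post is the domain controller running IAS; that exposure is worth reconsidering on its own.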
baba
n00b
Posts: 6
Joined: Thu 30 Nov 2006, 10:44 am

up :)
baba
n00b
Posts: 6
Joined: Thu 30 Nov 2006, 10:44 am

Can nobody help me? :(