VPN on a Cisco 837: it pings the clients but doesn't authenticate!

molok
n00b
Posts: 18
Joined: Tue 25 Jul 2006, 12:13 pm

Hi everyone!! HAPPY HOLIDAYS!!!

So, I have 2 problems:

1. I connect to the VPN and I can ping the clients, but I can't authenticate on the clients of the network.

2. (not for this section, but while I'm at it) when I use eMule it works until I reboot the PC; after that it tells me the ports are closed and it connects with a low ID, and it only gets fixed by rebooting the router!

Here is my config.

Code:

Current configuration : 7611 bytes
!
version 12.3
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXX 
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 8
logging exception 100000
logging count
logging queue-limit 10000
logging buffered 150000 debugging
logging console critical
enable secret 5 XXXXXXXXXX 
enable password 7 XXXXXXXXXX 
!
username XXXXXXXXXX password 7 XXXXXXXXXX 
no aaa new-model
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.250
!
ip dhcp pool CLIENT
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.250
   dns-server 62.211.69.150 212.48.4.15
   domain-name tin.it
   lease infinite
!
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
ip name-server 62.211.69.150
ip name-server 212.48.4.15
ip name-server 151.99.125.1
no ip bootp server
ip cef
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name IDS tcp
ip inspect name IDS udp
ip ips sdf location disk2:attack-drop.sdf
ip ips po max-events 100
ip ips name IPS-IN
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXXXXXX 
 key XXXXXXXXXX 
 pool remote-pool
 acl 151
!
!
crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 10
 set transform-set VPN-CLI-SET
!
!
crypto map remotemap local-address Dialer0
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 10 ipsec-isakmp dynamic remote-dyn
!
!
!
interface Ethernet0
 description INTERFACCIA FISICA PER GESTIONE LAN
 ip address 192.168.0.250 255.255.255.0
 ip nat inside
 ip inspect IDS in
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 description INTERFACCIA FISICA PER COLLEGAMENTO ADSL
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description INTERFACCIA PER ACCESSO AD INTERNET
 ip address negotiated
 ip access-group 131 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1492
 ip nat outside
 ip ips IPS-IN in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXX password 7 XXXXXXXXXX 
 crypto map remotemap
!
ip local pool remote-pool 192.168.0.200 192.168.0.203
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.200 255.255.255.252 Dialer0
!
ip http server
no ip http secure-server
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 120
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.1 7642 interface Dialer0 7642
ip nat inside source static udp 192.168.0.1 7640 interface Dialer0 7640
ip nat inside source static tcp 192.168.0.1 7640 interface Dialer0 7640
ip nat inside source static udp 192.168.0.1 7642 interface Dialer0 7642
!
!
logging history debugging
access-list 101 remark *** ACL PER PAT E NAT0 ***
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.200 0.0.0.3
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 131 remark *** ACL PER PERMETTERE ACCESSO AL ROUTER DA OUTSIDE ***
access-list 131 permit tcp any any eq telnet
access-list 131 remark *** ACL PER TRAFFICO VPN  ***
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *** ACL PER TRAFFICO VERSO EMULE  ***
access-list 131 permit tcp any any eq 7642
access-list 131 permit udp any any eq 7640
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 deny   ip any any log
access-list 151 remark *** ACL PER SPLIT-TUNNEL DA VPN-CLIENT ***
access-list 151 permit ip 192.168.0.0 0.0.0.255 192.168.0.200 0.0.0.3
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
no cdp run
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 login local
 no modem enable
 transport preferred all
 transport output ssh
 stopbits 1
line aux 0
 exec-timeout 0 0
 login local
 transport preferred all
 transport output ssh
line vty 0 4
 exec-timeout 35791 0
 login local
 length 0
 transport preferred all
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end
THANKS TO ANYONE WHO IS WILLING TO HELP ME!!!!
Last edited by molok on Mon 22 Jan 2007, 2:42 pm, edited 1 time in total.
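The config above is long enough that the cross-references are easy to miss by eye: the crypto map calls the Xauth list "userauthen" and the authorization list "groupauthor", the VPN pool sits inside the LAN subnet of Ethernet0, and the inbound ACL on the interface that carries the crypto map denies the ports Windows clients use for authentication and file sharing (135, 139, 445). The script below is an added example written for this thread (it is not the poster's tool, nor a Cisco tool): it parses an IOS running-config into top-level commands with their indented sub-commands and reports those three kinds of inconsistency as items to verify on the router. The SAMPLE_CONFIG it runs on is a constructed excerpt with the same shape as the config in the post; whether an inbound ACL is also applied to traffic after decryption depends on the IOS release, so that third check only lists what to double-check, it does not claim the ACL is the cause.

```python
"""Consistency checks for a Cisco IOS config that terminates IPsec remote-access VPNs.

Added example for this thread; not the poster's code and not a Cisco tool.
Checks performed:
  1. crypto map authentication/authorization lists referenced while AAA is off,
     or referenced without a matching 'aaa authentication login' /
     'aaa authorization network' method list
  2. an 'ip local pool' whose range lies inside the subnet of an 'ip nat inside' interface
  3. an inbound ACL on the interface carrying the crypto map that denies tcp/udp 135, 139, 445
"""
import ipaddress
import re

# Constructed excerpt modelled on the config in the thread (placeholder names/addresses).
SAMPLE_CONFIG = """\
no aaa new-model
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
interface Ethernet0
 ip address 192.168.0.250 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip access-group 131 in
 ip nat outside
 crypto map remotemap
ip local pool remote-pool 192.168.0.200 192.168.0.203
access-list 131 permit esp any any
access-list 131 deny   tcp any any eq 135
access-list 131 deny   tcp any any eq 139
access-list 131 deny   tcp any any eq 445
access-list 131 deny   ip any any log
"""


def parse_config(text):
    """Return a list of (command, [sub-commands]); blank and '!' separator lines are skipped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):            # indented line belongs to the previous top-level command
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def check_aaa_lists(blocks):
    """Xauth and group-authorization lists on a crypto map are AAA method lists: they need
    'aaa new-model' and a matching 'aaa authentication login' / 'aaa authorization network'."""
    findings = []
    aaa_on = any(cmd == "aaa new-model" for cmd, _ in blocks)
    for cmd, _ in blocks:
        m = re.match(r"crypto map (\S+) (client authentication|isakmp authorization) list (\S+)", cmd)
        if not m:
            continue
        name, kind, lst = m.groups()
        if not aaa_on:
            findings.append(f"crypto map {name}: {kind} list '{lst}' referenced but 'aaa new-model' is not set")
            continue
        if kind.startswith("client"):
            pattern = rf"aaa authentication login {re.escape(lst)}\b"
        else:
            pattern = rf"aaa authorization network {re.escape(lst)}\b"
        if not any(re.match(pattern, c) for c, _ in blocks):
            findings.append(f"crypto map {name}: {kind} list '{lst}' has no matching aaa method list")
    return findings


def check_pool_overlap(blocks):
    """Flag a VPN address pool whose endpoints fall inside an 'ip nat inside' interface subnet."""
    findings, lan_nets = [], []
    for cmd, subs in blocks:
        if cmd.startswith("interface ") and "ip nat inside" in subs:
            for s in subs:
                m = re.match(r"ip address (\S+) (\S+)$", s)   # 'ip address negotiated' does not match
                if m:
                    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                    lan_nets.append((cmd.split()[1], net))
    for cmd, _ in blocks:
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)", cmd)
        if not m:
            continue
        pool, first, last = m.groups()
        for ifname, net in lan_nets:
            if ipaddress.ip_address(first) in net or ipaddress.ip_address(last) in net:
                findings.append(f"pool {pool} ({first}-{last}) overlaps {ifname} subnet {net}; "
                                f"needs a matching static route or proxy-ARP to work")
    return findings


def check_acl_blocks_auth_ports(blocks, ports=(135, 139, 445)):
    """On the interface carrying the crypto map, list inbound ACL denies for RPC/NetBIOS/SMB ports."""
    findings = []
    for cmd, subs in blocks:
        if not cmd.startswith("interface "):
            continue
        crypto = [s for s in subs if s.startswith("crypto map ")]
        acl = [s for s in subs if re.match(r"ip access-group \S+ in$", s)]
        if not crypto or not acl:
            continue
        ifname, acl_id, map_name = cmd.split()[1], acl[0].split()[2], crypto[0].split()[2]
        for c, _ in blocks:
            m = re.match(rf"access-list {re.escape(acl_id)} deny\s+(tcp|udp) any any eq (\d+)", c)
            if m and int(m.group(2)) in ports:
                findings.append(f"{ifname}: inbound ACL {acl_id} denies {m.group(1)}/{m.group(2)} "
                                f"on the interface carrying crypto map {map_name}")
    return findings


def lint(text):
    """Run all checks over a config string and return the combined list of findings."""
    blocks = parse_config(text)
    return check_aaa_lists(blocks) + check_pool_overlap(blocks) + check_acl_blocks_auth_ports(blocks)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("CHECK:", finding)
```

Run it against a saved `show running-config` instead of SAMPLE_CONFIG to get the list for a real router; each finding is a cross-reference to verify on the box, not a verdict.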
molok

UP! PLEASE HELP ME! :roll: