VPN that pings but does not connect PCs to AD

Virtual private networks and related topics

Moderator: Federico.Lagni

erreu
n00b
Posts: 4
Joined: Mon 16 Apr 2007, 6:59 pm
Location: Treviso

Hello everyone.
I'm new to the forum and I hope someone can help me.

Here is my problem:

I set up a LAN-to-LAN VPN between a head office and its 5 remote sites (replacing a previous Zyxel setup that kept dropping).
At the head office I installed an 1841, and at the remote sites 877Ws.

All devices were configured with SDM 2.3.4.
The VPNs were configured with the "VPN site-to-site" wizard.

After configuring, I tested the links with the VPN test, with the following result:

VPN connection troubleshooting report details

Router details

Attribute Value
Router model 1841
Image name c1841-advsecurityk9-mz.124-9.T2.bin
IOS version 12.4(9)T2
Hostname xxxxxxxxxxxxxxx

Test activity summary

Activity Status
Checking tunnel status... Up


Test activity details

Activity Status
Checking tunnel status... Up
Encapsulations: 125589
Decapsulations: 113143
Send errors: 17
Receive errors: 0


Troubleshooting results
Failure reasons

Attempt to ping the VPN device at the other end with a data size equal to the MTU of the VPN interface and with the Don't Fragment bit set failed. This happens if the network has a lower MTU value, which results in packets with the Don't Fragment bit set being dropped.

Recommended actions
1) Contact the ISP/administrator to resolve the problem.
2) Enter the command 'crypto ipsec df-bit clear' on the VPN interface to avoid packet loss due to fragmentation.


I entered the command, but the error remains.

The problem is that the PCs and servers at all sites ping each other fine, but no traffic gets through:
the PCs at the remote sites do not authenticate to the domain server (SBS2003), and they only boot if the network cable is unplugged.
Remote access does not work either.

HEEEELP!!!

Here are the configs of the 1841 and of the 877Ws

Cisco 1841

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name xxxxxxxxxxxxxx
ip name-server 213.205.32.70
ip name-server 213.205.36.70
!
!
crypto pki trustpoint TP-self-signed-4100544283
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4100544283
revocation-check none
rsakeypair TP-self-signed-4100544283
!
!
crypto pki certificate chain TP-self-signed-4100544283
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
..............................................................................
quit
username xxxxxx privilege 15 secret xxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 217.133.xxx.xxx no-xauth
crypto isakmp key xxxxxxxx address 217.133.xxx.xxx no-xauth
crypto isakmp key xxxxxxxx address 217.133.xxx.xxx no-xauth
crypto isakmp key xxxxxxxx address 217.133.xxx.xxx no-xauth
crypto isakmp key xxxxxxxx address 217.133.xxx.xxx no-xauth
crypto isakmp key xxxxxxxx address 217.133.xxx.xxx no-xauth
!
crypto isakmp client configuration group xxxxxxxxxxxxx
key xxxxxxxxxx
dns 192.168.1.5 213.205.32.70
domain xxxxxxxxxxxxxxx
pool SDM_POOL_1
max-users 32
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to217.133.xxx.xxx
set peer 217.133.xxx.xxx
set transform-set ESP-3DES-SHA1
match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel to217.133.xxx.xxx
set peer 217.133.xxx.xxx
set transform-set ESP-3DES-SHA3
match address 108
crypto map SDM_CMAP_1 5 ipsec-isakmp
description Tunnel to217.133.xxx.xxx
set peer 217.133.xxx.xxx
set transform-set ESP-3DES-SHA4
match address 109
crypto map SDM_CMAP_1 6 ipsec-isakmp
description Tunnel to217.133.xxx.xxx
set peer 217.133.xxx.xxx
set transform-set ESP-3DES-SHA7
match address 112
crypto map SDM_CMAP_1 7 ipsec-isakmp
description Tunnel to217.133.xxx.xxx
set peer 217.133.xxx.xxx
set transform-set ESP-3DES-SHA12
match address 107
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto ipsec df-bit clear
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 217.133.xxx.xxx 255.255.255.240
ip access-group 113 in
duplex auto
speed auto
crypto ipsec df-bit clear
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
crypto ipsec df-bit clear
!
interface ATM0/0/0.1 point-to-point
description Tiscali
no snmp trap link-status
crypto ipsec df-bit clear
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address 217.133.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password 7 06565671151F504F5D
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 217.133.xxx.xxx
access-list 2 permit 217.133.xxx.xxx
access-list 2 permit 217.133.xxx.xxx
access-list 2 permit 217.133.xxx.xxx
access-list 2 permit 217.133.xxx.xxx
access-list 2 remark SDM_ACL Category=1
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.1.1 eq telnet
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.1.1 eq 22
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.1.1 eq www
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.1.1 eq 443
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.1.1 eq cmd
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 100 deny tcp any host 192.168.1.1 eq telnet
access-list 100 deny tcp any host 192.168.1.1 eq 22
access-list 100 deny tcp any host 192.168.1.1 eq www
access-list 100 deny tcp any host 192.168.1.1 eq 443
access-list 100 deny tcp any host 192.168.1.1 eq cmd
access-list 100 deny udp any host 192.168.1.1 eq snmp
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip host 217.133.xxx.xxx any
access-list 102 permit ip host 217.133.xxx.xxx any
access-list 102 permit ip host 217.133.xxx.xxx any
access-list 102 permit ip host 217.133.xxx.xxx any
access-list 102 permit ip host 217.133.xxx.xxx any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip host 217.133.xxx.xxx any
access-list 103 permit ip host 217.133.xxx.xxx any
access-list 103 permit ip host 217.133.xxx.xxx any
access-list 103 permit ip host 217.133.xxx.xxx any
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 105 deny ip any 192.168.10.64 0.0.0.31
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 107 remark VPN-PN-VE
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 217.133.xxx.xxx 0.0.0.15 192.168.60.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq telnet
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq telnet
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq telnet
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq telnet
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 22
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 22
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 22
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 22
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 22
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq www
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq www
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq www
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq www
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq www
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 443
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 443
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 443
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 443
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 443
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq cmd
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq cmd
access-list 113 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq cmd
access-list 113 deny tcp any host 217.133.xxx.xxx eq telnet
access-list 113 deny tcp any host 217.133.xxx.xxx eq 22
access-list 113 deny tcp any host 217.133.xxx.xxx eq www
access-list 113 deny tcp any host 217.133.xxx.xxx eq 443
access-list 113 deny tcp any host 217.133.xxx.xxx eq cmd
access-list 113 deny udp any host 217.133.xxx.xxx eq snmp
access-list 113 permit ip any any
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 114 remark SDM_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 114 remark SDM_ACL Category=4
access-list 114 remark IPSec Rule
access-list 115 remark SDM_ACL Category=4
access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 115 remark SDM_ACL Category=4
access-list 115 remark IPSec Rule
access-list 116 remark SDM_ACL Category=4
access-list 116 permit gre host 217.133.xxx.xxx host 217.133.xxx.xxx
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
!
control-plane
!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 102 in
transport input telnet ssh
line vty 5 15
access-class 103 in
transport input telnet ssh
!
scheduler allocate 20000 1000
end





Cisco 877W

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxx.xxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxx.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.30.1 192.168.30.31
ip dhcp excluded-address 192.168.30.64 192.168.30.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.30.0 255.255.255.0
dns-server 192.168.1.5 213.205.32.70
default-router 192.168.30.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name mondokubik
ip name-server 192.168.1.5
ip name-server 213.205.32.70
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1167048056
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1167048056
revocation-check none
rsakeypair TP-self-signed-1167048056
!
!
crypto pki certificate chain TP-self-signed-1167048056
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
..........................................................................................................
quit
username xxxxxxxx privilege 15 secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address 217.133.xxx.xxx
crypto isakmp key xxxxxxxxx address 217.133.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.133.xxx.xxx
set peer 217.133.xxx.xxx
set transform-set ESP-3DES-SHA2
match address xxxxxxxxxx
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to217.133.xxx.xxx
set peer 217.133.xxx.xxx
set transform-set ESP-3DES-SHA3
match address 105
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
crypto ipsec df-bit clear
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
crypto ipsec df-bit clear
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
ssid xxxxxxxxxxxxxxx
authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
crypto ipsec df-bit clear
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address 217.133.xxx.xxx 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password 7 0509071D22444B
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.30.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
crypto ipsec df-bit clear
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended xxxxxxxxx
remark SDM_ACL Category=4
permit ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 2 permit 217.133.xxx.xxx
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 permit 217.133.xxx.xxx 0.0.0.15
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.30.1 eq telnet
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.30.1 eq 22
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.30.1 eq www
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.30.1 eq 443
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.30.1 eq cmd
access-list 100 deny tcp any host 192.168.30.1 eq telnet
access-list 100 deny tcp any host 192.168.30.1 eq 22
access-list 100 deny tcp any host 192.168.30.1 eq www
access-list 100 deny tcp any host 192.168.30.1 eq 443
access-list 100 deny tcp any host 192.168.30.1 eq cmd
access-list 100 deny udp any host 192.168.30.1 eq snmp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq telnet
access-list 101 permit tcp 217.133.xxx.xxx 0.0.0.15 host 217.133.xxx.xxx eq telnet
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 22
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 22
access-list 101 permit tcp 217.133.xxx.xxx 0.0.0.15 host 217.133.xxx.xxx eq 22
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq www
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq www
access-list 101 permit tcp 217.133.xxx.xxx 0.0.0.15 host 217.133.xxx.xxx eq www
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 443
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq 443
access-list 101 permit tcp 217.133.xxx.xxx 0.0.0.15 host 217.133.xxx.xxx eq 443
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq cmd
access-list 101 permit tcp host 217.133.xxx.xxx host 217.133.xxx.xxx eq cmd
access-list 101 permit tcp 217.133.xxx.xxx 0.0.0.15 host 217.133.xxx.xxx eq cmd
access-list 101 deny udp any host 217.133.xxx.xxx eq snmp
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit udp host 217.133.xxx.xxx host 217.133.xxx.xxx eq non500-isakmp
access-list 101 permit udp host 217.133.xxx.xxx host 217.133.xxx.xxx eq isakmp
access-list 101 permit udp host 217.133.xxx.xxx host 217.133.xxx.xxx eq isakmp
access-list 101 permit udp host 217.133.xxx.xxx host 217.133.xxx.xxx eq non500-isakmp
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit udp host 217.133.xxx.xxx any eq non500-isakmp
access-list 101 permit udp host 217.133.xxx.xxx any eq isakmp
access-list 101 permit esp host 217.133.xxx.xxx any
access-list 101 permit ahp host 217.133.xxx.xxx any
access-list 101 permit udp host 213.205.32.70 eq domain any
access-list 101 permit udp host 192.168.1.5 eq domain any
access-list 101 deny ip 192.168.30.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 deny ip 192.168.30.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.30.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit gre host 217.133.xxx.xxx host 217.133.xxx.xxx
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.0.0 0.0.255.255 any
access-list 106 permit ip host 217.133.xxx.xxx any
access-list 106 permit ip host 217.133.xxx.xxx any
access-list 106 permit ip 217.133.xxx.xxx 0.0.0.15 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 106 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
eRreU
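The report above fails only the DF-bit ping at full interface MTU while the tunnel itself is up, and the symptom in the post (pings work, domain logon and remote access do not) is what a path-MTU black hole through an IPsec tunnel typically looks like: small packets still fit after ESP encapsulation, full-size TCP segments do not. Two numbers help when chasing that: how much esp-3des esp-sha-hmac in tunnel mode adds to a packet, and what path MTU the tunnel actually sees. Note also that in the posted configs the 877W clamps TCP MSS (ip tcp adjust-mss 1452 on Vlan1, 1412 on BVI1) while the 1841's FastEthernet0/0 has no ip tcp adjust-mss line at all. The following is an added example, not code from the thread or from Cisco: the link MTU values 1500 and 1492 and the 1400-byte simulated bottleneck are assumptions, and the live probe relies on Linux iputils ping (-M do sets DF, -s is the ICMP payload size).

```python
"""Added example (not from the forum post): ESP tunnel-mode overhead for the
esp-3des esp-sha-hmac transform set used in the posted configs, the largest
clear-text IP packet that still fits a given link MTU without fragmentation,
the TCP MSS clamp that follows from it, and a binary search for the path MTU
using DF-set probes. The link MTU values and the simulated bottleneck are
assumptions, not values taken from the thread."""
import shutil
import subprocess
from typing import Callable

# Fixed per-packet costs of ESP in tunnel mode with 3DES-CBC and HMAC-SHA1-96.
OUTER_IP_HDR = 20      # new IPv4 header added in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
IV_3DES = 8            # 3DES-CBC IV, one cipher block
ESP_TRAILER = 2        # pad length (1) + next header (1)
ICV_SHA1_96 = 12       # truncated HMAC-SHA1 authenticator
CIPHER_BLOCK = 8       # encrypted payload + trailer is padded to a multiple of this
IP_TCP_HDRS = 40       # IPv4 (20) + TCP (20), no options
FIXED_OVERHEAD = OUTER_IP_HDR + ESP_HDR + IV_3DES + ESP_TRAILER + ICV_SHA1_96


def esp_padding(inner_len: int) -> int:
    """Padding so that payload + trailer is a multiple of the 3DES block size."""
    return (-(inner_len + ESP_TRAILER)) % CIPHER_BLOCK


def esp_tunnel_size(inner_len: int) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP tunnel mode."""
    return FIXED_OVERHEAD + inner_len + esp_padding(inner_len)


def max_inner_packet(link_mtu: int) -> int:
    """Largest clear-text IP packet whose ESP tunnel-mode form fits link_mtu."""
    inner = link_mtu - FIXED_OVERHEAD
    while esp_tunnel_size(inner) > link_mtu:
        inner -= 1
    return inner


def mss_clamp(link_mtu: int) -> int:
    """TCP MSS such that a full segment crosses the tunnel without fragmentation."""
    return max_inner_packet(link_mtu) - IP_TCP_HDRS


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary search for the largest IP packet size that probe() delivers with DF set.
    probe(size) returns True when a size-byte packet gets through unfragmented."""
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte packets are dropped with DF set")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path whose smallest link MTU is path_mtu bytes."""
    return lambda size: size <= path_mtu


def ping_probe(host: str, size: int, timeout_s: int = 2) -> bool:
    """Live probe with Linux iputils ping: -M do sets DF, -s is the ICMP payload.
    The IP packet size is payload + 28 (IPv4 header 20 + ICMP header 8)."""
    ping = shutil.which("ping")
    if ping is None:
        raise RuntimeError("ping binary not found")
    cmd = [ping, "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(size - 28), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


if __name__ == "__main__":
    for mtu in (1500, 1492):   # assumed link MTUs (plain Ethernet, PPPoE)
        print(f"link MTU {mtu}: largest clear-text packet {max_inner_packet(mtu)}, "
              f"MSS clamp {mss_clamp(mtu)}")
    # Path MTU discovery against a constructed path with a 1400-byte bottleneck.
    print("path MTU found:", find_path_mtu(simulated_probe(1400)))
```

find_path_mtu accepts any probe: for a live test, wrap ping_probe with functools.partial(ping_probe, "<remote LAN gateway>") and run it from a host at the head office; the result is the largest IP packet that crosses the tunnel with DF set. The MSS values are what a clamp on the LAN-side interface would need to be for that transform set and link MTU; they are a calculation, not a verdict on the values SDM wrote into the 877W.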
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

Apart from the fact that I rather hate SDM, I think you need to do some debugging...

debug crypto ipsec
debug crypto isakmp
ter mon
The future is made of people who have intuitions and visions..... it is those people who make the difference...... the ones with a THIRD EYE....
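Before reaching for the debugs, a static pass over the pasted configs is cheap. Two things stand out in the 1841 config as posted: crypto map SDM_CMAP_1 entries 6 and 7 reference ESP-3DES-SHA7 and ESP-3DES-SHA12, while only ESP-3DES-SHA through ESP-3DES-SHA5 are defined (whether that is a paste artifact or the real running config, the thread does not say), and access-list 104 consists of remark lines only. The following is an added example, not code from the thread: a small IOS running-config lint in Python that flags crypto map entries whose transform set or match ACL has no definition, and a crypto-map interface with no ip tcp adjust-mss anywhere in the config. The embedded config is a constructed excerpt that mirrors the posted 1841 config, with RFC 5737 documentation addresses in place of the masked ones and with the indentation show run prints (the paste in the post lost it, so the parser would need adjusting to run on the post verbatim). It is a text check only; show crypto map and show crypto ipsec sa on the router remain the authority.

```python
"""Added example (not from the forum thread): static lint of an IOS config for
crypto map entries that reference an undefined transform set or an ACL with no
permit entry, and for a crypto-map interface with no TCP MSS clamp anywhere.
SAMPLE_CONFIG is a constructed excerpt mirroring the posted 1841 config, using
203.0.113.0/24 (RFC 5737) in place of the masked public addresses."""
import re
from typing import List, Set, Tuple

SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set ESP-3DES-SHA1
 match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
 set peer 203.0.113.40
 set transform-set ESP-3DES-SHA3
 match address 104
crypto map SDM_CMAP_1 6 ipsec-isakmp
 set peer 203.0.113.60
 set transform-set ESP-3DES-SHA7
 match address 112
crypto map SDM_CMAP_1 7 ipsec-isakmp
 set peer 203.0.113.30
 set transform-set ESP-3DES-SHA12
 match address 107
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 crypto ipsec df-bit clear
interface Dialer0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map SDM_CMAP_1
!
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
"""

Section = Tuple[str, List[str]]


def parse_sections(text: str) -> List[Section]:
    """Split a show-run style config into (header, [indented subcommands]) pairs."""
    sections: List[Section] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or IOS comment separator
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint_crypto_config(text: str) -> List[str]:
    """Return human-readable findings for dangling crypto map references and a missing MSS clamp."""
    transform_sets: Set[str] = set()
    acls: Set[str] = set()               # ACLs that have at least one permit entry
    crypto_maps: List[Tuple[str, int, List[str]]] = []
    interfaces: List[Tuple[str, List[str]]] = []
    for header, body in parse_sections(text):
        if m := re.match(r"crypto ipsec transform-set (\S+)", header):
            transform_sets.add(m.group(1))
        elif m := re.match(r"access-list (\S+) permit ", header):
            acls.add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", header):
            if any(line.startswith("permit ") for line in body):
                acls.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", header):
            crypto_maps.append((m.group(1), int(m.group(2)), body))
        elif m := re.match(r"interface (\S+)", header):
            interfaces.append((m.group(1), body))

    findings: List[str] = []
    for name, seq, body in crypto_maps:
        for line in body:
            if m := re.match(r"set transform-set (.+)", line):
                for ts in m.group(1).split():    # IOS allows several sets per entry
                    if ts not in transform_sets:
                        findings.append(f"crypto map {name} {seq}: transform-set {ts} is not defined")
            elif m := re.match(r"match address (\S+)", line):
                if m.group(1) not in acls:
                    findings.append(f"crypto map {name} {seq}: match address {m.group(1)} has no permit entry")

    crypto_ifaces = [n for n, b in interfaces if any(l.startswith("crypto map ") for l in b)]
    has_mss_clamp = any(l.startswith("ip tcp adjust-mss") for _, b in interfaces for l in b)
    if crypto_ifaces and not has_mss_clamp:
        findings.append(f"crypto map applied on {', '.join(crypto_ifaces)} "
                        "but no interface has ip tcp adjust-mss")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real show running-config saved to a file by reading the file into lint_crypto_config; the parser only relies on the one-space indentation IOS prints for subcommands, so it does not need the config to be complete.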
erreu
n00b
Posts: 4
Joined: Mon 16 Apr 2007, 6:59 pm
Location: Treviso

I'll try it now and see what comes out.

In the meantime I've discovered that I shouldn't work at night: when all the VPNs are down, the individual tests give OK results; during the day, with the VPNs up, the tunnel test gives me the usual error about "df-bit clear" needing to be added.

If I don't solve it, I'll be in touch.

P.S.:
for Wizard: if I can't solve it on my own (as you'll have gathered from my use of SDM, I'm not a great expert), could you assist me??
eRreU