Cisco VPN Client Error - Reason 403

Virtual private networks and related topics

Moderator: Federico.Lagni

Maxwell
Cisco fan
Posts: 57
Joined: Tue 28 Feb 2006, 1:50 pm

I have a Cisco VPN Client that works perfectly against an 803 server but refuses to establish a connection to an 837 (which has a VPN configured the same way as the 803). It gets stuck at the user authentication, where I am certain I entered the right credentials, and reports error 403.
Since I can connect with the client to the 803, I assume the problem is on the 837 server side. So, looking at the config, I ask you: where is the snag?

!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret xxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 62.xx.xx.xx 62.xx.xx.xx 
   lease 0 2
!
!
ip cef
ip name-server 62.xx.xx.xx
ip name-server 62.xx.xx.xx
!
!
!
username user privilege 15 secret xxxxxxxxxxxx
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngruppo
 key ciscokey
 pool remote-pool
 acl 151
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!
crypto dynamic-map remote-dyn 10
 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5  
 reverse-route
!
!
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 10 ipsec-isakmp dynamic remote-dyn 
!
!
!
interface Ethernet0
 ip address 212.xxx.xxx.xxx 255.255.255.240 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 crypto map remotemap
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname user@email
 ppp chap password xxxxxxxx
 ppp pap sent-username user@email password xxxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map remotemap
 hold-queue 224 in
!
ip local pool remote-pool 192.168.5.200 192.168.5.203
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static 10.10.10.2 212.xxx.xxx.xxx extendable
ip nat inside source static 10.10.10.3 212.xxx.xxx.xxx extendable
ip nat inside source static 10.10.10.4 212.xxx.xxx.xxx extendable
!
access-list 100 deny   ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 151 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 100
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
!
scheduler max-task-time 5000
end
Maxwell
Cisco fan
Posts: 57
Joined: Tue 28 Feb 2006, 1:50 pm

Just to shake something loose I added ip inspect and an access-group on the interfaces, and also updated the Cisco VPN Client to the latest version, all without any result: error 403 in phase 2.
Here is the new config:

!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname host
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret xxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
!
resource policy
!
clock timezone CET 1
clock summer-time cet recurring
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 62.xx.xx.xx 62.xx.xx.xx
   lease 0 2
!
!
ip cef
ip name-server 62.xx.xx.xx
ip name-server 62.xx.xx.xx
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL icmp
ip inspect name FIREWALL netshow
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL esmtp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL vdolive
!
!
!
username user password xxxxx
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key ciscokey
 pool remote-pool
 acl 151
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
!
crypto dynamic-map remote-dyn 10
 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5 
 reverse-route
!
!
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 10 ipsec-isakmp dynamic remote-dyn 
!
!
!
interface Ethernet0
 ip address 212.xxx.xxx.xxx 255.255.255.240 secondary
 ip address 10.10.10.1 255.255.255.0
 ip access-group ACLInternal in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 no ip mroute-cache
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip access-group ACLExternal in
 ip mtu 1452
 ip nat outside
 ip inspect FIREWALL in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname user@email
 ppp chap password xxxxxxxxxx
 ppp pap sent-username user@email password xxxxxxxxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map remotemap
 hold-queue 224 in
!
ip local pool remote-pool 192.168.5.200 192.168.5.203
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source route-map nonat interface Dialer1 overload
!
!
ip access-list extended ACLExternal
 permit udp host 207.46.130.100 any eq ntp
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any parameter-problem
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
 permit tcp any any range 5000 5300
 permit ip 192.168.5.0 0.0.0.255 any
 deny   ip any any
ip access-list extended ACLInternal
 permit tcp any any
 permit udp any any
 permit icmp any any
access-list 100 deny   ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 151 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 100
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
!
scheduler max-task-time 5000
sntp server 207.46.130.100
end
Any suggestions? Ugh..
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

no aaa new-model

crypto isakmp enable
crypto logging session

crypto map remotemap local-address dialer1
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those gifted with a THIRD EYE....
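Added example, not from this thread and not Cisco's own tooling: a small Python cross-reference check that a practitioner can run over a saved IOS config before chasing a client-side 403. It is run here over a constructed excerpt modelled on the configs posted above (with the crypto map still bound on Ethernet0, as in the first post), and flags three kinds of mistakes: AAA lists, dynamic map, address pool or split-tunnel ACL that the crypto map or the client group names but that are not defined anywhere; an inbound access-group on an interface carrying the crypto map that does not permit isakmp, non500-isakmp or ESP; and a crypto map bound on more than one interface without the `local-address` command the reply above suggests. The checks are plain token matching on the config text, an assumption of this example rather than IOS's own validation, so they catch dangling references and obvious filter gaps but do not prove the tunnel will come up.

```python
"""Cross-reference checker for an IOS Easy VPN server config (constructed example)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the configs in the thread; the crypto map is
# deliberately bound on both Ethernet0 and Dialer1 to show the multi-interface case.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp client configuration group vpngroup
 key ciscokey
 pool remote-pool
 acl 151
crypto dynamic-map remote-dyn 10
 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5
 reverse-route
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 10 ipsec-isakmp dynamic remote-dyn
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto map remotemap
interface Dialer1
 ip address negotiated
 ip access-group ACLExternal in
 crypto map remotemap
ip local pool remote-pool 192.168.5.200 192.168.5.203
ip access-list extended ACLExternal
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 deny   ip any any
access-list 151 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level line, indented children) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_vpn_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings: List[str] = []

    def defined(*prefix: str) -> bool:
        # True if some top-level line starts with exactly these tokens.
        return any(h.split()[: len(prefix)] == list(prefix) for h in headers)

    # 1. Every list and dynamic map the crypto map refers to must exist.
    for h in headers:
        m = re.match(r"crypto map (\S+) client authentication list (\S+)$", h)
        if m and not defined("aaa", "authentication", "login", m.group(2)):
            findings.append(f"crypto map {m.group(1)}: login list {m.group(2)} is not defined")
        m = re.match(r"crypto map (\S+) isakmp authorization list (\S+)$", h)
        if m and not defined("aaa", "authorization", "network", m.group(2)):
            findings.append(f"crypto map {m.group(1)}: authorization list {m.group(2)} is not defined")
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", h)
        if m and not defined("crypto", "dynamic-map", m.group(2)):
            findings.append(f"crypto map {m.group(1)}: dynamic-map {m.group(2)} is not defined")

    # 2. The client group must point at an existing address pool and split-tunnel ACL.
    for h, kids in blocks:
        if not h.startswith("crypto isakmp client configuration group "):
            continue
        group = h.split()[-1]
        for k in kids:
            t = k.split()
            if t[0] == "pool" and not defined("ip", "local", "pool", t[1]):
                findings.append(f"group {group}: pool {t[1]} is not defined")
            if t[0] == "acl" and not (defined("access-list", t[1])
                                      or defined("ip", "access-list", "extended", t[1])
                                      or defined("ip", "access-list", "standard", t[1])):
                findings.append(f"group {group}: acl {t[1]} is not defined")

    # 3. Collect ACL bodies: named lists keep their children, numbered ones are flat.
    acl_rules: Dict[str, List[str]] = {}
    for h, kids in blocks:
        t = h.split()
        if t[:2] == ["ip", "access-list"] and len(t) >= 4:
            acl_rules.setdefault(t[3], []).extend(kids)
        elif t[:1] == ["access-list"] and len(t) >= 3:
            acl_rules.setdefault(t[1], []).append(" ".join(t[2:]))

    # 4. Walk the interfaces: where is the crypto map bound, and does an inbound
    #    ACL on that interface let IKE (udp/500, udp/4500) and ESP through?
    bound_on: Dict[str, List[str]] = {}
    for h, kids in blocks:
        if not h.startswith("interface "):
            continue
        iface = h.split()[1]
        acl_in = None
        for k in kids:
            t = k.split()
            if t[:2] == ["crypto", "map"] and len(t) == 3:
                bound_on.setdefault(t[2], []).append(iface)
            elif t[:2] == ["ip", "access-group"] and len(t) == 4 and t[3] == "in":
                acl_in = t[2]
        if acl_in is not None and any(k.startswith("crypto map ") for k in kids):
            for kw in ("isakmp", "non500-isakmp", "esp"):
                if not any(r.startswith("permit") and kw in r.split()
                           for r in acl_rules.get(acl_in, [])):
                    findings.append(f"{iface}: inbound ACL {acl_in} has no permit for {kw}")

    # 5. A map bound on several interfaces needs a fixed local-address so that
    #    IKE/IPsec always source from one interface (the point of the reply above).
    for name, ifaces in bound_on.items():
        if len(ifaces) > 1 and not defined("crypto", "map", name, "local-address"):
            findings.append(f"crypto map {name} is bound on {', '.join(ifaces)} "
                            f"but has no local-address")
    return findings


if __name__ == "__main__":
    for line in audit_vpn_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

On the constructed excerpt the only finding is the double binding of `remotemap` without `local-address`; adding `crypto map remotemap local-address Dialer1` clears it, and deleting the `ip local pool` line makes the dangling `pool remote-pool` reference show up instead. To run it on a real router, paste the output of `show running-config` into `SAMPLE_CONFIG` or read it from a file.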