Hello,
I have set up a VPN between 2 Cisco SR520s; the two routers can ping each other, but I cannot reach the local network.
The configuration is as follows:
site A (10.10.0.0/24) -> sr520 <-PPTP-> sr520 <-> site B (10.0.0.0/24).
I am posting the 2 configs.
Thanks to everyone for the help
ROUTER A:
Router A#sh run
Building configuration...
Current configuration : 3523 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$98aN$cxIA5kt6FZQqk5bxIvuVL0
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2395044852
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2395044852
revocation-check none
rsakeypair TP-self-signed-2395044852
!
!
crypto pki certificate chain TP-self-signed-2395044852
certificate self-signed 01
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 15 password 0 fiuftufuyr6u
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel1
description VPN VERSO B
ip address 172.31.226.20 255.255.255.0
ip nat outside
ip virtual-reassembly
tunnel source XX.XX.XX.150
tunnel destination YY.YY.YY.146
tunnel mode ipip
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address XX.XX.XX.150 255.255.255.252
ip nat outside
ip virtual-reassembly
pvc 8/35
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address ip pub gw 255.255.255.248 secondary
ip address 10.10.0.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.0.0.0 255.255.255.0 Tunnel1
!
ip http server
ip http secure-server
ip nat inside source list 101 interface ATM0.1 overload
!
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 host 10.0.0.0
access-list 101 permit tcp any any eq 1723
access-list 150 deny ip 10.10.0.0 0.0.0.255 host 10.0.0.0
access-list 150 deny ip 10.10.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
password
login
transport input telnet ssh
!
scheduler max-task-time 5000
end
ROUTER B
Router_b#sh run
Building configuration...
Current configuration : 1909 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging userinfo
logging buffered 4096
enable secret 5 $1$GxkF$cw7AaheCT1NND6K6QTTq5/
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 14 secret 5 $1$iDp9$aQhw82NrXXSTvZpebgcDh0
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel1
description VPN VERSO A
ip address 172.31.226.10 255.255.255.0
ip nat outside
ip virtual-reassembly
tunnel source xx.xx.xx.146
tunnel destination yy.yy.yy.150
tunnel mode ipip
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address yy.yy.yy.146 255.255.255.252
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address ip pub gw 255.255.255.248 secondary
ip address 10.0.0.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.10.0.0 255.255.255.0 Tunnel1
!
ip http server
no ip http secure-server
ip nat inside source list 101 interface ATM0.1 overload
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 101 permit tcp any any eq 1723
access-list 150 deny ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Creating a VPN between 2 Cisco SR520s
Hi, if you put an IP NAT OUTSIDE on the Tunnel, it will be hard for you to get inside the two networks.
Remove the ip nat outside and put the correct routes on both routers to reach the other side; you will see that it works that way.
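The change the reply describes, written out as configuration commands for both routers. This is an added example, not part of the original thread: interface names, subnets and LAN addresses are taken from the two configs posted above, and the `show` and `ping` checks at the end are standard IOS commands added here.

```cisco
! --- Router A (LAN 10.10.0.0/24), entered in global configuration mode ---
interface Tunnel1
 ! Stop treating the tunnel as a NAT "outside" interface, so packets
 ! routed from Vlan1 into Tunnel1 keep their 10.10.0.x source address.
 ! ATM0.1 stays "ip nat outside" for normal Internet traffic.
 no ip nat outside
 exit
! Route to the remote LAN through the tunnel (already in the posted config)
ip route 10.0.0.0 255.255.255.0 Tunnel1
end

! --- Router B (LAN 10.0.0.0/24), entered in global configuration mode ---
interface Tunnel1
 no ip nat outside
 exit
! Route back to site A through the tunnel (already in the posted config)
ip route 10.10.0.0 255.255.255.0 Tunnel1
end

! --- Checks from privileged EXEC on Router A (mirror them on Router B) ---
! Interface and line protocol should both be up:
show interfaces Tunnel1
! The remote LAN should be listed as reachable via Tunnel1:
show ip route 10.0.0.0
! LAN-to-LAN flows should no longer create translation entries:
show ip nat translations
! Test with a LAN source address, not the tunnel or WAN address:
ping 10.0.0.250 source Vlan1
```

Note that `tunnel mode ipip` only encapsulates: it adds no encryption or authentication, so traffic between the two LANs crosses the Internet in clear text.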