Let me say first that the 1801 is also configured for VPN clients, and I have problems with that too: since I added the configuration for the |2| it no longer works. It also has to connect to 2 networks managed by Cisco 877s, as soon as I manage to get the test one ("prova") working...
Mind you, this isn't being done for LAN parties.

I'm posting the configuration of the two routers.
CISCO 1801
Code:
Current configuration : 9707 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *******
!
boot-start-marker
boot-end-marker
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 debugging
logging console critical
enable secret 5 ****
enable password ****
!
no aaa new-model
!
resource policy
!
clock timezone CET 1
clock summer-time ROMA recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.199.96 172.16.199.254
!
ip dhcp pool voipsi
import all
network 172.16.199.0 255.255.255.0
dns-server 88.149.128.12 208.67.222.222
domain-name lirioboschi.localdomain
default-router 172.16.199.254
lease 0 2
!
!
no ip domain lookup
ip domain name lirioboschi.localdomain
ip name-server 88.149.128.12
ip name-server 208.67.222.222
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name FWOUT icmp
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
login block-for 1 attempts 3 within 30
login on-failure
login on-success
!
!
!
username **** privilege 15 password 7 ****
username **** password 7 ****
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key **** address **** no-xauth
crypto isakmp key **** address **** no-xauth
crypto isakmp key BBB address AAAA no-xauth
!
crypto isakmp client configuration group dialinuser
key ****
pool remote-pool
acl 199
max-users 5
max-logins 3
banner ^C
**************************************************************************
Se non siete esplicitamente autorizzati,DISCONNETETEVI
IMMEDIATAMENTE.
Ogni abuso verr` perseguito.
System is RESTRICTED to authorized personnel ONLY
Unauthorized use of this system will be logged and prosecuted
to the fullest extent of the law.
If you are NOT authorized to use this system, LOG OFF NOW
*************************************************************************
^C
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto ipsec transform-set VPN-CLI esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 10
set transform-set VPN-CLI
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list dialinuser
crypto map VPN client configuration address respond
crypto map VPN 1 ipsec-isakmp
description Tunnel to ****
set peer ****
set transform-set VPN-SET
match address 151
crypto map VPN 2 ipsec-isakmp
description Tunnel to ****
set peer ****
set transform-set VPN-SET
match address 152
crypto map VPN 3 ipsec-isakmp
description Tunnel to prova
set peer AAAA
set transform-set VPN-SET
match address 153
crypto map VPN 65535 ipsec-isakmp dynamic remote-dyn
!
!
!
!
interface FastEthernet0
ip address 192.168.5.253 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
ip broadcast-address 0.0.0.0
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
mtu 1500
no ip address
ip broadcast-address 0.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
mtu 1500
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Vlan1
ip address 172.16.199.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1350
no ip mroute-cache
!
interface Dialer0
ip address **** 255.255.255.252
ip access-group 131 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip inspect FWOUT out
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no snmp trap link-status
no cdp enable
ppp authentication pap callin
ppp pap sent-username **** password 7 ****
crypto map VPN
!
ip local pool remote-pool 172.16.254.239 172.16.254.243
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NAT0-RM interface Dialer0 overload
!
!
access-list 1 remark *********************
access-list 1 remark *** ACL ROUTE-MAP ***
access-list 1 remark *********************
access-list 1 permit 172.16.199.0 0.0.0.255
access-list 100 remark *******************
access-list 100 remark *** ACL RM-NAT0 ***
access-list 100 remark *******************
access-list 100 remark ---- to **** ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 100 remark ---- to **** ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 100 remark ---- to prova ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.202.0 0.0.0.255
access-list 100 remark ---- to vpn client ---
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
access-list 100 remark ---- to translate ---
access-list 100 permit ip 172.16.199.0 0.0.0.255 any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO VPN ***
access-list 131 remark *****************************
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq non500-isakmp
access-list 131 permit udp any eq isakmp any
access-list 131 permit udp any eq non500-isakmp any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER TRAFFICO NTP ***
access-list 131 remark *****************************
access-list 131 permit udp any any eq ntp
access-list 131 remark *************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 remark *************************
access-list 131 deny ip host 0.0.0.0 any log
access-list 131 deny ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *****************************************
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 remark *****************************************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any
access-list 131 remark *****************************
access-list 131 remark *** ACL PER BLOCCARE WORM ***
access-list 131 remark *****************************
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 8888
access-list 131 deny tcp any any eq 8594
access-list 131 deny tcp any any eq 8563
access-list 131 deny tcp any any eq 7778
access-list 131 deny tcp any any eq 593
access-list 131 deny tcp any any eq 2049
access-list 131 deny udp any any eq 2049
access-list 131 deny tcp any any eq 2000
access-list 131 deny tcp any any range 6000 6010
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 remark ************************************************
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 remark ************************************************
access-list 131 deny ip any any log
access-list 151 remark ************************
access-list 151 remark *** ACL TRAFFICO VPN ***
access-list 151 remark ************************
access-list 151 remark --VPN-****--
access-list 151 permit ip 172.16.199.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 152 remark --VPN-****--
access-list 152 permit ip 172.16.199.0 0.0.0.255 172.16.201.0 0.0.0.255
access-list 153 remark --VPN-prova--
access-list 153 permit ip 172.16.199.0 0.0.0.255 172.16.202.0 0.0.0.255
access-list 199 remark --VPN-****-
access-list 199 permit ip 172.16.199.0 0.0.0.255 172.16.254.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map NAT0-RM permit 1
match ip address 100
!
!
!
!
control-plane
!
!
line con 0
line aux 0
password 7 ****
line vty 0 4
password 7 ****
login
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
CISCO 877
Code:
Current configuration : 2355 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c877-lirioboschi-cht
!
boot-start-marker
boot-end-marker
!
enable secret 5 ****
enable password ****
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.202.96 172.16.202.254
!
ip dhcp pool voipcht
import all
network 172.16.202.0 255.255.255.0
dns-server 88.149.128.12 208.67.222.222
domain-name lirioboschi.localdomain
default-router 172.16.202.254
lease 0 2
!
!
no ip domain lookup
ip name-server 88.149.128.12
ip name-server 208.67.222.222
!
!
!
username ***** privilege 15 password 0 ****
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key BBBB address **** no-xauth
!
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map VPN local-address Dialer0
crypto map VPN 10 ipsec-isakmp
set peer ****
set transform-set VPN-SET
match address 151
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
ip broadcast-address 0.0.0.0
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
interface Vlan1
ip address 172.16.202.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username aliceadls password 0 aliceadsl
crypto map VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 deny ip 172.16.202.0 0.0.0.255 172.16.199.0 0.0.0.255
access-list 101 permit ip 172.16.202.0 0.0.0.255 any
access-list 151 permit ip 172.16.202.0 0.0.0.255 172.16.199.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
login
no modem enable
line aux 0
password ****
login
line vty 0 4
password ****
login
!
scheduler max-task-time 5000
end
THANKS TO ALL OF YOU, AND KEEP IT UP: FOR SOMEONE STARTING OUT WITH CISCO, AS I AM, YOU ARE A GODSEND...
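As an added example (not part of the original post), a small Python script that makes the checks a reviewer would do by hand on the two configs above: that the phase-1 ISAKMP policies match, that each side's crypto ACL is the mirror of the other's, that the NAT ACL exempts the crypto traffic, and that a crypto map which references AAA lists (as the 1801's `client authentication list userauthen` and `isakmp authorization list dialinuser` do) has `aaa new-model` enabled. The config excerpts are constructed from the post (indented the way IOS prints sub-commands, peers left obfuscated); on these excerpts the only finding is the 1801's AAA references under `no aaa new-model`.

```python
import re

# Constructed excerpts of the two configs posted above (1801 and 877 sides).
R1801 = """\
no aaa new-model
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list dialinuser
access-list 100 deny ip 172.16.199.0 0.0.0.255 172.16.202.0 0.0.0.255
access-list 153 permit ip 172.16.199.0 0.0.0.255 172.16.202.0 0.0.0.255
"""
R877 = """\
no aaa new-model
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
access-list 101 deny ip 172.16.202.0 0.0.0.255 172.16.199.0 0.0.0.255
access-list 151 permit ip 172.16.202.0 0.0.0.255 172.16.199.0 0.0.0.255
"""
ACL = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+) (\S+ \S+)$", re.M)

def acl_pairs(cfg, acl, action):
    """(src, dst) pairs of one ACL's network-to-network entries; 'any' lines are ignored."""
    return {(m[3], m[4]) for m in ACL.finditer(cfg) if m[1] == acl and m[2] == action}

def isakmp_policy(cfg):
    """Phase-1 proposal attributes as a set, so the two routers can be compared."""
    m = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M)
    return frozenset(l.strip() for l in m[1].splitlines()) if m else frozenset()

def check_tunnel(cfg_a, acl_a, nat_a, cfg_b, acl_b, nat_b):
    """Findings for one site-to-site pair (crypto ACL and NAT ACL numbers per side)."""
    out = []
    if isakmp_policy(cfg_a) != isakmp_policy(cfg_b):
        out.append("isakmp policies differ")
    a, b = acl_pairs(cfg_a, acl_a, "permit"), acl_pairs(cfg_b, acl_b, "permit")
    if {(d, s) for s, d in b} != a:
        out.append("crypto ACLs are not mirror images")
    for side, cfg, acl, nat in (("A", cfg_a, acl_a, nat_a), ("B", cfg_b, acl_b, nat_b)):
        if not acl_pairs(cfg, acl, "permit") <= acl_pairs(cfg, nat, "deny"):
            out.append(f"side {side}: NAT ACL {nat} does not exempt all crypto ACL {acl} traffic")
        if "no aaa new-model" in cfg and re.search(r"^crypto map \S+ (client authentication|isakmp authorization) list", cfg, re.M):
            out.append(f"side {side}: crypto map references aaa lists but aaa new-model is off")
    return out
```

Run `check_tunnel(R1801, "153", "100", R877, "151", "101")` to get the findings for the "prova" tunnel; a wrong network in one crypto ACL or a changed hash in one ISAKMP policy produces the corresponding extra findings.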
