Problem with point-to-point VPN, Cisco 1700 to MS W2k3
Posted: Fri 30 Jun 2006, 5:01 pm
Hello everyone,
I have a problem connecting a Cisco 1701 to a Windows 2003 server over IPsec. The encrypted channel comes up, but then the packets don't pass. I'm probably missing something obvious; another consultant (the one who administers the server) has already set up a VPN between the server and an 837 (or something like that). We replicated the configurations on both the Cisco side and the server side, obviously making the appropriate changes.
The network behind the 1701 is 200.200.160.0/24 and the network behind the MS server is 192.168.15.0/24.
Below is the config of the 1701; maybe some kind soul will find the bug for me...
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname HN
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret XXXXX
!
username XXXX password 0 XXXX
username XXXX password 0 XXXX
username XXXX1 privilege 15 password 0 XXXX1
username XX privilege 15 password 0 XXXX
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip domain name interbusiness.it
ip name-server 151.99.125.2
ip name-server 82.88.233.67
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip ips po max-events 100
no ftp-server write-enable
!
isdn switch-type basic-net3
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******* address ###.###.###.###
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to ###.###.###.###
set peer ###.###.###.###
set transform-set ESP-3DES-SHA
match address 101
!
!
!
interface Loopback0
ip address YYY.YYY.YYY.YYY 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.252
ip nat outside
ip inspect myfw out
ip virtual-reassembly
crypto map SDM_CMAP_1
pvc 8/35
encapsulation aal5snap
!
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication chap
!
interface FastEthernet0
ip address 200.200.160.254 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed auto
no cdp enable
!
interface Dialer1
description Dialer per collegamento Assistenza
ip unnumbered FastEthernet0
encapsulation ppp
dialer pool 1
dialer remote-name mercurio
dialer idle-timeout 60
dialer string 1234567890
dialer-group 1
ppp authentication chap
ppp chap hostname CCCCCCCC
ppp chap password 0 CCC
!
interface Dialer2
description Dialer per wan verso sede
ip address 192.168.200.160 255.255.255.0
encapsulation ppp
dialer pool 1
dialer remote-name SEDE
dialer idle-timeout 60
dialer string 1234567890
dialer-group 1
ppp authentication chap
ppp chap hostname CCCCCCCCC
ppp chap password 0 CCC
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.10.10.0 255.255.255.0 Dialer1
ip route 200.200.150.0 255.255.255.0 Dialer2
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static tcp 200.200.160.1 3389 interface Loopback0 3389
ip nat inside source static tcp 200.200.160.1 5900 interface Loopback0 5900
!
!
!
access-list 100 remark IPSec Rule
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 200.200.160.0 0.0.0.255 192.168.15.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
privilege level 15
password XXXX
login local
transport input telnet ssh
!
ntp clock-period 17179949
ntp server 62.101.81.203 source ATM0.1 prefer
end
Regards,
Roberto
PS: I can't delete ACL 100, I don't understand why.
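The "tunnel comes up but no packets pass" symptom described in the post, with a NAT overload rule on the same router as the crypto map, is very often the NAT-before-crypto ordering problem: on IOS, inside-to-outside NAT is applied before the crypto map is evaluated, so a flow that ACL 101 selects but the NAT source list also translates leaves with the Loopback0 address and no longer matches the crypto ACL. The Python script below is an added example and is not part of the original thread or of any Cisco tool. It runs a static check over a trimmed copy of the posted configuration (embedded inline as constructed sample text) and reports ACL references that have no definition, remark-only ACLs, and crypto-ACL flows that the NAT list would translate. Since access-list 1 is not in the paste, its two variants (a plain permit, and an extended ACL 110 that exempts the VPN flow first) are assumptions written for the example.

```python
"""Static check for the "NAT before crypto" ordering problem on Cisco IOS.
Added example; the config text is a trimmed, constructed copy of the one
posted in the thread (placeholder peer address kept as in the post)."""
import re
from ipaddress import IPv4Address, IPv4Network

POSTED_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer ###.###.###.###
 match address 101
interface ATM0.1 point-to-point
 ip nat outside
 crypto map SDM_CMAP_1
interface FastEthernet0
 ip nat inside
ip nat inside source list 1 interface Loopback0 overload
access-list 100 remark IPSec Rule
access-list 101 remark IPSec Rule
access-list 101 permit ip 200.200.160.0 0.0.0.255 192.168.15.0 0.0.0.255
line vty 0 4
 access-class 23 in
"""
# ACL 1 is missing from the paste, so both NAT lists below are assumptions: the
# usual hand-written one, and one that exempts the VPN flow before it permits.
NAT_WITHOUT_EXEMPTION = POSTED_CONFIG + "access-list 1 permit 200.200.160.0 0.0.0.255\n"
NAT_WITH_EXEMPTION = POSTED_CONFIG.replace("source list 1 ", "source list 110 ") + (
    "access-list 110 deny ip 200.200.160.0 0.0.0.255 192.168.15.0 0.0.0.255\n"
    "access-list 110 permit ip 200.200.160.0 0.0.0.255 any\n")


def _net(tokens):
    """Consume one ACL address term: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    # A wildcard is the bitwise inverse of a netmask; convert explicitly so that
    # 0.0.0.0 means /32 and 255.255.255.255 means /0 (ipaddress would guess otherwise).
    netmask = IPv4Address(int(IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return IPv4Network((tok, str(netmask)), strict=False)


def parse_acls(config):
    """{acl: [(action, src, dst_or_None), ...]} for standard entries and
    extended 'ip' entries; entries for other protocols are out of scope here."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list (\S+) (permit|deny) (.*)", line)
        if not m:
            continue
        name, action, rest = m.groups()
        tokens = rest.split()
        if tokens[0] == "ip":                        # extended: ip SRC WILD DST WILD
            tokens.pop(0)
            src, dst = _net(tokens), _net(tokens)
        elif tokens[0] in ("any", "host") or len(tokens) == 2:
            src, dst = _net(tokens), None            # standard: SRC WILD | any | host X
        elif len(tokens) == 1:
            src, dst = _net([tokens[0], "0.0.0.0"]), None   # standard: bare host address
        else:
            continue
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def referenced_acls(config):
    """[(purpose, acl), ...] for the ACL references that matter to this check."""
    patterns = {"crypto map match address": r"\s*match address (\S+)",
                "ip nat inside source list": r"\s*ip nat inside source list (\S+)",
                "vty access-class": r"\s*access-class (\S+) in"}
    return [(purpose, m.group(1)) for line in config.splitlines()
            for purpose, pat in patterns.items() if (m := re.match(pat, line))]


def nat_translates(nat_entries, src, dst):
    """First-match semantics: is the src->dst flow translated by this NAT ACL?
    Standard entries (dst None) only look at the source address."""
    for action, esrc, edst in nat_entries:
        if src.overlaps(esrc) and (edst is None or dst.overlaps(edst)):
            return action == "permit"
    return False                                     # implicit deny: untouched by NAT


def audit(config):
    """Return the list of findings for a config; an empty list means nothing flagged."""
    acls, refs, findings = parse_acls(config), referenced_acls(config), []
    for purpose, name in refs:
        if name not in acls:
            findings.append(f"{purpose} references ACL {name}, which has no permit/deny lines in this config")
    for name in sorted(set(re.findall(r"^\s*access-list (\S+) remark", config, re.M)) - set(acls)):
        findings.append(f"ACL {name} has only remark lines in this config (no permit/deny)")
    crypto = [n for p, n in refs if p.startswith("crypto") and n in acls]
    nat = [n for p, n in refs if p.startswith("ip nat") and n in acls]
    for c in crypto:
        for action, src, dst in acls[c]:
            for n in nat:
                if action == "permit" and nat_translates(acls[n], src, dst):
                    findings.append(f"NAT list {n} translates {src} -> {dst} before crypto ACL {c} "
                                    f"is evaluated; exempt that flow with a deny ahead of the permit "
                                    f"(extended ACL) so it is encrypted untranslated")
    return findings


if __name__ == "__main__":
    for label, cfg in [("posted", POSTED_CONFIG), ("NAT without exemption", NAT_WITHOUT_EXEMPTION),
                       ("NAT with exemption", NAT_WITH_EXEMPTION)]:
        print(f"== {label}")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run stand-alone, the posted snippet yields three findings (NAT list 1 and vty access-class 23 are referenced but never defined, and ACL 100 consists of a remark only), the variant with a plain `access-list 1 permit` is flagged because it would translate the 200.200.160.0/24 to 192.168.15.0/24 flow before encryption, and the variant with the deny-then-permit extended ACL is not. The parser deliberately models only standard entries and extended `ip` entries, which is all a NAT exemption check needs; anything more would need port-aware matching.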