Come pingare gli host della lan in una connessione vpn ?
Inviato: mer 05 lug , 2006 1:50 pm
Salve ,
come potete notare dall'oggetto dell'argomento sono riuscito ad attivare una connessione vpn tramite l'utilizzo dell'SDM. Il problema è che una volta che la connessione viene stipulata non ho la possibilità di sfogliare quella rete lan a cui sono connesso nè tantomeno di pingarla possibile che non ci sia modo di ovviare a questo problema? Per maggiore chiarezza vi allego la configurazione di quel router.
Ringrazio anticipatamente per l'aiuto e la disponibilità.
P.S. la connessione vpn è del tipo "client internet--->router"
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
ip domain name TEST
no ip ips deny-action ips-interface
ip ips notify SDEE
ip ssh version 1
!
!
crypto pki trustpoint TP-self-signed-2598887296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2598887296
revocation-check none
rsakeypair TP-self-signed-2598887296
!
!
crypto pki certificate chain TP-self-signed-2598887296
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353938 38383732 3936301E 170D3032 30333130 31383236
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35393838
38373239 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9D5 1AD57BD1 E9EDBCBA E374AA6E 3EC22B71 E0302182 D0B31AA7 44D4CF10
09195C29 83169DFA A2EC4F8C 03CA9431 507EC3B6 8E2DE66B 9605696B D94DBDC3
1C37092B BB0ECD73 FB6B2631 160B6F37 9AD6D4CC 7EB4E12E 870A0773 58E0E82E
5BB51705 2BE69F50 8241BF79 01E3753D EF326A88 38C92B84 D9D3347D 47E1F495
0E090203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B546563 6E6F6461 74695F4C 65527567 68652E54 45434E4F
44415449 301F0603 551D2304 18301680 14852774 F24F3026 FF7D1EDA F22472C6
855576A8 11301D06 03551D0E 04160414 852774F2 4F3026FF 7D1EDAF2 2472C685
5576A811 300D0609 2A864886 F70D0101 04050003 81810084 042E8804 A31A3E0B
4F00D92A CC8D29B3 A7A32BF8 CB7C546F 8AAE95A5 DADFA9ED 62C81329 4D1B75F2
09DD5E8B BA8639E6 3A6E30DB 476B3783 0A3C295E 30BA92EB 33DE26AC 564441AA
13FB2464 BE154FAA FC45AF3C 91BF65B8 611566F0 083F33AC EE02651A 7DD9F2A3
8CFA65AD 3F16CAA3 C7F9A3FB 8041DDC8 31C2E8AF 12AFA4
quit
!
username test privilege 15 secret test
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group VPN-837
key cisco
pool SDM_POOL_1
include-local-lan
max-users 1
netmask 255.255.255.252
!
!
crypto ipsec transform-set trasformazione esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set trasformazione
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface Ethernet0
description $ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
dialer pool 1
no cdp enable
ppp chap hostname test
ppp chap password test
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
password test
transport input telnet ssh
!
end
come potete notare dall'oggetto dell'argomento sono riuscito ad attivare una connessione vpn tramite l'utilizzo dell'SDM. Il problema è che una volta che la connessione viene stipulata non ho la possibilità di sfogliare quella rete lan a cui sono connesso nè tantomeno di pingarla possibile che non ci sia modo di ovviare a questo problema? Per maggiore chiarezza vi allego la configurazione di quel router.
Ringrazio anticipatamente per l'aiuto e la disponibilità.
P.S. la connessione vpn è del tipo "client internet--->router"
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
ip domain name TEST
no ip ips deny-action ips-interface
ip ips notify SDEE
ip ssh version 1
!
!
crypto pki trustpoint TP-self-signed-2598887296
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2598887296
revocation-check none
rsakeypair TP-self-signed-2598887296
!
!
crypto pki certificate chain TP-self-signed-2598887296
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32353938 38383732 3936301E 170D3032 30333130 31383236
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35393838
38373239 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9D5 1AD57BD1 E9EDBCBA E374AA6E 3EC22B71 E0302182 D0B31AA7 44D4CF10
09195C29 83169DFA A2EC4F8C 03CA9431 507EC3B6 8E2DE66B 9605696B D94DBDC3
1C37092B BB0ECD73 FB6B2631 160B6F37 9AD6D4CC 7EB4E12E 870A0773 58E0E82E
5BB51705 2BE69F50 8241BF79 01E3753D EF326A88 38C92B84 D9D3347D 47E1F495
0E090203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B546563 6E6F6461 74695F4C 65527567 68652E54 45434E4F
44415449 301F0603 551D2304 18301680 14852774 F24F3026 FF7D1EDA F22472C6
855576A8 11301D06 03551D0E 04160414 852774F2 4F3026FF 7D1EDAF2 2472C685
5576A811 300D0609 2A864886 F70D0101 04050003 81810084 042E8804 A31A3E0B
4F00D92A CC8D29B3 A7A32BF8 CB7C546F 8AAE95A5 DADFA9ED 62C81329 4D1B75F2
09DD5E8B BA8639E6 3A6E30DB 476B3783 0A3C295E 30BA92EB 33DE26AC 564441AA
13FB2464 BE154FAA FC45AF3C 91BF65B8 611566F0 083F33AC EE02651A 7DD9F2A3
8CFA65AD 3F16CAA3 C7F9A3FB 8041DDC8 31C2E8AF 12AFA4
quit
!
username test privilege 15 secret test
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group VPN-837
key cisco
pool SDM_POOL_1
include-local-lan
max-users 1
netmask 255.255.255.252
!
!
crypto ipsec transform-set trasformazione esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set trasformazione
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface Ethernet0
description $ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
dialer pool 1
no cdp enable
ppp chap hostname test
ppp chap password test
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.2
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
password test
transport input telnet ssh
!
end