Buongiorno a tutti, sono nuovo del forum, ma credo troverò una mano per il mio problema.
Conosco Cisco abbastanza da programmare un router ed un firewall in CLI con le classiche rfc 1483, Hdsl, Multigroup Telecom e sono in grado di configurare la vpn col client Cisco. Mi si presenta però un problema più complesso. Ho preso un cliente che ha una VPN a 5 punti (principale + 4 remote) e che ha sostituito la sua attuale connettività (adsl) con una HDSL a banda garantita con un router 1900 ed interfaccia HDSL. Il router l'ho programmato senza problemi e funziona, ma per la VPN sono arenato la momento nel senso che non so da che parte prenderla, esula da quello che ho fatto finora, per le vpn spesso uso server RRAS, ma in questo caso devo farla tra apparati. Nelle sedi remote ha tutti 857.
Esiste qualcosa che io possa visionare per capire come metterla in piedi? Una configurazione esistente e similare alla mia? Purtroppo vivo in piccole realtà e questi casi li vedo veramente di rado.
Sulla VPN poi viaggerà una rete windows con SBS2003 quindi i client si autenticheranno tramite vpn al dominio remoto, ma quella dal momento che ora è in piedi dovrebbe ripartire senza problemi se faccio passare tutti i pacchetti verso il router principale.
I need help...Grazie per qualsiasi piccolo aiuto.
Alessandro.
VPN a 5 nodi con Cisco HDSL 1900 e 857...mai messa in piedi.
Moderatore: Federico.Lagni
-
paolomat75
- Messianic Network master
- Messaggi: 2965
- Iscritto il: ven 29 gen , 2010 10:25 am
- Località: Prov di GE
Ciao,
sul forum ci sono diversi esempi. Guarda VPN Ipsec site to site.
Ora non ho documentazione sotto mano, ma se mi mandi la tua email stasera te la giro
Buona giornata
Paolo
sul forum ci sono diversi esempi. Guarda VPN Ipsec site to site.
Ora non ho documentazione sotto mano, ma se mi mandi la tua email stasera te la giro
Buona giornata
Paolo
Non cade foglia che l'inconscio non voglia (S.B.)
-
alessandro2875
- n00b
- Messaggi: 14
- Iscritto il: ven 20 mag , 2011 9:08 am
ciao Morpheus, sei molto gentile...se vuoi postarmela la guardo volentieri ma anche io l'avevo fatta coi 837...il problema è il 1900 che ha uno ios un po diverso....e già io ci capisco poco...e so 30 comandi in croce...
-
moorpheus
- Cisco fan
- Messaggi: 49
- Iscritto il: mer 12 set , 2007 7:44 am
Questa è la conf del router della sede centrale, dove ho tolto il la parte che a te non serve.
Le altre sedi vanno configurate di conseguenza.
Assicurati che il tuo IP pubblico sia rangiungibile dall'esterno, e verifica le impostazioni dell'MTU che sulla mia interfaccia ATM è 1500 (su HDSL forse è diverso). Con questa cosa ci ho sbattuto il grugno, e Wizard su questo forum mi ha aperto la visione dell'importanza di questo parametro.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXX address 88.35.XX.XX
crypto isakmp key XXXXXXXXXXX address 94.88.XX.XX
crypto isakmp key XXXXXXXXXXX address 93.189.XXX.XXX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to88.35.XX.XX
set peer 88.35.XX.XX
set transform-set ESP-3DES-SHA
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to94.88.XX.XX
set peer 94.88.XX.XX
set transform-set ESP-3DES-SHA1
match address 109
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to93.189.XXX.XXX
set peer 93.189.XXX.XXX
set transform-set ESP-3DES-SHA2
match address 111
!
archive
log config
hidekeys
!
!
!
...............................ho tolto tutta la parte del firewall ZBF
!
!
!
interface ATM0
mtu 1500
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$
mtu 1500
ip address 88.41.xx.xxx 255.255.255.xxx
ip access-group 101 in
ip nat outside
ip virtual-reassembly
zone-member security out-zone
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
!
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTP
remark SDM_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_SHELL
remark SDM_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_TELNET
remark SDM_ACL Category=0
permit tcp any any eq telnet
!
logging trap debugging
HO LASCIATO LE ACL CHE TI INTERESSANO..........................................
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 93.189.XXX.XXX host 88.41.XXX.XXX eq non500-isakmp
access-list 101 permit udp host 93.189.XXX.XXX host 88.41.XXX.XXX eq isakmp
access-list 101 permit esp host 93.189.XXX.XXX host 88.41.XXX.XXX
access-list 101 permit ahp host 93.189.XXX.XXX host 88.41.XXX.XXX
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 94.88.XX.XX host 88.41.XXX.XXX eq non500-isakmp
access-list 101 permit udp host 94.88.XX.XX host 88.41.XXX.XXX eq isakmp
access-list 101 permit esp host 94.88.XX.XX host 88.41.XXX.XXX
access-list 101 permit ahp host 94.88.XX.XX host 88.41.XXX.XXX
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 88.35.XX.XX host 88.41.XXX.XXX eq non500-isakmp
access-list 101 permit udp host 88.35.XX.XX host 88.41.XXX.XXX eq isakmp
access-list 101 permit esp host 88.35.XX.XX host 88.41.XXX.XXX
access-list 101 permit ahp host 88.35.XX.XX host 88.41.XXX.XXX
access-list 101 permit ip any any
.................................................................................
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host 88.35.XX.XX any
access-list 106 permit ip host 94.88.XX.XX any
access-list 106 permit ip host 93.189.XXX.XXX any
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 remark SDM_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 remark SDM_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 108
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Come puoi vedere i tunnel li ho creati sulle interfacce esterne (ip pubblico).
La conf è stata fatta con una IOS 12.4
Le altre sedi vanno configurate di conseguenza.
Assicurati che il tuo IP pubblico sia rangiungibile dall'esterno, e verifica le impostazioni dell'MTU che sulla mia interfaccia ATM è 1500 (su HDSL forse è diverso). Con questa cosa ci ho sbattuto il grugno, e Wizard su questo forum mi ha aperto la visione dell'importanza di questo parametro.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXX address 88.35.XX.XX
crypto isakmp key XXXXXXXXXXX address 94.88.XX.XX
crypto isakmp key XXXXXXXXXXX address 93.189.XXX.XXX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to88.35.XX.XX
set peer 88.35.XX.XX
set transform-set ESP-3DES-SHA
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to94.88.XX.XX
set peer 94.88.XX.XX
set transform-set ESP-3DES-SHA1
match address 109
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to93.189.XXX.XXX
set peer 93.189.XXX.XXX
set transform-set ESP-3DES-SHA2
match address 111
!
archive
log config
hidekeys
!
!
!
...............................ho tolto tutta la parte del firewall ZBF
!
!
!
interface ATM0
mtu 1500
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$
mtu 1500
ip address 88.41.xx.xxx 255.255.255.xxx
ip access-group 101 in
ip nat outside
ip virtual-reassembly
zone-member security out-zone
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
!
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTP
remark SDM_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_SHELL
remark SDM_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_TELNET
remark SDM_ACL Category=0
permit tcp any any eq telnet
!
logging trap debugging
HO LASCIATO LE ACL CHE TI INTERESSANO..........................................
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 93.189.XXX.XXX host 88.41.XXX.XXX eq non500-isakmp
access-list 101 permit udp host 93.189.XXX.XXX host 88.41.XXX.XXX eq isakmp
access-list 101 permit esp host 93.189.XXX.XXX host 88.41.XXX.XXX
access-list 101 permit ahp host 93.189.XXX.XXX host 88.41.XXX.XXX
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 94.88.XX.XX host 88.41.XXX.XXX eq non500-isakmp
access-list 101 permit udp host 94.88.XX.XX host 88.41.XXX.XXX eq isakmp
access-list 101 permit esp host 94.88.XX.XX host 88.41.XXX.XXX
access-list 101 permit ahp host 94.88.XX.XX host 88.41.XXX.XXX
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 88.35.XX.XX host 88.41.XXX.XXX eq non500-isakmp
access-list 101 permit udp host 88.35.XX.XX host 88.41.XXX.XXX eq isakmp
access-list 101 permit esp host 88.35.XX.XX host 88.41.XXX.XXX
access-list 101 permit ahp host 88.35.XX.XX host 88.41.XXX.XXX
access-list 101 permit ip any any
.................................................................................
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host 88.35.XX.XX any
access-list 106 permit ip host 94.88.XX.XX any
access-list 106 permit ip host 93.189.XXX.XXX any
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 remark SDM_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 remark SDM_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 108
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Come puoi vedere i tunnel li ho creati sulle interfacce esterne (ip pubblico).
La conf è stata fatta con una IOS 12.4
