VPN between a 1900 and 857s browses, the tunnel comes up but packets don't go through

Virtual private networks and the like

Moderator: Federico.Lagni

alessandro2875
n00b
Posts: 14
Joined: Fri 20 May 2011 9:08 am

Hi everyone, I need a hand... I've bitten off more than I can chew and now I have to get out of it... I have a VPN configured across 5 sites with a 1900 and some 857s. I used the fantastic wizard, which set everything up for me... and in fact the internet connections work... but even though the tunnel comes up, it cuts my packets... below are the configs of the central router and of one remote... there is surely something wrong... but I can't figure out what; if I connect with the Cisco client it gets in without problems, so there's something at the config level between the devices... I need someone who knows about this.... any help is welcome... thanks to everyone for your attention in the meantime...

Central Router

Current configuration : 6074 bytes
!
! Last configuration change at 17:18:10 UTC Tue May 31 2011 by it4you
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1744371077
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1744371077
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1744371077
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31373434 33373130 3737301E 170D3131 30353331 31343232
34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37343433
37313037 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CE80 1AC763ED 24CCCAA0 07B09A86 1CE406B6 18D194D1 9F28C850 AC9F53E5
E1BFC0E8 D1169A4C AE0F8ADD 36CFD2BA D5F9A9E8 92AAEEB2 AFD4354E BAB9A309
80CA1728 342A8193 DEB77600 002A04C3 025F06E8 6281BC8E 98F6E4D0 E3128629
FE545099 68FF0D80 0CAFF225 C6325C39 85ADBF59 057B00FC 91F62338 1D8AF99C
A0CB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14AC709D AEC140CD E9D7615E 8CA6E3EC 7B09AE09 3B301D06
03551D0E 04160414 AC709DAE C140CDE9 D7615E8C A6E3EC7B 09AE093B 300D0609
2A864886 F70D0101 04050003 818100BB 456539E2 3B59D7A3 E3714544 E54DE168
F2048532 00EB2181 E56E75A5 6FB5A78D C5AFBED5 73653A5B 48F874BA 4B6615F2
26E42267 2264E080 8DE5C8E1 35736A99 C3DD0496 0B2CB061 5FEC229F 40F53B54
5FFC2EA1 6E7D2E1A F25E2368 E5D39325 4097664F 37FDDA98 FE7810B8 97620F69
977B2B68 F489DA07 A284A846 14A092
quit
license udi pid CISCO1921/K9 sn FCZ151490DE
!
!
username pippo privilege 15 password 0 paperino
!
redundancy
!
!
!
!
!
no crypto isakmp enable
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key pippovpn address 82.xxx.xxx.194
crypto isakmp key pippovpn address 88.xxx.xxx.73
crypto isakmp key pippovpn address 94.xxx.xxx.105
crypto isakmp key pippovpn address 88.xxx.xxx.217
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.xxx.xxx.194
set peer 82.xxx.xxx.194
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to88.xxx.xxx.73
set peer 88.xxx.xxx.73
set transform-set ESP-3DES-SHA1
match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to94.xxx.xxx.105
set peer 94.xxx.xxx.105
set transform-set ESP-3DES-SHA2
match address 103
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel to88.xxx.xxx.217
set peer 88.xxx.xxx.217
set transform-set ESP-3DES-SHA3
match address 104
!
!
!
!
!
interface Loopback0
ip address 2.xxx.xxx.193 255.255.255.248
ip nat outside
ip virtual-reassembly in
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.51.47.4 255.255.255.192
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
ip address 2.xxx.xxx.38 255.255.255.252
ip nat outside
ip virtual-reassembly in
frame-relay interface-dlci 388
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 10.51.47.1 3389 interface Loopback0 3389
ip nat inside source static tcp 10.51.47.1 1723 interface Loopback0 1723
ip nat inside source static tcp 10.51.47.1 43 interface Loopback0 43
ip nat inside source route-map SDM_RMAP_1 interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
ip route 10.30.0.0 255.255.0.0 10.51.47.2
ip route 10.31.0.0 255.255.0.0 10.51.47.2
ip route 10.50.0.0 255.255.0.0 10.51.47.2
ip route 10.60.0.0 255.255.0.0 10.51.47.2
ip route 10.128.0.0 255.128.0.0 10.51.47.2
ip route 172.16.0.0 255.240.0.0 10.51.47.2
ip route 191.68.0.0 255.255.0.0 10.51.47.2
ip route 192.168.224.0 255.255.224.0 10.51.47.2
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.51.47.0 0.0.0.63
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.51.47.0 0.0.0.63 10.55.47.0 0.0.0.15
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.51.47.0 0.0.0.63 10.55.47.48 0.0.0.15
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.51.47.0 0.0.0.63 10.55.47.32 0.0.0.15
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.51.47.0 0.0.0.63 10.55.47.16 0.0.0.15
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.51.47.0 0.0.0.63 10.55.47.0 0.0.0.15
access-list 101 permit ip 10.51.47.0 0.0.0.63 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.51.47.0 0.0.0.63 10.55.47.16 0.0.0.15
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.51.47.0 0.0.0.63 10.55.47.32 0.0.0.15
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.51.47.0 0.0.0.63 10.55.47.48 0.0.0.15
access-list 104 permit ip 10.51.47.0 0.0.0.63 10.55.47.48 0.0.0.15
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password pippo
login local
transport input telnet
!
scheduler allocate 20000 1000
end


Remote Router

Building configuration...

Current configuration : 3961 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gigi
!
boot-start-marker
boot-end-marker
!
enable password paperino
!
no aaa new-model
!
!
ip cef
!
!
crypto pki trustpoint TP-self-signed-718887590
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-718887590
revocation-check none
rsakeypair TP-self-signed-718887590
!
!
crypto pki certificate chain TP-self-signed-718887590
certificate self-signed 01
3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37313838 38373539 30301E17 0D303230 34313730 38343634
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3731 38383837
35393030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B0112F27 01EC5543 8D59F31F 5C0246D3 DEE828F8 4FC595E5 8DEF6CD9 9B1B106F
FC56E25C D682F391 DF9B2172 498230F8 92E07C45 DF01FAE9 9354B1D3 C695067A
C7507741 9649549B 6AA7B38B E626F5DA BD2B4CEA 88356A98 51FFB4F6 99818334
46CB665F 066E9A5D 059DE1DF 71719A84 0238CFCF 57D66B2B 6B7BFEBD AA0F1FFD
02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D
11040D30 0B82096C 656E6469 6E617261 301F0603 551D2304 18301680 147EBDAD
7B520C3E 5C23EAA4 5583175B 73A2FABE 3F301D06 03551D0E 04160414 7EBDAD7B
520C3E5C 23EAA455 83175B73 A2FABE3F 300D0609 2A864886 F70D0101 04050003
81810062 3CDE0040 6BC089E7 5AA5F0F4 16C62F8F 5E919E5A F3F52742 FC1C6FD9
4337D1E3 50F2952B A394A9D5 E10E811D A55B9C57 F1C5654B 51D59F49 AFA40FAB
8A4AD493 D85F54C1 32A10097 B01F6230 CBAC4A99 2290B58B D8C5D2F2 64897386
94EEA648 886333B3 183CBE1D F370DD47 FED5D0C7 7EC2BBA2 2D8BAC4A A16FEE3F 3B4EF2

quit
!
!
username pippo privilege 15 password 0 paperino
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key it4youvpn address 2.xxx.xxx.193
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to2.xxx.xxx.193
set peer 2.xxx.xxx.193
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 88.xxx.xxx.73 255.255.255.248
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.55.47.17 255.255.255.240
ip mtu 1486
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.30.0.0 255.255.0.0 10.51.47.4
ip route 10.31.0.0 255.255.0.0 10.51.47.4
ip route 10.50.0.0 255.255.0.0 10.51.47.4
ip route 10.60.0.0 255.255.0.0 10.51.47.4
ip route 10.128.0.0 255.128.0.0 10.51.47.4
ip route 172.16.0.0 255.240.0.0 10.51.47.4
ip route 191.68.0.0 255.255.0.0 10.51.47.4
ip route 192.168.224.0 255.255.224.0 10.51.47.4
!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.55.47.16 0.0.0.15
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.55.47.16 0.0.0.15 10.51.47.0 0.0.0.63
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.55.47.16 0.0.0.15 10.51.47.0 0.0.0.63
access-list 101 permit ip 10.55.47.16 0.0.0.15 any
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
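For a crypto-map based IPsec tunnel like the one posted above, Cisco's guidance is that the two crypto ACLs must be exact mirror images of each other: whatever the central router permits from its LAN to the remote LAN, the remote must permit from its LAN to the central LAN, with the same prefixes. When they are not mirrored, phase 2 either fails or protects traffic in one direction only, which looks exactly like "the tunnel is up but packets get lost". The following check is an added example by the editor, not code from either poster: it parses the `crypto map` entries and their `access-list` lines from both configs and reports any flow that is not mirrored. The sample input is constructed from the crypto map entry and ACL that the central router uses toward the 857 above, with peer addresses kept masked as the thread shows them (they are only compared as strings), plus a deliberately mismatched variant.

```python
import ipaddress
import re

# Constructed sample input, reduced to the lines the check needs: the central
# router's crypto map entry toward the 857 and its ACL 102, and the 857's entry
# toward the central router with its ACL 100 (both as posted in the thread).
CENTRAL = """\
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to88.xxx.xxx.73
 set peer 88.xxx.xxx.73
 set transform-set ESP-3DES-SHA1
 match address 102
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.51.47.0 0.0.0.63 10.55.47.16 0.0.0.15
"""

REMOTE = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 2.xxx.xxx.193
 match address 100
access-list 100 permit ip 10.55.47.16 0.0.0.15 10.51.47.0 0.0.0.63
"""

# Constructed mismatch: the remote declares its LAN as a /24 instead of the /28.
REMOTE_WRONG = REMOTE.replace("10.55.47.16 0.0.0.15", "10.55.47.0 0.0.0.255")

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
PEER_RE = re.compile(r"^\s*set peer (\S+)$")
MATCH_RE = re.compile(r"^\s*match address (\S+)$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")


def _wild_to_net(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (0.0.0.63 -> /26)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # a wildcard must be a run of low-order one bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - (w + 1).bit_length() + 1
    return ipaddress.ip_network((addr, prefix), strict=False)


def _parse_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _wild_to_net(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_flows(config):
    """Map each crypto map peer address to the set of (src, dst) networks its ACL permits.

    Only 'permit' entries define protected traffic; 'deny' entries are skipped.
    One 'set peer' per map entry is assumed (the form the wizard generates).
    """
    acls = {}      # ACL number -> set of (src, dst)
    entries = []   # (peer, ACL number) for each crypto map sequence
    peer = acl_id = None
    for line in config.splitlines():
        if MAP_RE.match(line):
            if peer and acl_id:
                entries.append((peer, acl_id))
            peer = acl_id = None
            continue
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        m = MATCH_RE.match(line)
        if m:
            acl_id = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m and m.group(2) == "permit":
            src, rest = _parse_endpoint(m.group(3).split())
            dst, _ = _parse_endpoint(rest)
            acls.setdefault(m.group(1), set()).add((src, dst))
    if peer and acl_id:
        entries.append((peer, acl_id))
    return {p: acls.get(a, set()) for p, a in entries}


def mirror_mismatches(local_cfg, remote_peer, remote_cfg, local_peer):
    """Flows the local ACL toward remote_peer permits that the remote ACL toward
    local_peer does not mirror, and vice versa. Empty list means the ACLs mirror."""
    local = parse_crypto_flows(local_cfg).get(remote_peer, set())
    remote = parse_crypto_flows(remote_cfg).get(local_peer, set())
    remote_mirrored = {(dst, src) for src, dst in remote}
    return sorted(f"{s} -> {d}" for s, d in local ^ remote_mirrored)


if __name__ == "__main__":
    for label, cfg in (("as posted", REMOTE), ("constructed /24 mismatch", REMOTE_WRONG)):
        bad = mirror_mismatches(CENTRAL, "88.xxx.xxx.73", cfg, "2.xxx.xxx.193")
        print(f"{label}: {'ACLs mirror' if not bad else 'not mirrored: ' + ', '.join(bad)}")
```

Run the same check for each of the four remote sites against the central router's map entries 1 to 4; a mismatch on any of them is the first thing to rule out before looking at MTU.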
moorpheus
Cisco fan
Posts: 49
Joined: Wed 12 Sep 2007 7:44 am

Try fixing the MTUs

ATM 1500
vlan or ethernet 1452 - (Wiz also recommended 1350 to me)
dialer 1492
serial 1600 - I'm not sure about this parameter, but someone on this forum with Telecom has it at this value and it works

Back then I had the same problem as you, and fixing these values solved it.
I'll never stop thanking Wiz.