837 - VPN and internet browsing

Virtual private networks and related topics

Moderator: Federico.Lagni

Lanla
n00b
Posts: 2
Joined: Sun 09 Oct 2011, 10:33 pm

Good evening,
I have a problem with the VPN on a Cisco 837 and I can't get to the bottom of it. I have gone over the whole configuration again and again but I just can't find the problem :(
Can anyone tell me where the catch is?

Code:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROU
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret X
enable password X
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 http
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name NAME.it
ip name-server 151.99.125.2
ip name-server 151.99.125.3
!
!
crypto pki trustpoint XX
!
!
crypto pki certificate chain TP-self-signed-XX
username X privilege 15 secret 5 X
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PRESHARED address IP_MIA_SEDE_A no-xauth
!
crypto isakmp client configuration group VPN_1
 key X1
 pool vpn-user
 acl vpnclient-lan
!
!
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto dynamic-map vpnclient 100
 set transform-set strong-des
!
!
crypto map gollum client authentication list userauthen
crypto map gollum isakmp authorization list groupauthor
crypto map gollum client configuration address respond
crypto map gollum 20 ipsec-isakmp
 set peer IP_MIA_SEDE_A
 set transform-set strong-des
 match address 101
crypto map gollum 100 ipsec-isakmp dynamic vpnclient
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 11.11.11.11 255.255.255.252
 ip access-group outside in
 ip access-group reflex out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map gollum
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.18.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
ip local pool vpn-user 192.168.101.1 192.168.101.10
ip forward protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface ATM0.1 overload
!
ip access-list extended outside
 permit ip host IP_MIA_SEDE_A host IP_PTP
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
 permit udp any any eq ntp
 permit ip 172.16.0.0 0.0.255.255 172.18.1.0 0.0.0.255
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any time-exceeded
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any port-unreachable
 permit ip 192.168.101.0 0.0.0.255 172.18.1.0 0.0.0.255
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.18.0.0 0.13.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended reflex
 permit tcp host IP_PTP any reflect tcptraffic
 permit udp host IP_PTP any reflect udptraffic
 permit icmp host IP_PTP any reflect icmptraffic
 permit ip host IP_MIA_SEDE_B any
 permit ip 172.18.1.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
ip access-list extended vpnclient-lan
 permit ip 172.18.1.0 0.0.0.255 192.168.101.0 0.0.0.255
!
access-list 99 permit IP_MIA_SEDE_A
access-list 99 permit 172.16.0.0 0.0.255.255
access-list 99 permit 172.18.1.0 0.0.0.255
access-list 99 permit 192.168.101.0 0.0.0.255
access-list 100 permit ip host IP_PTP host IP_MIA_SEDE_A
access-list 100 deny   ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny   ip 172.18.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 permit ip 172.18.1.0 0.0.0.255 any
access-list 101 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
no cdp run
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 99 in
 exec-timeout 120 0
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server yy.yy.yy.yy
sntp server yy1.yy1.yy1.yy1
end


Thanks
Rizio
Messianic Network master
Posts: 1158
Joined: Fri 12 Oct 2007, 2:48 pm

If you don't say what problem you have, I'm afraid nobody will be able to help you.

Rizio
Si vis pacem para bellum
Lanla
n00b
Posts: 2
Joined: Sun 09 Oct 2011, 10:33 pm

Yes, true, but I'm fairly frustrated :(
The thing is, I can't get site A (ISA 2006) and site B (Cisco 837) connected over the VPN, despite the countless posts, FAQs and other material I have read. On top of that, site B can browse everywhere except the company sites.

The configuration looks correct to me, but evidently it isn't.
On the ISA side I'm sure it's fine, but I can't manage to solve the problem.
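The thread never names the fault, so as an added example (not code from the thread, from Cisco, or from the poster) here is a small Python linter that reads a pasted IOS configuration and reports the wiring mistakes that most often leave a LAN-to-LAN tunnel dead while ordinary internet browsing keeps working: a NAT route-map that is referenced but not defined, ACLs that are referenced but never defined or defined but never applied, a crypto ACL whose "deny" twin (the NAT exemption) lives in an ACL that nothing uses, a transport-mode transform set on a static LAN-to-LAN map entry, and, as review hygiene, legacy IKE parameters and telnet on the vty lines. SAMPLE_CONFIG is a constructed excerpt of the configuration posted above with its placeholders (IP_MIA_SEDE_A, IP_PTP) kept as posted; the finding codes are my own invention, and the ISA 2006 side is outside what the script can see.

```python
"""Lint a pasted Cisco IOS config for the IPsec/NAT wiring mistakes that silently
break a LAN-to-LAN tunnel. Added example; not code from the original thread."""
import re

# Constructed excerpt of the config posted above; placeholders kept as posted.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
 mode transport
crypto map gollum 20 ipsec-isakmp
 set peer IP_MIA_SEDE_A
 set transform-set strong-des
 match address 101
crypto map gollum 100 ipsec-isakmp dynamic vpnclient
interface ATM0.1 point-to-point
 ip access-group outside in
 ip access-group reflex out
 ip nat outside
 crypto map gollum
ip http access-class 23
ip nat inside source route-map nonat interface ATM0.1 overload
ip access-list extended outside
 permit esp any any
ip access-list extended reflex
 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 99 permit 172.18.1.0 0.0.0.255
access-list 100 deny   ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 permit ip 172.18.1.0 0.0.0.255 any
access-list 101 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
line vty 0 4
 access-class 99 in
 transport input telnet ssh
"""

# Every place an IOS config can name an ACL; used to find undefined/unapplied ones.
ACL_REFS = (r"ip access-group (\S+)", r"match address (\S+)", r"match ip address (\S+)",
            r"access-class (\S+)", r"^acl (\S+)")
WEAK_IKE = ("encr des", "encr 3des", "hash md5", "group 1", "group 2")

def parse_blocks(text):
    """Split an IOS config into (header, body) pairs; body = the indented sub-lines."""
    blocks = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse IOS column padding ("deny   ip")
        if not line or line.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks

def lint(text):
    """Return human-readable findings, each prefixed with a stable 'CODE:'."""
    acls, used, route_maps, nat_maps, transport_sets, static_maps, out = {}, set(), set(), set(), set(), [], []
    for header, body in parse_blocks(text):
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)$", header):
            acls[m[1]] = body
        elif m := re.match(r"access-list (\d+) (.*)", header):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"route-map (\S+)", header):
            route_maps.add(m[1])
        elif m := re.match(r"ip nat inside source route-map (\S+)", header):
            nat_maps.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", header):
            if "mode transport" in body:
                transport_sets.add(m[1])
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-isakmp$", header):
            static_maps.append((m[1], body))  # static LAN-to-LAN entry, not the dynamic one
        elif header.startswith("crypto isakmp policy"):
            if weak := [w for w in body if w in WEAK_IKE]:
                out.append(f"WEAK-IKE: {header} uses legacy parameters: {', '.join(weak)}")
        elif header.startswith("line vty"):
            if any(l.startswith("transport input") and "telnet" in l for l in body):
                out.append(f"PLAINTEXT-MGMT: {header} accepts telnet")
        for line in [header, *body]:  # collect every ACL reference, wherever it appears
            used.update(m[1] for p in ACL_REFS if (m := re.search(p, line)))
    out += [f"NAT-ROUTEMAP-MISSING: NAT uses route-map {r}, which is not defined" for r in sorted(nat_maps - route_maps)]
    out += [f"ACL-UNDEFINED: ACL {a} is referenced but never defined" for a in sorted(used - set(acls))]
    out += [f"ACL-UNUSED: ACL {a} is defined but nothing applies it" for a in sorted(set(acls) - used)]
    for name, body in static_maps:
        ts = next((l.split()[-1] for l in body if l.startswith("set transform-set")), None)
        acl = next((l.split()[-1] for l in body if l.startswith("match address")), None)
        if ts in transport_sets:
            out.append(f"TRANSPORT-MODE: crypto map {name} protects ACL {acl} with transform set {ts} "
                       "in transport mode; confirm the negotiated mode with 'show crypto ipsec sa'")
        for entry in acls.get(acl, []):  # each crypto flow needs a 'deny' twin in the NAT ACL
            if not (m := re.match(r"permit ip (\S+ \S+ \S+ \S+)$", entry)):
                continue
            mirrors = [a for a, rules in acls.items() if f"deny ip {m[1]}" in rules]
            if not mirrors:
                out.append(f"NAT-EXEMPT-MISSING: no ACL has 'deny ip {m[1]}' to keep the crypto flow out of NAT")
            out += [f"NAT-EXEMPT-UNAPPLIED: ACL {a} carries the NAT exemption for '{m[1]}' but is applied nowhere"
                    for a in mirrors if a not in used]
    return out
```

Run against the posted excerpt, `lint(SAMPLE_CONFIG)` reports that `route-map nonat` is used by NAT but absent, that ACL 23 (named by `ip http access-class 23`) is never defined, that ACL 100, the only ACL holding the `deny ip 172.18.1.0 ... 172.16.0.0 ...` twin of crypto ACL 101, is applied nowhere, plus the transport-mode, 3DES/MD5/group 2 and telnet notes. Two caveats: a finding on a pasted config can also mean the paste was trimmed (browsing works at site B, so a `route-map nonat` almost certainly exists on the router), and on IOS the `mode` setting of a transform set only governs traffic whose addresses are the peers themselves, so the TRANSPORT-MODE line is a thing to verify with `show crypto ipsec sa` and `debug crypto isakmp`, not a proven fault. Nothing here inspects the ISA 2006 side, where phase 1 and phase 2 proposals have to match exactly.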