I have a problem with the VPN on a Cisco 837 and I can't get to the bottom of it. I've gone over the whole configuration but I just can't find the problem.
Can anyone tell me where the catch is?
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROU
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret X
enable password X
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 http
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name NAME.it
ip name-server 151.99.125.2
ip name-server 151.99.125.3
!
!
crypto pki trustpoint XX
!
!
crypto pki certificate chain TP-self-signed-XX
username X privilege 15 secret 5 X
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PRESHARED address IP_MIA_SEDE_A no-xauth
!
crypto isakmp client configuration group VPN_1
 key X1
 pool vpn-user
 acl vpnclient-lan
!
!
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto dynamic-map vpnclient 100
 set transform-set strong-des
!
!
crypto map gollum client authentication list userauthen
crypto map gollum isakmp authorization list groupauthor
crypto map gollum client configuration address respond
crypto map gollum 20 ipsec-isakmp
 set peer IP_MIA_SEDE_A
 set transform-set strong-des
 match address 101
crypto map gollum 100 ipsec-isakmp dynamic vpnclient
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 11.11.11.11 255.255.255.252
 ip access-group outside in
 ip access-group reflex out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map gollum
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 172.18.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
ip local pool vpn-user 192.168.101.1 192.168.101.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface ATM0.1 overload
!
ip access-list extended outside
 permit ip host IP_MIA_SEDE_A host IP_PTP
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
 permit udp any any eq ntp
 permit ip 172.16.0.0 0.0.255.255 172.18.1.0 0.0.0.255
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any time-exceeded
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any port-unreachable
 permit ip 192.168.101.0 0.0.0.255 172.18.1.0 0.0.0.255
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.18.0.0 0.13.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended reflex
 permit tcp host IP_PTP any reflect tcptraffic
 permit udp host IP_PTP any reflect udptraffic
 permit icmp host IP_PTP any reflect icmptraffic
 permit ip host IP_MIA_SEDE_B any
 permit ip 172.18.1.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
ip access-list extended vpnclient-lan
 permit ip 172.18.1.0 0.0.0.255 192.168.101.0 0.0.0.255
!
access-list 99 permit IP_MIA_SEDE_A
access-list 99 permit 172.16.0.0 0.0.255.255
access-list 99 permit 172.18.1.0 0.0.0.255
access-list 99 permit 192.168.101.0 0.0.0.255
access-list 100 permit ip host IP_PTP host IP_MIA_SEDE_A
access-list 100 deny ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 100 deny ip 172.18.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 100 permit ip 172.18.1.0 0.0.0.255 any
access-list 101 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
no cdp run
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 99 in
 exec-timeout 120 0
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server yy.yy.yy.yy
sntp server yy1.yy1.yy1.yy1
end
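Before debugging IKE/IPsec negotiation itself, a cheap first check on a config like the one posted is whether every object it names actually exists in the running configuration. The script below is an added example, not part of the post and not a Cisco tool: it scans `show running-config` style text for the kinds of cross-references this config uses (ACLs, address pools, route-maps, transform sets, dynamic maps, AAA method lists and crypto maps) and reports names that are referenced but never defined, and definitions nothing refers to. The embedded input is a constructed excerpt that keeps the object names and placeholders (IP_PTP, etc.) of the posted config and drops unrelated lines. Run against that excerpt it flags `route-map nonat` (named in the `ip nat inside source` statement) and access-list `23` (named in `ip http access-class`) as undefined, and `access-list 100` as defined but unused; this matches what is visible in the paste above, although the poster may simply have trimmed those stanzas.

```python
import re

# Constructed excerpt mirroring the object references of the posted Cisco 837
# config (same names and placeholders as the post; unrelated lines omitted).
# Indented the way `show running-config` prints sub-mode commands.
SAMPLE_CONFIG = """\
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp client configuration group VPN_1
 pool vpn-user
 acl vpnclient-lan
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map vpnclient 100
 set transform-set strong-des
crypto map gollum client authentication list userauthen
crypto map gollum isakmp authorization list groupauthor
crypto map gollum 20 ipsec-isakmp
 set transform-set strong-des
 match address 101
crypto map gollum 100 ipsec-isakmp dynamic vpnclient
interface ATM0.1 point-to-point
 ip access-group outside in
 ip access-group reflex out
 crypto map gollum
ip local pool vpn-user 192.168.101.1 192.168.101.10
ip http access-class 23
ip nat inside source route-map nonat interface ATM0.1 overload
ip access-list extended outside
 evaluate tcptraffic
 permit esp any any
ip access-list extended reflex
 permit tcp host IP_PTP any reflect tcptraffic
ip access-list extended vpnclient-lan
 permit ip 172.18.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 99 permit 172.18.1.0 0.0.0.255
access-list 100 permit ip 172.18.1.0 0.0.0.255 any
access-list 101 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255
line vty 0 4
 access-class 99 in
"""

# (kind, regex) pairs: group 1 is the object name being defined.
DEFINITION_PATTERNS = [
    ("acl", re.compile(r"^access-list (\S+) ")),
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
    ("acl", re.compile(r"\breflect (\S+)")),  # reflexive ACL created by 'reflect'
    ("pool", re.compile(r"^ip local pool (\S+)")),
    ("route-map", re.compile(r"^route-map (\S+)")),
    ("transform-set", re.compile(r"^crypto ipsec transform-set (\S+)")),
    ("dynamic-map", re.compile(r"^crypto dynamic-map (\S+)")),
    ("aaa-login-list", re.compile(r"^aaa authentication login (\S+)")),
    ("aaa-network-list", re.compile(r"^aaa authorization network (\S+)")),
    ("crypto-map", re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")),
]

# (kind, regex) pairs: group 1 is the object name being referenced.
REFERENCE_PATTERNS = [
    ("acl", re.compile(r"^\s*ip access-group (\S+)")),
    ("acl", re.compile(r"^\s*access-class (\S+)")),
    ("acl", re.compile(r"^ip http access-class (\S+)")),
    ("acl", re.compile(r"^\s*match address (\S+)")),
    ("acl", re.compile(r"^\s*acl (\S+)")),          # isakmp client group split-tunnel ACL
    ("acl", re.compile(r"^\s*evaluate (\S+)")),     # reflexive ACL evaluation
    ("pool", re.compile(r"^\s*pool (\S+)")),
    ("transform-set", re.compile(r"^\s*set transform-set (\S+)")),
    ("route-map", re.compile(r"^ip nat inside source route-map (\S+)")),
    ("dynamic-map", re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)")),
    ("aaa-login-list", re.compile(r"^crypto map \S+ client authentication list (\S+)")),
    ("aaa-network-list", re.compile(r"^crypto map \S+ isakmp authorization list (\S+)")),
    ("crypto-map", re.compile(r"^\s*crypto map (\S+)\s*$")),  # applied on an interface
]


def audit_references(config_text):
    """Return names referenced but never defined, and defined but never referenced."""
    defined, referenced = set(), set()
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        # A single line can both define and reference (e.g. a crypto map entry
        # that names a dynamic map), so every pattern is tried on every line.
        for kind, pat in DEFINITION_PATTERNS:
            m = pat.search(line)
            if m:
                defined.add((kind, m.group(1)))
        for kind, pat in REFERENCE_PATTERNS:
            m = pat.search(line)
            if m:
                referenced.add((kind, m.group(1)))
    return {
        "undefined": sorted(referenced - defined),
        "unreferenced": sorted(defined - referenced),
    }


if __name__ == "__main__":
    report = audit_references(SAMPLE_CONFIG)
    for kind, name in report["undefined"]:
        print(f"referenced but not defined: {kind} {name}")
    for kind, name in report["unreferenced"]:
        print(f"defined but never referenced: {kind} {name}")
```

Feed it the full `show running-config` output of the router rather than a paste to get a real answer; an undefined route-map on the NAT statement means the "no-NAT" exemption for VPN traffic is not in effect, which is worth confirming on the box with `show route-map` and `show access-lists` before digging into `debug crypto isakmp`.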