Remote PCs log in to the VPN server but cannot see the LAN
Posted: Sun 29 Apr 2012 11:03 am
Hello,
this is my scenario:
SERVER1 on lan (192.168.5.2/24)
|
CISCO-887 (192.168.5.4) with VPN server
|
INTERNET
|
VPN Cisco client on xp machine
My connection has a public IP assigned after the PPP authentication performed by the Cisco.
After the configuration done with CCP, the PCs on the LAN browse and the remote PCs authenticate to the VPN server (Easy VPN).
However, after authenticating they cannot ping (and therefore cannot access) SERVER1 or other resources on the LAN. On the remote PCs I used Cisco VPN Client (V5.0.007) with "Enable Transparent Tunneling" and "IPSec over UDP (NAT/PAT)".
I am attaching the configuration, hoping you can help me figure out where the error is (maybe ACL problems?).
Thanks in advance.
Current configuration : 5019 bytes
!
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
!
!
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
***** ******* ***** *******
***** ******* ***** *******
quit
!
!
!
ip name-server 212.216.112.222
ip cef
no ipv6 cef
!
!
password encryption aes
license udi pid CISCO887VA-K9 sn ********
!
!
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
!
!
controller VDSL 0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
!
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
end
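As an added check, not part of the original post: a small Python script that parses the relevant stanzas of the posted config and flags a VPN address pool carved out of an inside interface's own subnet while that interface has proxy ARP disabled (SDM_POOL_1 inside 192.168.5.0/24 on Vlan1 here), a common reason remote clients can authenticate but never get replies from LAN hosts. The config excerpt is constructed from the post; interface and pool names are the ones in the posted config.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config (assumption: the rest of it
# does not alter these sections).
CONFIG = """\
interface Vlan1
 ip address 192.168.5.4 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
"""

def parse_interfaces(text):
    """Interface name -> {network: IPv4Network|None, proxy_arp: bool}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"network": None, "proxy_arp": True})
        elif line == "!":
            cur = None  # "!" closes the stanza in IOS output
        elif cur is not None:
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:  # IOS writes a dotted mask; ipaddress accepts that form
                cur["network"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif line == "no ip proxy-arp":
                cur["proxy_arp"] = False
    return ifaces

def parse_pools(text):
    """Pool name -> (first, last) address of each 'ip local pool' line."""
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", text, re.M)}

def check_pool_overlap(text):
    """(pool, interface, proxy_arp) for each pool carved out of an interface's
    own subnet. With proxy ARP off, LAN hosts ARP on the wire for a client
    address that only exists behind the tunnel, and nobody answers."""
    ifaces = parse_interfaces(text)
    return [(pool, name, info["proxy_arp"])
            for pool, (lo, hi) in parse_pools(text).items()
            for name, info in ifaces.items()
            if info["network"] and (lo in info["network"] or hi in info["network"])]

if __name__ == "__main__":
    for pool, iface, proxy in check_pool_overlap(CONFIG):
        print(f"{pool} overlaps {iface}; proxy-arp is {'on' if proxy else 'OFF'}")
```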