HELP VPN CONFIG

Virtual private networks and related topics

Moderator: Federico.Lagni

linomatz

Hello, once again a small request for help if you feel like it ... :)


My Telecom point-to-point address is 85.xx.7.250, the Telecom LAN is 85.xx.63.233,
my internal LAN is 192.168.1.x, my Windows LAN and DHCP server is 192.168.1.2.

Right now everything works fine and I want to try a connection from home
with Mac OS X and the Cisco VPN Client.

With this VPN config the company network locks up and I can't get out any more ...
can you tell me where the catch might be?

Code:

aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa authorization network sdm_vpn_group_ml_2 local 
aaa session-id common
ip subnet-zero
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip domain name 191.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group linomatz_vpn
 key linomatz
 dns 192.168.1.2
 wins 192.168.1.2
 domain linomatz
 pool SDM_POOL_1
 max-users 2
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA 
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode ansi-dmt
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 bandwidth 2048
 ip address 85.xx.7.250 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 pvc 8/35 
  oam-pvc manage
  oam retry 5 5 1
  encapsulation aal5snap
!
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 85.xx.63.233 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
ip local pool SDM_POOL_1 192.168.1.4 192.168.1.5
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool net-ibs 85.xx.63.234 85.xx.63.234 netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 2 remark SDM_ACL Category=16
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 85.xx.63.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 0.0.0.0
access-list 100 permit ip 85.xx.63.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
Wizard

I'd say the ACL for the split tunnel and for the de-NAT is missing...

The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those gifted with a THIRD EYE....
linomatz

where can I find an example of one? :?
Wizard

contact me on Skype or Messenger
linomatz

The VPN is starting to work with the Cisco Client.

The only thing that still doesn't work is browsing the Windows NetBIOS resources.

... any tips?

thanks.

Building configuration...

Current configuration : 14181 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname linomatz
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging rate-limit
logging console critical
enable secret 5 $1$bMvJ$onZ26GCZjT1o7xbcZtIY7/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW appleqtc
ip inspect name SDM_LOW h323callsigalt
ip inspect name SDM_LOW h323gatestat
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW 802-11-iapp
ip inspect name SDM_LOW microsoft-ds
ip inspect name SDM_LOW ms-cluster-net
ip inspect name SDM_LOW ms-dotnetster
ip inspect name SDM_LOW ms-sna
ip inspect name SDM_LOW ms-sql
ip inspect name SDM_LOW ms-sql-m
ip inspect name SDM_LOW msexch-routing
ip inspect name SDM_LOW netbios-dgm
ip inspect name SDM_LOW netbios-ssn
ip inspect name SDM_LOW r-winsock
ip inspect name SDM_LOW clp
ip inspect name SDM_LOW cisco-net-mgmt
ip inspect name SDM_LOW cisco-sys
ip inspect name SDM_LOW cisco-tna
ip inspect name SDM_LOW cisco-fna
ip inspect name SDM_LOW cisco-tdp
ip inspect name SDM_LOW cisco-svcs
ip inspect name SDM_LOW stun
ip inspect name SDM_LOW tr-rsrb
ip inspect name SDM_LOW dbcontrol_agent
ip inspect name SDM_LOW giop
ip inspect name SDM_LOW net8-cman
ip inspect name SDM_LOW orasrv
ip inspect name SDM_LOW oem-agent
ip inspect name SDM_LOW oracle
ip inspect name SDM_LOW oraclenames
ip inspect name SDM_LOW oracle-em-vp
ip inspect name SDM_LOW rdb-dbs-disp
ip inspect name SDM_LOW rtc-pm-port
ip inspect name SDM_LOW ttc
ip inspect name SDM_LOW citrix
ip inspect name SDM_LOW citriximaclient
ip inspect name SDM_LOW ica
ip inspect name SDM_LOW icabrowser
ip inspect name SDM_LOW cddbp
ip inspect name SDM_LOW dbase
ip inspect name SDM_LOW mysql
ip inspect name SDM_LOW sqlsrv
ip inspect name SDM_LOW sqlserv
ip inspect name SDM_LOW ftps
ip inspect name SDM_LOW kermit
ip inspect name SDM_LOW uucp
ip inspect name SDM_LOW nfs
ip inspect name SDM_LOW exec
ip inspect name SDM_LOW telnet
ip inspect name SDM_LOW telnets
ip inspect name SDM_LOW rtelnet
ip inspect name SDM_LOW login
ip inspect name SDM_LOW ssh
ip inspect name SDM_LOW shell
ip inspect name SDM_LOW sshell
ip inspect name SDM_LOW pcanywheredata
ip inspect name SDM_LOW pcanywherestat
ip inspect name SDM_LOW x11
ip inspect name SDM_LOW xdmcp
ip inspect name SDM_LOW entrust-svcs
ip inspect name SDM_LOW n2h2server
ip inspect name SDM_LOW realsecure
ip inspect name SDM_LOW creativeserver
ip inspect name SDM_LOW creativepartnr
ip inspect name SDM_LOW cifs
ip inspect name SDM_LOW fcip-port
ip inspect name SDM_LOW hp-alarm-mgr
ip inspect name SDM_LOW hp-collector
ip inspect name SDM_LOW hp-managed-node
ip inspect name SDM_LOW irc
ip inspect name SDM_LOW irc-serv
ip inspect name SDM_LOW ircs
ip inspect name SDM_LOW ircu
ip inspect name SDM_LOW ipass
ip inspect name SDM_LOW netstat
ip inspect name SDM_LOW nntp
ip inspect name SDM_LOW tarantella
ip inspect name SDM_LOW iscsi-target
ip inspect name SDM_LOW iscsi
ip inspect name SDM_LOW sms
ip inspect name SDM_LOW webster
ip inspect name SDM_LOW who
ip inspect name SDM_LOW pptp
ip inspect name SDM_LOW l2tp
ip inspect name SDM_LOW gtpv0
ip inspect name SDM_LOW gtpv1
ip inspect name SDM_LOW ddns-v3
ip inspect name SDM_LOW dnsix
ip inspect name SDM_LOW ldap-admin
ip inspect name SDM_LOW ldap
ip inspect name SDM_LOW ldaps
ip inspect name SDM_LOW netbios-ns
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW daytime
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW time
ip inspect name SDM_LOW timed
ip inspect name SDM_LOW hsrp
ip inspect name SDM_LOW router
ip inspect name SDM_LOW fragment maximum 256 timeout 1
ip inspect name SDM_LOW snmp
ip inspect name SDM_LOW snmptrap
ip inspect name SDM_LOW syslog
ip inspect name SDM_LOW syslog-conn
ip inspect name SDM_LOW tacacs
ip inspect name SDM_LOW kerberos
ip inspect name SDM_LOW radius
ip inspect name SDM_LOW tacacs-ds
ip inspect name SDM_LOW ident
ip inspect name SDM_LOW ace-svr
ip inspect name SDM_LOW bootpc
ip inspect name SDM_LOW bootps
ip inspect name SDM_LOW dhcp-failover
ip inspect name SDM_LOW discard
ip inspect name SDM_LOW echo
ip inspect name SDM_LOW finger
ip inspect name SDM_LOW gopher
ip inspect name SDM_LOW igmpv3lite
ip inspect name SDM_LOW ipx
ip inspect name SDM_LOW pwdgen
ip inspect name SDM_LOW rsvp-encap
ip inspect name SDM_LOW rsvp_tunnel
ip inspect name SDM_LOW socks
ip inspect name SDM_LOW vqp
ip inspect name SDM_LOW gdoi
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name SDM_LOW ssp
ip tcp synwait-time 10
no ip bootp server
ip domain name 191.it
ip name-server 151.99.125.2
ip name-server 151.99.0.100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username xxxxx privilege 15 secret 5 $1$geaO$/VcuCBZtlPrVksFsyA2b1/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group mazzoccospa_vpn
key xxxxx
dns 151.99.125.2 151.99.0.100
wins 192.168.1.3
pool SDM_POOL_1
acl 102
save-password
include-local-lan
max-users 9
max-logins 9
banner ^CBenvenuto sul "VPN Server" della xxxxx ^C
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
bandwidth 2048
ip address 85.43.7.xxx 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
oam-pvc manage
oam retry 5 5 1
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0 secondary
ip address 85.43.63.xxx 255.255.255.248
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
crypto map SDM_CMAP_1
hold-queue 100 out
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.9
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool net-ibs 85.43.63.xxx 85.43.63.xxx netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.3 21 85.43.63.xxx 21 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.1.3 80 85.43.63.xxx 80 route-map SDM_RMAP_3 extendable
!
logging trap debugging
access-list 2 remark SDM_ACL Category=16
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 85.43.63.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 100 permit udp any host 85.43.63.xxx eq non500-isakmp
access-list 100 permit udp any host 85.43.63.xxx eq isakmp
access-list 100 permit esp any host 85.43.63.xxx
access-list 100 permit ahp any host 85.43.63.xxx
access-list 100 deny ip 85.43.7.xxx 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 85.43.63.xxx eq www
access-list 101 permit tcp any host 85.43.63.xxx eq ftp
access-list 101 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 101 permit udp any host 85.43.7.xxx eq non500-isakmp
access-list 101 permit udp any host 85.43.7.xxx eq isakmp
access-list 101 permit esp any host 85.43.7.xxx
access-list 101 permit ahp any host 85.43.7.xxx
access-list 101 permit udp host 151.99.0.100 eq domain host 85.43.7.xxx
access-list 101 permit udp host 151.99.125.2 eq domain host 85.43.7.xxx
access-list 101 deny ip 85.43.63.xxx 0.0.0.7 any
access-list 101 permit icmp any host 85.43.7.xxx echo-reply
access-list 101 permit icmp any host 85.43.7.xxx time-exceeded
access-list 101 permit icmp any host 85.43.7.xxx unreachable
access-list 101 permit tcp any host 85.43.7.xxx eq 443
access-list 101 permit tcp any host 85.43.7.xxx eq 22
access-list 101 permit tcp any host 85.43.7.xxx eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip host 192.168.1.3 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.2
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.3
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.4
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.5
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.6
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.7
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 permit ip 85.43.63.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip host 192.168.1.3 host 192.168.2.9
access-list 104 deny ip host 192.168.1.3 host 192.168.2.8
access-list 104 deny ip host 192.168.1.3 host 192.168.2.7
access-list 104 deny ip host 192.168.1.3 host 192.168.2.6
access-list 104 deny ip host 192.168.1.3 host 192.168.2.5
access-list 104 deny ip host 192.168.1.3 host 192.168.2.4
access-list 104 deny ip host 192.168.1.3 host 192.168.2.3
access-list 104 deny ip host 192.168.1.3 host 192.168.2.2
access-list 104 deny ip host 192.168.1.3 host 192.168.2.1
access-list 104 permit ip host 192.168.1.3 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip host 192.168.1.3 host 192.168.2.9
access-list 105 deny ip host 192.168.1.3 host 192.168.2.8
access-list 105 deny ip host 192.168.1.3 host 192.168.2.7
access-list 105 deny ip host 192.168.1.3 host 192.168.2.6
access-list 105 deny ip host 192.168.1.3 host 192.168.2.5
access-list 105 deny ip host 192.168.1.3 host 192.168.2.4
access-list 105 deny ip host 192.168.1.3 host 192.168.2.3
access-list 105 deny ip host 192.168.1.3 host 192.168.2.2
access-list 105 deny ip host 192.168.1.3 host 192.168.2.1
access-list 105 permit ip host 192.168.1.3 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!
route-map SDM_RMAP_3 permit 1
match ip address 105
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Wizard

NetBIOS works via broadcast and the router blocks them...
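Wizard's two replies name the gaps in the posted config: no split-tunnel ACL, no NAT exemption ("de-NAT") for the client pool, and NetBIOS browsing that relies on broadcasts the router does not forward. The script below is an added example, not code from the thread: it parses the client group, the NAT route-map and its ACL from an IOS config and reports a finding where LAN-to-pool traffic would be translated before encryption (IOS applies inside-to-outside NAT before the crypto map, so a translated packet no longer matches the client's SA), where the group lacks `acl` or `wins`, and, going one step beyond what Wizard listed, where the client pool lies inside an inside subnet, which is the other thing the second posted config changed (pool moved from 192.168.1.4-5 to 192.168.2.x). The `BEFORE` text is a constructed excerpt modelled on the first posted config with the public addresses left out; `AFTER` derives from it by applying the three fixes. The names `parse_config`, `audit` and `_addr` and the finding wording are mine; the group, pool and route-map names come from the thread.

```python
import ipaddress
import re
from types import SimpleNamespace

BLOCK_START = ("interface ", "crypto isakmp client configuration group ", "route-map ")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _addr(toks):
    """Consume one IOS address spec ('any' | 'host A' | 'A WILDCARD') as an IPv4Network."""
    tok = toks.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks.pop(0)))))
    return ipaddress.ip_network((tok, mask), strict=False)


def _close_block(cfg, kind, name, lines):
    """Keep what the audit needs from a finished interface / client-group / route-map block."""
    body = "\n".join(lines)
    if kind == "interface" and "ip nat inside" in lines:
        cfg.inside_nets += [ipaddress.ip_network(am, strict=False) for am in re.findall(r"ip address (\S+) (\S+)", body)]
    elif kind == "crypto isakmp client configuration group":
        cfg.groups[name] = dict(l.split(None, 1) for l in lines if " " in l)  # e.g. {'acl': '102', 'wins': ...}
    elif kind == "route-map" and (m := re.search(r"match ip address (\S+)", body)):
        cfg.route_maps[name] = m[1]


def parse_config(text):
    """Minimal parser; a block ends at '!' or at the next block, so indentation-less pastes also work."""
    cfg = SimpleNamespace(groups={}, pools={}, acls={}, route_maps={}, inside_nets=[], nat_sel="")
    block = None  # (kind, name, child lines) of the block being read
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("!") or line.startswith(BLOCK_START):
            if block:
                _close_block(cfg, *block)
            block = next(((p.strip(), line[len(p):].split()[0], []) for p in BLOCK_START if line.startswith(p)), None)
        elif block:
            block[2].append(line)
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            cfg.pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip nat inside source (?:route-map|list) (\S+) ", line):
            cfg.nat_sel = m[1]  # route-map name or ACL number selecting the traffic to translate
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.+)", line):
            toks = m[3].split()
            cfg.acls.setdefault(m[1], []).append((m[2], _addr(toks), _addr(toks)))  # (action, src, dst)
    if block:
        _close_block(cfg, *block)
    return cfg


def audit(text):
    """Return the findings for one config; an empty list means all four checks pass."""
    cfg = parse_config(text)
    acl = cfg.route_maps.get(cfg.nat_sel, cfg.nat_sel)
    nat_entries = cfg.acls.get(acl, [])
    findings = []
    for name, g in cfg.groups.items():
        if "acl" not in g:
            findings.append(f"group {name}: no split-tunnel ACL, every client packet enters the tunnel")
        if "wins" not in g:
            findings.append(f"group {name}: no WINS server, NetBIOS names cannot be resolved by broadcast across the tunnel")
        first, last = cfg.pools[g["pool"]]
        clients = [ipaddress.ip_address(a) for a in range(int(first), int(last) + 1)]
        for lan in (n for n in cfg.inside_nets if any(n.subnet_of(r) for r in RFC1918)):
            if first in lan or last in lan:
                findings.append(f"pool {g['pool']} lies inside LAN {lan}: LAN hosts ARP for client addresses instead of routing them to the tunnel")
            src = lan[2]  # a sample LAN host; the NAT ACL is first-match, so entry order matters
            leaked = [str(c) for c in clients if next((a for a, s, d in nat_entries if src in s and c in d), None) == "permit"]
            if leaked:
                findings.append(f"NAT ACL {acl} translates {src} -> {leaked[0]}..{leaked[-1]} before encryption: deny LAN->pool ahead of the permit (de-NAT)")
    return findings


# Constructed excerpt modelled on the first posted config (public addresses left out)
BEFORE = """
crypto isakmp client configuration group linomatz_vpn
 wins 192.168.1.2
 pool SDM_POOL_1
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip local pool SDM_POOL_1 192.168.1.4 192.168.1.5
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""
# The fixes from the second post: split-tunnel ACL, pool moved out of the LAN, de-NAT entry first
AFTER = (BEFORE.replace("pool SDM_POOL_1\n", "pool SDM_POOL_1\n acl 102\n")
         .replace("192.168.1.4 192.168.1.5", "192.168.2.1 192.168.2.9")
         .replace("access-list 100 permit", "access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.15\naccess-list 100 permit"))
```

`audit(BEFORE)` returns three findings (missing split-tunnel ACL, pool inside the LAN, LAN-to-pool traffic translated by ACL 100); `audit(AFTER)` returns an empty list. The de-NAT check evaluates the NAT ACL first-match with a sample LAN host, so a `permit` placed above the `deny` is reported just as a missing `deny` is. To run it on the configs pasted in this thread, the masked octets (`xx`, `xxx`) have to be restored first, since `ipaddress` rejects them.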
linomatz

Wizard wrote: NetBIOS works via broadcast and the router blocks them...

OK, created a NAT rule and it works ...

It seems to work with the Mac OS X client too, even though the NetBIOS resources
don't show up for me ... I'll run some more tests ...