VPN between two 837s that does not work

Virtual private networks and related

spcadmin

sorry,

I have been going crazy for 2 days.
I have two mirrored Cisco 837s, I set up a site-to-site VPN between them and it is up.
But I have the following problems:

side a) I see the router with the internal IP 192.168.0.x but I do not see the PC 192.168.0.y

side b) I see the router, the PC and the shared folder, I access it normally and download without problems

Thanks in advance for your help :o


The configuration of side A is the following (side B is similar)

------------------------------


Building configuration...

Current configuration : 3913 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
logging monitor notifications
enable password
!
username xxxxx privilege 15 password
no aaa new-model
ip subnet-zero
!
!
ip name-server 62.94.0.1
ip name-server 62.94.0.2
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 62.94.x.y
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 62.94.x.y
set peer 62.94.x.y
set transform-set ESP-3DES-SHA
match address 100
!
partition flash 2 10 2
!
!
!
!
interface Ethernet0
ip address 192.168.1.200 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description connessione ad internet ( PPPoA EUTELIA )
ip address a.b.c.d 255.255.255.0
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxxxxxxx
ppp chap password
ppp pap sent-username xxxxxxxxxx password
crypto map SDM_CMAP_1
!
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat translation max-entries 5000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
!
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 remark SDM_ACL Category=17
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community visiospc RO
snmp-server trap-source Ethernet0
snmp-server enable traps tty
snmp-server host 192.168.1.2 visiospc
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
!
control-plane
!
!
line con 0
privilege level 15
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 3
exec-timeout 120 0
password
login local
length 0
transport preferred all
transport input all
transport output all
line vty 4
access-class 23 out
exec-timeout 120 0
password
login local
length 0
transport preferred all
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
!
end
Wizard

So, the VPN works on one side but not on the other, right?!
If from one side you only reach the remote router, have you checked the gateway of the PCs?
spcadmin

Wizard wrote: So, the VPN works on one side but not on the other, right?!
If from one side you only reach the remote router, have you checked the gateway of the PCs?

thanks, but in the end I solved it by removing SNMP, which was not needed anyway
[email protected]

spcadmin wrote:
Wizard wrote: So, the VPN works on one side but not on the other, right?!
If from one side you only reach the remote router, have you checked the gateway of the PCs?

thanks, but in the end I solved it by removing SNMP, which was not needed anyway
Hi, I am bringing up my problem again..
The VPN comes up, but I cannot ping the clients on the other side.. here is the config:


!
!
aaa authentication login LISTA-UTENTI-VPN local
aaa authorization network GRUPPO-UTENTI-VPN local
!
!
aaa session-id common
clock timezone SOLARE 1
clock summer-time LEGALE recurring last Sat Mar 2:00 last Sat Oct 3:00
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.x.1 192.168.x.9
!
ip dhcp pool casa
import all
network 192.168.x.0 255.255.255.0
update dns
default-router 192.168.x.1
dns-server 85.37.17.47
!
!
!
ip dhcp update dns both
ip cef
ip name-server 85.37.17.47
ip name-server 151.99.125.3
ip inspect name LOW cuseeme
ip inspect name LOW dns
ip inspect name LOW ftp
ip inspect name LOW h323
ip inspect name LOW https
ip inspect name LOW icmp
ip inspect name LOW imap
ip inspect name LOW pop3
ip inspect name LOW netshow
ip inspect name LOW rcmd
ip inspect name LOW realaudio
ip inspect name LOW rtsp
ip inspect name LOW esmtp
ip inspect name LOW sqlnet
ip inspect name LOW streamworks
ip inspect name LOW tftp
ip inspect name LOW tcp
ip inspect name LOW udp
ip inspect name LOW vdolive
ip inspect name LOW sip
ip inspect name LOW fragment maximum 256 timeout 1
ip ssh time-out 15
ip ssh version 2
!
!
multilink bundle-name authenticated
!
!
username xx privilege 15 password 7 xx
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 xxx address x.x.x.x no-xauth
crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
!
crypto isakmp client configuration group GRUPPO-UTENTI-VPN
key xxx
pool VPN-CLIENT-POOL
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
!
crypto ipsec profile VPN
!
!
crypto dynamic-map VPNDYNAMIC 1
set transform-set ESP-3DES-MD5
!
!
crypto map VPN client authentication list LISTA-UTENTI-VPN
crypto map VPN isakmp authorization list GRUPPO-UTENTI-VPN
crypto map VPN client configuration address respond
crypto map VPN 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 180
crypto map VPN 2 ipsec-isakmp dynamic VPNDYNAMIC
!
!
!
!
interface Ethernet0
ip address 192.168.x.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
ip address 192.168.100.1 255.255.255.0
ip access-group DMZ in
ip nat inside
ip virtual-reassembly
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
!
interface Dialer0

ip address negotiated
ip access-group 101 in
ip nat outside
ip inspect LOW out
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx password 7 xx
crypto map VPN
!
ip local pool VPN-CLIENT-POOL 172.18.10.10 172.18.10.50
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source static udp 192.168.x.12 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.x.11 6881 interface Dialer0 6881
ip nat inside source static udp 192.168.x.11 4673 interface Dialer0 4673
ip nat inside source static tcp 192.168.x.11 6881 interface Dialer0 6881
ip nat inside source static tcp 192.168.x.11 4662 interface Dialer0 4662
ip nat inside source static tcp 192.168.x.10 6882 interface Dialer0 6882
ip nat inside source static udp 192.168.x.10 23580 interface Dialer0 23580
ip nat inside source static tcp 192.168.x.10 7954 interface Dialer0 7954
ip nat inside source static tcp 192.168.x.10 33916 interface Dialer0 33916
ip nat inside source static udp 192.168.x.10 6882 interface Dialer0 6882
ip nat inside source list 141 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
!
ip access-list extended DMZ
remark NEGA DMZ ---> INSIDE
deny ip 192.168.100.0 0.0.0.255 192.168.x.0 0.0.0.255 log
permit ip any any log

ip access-list extended NONAT
access-list 1 remark PERMESSI PER IL TELNET
access-list 1 permit 192.168.x.0 0.0.0.255
access-list 1 permit 172.18.10.0 0.0.0.255 log
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 62.152.126.5 eq ntp any eq ntp
access-list 101 permit udp host 198.41.0.4 eq domain any
access-list 101 permit udp host 85.37.17.47 eq domain any
access-list 101 permit udp host 151.99.125.3 eq domain any
access-list 101 permit tcp host 63.208.196.95 eq www any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 7954
access-list 101 permit udp any any eq 23580
access-list 101 permit udp any any eq 4673
access-list 101 permit tcp any any eq 6881
access-list 101 permit udp any any eq 6881
access-list 101 permit udp any any eq 6882
access-list 101 permit tcp any any eq 4662
access-list 101 permit tcp any any eq 6882
access-list 101 permit tcp any any eq 7960
access-list 101 permit udp any any eq 7963
access-list 101 permit udp any any eq 23551
access-list 101 permit udp any any eq 5060
access-list 101 permit udp any any eq isakmp log
access-list 101 permit udp any any eq non500-isakmp
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 141 remark *** ACL PER NAT DMZ ***
access-list 141 remark SDM_ACL Category=16
access-list 141 permit ip 192.168.100.0 0.0.0.255 any
access-list 160 deny ip 192.168.x.0 0.0.0.255 192.168.y.0 0.0.0.255 log
access-list 160 deny ip 192.168.x.0 0.0.0.255 172.18.10.0 0.0.0.255 log
access-list 160 permit ip 192.168.x.0 0.0.0.255 any
access-list 180 permit ip 192.168.x.0 0.0.0.255 192.168.y.0 0.0.0.255 log
no cdp run
route-map nonat permit 1
match ip address 160
!
!
control-plane
!
!


Thanks
Wizard

4 things:

- Clean up the ip inspect rules a bit (tcp, udp and icmp are enough if you do not have to publish anything)

- Check that all the PCs have the 2 Cisco routers as their gateway

- Handle NAT and DE-NAT in the same ACL (141)

- It looks like the crypto ACL is missing
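Wizard's points 3 and 4 (NAT exemption and the crypto ACL) are the two checks that most often explain a tunnel that is up but only carries traffic one way. As an added example, not code from the thread, the Python checker below parses the side A ACLs 100 and 101 posted earlier and reports whether the LAN-to-LAN flow would be translated before IPsec, and whether a side B crypto ACL is the mirror of side A's; ACL 199 and the SIDE_B line are constructed for illustration, since the thread's ACL 180 shows only x/y placeholders.

```python
# Added example, not from the thread: check IOS ACLs for the classic one-way VPN causes.
import ipaddress

def _take(tokens):
    """Consume one IOS address spec ('any', 'host A', 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wc = "32" if tokens[1] == "0.0.0.0" else tokens[1]  # wildcard parses as a hostmask
    return ipaddress.ip_network(f"{tokens[0]}/{wc}"), tokens[2:]

def parse_acls(config):
    """{acl: [(action, src_net, dst_net)]} from 'access-list N permit|deny ip' lines only;
    remarks, standard ACLs and tcp/udp/icmp entries are skipped (simplification)."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue
        src, rest = _take(t[4:])
        dst, _ = _take(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def nat_verdict(acls, crypto_acl, nat_acl):
    """First matching NAT ACE wins (implicit deny last); 'permit' = translated before IPsec."""
    out = {}
    for action, csrc, cdst in acls.get(crypto_acl, []):
        if action != "permit":
            continue
        hit = "deny"
        for nat_action, nsrc, ndst in acls.get(nat_acl, []):
            if csrc.subnet_of(nsrc) and cdst.subnet_of(ndst):
                hit = nat_action
                break
        out[f"{csrc}->{cdst}"] = "natted" if hit == "permit" else "exempt"
    return out

def mirrored(acls_a, acl_a, acls_b, acl_b):
    """Side B's crypto ACL must be side A's with src/dst swapped, or one direction fails."""
    a = {(s, d) for act, s, d in acls_a.get(acl_a, []) if act == "permit"}
    b = {(d, s) for act, s, d in acls_b.get(acl_b, []) if act == "permit"}
    return a == b

# 100/101 are side A's ACLs from the thread; 199 (a NAT ACL lacking the deny) and SIDE_B are constructed.
SIDE_A = """access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 any"""
SIDE_B = "access-list 180 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log"
```

Run `nat_verdict(parse_acls(SIDE_A), "100", "101")` against the real exemption and `"199"` against the constructed one to see the difference between "exempt" and "natted".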
[email protected]

Wizard wrote: 4 things:

- Clean up the ip inspect rules a bit (tcp, udp and icmp are enough if you do not have to publish anything)

- Check that all the PCs have the 2 Cisco routers as their gateway

- Handle NAT and DE-NAT in the same ACL (141)

- It looks like the crypto ACL is missing
1) done
2) done
3) done
4) which one is the crypto ACL? (isn't it 180?)

Thanks
Wizard

Yes, it is 180, sorry!
[email protected]

Wizard wrote: Yes, it is 180, sorry!
But then, why can't I ping the IPs of the other network?..
I checked that the XP firewalls are completely disabled.
I can't even ping the router...

Strange...
Wizard

I think it is better to do a bit of debugging...
On both routers run:

debug crypto ipsec
debug crypto isakmp
ter mon

start the pings and let's see
[email protected]

Wizard wrote: I think it is better to do a bit of debugging...
On both routers run:

debug crypto ipsec
debug crypto isakmp
ter mon

start the pings and let's see
Let me say first that I changed 180 into ip access-list extended TUNNEL and matched it on crypto map VPN.
I also removed crypto isakmp policy 1, leaving crypto isakmp policy 10 (the one with 3des).


I took the logs from only one router (for now)..
I am attaching the logs, otherwise this turns into a papyrus..

I ran a sh crypto session:

Interface: Dialer0
Session status: UP-ACTIVE
Peer: 82.51.xxx.xxx port 500
IKE SA: local 82.60.yyy.yyy/500 remote 82.51.xxx.xxx/500 Active
IPSEC FLOW: permit ip 192.168.x.0/255.255.255.0 192.168.y.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.x.0/255.255.255.0 192.168.y.0/255.255.255.0
Active SAs: 2, origin: crypto map