Tip for PPTP VPN
Posted: Fri 16 Feb, 2007 10:47 am
I know it would be better to set up an IPsec VPN, but the customer wants to be able to connect from any XP PC without installing any software, so PPTP is my only option.
The router runs IOS version 12.4 (857W)
Lurking here and there... I found that it's simple (or at least it seems so) and that it's enough to set up a NAT and let the VPN through
static (inside,outside) IPStaticoADSL IPInternoDelServer netmask 255.255.255.255 0 0
fixup protocol pptp 1723
Maybe I also need to enable something on access-list 106, like:
access-list 106 permit tcp any any eq 1723
I can't figure out where to enter these commands....
Maybe they are commands for a different IOS/different equipment?
Can you tell me which commands to run?
Here is the current configuration
Thanks a million
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
ip name-server 212.216.112.112
ip name-server 212.216.172.62
!
!
crypto pki trustpoint TP-self-signed-2249262054
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2249262054
revocation-check none
rsakeypair TP-self-signed-2249262054
!
!
crypto pki certificate chain TP-self-signed-2249262054
certificate self-signed 01 nvram:IOS-Self-Sig#340B.cer
username xxxxx privilege 15 password 7 082F454D061504
!
!
!
!
!
interface ATM0
no ip address
ip virtual-reassembly
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.2 point-to-point
description $ES_WAN$
ip address IPStaticoADSL 255.255.255.248
ip nat outside
ip access-group 106 in
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
protocol ip IPStaticoADSL-1 broadcast
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip route 0.0.0.0 0.0.0.0 ATM0.2
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface ATM0.2 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip any any
access-list 106 deny ip any any
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end