CiscoForums.it

Ciao a tutti .

scenario router soho97 , easy vpn server configurata in azienda e vpn client 5.0 installata a casa mia ...

ecco lo sh run :

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret x xxxxxxxxxxxxxxxx
!
clock timezone GMT 1
clock summer-time GMT+1 recurring
no aaa new-model
ip subnet-zero
no ip source-route
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group system
key password
dns 192.168.2.2
wins 192.168.2.10
pool dynpool
acl 103
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap isakmp authorization list system
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
ip address 192.168.5.4 255.255.0.0
ip access-group 100 out
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
bandwidth 1280
ip address 212.xxx.xxx.xxx 255.255.255.252
ip access-group 101 in
ip nat outside
crypto map dynmap
pvc 8/35
!
!
ip local pool dynpool 10.128.4.10 10.128.4.20
ip local pool dynpool1 10.128.5.10
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.128.1.0 255.255.255.0 Ethernet0 192.168.5.2
ip route 10.128.2.0 255.255.255.0 Ethernet0 192.168.5.8
ip route 10.128.3.0 255.255.255.0 Ethernet0 192.168.5.8
no ip http server
no ip http secure-server
ip nat inside source list 101 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.20 5900 interface ATM0.1 5900
!
!
logging trap debugging
logging facility local2
access-list 23 permit any
access-list 100 permit icmp any any
access-list 100 permit ip any host 192.168.10.1
access-list 100 permit ip any host 192.168.10.7
access-list 100 permit tcp host 82.185.xxx.xxx host 192.168.1.20 eq 5900
access-list 100 deny ip any any
access-list 101 permit ip any any
access-list 103 permit ip any any
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
password x xxxxxxxxx
login
length 20
transport preferred all
transport output all
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password x xxxxxxxxxxxxxx
login
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
sntp server 129.6.15.28
!
end


la VPN funziona , mi dice che è collegato , ma non pingo nulla e non riesco a raggiungere nessun PC aziendale , ne usando VNC , ne visualizzando le risorse condivise tramite il comando \\pc1 ...

dove sbaglio ?

bye

ho notato anche che se mentre è attiva la vpn , non mi naviga su internet e se provo a fare un TRACERT su un ip aziendale qualunque , non mi raggiunge alcuna destinazione ...

X forza, ri studiati il nat0 e split tunnel

le acl

access-list 101 permit ip any any
access-list 103 permit ip any any

sono da rifare!

ciao , ti ringrazio della tua risposta ...

io avevo messo le acl permit any any come prova , per verificare che tutto funzionasse e solo dopo impostare le acl ...

secondo te cosa dovrei scrivere per fare intanto funzionare il tutto e per piacere mi indicheresti dove trovare informazioni sullo split tunnel ?

la volontà di studiare non mi manca di certo , ti chiedo solo di indicarmi la strada ...


grazie.

cercando sul sito cisco , credo aver trovato quello che mi serve :

http://www.cisco.com/en/US/docs/ios/12_ ... #wp1060506

che ne dici ?

Prova e facci poi vedere la config.
Cmq, si, la documentazione è corretta

ciao , ho fatto alcune prove e modificando la acl 103 , riesco ad accedere ad internet , ma cmq non riesco a fare altro ...

ecco la config :

Current configuration : 3329 bytes
!
! Last configuration change at 11:56:35 GMT+1 Mon Apr 21 2008
! NVRAM config last updated at 11:52:23 GMT+1 Mon Apr 21 2008
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname serou004
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$CB3G$AoZaBeArQxPeEeCHdnKOE1
!
clock timezone GMT 1
clock summer-time GMT+1 recurring
no aaa new-model
ip subnet-zero
no ip source-route
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group system
key **************
dns 192.168.2.2 192.168.2.3
wins 192.168.2.5 192.168.2.10
domain *******
pool dynpool
acl 103
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap isakmp authorization list system
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
ip address 10.128.4.1 255.255.255.0 secondary
ip address 192.168.5.4 255.255.0.0
ip access-group 100 out
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
bandwidth 1280
ip address ***.***.***.*** 255.255.255.252
ip access-group 101 in
ip nat outside
crypto map dynmap
pvc 8/35
!
!
ip local pool dynpool 10.128.4.10 10.128.4.20
ip local pool dynpool1 10.128.5.10
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.128.1.0 255.255.255.0 Ethernet0 192.168.5.2
ip route 10.128.2.0 255.255.255.0 Ethernet0 192.168.5.8
ip route 10.128.3.0 255.255.255.0 Ethernet0 192.168.5.8
no ip http server
no ip http secure-server
ip nat inside source list 101 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.20 5900 interface ATM0.1 5900
!
!
logging trap debugging
logging facility local2
access-list 23 permit any
access-list 100 permit icmp any any
access-list 100 permit ip any host 192.168.10.1
access-list 100 permit ip any host 192.168.10.7
access-list 100 permit tcp host ***.***.***.*** host 192.168.1.20 eq 5900
access-list 100 permit ip any 10.128.4.0 0.0.0.255
access-list 100 deny ip any any
access-list 101 permit ip any any
access-list 103 permit ip 192.168.0.0 0.0.255.255 10.128.4.0 0.0.0.255
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
password xxxxxxxxxx
login
length 20
transport preferred all
transport output all
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
password xxxxxxxxxxx
login
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
sntp server 129.6.15.28
!
end

un ' altra cosa :

mi spiegheresti per favore , che significa questa riga che ho trovato nella configurazione di esempio ?

nella eth0 mi dice :
interface Ethernet0
ip address 172.16.0.129 255.255.255.255

ok , ma allora la acl 150 perchè scrive :
access-list 150 permit ip 172.16.0.128 10.0.0.127 any

???

e poi la ip route :
ip route 172.16.1.0 255.255.255.255 cable-modem0

quando la subnet è 172.16.0 invece di 172.16.1 !

perchè ???

Perchè x fare le cose bene hanno configurato acl e rotte con la subnet del pool dedicato alla vpn (immagino)