Cyrrus 10 Posted 29 July 2007

Hi all! Here is my problem. I set up an Easy VPN server with SDM 2.41 on an 1841 (adv sec). My test client with the Cisco VPN Client logs in to it, no problem. I can ping the router's LAN interface at 10.0.0.1, but NOTHING else (!!) in the LAN! Every other address 10.0.0.xx does not answer! Can anyone tell me where the bug is? I suspect an ACL or something.... Here is the config..... Thanks for your help!

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1_MAINSITE
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 [--delete--]
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
no ip source-route
ip cef
!
ip tcp synwait-time 10
no ip bootp server
ip domain name [mydomain.local]
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
ip ssh time-out 60
ip ssh authentication-retries 2
!
multilink bundle-name authenticated
!
username [--delete--] privilege 15 secret 5 [--delete--]
username [--delete--] privilege 15 secret 5 [--delete--]
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key [--delete--]
 dns 10.0.0.11
 domain [mydomain.local]
 pool SDM_POOL_1
 acl 100
 netmask 255.255.255.0
!
crypto isakmp profile sdm-ike-profile-1
 match identity group vpn
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 900
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address [external_IP] 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 10.0.0.251 10.0.0.254
ip route 0.0.0.0 0.0.0.0 [gateway_IP]
!
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.0.200 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.0.0.200 443 interface FastEthernet0/1 443
!
logging trap debugging
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
control-plane
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
Wordo 11 Posted 30 July 2007

Have you checked on the "server" in the network whether the ping actually arrives? Have you tried a different network for the VPN clients?
Cyrrus 10 Posted 30 July 2007 (author)

Update.... I downgraded to SDM 2.32..... configured the whole thing again in exactly the same way.... IT WORKS! The config now looks like this:

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1_MAINSITE
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 [--delete--]
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name [mydomain.local]
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
ip ssh time-out 60
ip ssh authentication-retries 2
!
multilink bundle-name authenticated
!
!
!
username [--delete--] privilege 15 secret 5 [--delete--]
username [--delete--] privilege 15 secret 5 [--delete--]
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key [--delete--]
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address [external_IP] 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip route 0.0.0.0 0.0.0.0 [gateway_IP]
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.0.14 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.0.0.14 443 interface FastEthernet0/1 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 192.168.2.1
access-list 100 deny ip any host 192.168.2.2
access-list 100 deny ip any host 192.168.2.3
access-list 100 deny ip any host 192.168.2.4
access-list 100 deny ip any host 192.168.2.5
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
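Besides the SDM version, the two posted configs differ in two points that can be checked mechanically: the first hands VPN clients the addresses 10.0.0.251-254, which lie inside the Fa0/0 LAN subnet 10.0.0.0/24, while the second uses 192.168.2.1-5 and exempts those five hosts from NAT with the deny lines in ACL 100 that the route-map references. The following is an added example, not code from the thread: a small Python check over constructed config snippets modelled on the two posts, flagging a client pool that overlaps an interface subnet or lacks a per-host NAT exemption in the "deny ip any host" form the second config uses.

```python
import ipaddress
import re

# Constructed snippets modelled on the two configs posted in the thread.
CONFIG_BEFORE = """interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
ip local pool SDM_POOL_1 10.0.0.251 10.0.0.254
access-list 1 permit 10.0.0.0 0.0.0.255"""
CONFIG_AFTER = """interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
access-list 100 deny ip any host 192.168.2.1
access-list 100 deny ip any host 192.168.2.2
access-list 100 deny ip any host 192.168.2.3
access-list 100 deny ip any host 192.168.2.4
access-list 100 deny ip any host 192.168.2.5
access-list 100 permit ip 10.0.0.0 0.0.0.255 any"""

def parse_config(cfg):
    """Collect interface subnets, local pools and 'deny ip any host' NAT exemptions."""
    subnets, pools, exempt = [], [], set()
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            subnets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            lo, hi = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
            pools.append((m[1], [ipaddress.ip_address(a) for a in range(int(lo), int(hi) + 1)]))
        elif m := re.match(r"access-list \d+ deny ip any host (\S+)", line):
            exempt.add(ipaddress.ip_address(m[1]))
    return subnets, pools, exempt

def check_vpn_pool(cfg):
    """Return one finding per pool address that overlaps an interface subnet or is not NAT-exempt."""
    subnets, pools, exempt = parse_config(cfg)
    findings = []
    for name, addrs in pools:
        for a in addrs:
            for net in subnets:
                if a in net:
                    findings.append(f"{name}: {a} overlaps interface subnet {net}")
            if a not in exempt:
                findings.append(f"{name}: {a} has no 'deny ip any host' NAT exemption")
    return findings
```

Run against the two snippets, the first config yields eight findings (four overlaps, four missing exemptions) and the second yields none.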
Wordo 11 Posted 30 July 2007

Is your IOS:
# 12.3(8)T4 or later
# 12.4(2)T or later