v-rtc, posted 25 February 2016 (edited)

Hello everyone,

we have a Cisco 2921 as gateway, on which tunnels terminate, as well as our users when they dial in from outside (Cisco Client). Now the users who are dialled in from outside would like to access a server that we have so far only reached from inside, via the VPN tunnel. How is this configured or routed?

The server in the tunnel has 192.168.84.75 and the dialled-in users have 192.168.40.21. Both terminate on the VPN gateway and do not go via the firewall.

Many thanks.
Best regards
Rolf

Edited 26 February 2016 by RolfW
Otaku19, posted 26 February 2016

Then you will have to post the relevant config parts, like it or not... It would be important to know, for example, whether the clients do tunnel-all or whether only specific networks have been defined. You should leave out/replace the PSK, descriptions and the real IPs.
v-rtc (author), posted 26 February 2016 (edited)

```
Current configuration : 44094 bytes
!
version 15.4
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpn_01
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M3.bin
boot-end-marker
!
!
logging buffered 256000
enable secret 12345
!
aaa new-model
!
!
aaa group server radius Radius
 server 192.168.13.70 auth-port 9999 acct-port 9999
 server-private 192.168.13.70 auth-port 9999 acct-port 9999 key 12345
!
aaa authentication login default local
aaa authentication login RADIUS group Radius
aaa authorization exec default local
aaa authorization network VPNAUTHO local
aaa accounting update periodic 1
!
aaa session-id common
clock timezone MET 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no standby redirect
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name domain.de
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-10947
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-10947
 revocation-check none
 rsakeypair TP-self-signed-10947
!
!
crypto pki certificate chain TP-self-signed-10947
 certificate self-signed 01
license udi pid CISCO2921/K9 sn 12345
!
!
archive
 log config
  hidekeys
username vpn privilege 15 secret 12345
!
redundancy
!
crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 43200
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 16
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 25
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp policy 35
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 45
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp keepalive 15
crypto isakmp client configuration address-pool local DEFAULTPOOL
!
crypto isakmp client configuration group VPN
 key private
 dns 192.168.13.10 192.168.13.47
 wins 192.168.13.10 192.168.13.47
 domain domain.local
 pool DEFAULTPOOL
 backup-gateway 69.14.24.8
 max-users 250
 max-logins 10
!
crypto isakmp client configuration group VPN1
 key private
 dns 192.168.13.10 192.168.13.47
 wins 192.168.13.10 192.168.13.47
 domain domain.local
 pool DEFAULTPOOL
 backup-gateway 69.14.24.8
!
crypto isakmp client configuration group VPN2
 key private
 dns 192.168.13.10 192.168.13.47
 wins 192.168.13.10 192.168.13.47
 domain domain.local
 pool DEFAULTPOOL
 backup-gateway 69.14.24.8
!
crypto isakmp profile IKE-Profile-VPN1
   match identity group VPN1
   client authentication list RADIUS
   isakmp authorization list VPNAUTHO
   client configuration address respond
   accounting ipsecacc
   keepalive 15 retry 3
   virtual-template 2
crypto isakmp profile IKE-Profile-VPN2
   match identity group VPN2
   client authentication list RADIUS
   isakmp authorization list VPNAUTHO
   client configuration address respond
   keepalive 15 retry 3
   virtual-template 6
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set PSK-SA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TEST esp-3des esp-sha-hmac comp-lzs
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile IPSec-Profile-VPN1
 set transform-set ESP-3DES-MD5
 set isakmp-profile IKE-Profile-VPN1
!
crypto ipsec profile IPSec-Profile-VPN2
 set transform-set PSK-SA
 set isakmp-profile IKE-Profile-VPN2
!
crypto dynamic-map dynmap 50
 description test fuer version 3.6
 set transform-set ESP-3DES-MD5
!
!
crypto map outside_map client authentication list RADIUS
crypto map outside_map client accounting list ipsecacc
crypto map outside_map isakmp authorization list VPNAUTHO
crypto map outside_map client configuration address respond
!
crypto map outside_map 95 ipsec-isakmp
 description VPN Tunnel Partner
 set peer 15.19.13.13
 set security-association lifetime seconds 28800
 set transform-set PSK-SA
 match address 155
crypto map outside_map 100 ipsec-isakmp dynamic dynmap
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Management
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description DMZ
 ip address 192.168.222.3 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description Outside
 ip address 19.8.11.9 255.255.255.240
 ip access-group outside_in in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 duplex auto
 speed auto
 no mop enabled
 crypto map outside_map
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSec-Profile-VPN1
!
interface Virtual-Template6 type tunnel
 ip unnumbered GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSec-Profile-VPN2
!
ip local pool DEFAULTPOOL 192.168.40.1 192.168.40.30
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.3.155 0000
!
ip nat pool Partner-PAT 192.168.84.54 192.168.84.54 netmask 255.255.255.240
...
ip nat inside source static 192.168.13.13 192.168.84.49 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.127 192.168.84.50 route-map NAT-Partner extendable
ip nat inside source static 192.168.111.150 192.168.84.51 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.17 192.168.84.52 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.18 192.168.84.53 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.140 192.168.84.55 route-map NAT-Partner extendable
ip nat inside source static 192.168.111.229 192.168.84.56 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.3 192.168.84.57 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.5 192.168.84.58 route-map NAT-Partner extendable
ip route 0.0.0.0 0.0.0.0 19.8.11.11
...
!
ip access-list extended outside_in
 permit icmp any host 19.8.11.9
 permit esp any host 19.8.11.9
 permit udp any host 19.8.11.9 eq isakmp
 permit udp any host 19.8.11.9 eq non500-isakmp
 permit tcp any host 19.8.11.9 range 10000 10010
 permit tcp any host 19.8.11.9 eq 443
 deny ip any any log
!
ip radius source-interface GigabitEthernet0/1
!
logging trap debugging
logging facility local6
logging source-interface GigabitEthernet0/1
logging host 192.168.13.155
!
route-map PAT-Partner permit 10
 match ip address 157
!
route-map NAT-Partner permit 10
 match ip address 156
!
snmp-server community test RO
snmp-server location RZ
snmp-server contact IT
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps config
snmp-server enable traps frame-relay multilink bundle-mismatch
access-list 23 permit 192.168.161.65
access-list 23 permit 192.168.111.61
access-list 23 permit 192.168.111.1
access-list 23 permit 192.168.111.31
access-list 23 permit 192.168.13.227
access-list 23 permit 192.168.13.229
access-list 23 permit 192.168.13.222
access-list 23 permit 192.168.111.222
access-list 23 permit 192.168.40.167
access-list 23 permit 192.168.111.150
...
access-list 155 remark Tunnel definition for Partner
access-list 155 permit ip 192.168.84.48 0.0.0.15 192.168.84.64 0.0.0.15
access-list 156 remark Tunnel Partner accesses NAT
access-list 156 permit icmp host 192.168.13.5 192.168.84.64 0.0.0.15
...
access-list 157 remark Tunnel Partner accesses PAT
access-list 157 permit ip 192.168.0.0 0.0.255.255 192.168.84.64 0.0.0.15
!
...
!
end
```

The client uses the Cisco Client (group/password) with RADIUS authentication. The branch offices use EasyVPN, but they are not relevant at the moment.

On "tracert" the first IP is the public one of VPN_01, after that it stops.

Now the question would be whether the whole thing could already be solved with "ip route ..."?

Many thanks.
Best regards
Rolf

Edited 26 February 2016 by RolfW
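As an added example (not part of the thread and not the poster's configuration), the following script applies IOS wildcard-mask matching to the three numbered ACLs posted above, so that one can check which of them select the dial-in client flow 192.168.40.21 -> 192.168.84.75: access-list 155 is the crypto ACL of the partner tunnel, 156 and 157 are the match lists of the NAT-Partner and PAT-Partner route-maps. Only the ACL entries visible in the post are included; the entries elided with "..." are not reconstructed.

```python
import ipaddress

# ACL lines copied from the posted config; the "..." elisions there mean access-list 156
# has further entries that are not reproduced here.
ACL_LINES = """
access-list 155 permit ip 192.168.84.48 0.0.0.15 192.168.84.64 0.0.0.15
access-list 156 permit icmp host 192.168.13.5 192.168.84.64 0.0.0.15
access-list 157 permit ip 192.168.0.0 0.0.255.255 192.168.84.64 0.0.0.15
""".strip().splitlines()

def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD), return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny PROTO SRC DST' lines; remark lines are skipped."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        rest = t[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        entries.append((t[1], t[2], t[3], src, dst))
    return entries

def wc_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def acl_decision(entries, acl, proto, src, dst):
    """First-match evaluation of one ACL, with the implicit deny at the end as in IOS."""
    for name, action, p, s, d in entries:
        if name == acl and p in ("ip", proto) and wc_match(src, s) and wc_match(dst, d):
            return action == "permit"
    return False

def classify_flow(src, dst, proto="tcp"):
    """Decision of the three posted ACLs (155 = tunnel crypto ACL, 156/157 = NAT/PAT route-map lists)."""
    entries = parse_acl(ACL_LINES)
    return {acl: acl_decision(entries, acl, proto, src, dst) for acl in ("155", "156", "157")}

if __name__ == "__main__":
    print(classify_flow("192.168.40.21", "192.168.84.75"))  # the flow from the question
```

For the client flow the result is that only the PAT route-map list 157 matches, while the crypto ACL 155 does not, because its source range is 192.168.84.48/28 rather than the client pool; a source from that range matches both.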