Cisco 1720 VPN, einwahl ok, aber kein ping

[romeo310 10]

Moin,

 

habe einen Cisco 1720 am Start. Habe nun mal VPN konfiguriert. Einwahl mit dem Cisco VPN Client 4.03 geht 1a.

 

Das Problem: Der Client bekommt auf dem VPN Adapter die IP 10.1.1.5-10.1.1.253.

 

Geht.

 

Versuche ich nun den Router mit einer 10.1.1.x Adresse oder der Intranetadresse 192.168.10.1 an zu pingen, NIX.

 

Auch andere Maschinen erreiche ich trotz Verbindungaufbau nicht.

 

Was mache ich falsch ??? Hab ich einen Fehler übersehen ?

[romeo310 10]

hier meine konf:

 

!

version 12.3

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname c1720g

!

boot-start-marker

boot-end-marker

!

enable password 7 <remove>

!

memory-size iomem 25

clock timezone MEZ 1

clock summer-time MEZ+1 recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

aaa new-model

!

!

aaa authentication login clientauth local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

!

!

ip name-server 192.168.10.52

ip dhcp excluded-address 192.168.10.1 192.168.10.252

 

!

ip dhcp pool standard-clients

network 192.168.10.0 255.255.255.0

dns-server 192.168.10.52 192.168.10.1

domain-name domaene.de

default-router 192.168.10.52

!

ip cef

ip inspect max-incomplete high 1100

ip inspect one-minute high 1100

ip inspect name FastEthernet_0 tcp

ip inspect name FastEthernet_0 udp

ip inspect name FastEthernet_0 cuseeme

ip inspect name FastEthernet_0 ftp

ip inspect name FastEthernet_0 h323

ip inspect name FastEthernet_0 rcmd

ip inspect name FastEthernet_0 realaudio

ip inspect name FastEthernet_0 streamworks

ip inspect name FastEthernet_0 vdolive

ip inspect name FastEthernet_0 sqlnet

ip inspect name FastEthernet_0 tftp

ip inspect name FastEthernet_0 sip

ip audit po max-events 100

vpdn enable

!

vpdn-group pppoe

request-dialin

protocol pppoe

!

!

isdn switch-type basic-net3

!

username <removed> password 7 <removed>

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp keepalive 30 10

crypto isakmp nat keepalive 30

!

crypto isakmp client configuration group mobil

key <removed>

dns 192.168.10.52 194.25.2.129

pool ippool

reverse-route

acl VPNROUTES-CLIENTS

crypto isakmp profile VPNClient

description VPN Clients Profile

match identity group clientgroup

client authentication list clientauth

isakmp authorization list groupauthor

client configuration address respond

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

no crypto ipsec nat-transparency udp-encaps

!

crypto dynamic-map dynmap 5

set transform-set myset

set isakmp-profile VPNClient

reverse-route

!

!

crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

!

!

interface BRI0

description connected to Dial-inPCs(ISDN)

no ip address

ip nat inside

encapsulation ppp

dialer rotary-group 3

dialer-group 1

isdn switch-type basic-net3

isdn point-to-point-setup

no cdp enable

!

interface Ethernet0

description connected to Internet

no ip address

half-duplex

pppoe enable

pppoe-client dial-pool-number 1

no keepalive

 

!

interface FastEthernet0

description connected to EthernetLAN

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip inspect FastEthernet_0 in

ip tcp adjust-mss 1452

speed auto

full-duplex

no keepalive

!

interface Async5

description connected to Dial-inPCs(modem)

ip unnumbered FastEthernet0

ip nat inside

encapsulation ppp

ip tcp header-compression passive

dialer in-band

dialer rotary-group 2

dialer-group 1

async mode dedicated

!

interface Dialer0

no ip address

[romeo310 10]

!

interface Dialer1

description connected to Internet

ip address negotiated

ip access-group 103 in

ip mtu 1492

ip nat outside

ip inspect FastEthernet_0 out

encapsulation ppp

dialer pool 1

dialer-group 2

ppp authentication chap pap callin

ppp chap hostname <removed>

ppp chap password 7 <removed>

ppp pap sent-username <removed> password 7 <removed>

crypto map mymap

!

interface Dialer2

description connected to Dial-inPCs(modem)

ip unnumbered FastEthernet0

ip access-group 101 in

ip nat inside

encapsulation ppp

ip tcp header-compression passive

dialer in-band

dialer-group 1

peer default ip address pool Cisco1720-Group-2

no cdp enable

ppp authentication chap

!

interface Dialer3

description connected to Dial-inPCs(ISDN)

ip unnumbered FastEthernet0

ip access-group 100 in

ip nat inside

encapsulation ppp

no ip split-horizon

dialer in-band

dialer-group 1

peer default ip address pool Cisco1720-Group-3

no cdp enable

ppp authentication chap pap callin

ppp multilink

!

interface Dialer4

no ip address

!

router rip

version 2

passive-interface Dialer1

network 192.168.10.0

no auto-summary

!

ip local pool Cisco1720-Group-2 192.168.10.250

ip local pool Cisco1720-Group-3 192.168.10.251 192.168.10.252

ip local pool ippool 10.5.5.1 10.5.5.253

ip nat inside source list 1 interface Dialer1 overload

ip nat inside source static tcp 192.168.10.52 443 interface Dialer1 443

ip nat inside source static udp 192.168.10.7 5060 interface Dialer1 5060

ip nat inside source static tcp 192.168.10.52 22 interface Dialer1 22

ip nat inside source static tcp 192.168.10.101 21 interface Dialer1 21

ip nat inside source static tcp 192.168.10.101 20 interface Dialer1 20

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

ip http authentication local

ip http secure-server

!

!

!

ip access-list extended VPNROUTES-CLIENTS

permit ip any any

deny ip any any

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 permit udp any eq rip any eq rip

access-list 100 deny ip any any log

access-list 101 permit udp any eq rip any eq rip

access-list 101 deny ip any any log

access-list 102 permit ip any any

access-list 102 deny ip any any log

access-list 103 permit icmp any any echo-reply

access-list 103 permit tcp any any eq 22

access-list 103 permit tcp any any eq ftp

access-list 103 permit tcp any any eq ftp-data

access-list 103 permit udp any eq 5060 any

access-list 103 permit esp any any

access-list 103 permit udp any any eq isakmp

access-list 103 permit udp any any eq non500-isakmp

access-list 103 permit tcp any any eq 443

access-list 103 deny ip any any

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

banner motd

*********************************************************

** **

* WARNING ! *

* System ist RESTRICTED to authorized personnell ONLY ! *

* *

* Unauthorized use of this System will be logged and *

* prosecuted to the fullest extent of the law. *

* *

* If you are NOT authorized to use this system *

* LOG OFF NOW ! *

* *

* We fight against SPAM an HACKERS ! *

*********************************************************

!

line con 0

exec-timeout 0 0

password 7 <removed>

line aux 0

modem InOut

transport input all

autoselect during-login

autoselect ppp

stopbits 1

speed 38400

flowcontrol hardware

line vty 0 4

!

ntp clock-period 17042045

ntp access-group peer 10

ntp master 2

ntp server 131.188.3.223

ntp server 131.188.3.222

ntp server 131.188.3.221

ntp server 131.188.3.220

!

end

[michael01 10]

Hallo,

ip access-list extended VPNROUTES-CLIENTS

permit ip any any

deny ip any any

 

hier kann irgendwas nicht stimmen.

 

Gruß

Michael

[romeo310 10]

hmmmmmm, denke, dass damit die VPN Clients für das interne Netz definiert sind.

 

Die acl hatte ich auch schon mal komplett aus der conf genommen. Selbe Ergebnis :(

[michael01 10]

Hallo,

irgendwie sehe ich keine ACL wo der Bereich für die VPN-Clients 10.1.1.5-10.1.1.253

aufs interne LAN zugreifen können.

 

Gruß

Michael

[romeo310 10]

d.h. ich müsste dann die VPN ACL für die Clients in die acl 103 auf Dialer1 mit einbinden ?

 

Oder verstehe ich dass auch falsch ?

 

Stehe eben immer noch auf´m Schlach :(

[michael01 10]

ja genau in der acl 103

[romeo310 10]

sollte es dann evtl. so aussehen ???

 

-------------------schnipp-----------------------

access-list 103 permit icmp any any echo-reply

access-list 103 permit tcp any any eq 22

access-list 103 permit tcp any any eq ftp

access-list 103 permit tcp any any eq ftp-data

access-list 103 permit udp any eq 5060 any

access-list 103 permit esp any any

access-list 103 permit udp any any eq isakmp

access-list 103 permit udp any any eq non500-isakmp

access-list 103 permit tcp any any eq 443

----------------neu-------------------------------

access-list 103 permit ip 10.5.5.0 any

---------------neu--------------------------------

access-list 103 deny ip any any

 

oder liege ich da wieder falsch ???

 

??? :) :) :)

[michael01 10]

Hallo romeo310

ich hätte eine

 

access-list 103 permit ip 10.5.5.0 0.0.0.255 192.168.10.1 0.0.0.255

 

verwendet.

 

Gruß

Michael

[romeo310 10]

Hi,

habe meinen 1720 nochmal komplett von vorne konfiguriert:

 

Leider hauts hier auch nur mit der Verbindung der Road-Warriors hin. Verbindung steht, kann aber nichts auf der Gegenseite anpingen oder auf irgendeinen Server zugreifen...

 

Steh eben acht auf´m Schlauch.......

 

Hier nochmal die neue (bis jetzt meine beste :) ) Konf:

 

version 12.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug uptime

service timestamps log uptime

service password-encryption

service sequence-numbers

!

hostname c1720w

!

boot-start-marker

boot-end-marker

!

logging buffered 16384 debugging

no logging console

enable password 7 xxx

!

memory-size iomem 25

clock timezone MEZ 1

clock summer-time MEZ+1 recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

aaa new-model

!

!

aaa authentication login clientauth local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

no ip source-route

!

!

ip domain name domain.de

ip name-server 192.168.10.101

ip dhcp excluded-address 192.168.10.1

ip dhcp excluded-address 192.168.10.2

ip dhcp excluded-address 192.168.10.3

ip dhcp excluded-address 192.168.10.4

ip dhcp excluded-address 192.168.10.5

ip dhcp excluded-address 192.168.10.6

ip dhcp excluded-address 192.168.10.7

ip dhcp excluded-address 192.168.10.8

ip dhcp excluded-address 192.168.10.9

ip dhcp excluded-address 192.168.10.10

ip dhcp excluded-address 192.168.10.11

ip dhcp excluded-address 192.168.10.50

ip dhcp excluded-address 192.168.10.51

ip dhcp excluded-address 192.168.10.52

ip dhcp excluded-address 192.168.10.53

ip dhcp excluded-address 192.168.10.100

ip dhcp excluded-address 192.168.10.101

ip dhcp excluded-address 192.168.10.102

ip dhcp excluded-address 192.168.10.103

ip dhcp excluded-address 192.168.10.104

ip dhcp excluded-address 192.168.10.105

ip dhcp excluded-address 192.168.10.106

ip dhcp excluded-address 192.168.10.107

ip dhcp excluded-address 192.168.10.150

ip dhcp excluded-address 192.168.10.151

ip dhcp excluded-address 192.168.10.152

ip dhcp excluded-address 192.168.10.153

!

ip dhcp pool standard-clients

network 192.168.10.0 255.255.255.0

dns-server 192.168.10.52 194.25.2.129

default-router 192.168.10.101

domain-name domain.de

!

[romeo310 10]

no ip bootp server

ip cef

ip inspect max-incomplete low 300

ip inspect max-incomplete high 400

ip inspect one-minute low 150

ip inspect one-minute high 250

ip inspect udp idle-time 35

ip inspect dns-timeout 6

ip inspect tcp idle-time 300

ip inspect tcp finwait-time 6

ip inspect tcp synwait-time 35

ip inspect tcp max-incomplete host 50 block-time 15

ip inspect name internet http timeout 180

ip inspect name internet realaudio timeout 30

ip inspect name internet udp timeout 300

ip inspect name internet tcp timeout 600

ip inspect name internet ftp timeout 60

ip inspect name internet sip timeout 600

ip inspect name internet rtsp timeout 30

ip inspect name internet tftp timeout 30

ip inspect name internet sqlnet timeout 60

ip inspect name internet vdolive timeout 60

ip inspect name internet streamworks timeout 60

ip inspect name internet rcmd timeout 30

ip inspect name internet cuseeme timeout 30

ip audit po max-events 100

vpdn enable

!

vpdn-group 1

request-dialin

protocol pppoe

!

!

isdn switch-type basic-net3

!

username ms2 password 7 xxx

!

!

class-map match-all Queue-MediumPrio

match dscp af31

class-map match-all Queue-HighPrio

match dscp ef

!

!

crypto keyring spokes

pre-shared-key address 0.0.0.0 0.0.0.0 key xxx

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 30 10

crypto isakmp nat keepalive 30

!

crypto isakmp client configuration group xxx

key xxx

dns 192.168.10.101

domain domain.de

pool ippool

acl VPNROUTES-CLIENTS

crypto isakmp profile VPNclient

description VPN Clients Profile

match identity group xxx

client authentication list clientauth

isakmp authorization list groupauthor

client configuration address respond

crypto isakmp profile l2l

description lan-2-lan Configuration for spokes Routers

keyring spokes

match identity address 0.0.0.0

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

no crypto ipsec nat-transparency udp-encaps

!

crypto dynamic-map dynmap 5

set transform-set myset

set isakmp-profile VPNclient

reverse-route

crypto dynamic-map dynmap 10

set transform-set myset

set isakmp-profile

reverse-route

!

!

crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

!

!

interface BRI0

description connected to Dial-inPCs(ISDN)

ip unnumbered FastEthernet0

ip nat inside

encapsulation ppp

dialer rotary-group 3

dialer-group 1

isdn switch-type basic-net3

isdn point-to-point-setup

no cdp enable

!

interface Ethernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip nat outside

ip route-cache flow

half-duplex

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

crypto map mymap

!

interface FastEthernet0

ip address 192.168.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip route-cache flow

no ip mroute-cache

speed auto

full-duplex

!

interface Async5

description connected to Dial-inPCs(modem)

ip unnumbered FastEthernet0

ip nat inside

encapsulation ppp

ip tcp header-compression passive

dialer in-band

dialer rotary-group 2

dialer-group 1

async mode dedicated

[romeo310 10]

interface Dialer1

ip address negotiated

ip access-group FIREWALL-INCOMING in

ip access-group FIREWALL-OUTGOING out

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip nat outside

ip inspect internet in

ip inspect internet out

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname xxx

ppp chap password 7 xxx

ppp pap sent-username xxx password 7 xxx

ppp ipcp dns request

crypto map mymap

!

interface Dialer2

description connected to Dial-inPCs(modem)

ip unnumbered FastEthernet0

ip access-group Dialin-modem in

ip nat inside

encapsulation ppp

ip tcp header-compression passive

dialer in-band

dialer-group 1

peer default ip address pool DIALIN-MODEM

no cdp enable

ppp authentication chap

!

interface Dialer3

description connected to Dial-inPCs(ISDN)

ip unnumbered FastEthernet0

ip access-group DIALIN-ISDN in

ip nat inside

encapsulation ppp

no ip split-horizon

dialer in-band

dialer-group 1

peer default ip address pool DIALIN-ISDN

no cdp enable

ppp authentication chap pap callin

ppp multilink

!

router rip

version 2

redistribute static

passive-interface Dialer1

network 192.168.4.0

network 192.168.10.0

no auto-summary

!

ip local pool DIALIN-MODEM 192.168.10.250

ip local pool DIALIN-ISDN 192.168.10.251 192.168.10.252

ip local pool ippool 192.168.4.1 192.168.4.253

ip nat inside source list TRIGGER-CONNECT interface Dialer1 overload

ip nat inside source static tcp 192.168.10.152 20 interface Dialer1 20

ip nat inside source static tcp 192.168.10.152 21 interface Dialer1 21

ip nat inside source static tcp 192.168.10.101 443 interface Dialer1 443

ip nat inside source static tcp 192.168.10.7 5060 interface Dialer1 5060

ip nat inside source static tcp 192.168.10.101 22 interface Dialer1 22

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

no ip http secure-server

!

!

!

ip access-list extended FIREWALL-INCOMING

permit udp host 131.188.3.223 eq ntp any

permit udp host 131.188.3.222 eq ntp any

permit udp host 131.188.3.221 eq ntp any

permit udp host 131.188.3.220 eq ntp any

permit udp any eq 5060 any

permit icmp any any echo-reply

permit tcp any any eq 22

permit tcp any any eq 443

permit ip 192.168.4.0 0.0.0.255 any

permit ip 192.168.10.0 0.0.0.255 any

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit esp any any

permit tcp any any eq ftp-data

permit tcp any any eq ftp

deny ip any any log

ip access-list extended FIREWALL-OUTGOING

permit ip any any

deny ip any any log

ip access-list extended TRIGGER-CONNECT

deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255

deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255

permit ip 192.168.10.0 0.0.0.255 any

deny ip any any log

ip access-list extended VPNROUTES-CLIENTS

permit ip any any

deny ip any any

ip access-list extended VTY-SSH

permit ip 192.168.10.0 0.0.0.255 any

access-list 10 permit 131.188.3.220

access-list 10 permit 131.188.3.221

access-list 10 permit 131.188.3.222

access-list 10 permit 131.188.3.223

access-list 10 permit 192.168.10.0 0.0.0.255

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

[romeo310 10]

!

banner motd #CCCCC

*********************************************************************

* WARNING !!!!! *

* *

* Firewall Router. RESTRICTED ACCESS *

* *

* No Unauthorised Access. *

* *

* No Hackers, Phreaks, Crackers or so called security *

* experts allowed! *

* *

* Unauthorized use of this system will be logged and *

* prosecuted to the fullest extent of the law ! *

* *

* Contact: webmaster@domain.de *

* *

* We fight against Spam and Hackers !!!! *

*********************************************************************

#

!

line con 0

exec-timeout 120 0

password 7 xxx

line aux 0

line vty 0 4

access-class VTY-SSH in

exec-timeout 0 0

password 7 xxx

transport input ssh

!

ntp clock-period 17042046

ntp access-group peer 10

ntp master 2

ntp server 131.188.3.223

ntp server 131.188.3.222

ntp server 131.188.3.221

ntp server 131.188.3.220

end

[Klettermaxx 10]

Also für mich sieht das so aus, als wenn der VPN-Traffic mit ins NAT läuft. Du müsstest eine Access-List basteln die es verbietet, den VPN-Traffic ins NAT zu schicken.