Cisco site-to-site VPN - Réseaux - Systèmes & Réseaux Pro
Marsh, posted on 14-08-2009 at 11:07:37
Hello everyone.
Total beginner with Cisco. Here's my problem: I've configured 2 Cisco 871 routers for a site-to-site VPN connection. The VPN is up, and the 2 LAN interfaces of my routers can ping each other.
However, ping and/or RDP is impossible between 2 PCs on the 2 LANs (OK on the same network). Since this is a test environment, I've set very broad firewall rules, but that changes nothing. A tracert from my PCs does go through its own router's LAN interface, but nothing shows on the subsequent hops.
I'm really struggling here, help.
config:
Building configuration...
Current configuration : 5167 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-4188366588
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4188366588
revocation-check none
rsakeypair TP-self-signed-4188366588
!
!
crypto pki certificate chain TP-self-signed-4188366588
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313838 33363635 3838301E 170D3039 30383133 30393039
30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31383833
36363538 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB2D A3961F4D 60C9E5C1 0A91AB8B 461BC704 324CEE42 9B2E3066 65B1638E
EEDD49CB A1D7A0FC 272DEEC4 D806AD51 DD9328F3 B1512611 5175E2AB FD722210
46344ED6 982F5ACE A943BD70 8B044484 63849825 EEBB9F0A CCC87754 D6AFDCA4
C21DA1FC C664CA29 EEF7E0B3 F9F6477E EAA3AB42 000605C0 769C1F4E B16553AC
BDCF0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06436973 636F3130 1F060355 1D230418 30168014 60A71A78
5BFCA8F5 430FDE23 92EC35AC 7007B029 301D0603 551D0E04 16041460 A71A785B
FCA8F543 0FDE2392 EC35AC70 07B02930 0D06092A 864886F7 0D010104 05000381
8100281D FFE03167 0B7F9A63 92674E32 74F197CF 49326D0D 561F165F A73731AA
6BD8B0CD F8E9BD14 005D54C6 028A8C94 2147214E 7BB49BC2 9472B278 CB2D20AB
ECEDC516 D04FFA2D C46470D8 6D267752 4AF0D1D5 16E4ABB0 E972D1B8 6940BF68
A84234A2 2418700C 192C982B 20608C3E C7BB15DC B402831A D2FD8362 D2839E99 314B
quit
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
!
username admin privilege 15 secret 5 $1$3jD.$3S3sDgYolync.DLoVz5ZG0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 123 address 82.15.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.15.1.2
set peer 82.15.1.2
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 101
class-map type inspect match-any all
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all sdm-cls-sdm-pol-VPNOutsideToInside-1-1
match class-map all
match access-group name all
class-map type inspect match-all Cl-Map-All
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-sdm-pol-VPNOutsideToInside-1-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
pass
class class-default
drop
policy-map type inspect Ctrl-Prot-lan1-to-out
class type inspect Cl-Map-All
inspect
class class-default
drop
!
zone security Out
zone security Lan1
zone-pair security Paire-Zone-lan1-out source Lan1 destination Out
service-policy type inspect Ctrl-Prot-lan1-to-out
zone-pair security sdm-zp-VPNOutsideToInside-1 source Out destination Lan1
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 82.15.1.1 255.255.255.0
no ip unreachables
ip nat outside
ip virtual-reassembly
zone-member security Out
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security Lan1
!
ip forward-protocol nd
ip route 192.168.20.0 255.255.255.0 FastEthernet4
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list standard nat-lan1-out
remark SDM_ACL Category=2
permit 192.168.10.0 0.0.0.255
!
ip access-list extended all
remark SDM_ACL Category=128
permit ip any any
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 remark SDM_ACL Category=0
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
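As an added example (not part of the original post, and not Cisco tooling), here is a small Python checker that cross-references the parts of a config like the one above that must agree before LAN-to-LAN traffic is encrypted instead of NATed, dropped or sent out in the clear: the ACL named by "match address" in the crypto map, the NAT route-map ACL (the VPN flow must hit a deny there), the static route to the remote LAN (it must leave through the interface carrying the crypto map), plus legacy settings (3DES, DH group 1/2, a short pre-shared key). The embedded SAMPLE_CONFIG is a constructed excerpt of the posted Cisco1 config; the line-based parser and the exact-network ACL matching are simplifications that assume SDM-style configs.

```python
"""Cross-check a Cisco IOS site-to-site IPsec config: crypto ACL, NAT
exemption, route to the remote LAN and legacy crypto settings."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed excerpt of the posted "Cisco1" config, re-indented the way
# IOS prints it; only the lines the checks need are kept.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp key 123 address 82.15.1.2
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 82.15.1.2
 match address 100
interface FastEthernet4
 ip nat outside
 crypto map SDM_CMAP_1
ip route 192.168.20.0 255.255.255.0 FastEthernet4
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102
"""


class Ace(NamedTuple):
    action: str  # permit / deny
    src: str     # "net/wildcard" or "any"
    dst: str


ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (any|\S+ \S+) (any|\S+ \S+)$")
Finding = Tuple[str, str]  # (OK | WARN | FAIL, message)


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level line, indented sub-lines) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """First ACE covering src->dst; exact network or 'any' only (no subnet
    containment), which is enough for SDM-generated ACLs."""
    return next((a for a in acl if a.src in ("any", src) and a.dst in ("any", dst)), None)


def check_config(text: str) -> List[Finding]:
    blocks = parse_blocks(text)
    acls: Dict[str, List[Ace]] = {}
    for header, _ in blocks:
        m = ACE_RE.match(header)
        if m:
            acls.setdefault(m[1], []).append(Ace(m[2], m[3].replace(" ", "/"), m[4].replace(" ", "/")))
    out: List[Finding] = []

    # 1. Crypto map: ACL defining interesting traffic, and the interface it is bound to.
    cmap = crypto_acl = crypto_if = nat_rmap = nat_acl = None
    routes: Dict[Tuple[str, str], str] = {}
    for header, body in blocks:
        if header.startswith("crypto map ") and header.endswith("ipsec-isakmp"):
            cmap = header.split()[2]
            crypto_acl = next((l.split()[2] for l in body if l.startswith("match address ")), None)
        elif header.startswith("ip nat inside source route-map "):
            nat_rmap = header.split()[5]
        elif header.startswith("ip route "):
            _, _, net, mask, via = header.split()[:5]
            routes[(net, mask)] = via
    for header, body in blocks:  # second pass: names found above must be known
        if header.startswith("interface ") and f"crypto map {cmap}" in body:
            crypto_if = header.split()[1]
        elif header.startswith(f"route-map {nat_rmap} "):
            nat_acl = next((l.split()[3] for l in body if l.startswith("match ip address ")), None)
    interesting = [a for a in acls.get(crypto_acl, []) if a.action == "permit"]
    if not interesting:
        out.append(("FAIL", f"crypto ACL {crypto_acl} has no permit entry"))
    if crypto_if is None:
        out.append(("FAIL", f"crypto map {cmap} is not applied to any interface"))

    for ace in interesting:
        # 2. NAT exemption: the VPN flow must hit a deny in the NAT route-map ACL.
        hit = first_match(acls.get(nat_acl, []), ace.src, ace.dst)
        if hit is None or hit.action != "deny":
            out.append(("FAIL", f"{ace.src}->{ace.dst} would be NATed: ACL {nat_acl} has no deny before a permit"))
        else:
            out.append(("OK", f"{ace.src}->{ace.dst} is exempt from NAT (ACL {nat_acl})"))
        # 3. Routing: the remote LAN must leave through the crypto-map interface.
        if ace.dst == "any":
            continue
        net, wc = ace.dst.split("/")
        mask = ".".join(str(255 - int(o)) for o in wc.split("."))
        via = routes.get((net, mask))
        if via is None:
            out.append(("FAIL", f"no static route for remote LAN {net}"))
        elif via == crypto_if:
            out.append(("WARN", f"route to {net} names {via} only; on Ethernet this relies on the provider's proxy ARP, prefer a next-hop address"))
        elif via[0].isalpha():
            out.append(("FAIL", f"route to {net} exits {via}, not the crypto-map interface {crypto_if}"))
        else:
            out.append(("OK", f"route to {net} via next-hop {via}"))

    # 4. Legacy crypto settings.
    for header, body in blocks:
        if header.startswith("crypto isakmp policy"):
            for line in body:
                if line in ("encr des", "encr 3des"):
                    out.append(("WARN", f"{header}: '{line}' is legacy, use AES"))
                if line in ("group 1", "group 2"):
                    out.append(("WARN", f"{header}: DH {line} is 768/1024-bit, use group 14 or higher"))
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", header)
        if m and len(m[1]) < 16:
            out.append(("WARN", f"pre-shared key for {m[2]} is only {len(m[1])} characters"))
    return out


def worst(findings: List[Finding]) -> str:
    """Overall verdict: FAIL beats WARN beats OK."""
    rank = {"OK": 0, "WARN": 1, "FAIL": 2}
    return max((s for s, _ in findings), key=rank.__getitem__, default="OK")
```

Run against the posted config it reports the NAT exemption as OK, warns that the static route to 192.168.20.0 names FastEthernet4 with no next-hop (which only works if the upstream device answers proxy ARP), and flags 3DES, DH group 2 and the 3-character pre-shared key. It does not model the zone-based firewall policy, which is the other piece to inspect when the tunnel is up but hosts on the two LANs cannot reach each other.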