Cisco VPN site à site


Marsh Posté le 14-08-2009 à 11:07:37    

Bonjour à tous.  
 
Débutant total en Cisco. Voilà mon problème : j'ai configuré 2 routeurs Cisco 871 pour une connexion VPN site à site. Le VPN est monté, les 2 interfaces LAN de mes routeurs se pinguent.
Par contre, ping et/ou RDP impossibles entre 2 PC des 2 LAN (OK sur le même réseau). Comme c'est un environnement de test, j'ai mis des règles de firewall très larges, mais ça ne change rien. Le tracert depuis mes PC passe bien par l'interface LAN de leur routeur, mais rien sur les autres bonds.
Là je galère vraiment, au secours.
 
conf :
 
 
Building configuration...
 
Current configuration : 5167 bytes
!
! Running configuration of router "Cisco1" (site A, Cisco 871, IOS 12.4) for a site-to-site
! IPsec VPN with peer 82.15.1.2: local LAN 192.168.10.0/24 (Vlan1) <-> remote LAN 192.168.20.0/24.
! The SDM_* / sdm-* object names suggest most of it was generated by the SDM wizard.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Obfuscates type-7 passwords in "show run"; it does not protect the ISAKMP pre-shared key
! further down, which is still displayed in clear text.
service password-encryption
!
hostname Cisco1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
! NOTE(review): no logging buffer and no syslog host are configured, so nothing is retained
! for troubleshooting or incident review; "logging buffered" (and a remote syslog server)
! would help when debugging the tunnel.
no logging buffered
!
! AAA: logins and exec authorization are checked against the local user database
! (the "username admin" entry below).
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local  
!
!
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
! Self-signed certificate and its RSA key pair; presumably created for the HTTPS management
! server ("ip http secure-server" below).  It plays no part in IPsec peer authentication,
! which uses a pre-shared key.
crypto pki trustpoint TP-self-signed-4188366588
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4188366588
 revocation-check none
 rsakeypair TP-self-signed-4188366588
!
!
crypto pki certificate chain TP-self-signed-4188366588
 certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030  
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274  
  69666963 6174652D 34313838 33363635 3838301E 170D3039 30383133 30393039  
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649  
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31383833  
  36363538 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281  
  8100AB2D A3961F4D 60C9E5C1 0A91AB8B 461BC704 324CEE42 9B2E3066 65B1638E  
  EEDD49CB A1D7A0FC 272DEEC4 D806AD51 DD9328F3 B1512611 5175E2AB FD722210  
  46344ED6 982F5ACE A943BD70 8B044484 63849825 EEBB9F0A CCC87754 D6AFDCA4  
  C21DA1FC C664CA29 EEF7E0B3 F9F6477E EAA3AB42 000605C0 769C1F4E B16553AC  
  BDCF0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603  
  551D1104 0A300882 06436973 636F3130 1F060355 1D230418 30168014 60A71A78  
  5BFCA8F5 430FDE23 92EC35AC 7007B029 301D0603 551D0E04 16041460 A71A785B  
  FCA8F543 0FDE2392 EC35AC70 07B02930 0D06092A 864886F7 0D010104 05000381  
  8100281D FFE03167 0B7F9A63 92674E32 74F197CF 49326D0D 561F165F A73731AA  
  6BD8B0CD F8E9BD14 005D54C6 028A8C94 2147214E 7BB49BC2 9472B278 CB2D20AB  
  ECEDC516 D04FFA2D C46470D8 6D267752 4AF0D1D5 16E4ABB0 E972D1B8 6940BF68  
  A84234A2 2418700C 192C982B 20608C3E C7BB15DC B402831A D2FD8362 D2839E99 314B
   quit
dot11 syslog
! NOTE(review): source routing is enabled; it is rarely needed and is usually disabled on an
! Internet-facing router ("no ip source-route").
ip source-route
!
!
ip cef
!
!
!
!
! Local privilege-15 administrator; "secret 5" is a salted MD5 hash.
username admin privilege 15 secret 5 $1$3jD.$3S3sDgYolync.DLoVz5ZG0
!  
!
! IKE phase 1 (ISAKMP): 3DES, DH group 2, pre-shared key authentication; there is no "hash"
! line, so the IOS default (SHA-1) applies.  3DES and group 2 are weak by current standards;
! AES and a larger DH group are preferable when both routers support them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! NOTE(review): the pre-shared key "123" for this peer is trivially short and stored in
! clear text; use a long random key, and change it since this config has been posted publicly.
crypto isakmp key 123 address 82.15.1.2
!
!
! IKE phase 2 (IPsec SA): ESP with 3DES encryption and SHA-1 HMAC; tunnel mode
! (IOS default, no "mode" line).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
!
! Crypto map bound to the WAN interface (FastEthernet4): traffic matching ACL 100
! (192.168.10.0/24 -> 192.168.20.0/24) is encrypted towards peer 82.15.1.2.
crypto map SDM_CMAP_1 1 ipsec-isakmp  
 description Tunnel to82.15.1.2
 set peer 82.15.1.2
 set transform-set ESP-3DES-SHA  
 match address 100
!
archive
 log config
  hidekeys
!
!
!
! Zone-based firewall (ZBF) class maps.
! sdm-cls-VPNOutsideToInside-1: decrypted VPN traffic, remote LAN -> local LAN (ACL 101).
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 101
! "all": any TCP, UDP or ICMP.
class-map type inspect match-any all
 match protocol tcp
 match protocol udp
 match protocol icmp
! NOTE(review): this class is TCP/UDP/ICMP from any source to any destination (ACL "all" is
! "permit ip any any") and is evaluated before the VPN-specific class in the Out->Lan1
! policy, so that policy is not restricted to the remote VPN subnet; confirm this is
! intended even for the test setup.
class-map type inspect match-all sdm-cls-sdm-pol-VPNOutsideToInside-1-1
 match class-map all
 match access-group name all
! Cl-Map-All: any TCP, UDP or ICMP (same content as "all"), used for LAN -> WAN.
class-map type inspect match-all Cl-Map-All
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
! Out -> Lan1 policy: inspect any TCP/UDP/ICMP, "pass" (stateless, so return packets need
! their own permission) the VPN traffic of ACL 101, drop everything else.
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-VPNOutsideToInside-1-1
  inspect  
 class type inspect sdm-cls-VPNOutsideToInside-1
  pass
 class class-default
  drop
! Lan1 -> Out policy: stateful inspection of TCP/UDP/ICMP (return traffic of inspected
! sessions is allowed automatically), everything else dropped.
policy-map type inspect Ctrl-Prot-lan1-to-out
 class type inspect Cl-Map-All
  inspect  
 class class-default
  drop
!
! Security zones: Out = WAN (FastEthernet4), Lan1 = Vlan1.  Only these two zone pairs exist;
! no zone-pair involving the self zone is defined, so traffic to the router itself is not
! filtered by the ZBF.
zone security Out
zone security Lan1
zone-pair security Paire-Zone-lan1-out source Lan1 destination Out
 service-policy type inspect Ctrl-Prot-lan1-to-out
zone-pair security sdm-zp-VPNOutsideToInside-1 source Out destination Lan1
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
! FastEthernet0-3: no configuration here; presumably the 871's switch ports, members of Vlan1.
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! WAN: static public address, NAT outside, zone Out, crypto map attached.
interface FastEthernet4
 description $ETH-WAN$
 ip address 82.15.1.1 255.255.255.0
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 zone-member security Out
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
! LAN: 192.168.10.0/24, NAT inside, zone Lan1.
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security Lan1
!
ip forward-protocol nd
! Route to the remote LAN points at the WAN interface only (no next hop).  There is also no
! default route, so this router only reaches the directly connected 82.15.1.0/24 - fine while
! peer 82.15.1.2 sits on that subnet, but a real deployment needs a next-hop gateway and a
! default route.
ip route 192.168.20.0 255.255.255.0 FastEthernet4
! NOTE(review): both clear-text HTTP and HTTPS management are enabled with no
! "ip http access-class" restriction, and with no self-zone policy they presumably answer on
! the WAN address as well; prefer HTTPS only and limit management sources to trusted addresses.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
! PAT of the LAN behind the WAN address; route-map SDM_RMAP_1 (ACL 102) exempts
! 192.168.10.0/24 -> 192.168.20.0/24 from NAT so that VPN traffic still matches crypto ACL 100.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
! Not referenced anywhere in this config (NAT uses the route-map above); apparently a leftover.
ip access-list standard nat-lan1-out
 remark SDM_ACL Category=2
 permit 192.168.10.0 0.0.0.255
!
! Used by the ZBF class sdm-cls-sdm-pol-VPNOutsideToInside-1-1.
ip access-list extended all
 remark SDM_ACL Category=128
 permit ip any any
!
! ACL 100: crypto ACL ("interesting traffic") for crypto map SDM_CMAP_1.
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
! ACL 101: mirror of ACL 100, used by the ZBF "pass" class for decrypted inbound VPN traffic.
access-list 101 remark SDM_ACL Category=0
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! ACL 102: NAT exemption - deny (do not translate) VPN traffic, translate everything else
! from the LAN.
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
! NOTE(review): no "access-class" and no "transport input" line on the vty lines, and no
! "ip ssh" configuration is visible, so remote CLI access is likely clear-text Telnet from
! any source (confirm with "show line vty 0"); prefer "transport input ssh" plus an access-class.
line vty 0 4
!
scheduler max-task-time 5000
end
