Cisco VPN Tunnel - Traffic between two tunnels

2 replies in this topic

#1 RolfW

    Expert Member

  • 1,138 posts

 

Posted 25 February 2016 - 13:49

Hello everyone,

 

We have a Cisco 2921 as our gateway; the tunnels terminate on it, as do our users when they dial in from outside (Cisco client).

Now the users who are dialed in from outside want to access a server that until now we have only reached from the inside, via the VPN tunnel. How is that configured or routed?

 

The server in the tunnel has 192.168.84.75 and the dialed-in users have 192.168.40.21. Both terminate at the VPN gateway and do not pass through the firewall.

Many thanks.

Kind regards

Rolf


Edited by RolfW, 26 February 2016 - 12:28.

- Carpe Diem -

"I don't care anymore, I'll just leave it like that."

#2 Otaku19

    Expert Member

  • 1,948 posts

 

Posted 26 February 2016 - 11:10

Like it or not, you will have to post the important config parts... it would be important to know, for example, whether the clients do tunnel-all or whether only specific networks have been defined. You should omit/replace the PSK, descriptions and also the real IPs.


Done: 640-801; 640-553; 642-524; 642-515; 642-892; 642-832; 642-504; 640-863; 642-627; 642-874; 642-785; ITIL v3 Foundation
Enterasys Systems Engineer; CompTIA Sec+; CompTIA Mobility+; CISSP; CISSP-ISSAP; Barracuda NGSE/NGSX; CISM


#3 RolfW

    Expert Member

  • 1,138 posts

 

Posted 26 February 2016 - 12:16

Current configuration : 44094 bytes
!
version 15.4
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpn_01
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M3.bin
boot-end-marker
!
!
logging buffered 256000
enable secret 12345
!
aaa new-model
!
!
aaa group server radius Radius
 server 192.168.13.70 auth-port 9999 acct-port 9999
 server-private 192.168.13.70 auth-port 9999 acct-port 9999 key 12345
!
aaa authentication login default local
aaa authentication login RADIUS group Radius
aaa authorization exec default local
aaa authorization network VPNAUTHO local
aaa accounting update periodic 1
!
aaa session-id common
clock timezone MET 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!

no standby redirect
!

ip flow-cache timeout active 1
no ip bootp server
ip domain name domain.de
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-10947
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-10947
 revocation-check none
 rsakeypair TP-self-signed-10947
!
!
crypto pki certificate chain TP-self-signed-10947
 certificate self-signed 01
license udi pid CISCO2921/K9 sn 12345
!
!
archive
 log config
  hidekeys
username vpn privilege 15 secret 12345
!
redundancy
!
crypto isakmp policy 8
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 43200
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 16
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 25
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp policy 35
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 40
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 45
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp keepalive 15
crypto isakmp client configuration address-pool local DEFAULTPOOL
!
crypto isakmp client configuration group VPN
 key private
 dns 192.168.13.10 192.168.13.47
 wins 192.168.13.10 192.168.13.47
 domain domain.local
 pool DEFAULTPOOL
 backup-gateway 69.14.24.8
 max-users 250
 max-logins 10
!
crypto isakmp client configuration group VPN1
 key private
 dns 192.168.13.10 192.168.13.47
 wins 192.168.13.10 192.168.13.47
 domain domain.local
 pool DEFAULTPOOL
 backup-gateway 69.14.24.8
!
crypto isakmp client configuration group VPN2
 key private
 dns 192.168.13.10 192.168.13.47
 wins 192.168.13.10 192.168.13.47
 domain domain.local
 pool DEFAULTPOOL
 backup-gateway 69.14.24.8
!
crypto isakmp profile IKE-Profile-VPN1
   match identity group VPN1
   client authentication list RADIUS
   isakmp authorization list VPNAUTHO
   client configuration address respond
   accounting ipsecacc
   keepalive 15 retry 3
   virtual-template 2
crypto isakmp profile IKE-Profile-VPN2
   match identity group VPN2
   client authentication list RADIUS
   isakmp authorization list VPNAUTHO
   client configuration address respond
   keepalive 15 retry 3
   virtual-template 6
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set PSK-SA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TEST esp-3des esp-sha-hmac comp-lzs
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile IPSec-Profile-VPN1
 set transform-set ESP-3DES-MD5
 set isakmp-profile IKE-Profile-VPN1
!
crypto ipsec profile IPSec-Profile-VPN2
 set transform-set PSK-SA
 set isakmp-profile IKE-Profile-VPN2
!
crypto dynamic-map dynmap 50
 description test fuer version 3.6
 set transform-set ESP-3DES-MD5
!
!
crypto map outside_map client authentication list RADIUS
crypto map outside_map client accounting list ipsecacc
crypto map outside_map isakmp authorization list VPNAUTHO
crypto map outside_map client configuration address respond
!
crypto map outside_map 95 ipsec-isakmp
 description VPN Tunnel Partner
 set peer 15.19.13.13
 set security-association lifetime seconds 28800
 set transform-set PSK-SA
 match address 155

crypto map outside_map 100 ipsec-isakmp dynamic dynmap
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Management
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description DMZ
 ip address 192.168.222.3 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description Outside
 ip address 19.8.11.9 255.255.255.240
 ip access-group outside_in in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in max-reassemblies 512
 duplex auto
 speed auto
 no mop enabled
 crypto map outside_map
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSec-Profile-VPN1
!
interface Virtual-Template6 type tunnel
 ip unnumbered GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSec-Profile-VPN2

!
ip local pool DEFAULTPOOL 192.168.40.1 192.168.40.30
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.3.155 0000
!
ip nat pool Partner-PAT 192.168.84.54 192.168.84.54 netmask 255.255.255.240
...
ip nat inside source static 192.168.13.13 192.168.84.49 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.127 192.168.84.50 route-map NAT-Partner extendable
ip nat inside source static 192.168.111.150 192.168.84.51 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.17 192.168.84.52 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.18 192.168.84.53 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.140 192.168.84.55 route-map NAT-Partner extendable
ip nat inside source static 192.168.111.229 192.168.84.56 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.3 192.168.84.57 route-map NAT-Partner extendable
ip nat inside source static 192.168.13.5 192.168.84.58 route-map NAT-Partner extendable

ip route 0.0.0.0 0.0.0.0 19.8.11.11
...
!
ip access-list extended outside_in
 permit icmp any host 19.8.11.9
 permit esp any host 19.8.11.9
 permit udp any host 19.8.11.9 eq isakmp
 permit udp any host 19.8.11.9 eq non500-isakmp
 permit tcp any host 19.8.11.9 range 10000 10010
 permit tcp any host 19.8.11.9 eq 443
 deny   ip any any log
!
ip radius source-interface GigabitEthernet0/1
!
logging trap debugging
logging facility local6
logging source-interface GigabitEthernet0/1
logging host 192.168.13.155
!
route-map PAT-Partner permit 10
 match ip address 157
!
route-map NAT-Partner permit 10
 match ip address 156
!
snmp-server community test RO
snmp-server location RZ
snmp-server contact IT
snmp-server enable traps envmon
snmp-server enable traps aaa_server
snmp-server enable traps config
snmp-server enable traps frame-relay multilink bundle-mismatch
access-list 23 permit 192.168.161.65
access-list 23 permit 192.168.111.61
access-list 23 permit 192.168.111.1
access-list 23 permit 192.168.111.31
access-list 23 permit 192.168.13.227
access-list 23 permit 192.168.13.229
access-list 23 permit 192.168.13.222
access-list 23 permit 192.168.111.222
access-list 23 permit 192.168.40.167
access-list 23 permit 192.168.111.150
...
access-list 155 remark Tunnel Definition fuer Partner
access-list 155 permit ip 192.168.84.48 0.0.0.15 192.168.84.64 0.0.0.15
access-list 156 remark Tunnel Partner Zugriffe NAT
access-list 156 permit icmp host 192.168.13.5 192.168.84.64 0.0.0.15
...
access-list 157 remark Tunnel Partner Zugriffe PAT
access-list 157 permit ip 192.168.0.0 0.0.255.255 192.168.84.64 0.0.0.15
!
...
!
end

The client uses the Cisco client (group/password) with RADIUS authentication. The branch offices use EasyVPN, but they are not relevant at the moment.

With "tracert", the first IP is the public one of VPN_01, after that it stops. So the question would be whether the whole thing could be solved with "ip route ..." alone?

 

Many thanks.

Kind regards

Rolf


Edited by RolfW, 26 February 2016 - 12:17.

- Carpe Diem -

"I don't care anymore, I'll just leave it like that."
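The following IOS fragment is an added example for the question in posts #1 and #3; it is not part of the thread and not RolfW's configuration. It is derived from what the posted config shows. The site-to-site entry `crypto map outside_map 95` only encrypts traffic that matches access-list 155, i.e. source 192.168.84.48/28 to 192.168.84.64/28. A decrypted client packet 192.168.40.21 -> 192.168.84.75 is routed out Gi0/2 by the default route, fails that crypto ACL, leaves in clear and is dropped upstream, which is exactly the traceroute symptom (first hop the public address of vpn_01, then nothing). A plain `ip route` cannot fix this because the path is already correct; what is missing is translation of the client address into the 192.168.84.48/28 range before the crypto map is evaluated. Internal hosts already get that through route-map PAT-Partner (access-list 157 covers 192.168.0.0/16, which includes the pool 192.168.40.0/27) and pool Partner-PAT (192.168.84.54). The client groups carry no `acl`, so the clients tunnel everything, which is why the packet reaches vpn_01 at all. The example assumes the affected clients land on Virtual-Template2/6 (groups VPN1/VPN2 via the ISAKMP profiles), that the elided dynamic PAT statement exists in the form shown, and the ACL name VPN-CLIENT-IN is invented here.

```cisco
! Added example (not from the thread): let dial-in users on the
! Virtual-Template groups reach 192.168.84.75 behind the partner tunnel.
!
! Why it fails today: 192.168.40.21 -> 192.168.84.75 is decrypted, routed out
! Gi0/2 by the default route and checked against crypto map outside_map.
! Entry 95 only matches access-list 155 (source 192.168.84.48/28); the
! client source does not match, so the packet leaves in clear and dies
! upstream. "ip route" cannot change that; the source must be translated
! into 192.168.84.48/28 before the crypto map is evaluated.
!
! 1. Make the client-side interfaces NAT "inside". Decrypted client packets
!    then enter on a Virtual-Access interface, are translated by the existing
!    route-map PAT-Partner (access-list 157 already covers 192.168.0.0/16,
!    i.e. the pool 192.168.40.0/27) to 192.168.84.54, and match access-list
!    155 on the way out Gi0/2. IOS applies inside-to-outside NAT before the
!    crypto map check, and undoes it after decryption on the way back.
interface Virtual-Template2 type tunnel
 ip nat inside
 ip access-group VPN-CLIENT-IN in
!
interface Virtual-Template6 type tunnel
 ip nat inside
 ip access-group VPN-CLIENT-IN in
!
! 2. The dynamic PAT statement that the post elides ("...") must exist in
!    this form for route-map PAT-Partner to take effect (assumed, not shown):
ip nat inside source route-map PAT-Partner pool Partner-PAT overload
!
! 3. Advisable, since this traffic bypasses the firewall: allow the dial-in
!    users only the one server in the partner range. ACL name is invented.
ip access-list extended VPN-CLIENT-IN
 permit ip 192.168.40.0 0.0.0.31 host 192.168.84.75
 deny   ip 192.168.40.0 0.0.0.31 192.168.84.64 0.0.0.15 log
 permit ip any any
```

Changes to a Virtual-Template only apply to Virtual-Access interfaces created afterwards, so clients must reconnect. Then verify with `show ip nat translations | include 192.168.84.54` while a client reaches the server, and `show crypto ipsec sa peer 15.19.13.13` to see the encaps counters for the partner SA increase. Two caveats: clients in group VPN terminate on the crypto map itself (dynamic map dynmap), not on a Virtual-Template, so for them `ip nat inside` has no effect; either move that group to an ISAKMP profile with its own Virtual-Template like VPN1/VPN2, or extend access-list 155 with the pool 192.168.40.0/27 and have the partner mirror that entry in their crypto ACL. And other NAT statements elided from the post may now also match client traffic entering an inside interface; check `show ip nat translations` for unexpected entries. Independent of the routing problem, the ISAKMP policies and transform sets still using 3DES, MD5 and DH group 2 are weak by current standards; the example leaves them untouched.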