
VPN with IPsec problems



Hello everyone,

so I have set up a VPN connection to my Cisco 851W via IPsec -> EasyVPN Server using SDM. The clients connect with the Cisco VPN client.

Login and authentication work, after some initial teething problems. The clients also get IPs assigned from the vpn pool, in this case 192.168.5.0/24.

The intranet is configured with 192.168.10.0/24.

So now the problem.

How can I access the internal network with my VPN clients?

Which settings do I still need to make?

I cannot reach anything in 192.168.10.0/24.

Asking for your support.

Regards

hkjwj

P.S. There are still some configs left in from an earlier attempt to set up a VPN via PPTP; I will clean those out once the current problem is solved.

Here is the Cisco config.

Part 1

!This is the running config of the router: cisco

!----------------------------------------------------------------------------

!version 12.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname cisco

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 debugging

logging console critical

enable secret 5 $1$std.$9k6kMCiqUPwMk9ngg/0RX1

!

username privilege 15 secret 5

username privilege 15 secret 5

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

aaa new-model

!

!

aaa authentication login local_authen local

aaa authentication login userauthen local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec local_author local

aaa authorization network sdm_vpn_group_ml_1 local

aaa session-id common

ip subnet-zero

no ip source-route

!

!

ip cef

ip inspect name DEFAULT100 cuseeme

ip inspect name DEFAULT100 ftp

ip inspect name DEFAULT100 h323

ip inspect name DEFAULT100 icmp

ip inspect name DEFAULT100 rcmd

ip inspect name DEFAULT100 realaudio

ip inspect name DEFAULT100 rtsp

ip inspect name DEFAULT100 esmtp

ip inspect name DEFAULT100 sqlnet

ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 vdolive

ip tcp synwait-time 10

no ip bootp server

ip domain name fodt.local

ip name-server 86.59.24.122

ip name-server 62.157.101.211

ip ssh time-out 60

ip ssh authentication-retries 2

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 1

!

no ftp-server write-enable


crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 15

 

!

crypto isakmp client configuration group fodt.local.vpn

key zmzkfamn7s49keu

dns 192.168.10.20

domain fodt.local

pool SDM_POOL_2

netmask 255.255.0.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA6

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

bridge irb

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

no ip address

no cdp enable

!

interface FastEthernet1

no ip address

no cdp enable

!

interface FastEthernet2

no ip address

no cdp enable

!

interface FastEthernet3

no ip address

no cdp enable

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address 86.59.*.* 255.255.255.248

ip access-group 101 in

ip verify unicast reverse-path

no ip redirects

no ip proxy-arp

ip inspect DEFAULT100 out

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no cdp enable

crypto map SDM_CMAP_1

!

interface Virtual-Template1

ip unnumbered FastEthernet4

peer default ip address pool fodt.local

no keepalive

ppp encrypt mppe auto required

ppp authentication ms-chap

!

interface Dot11Radio0

no ip address

shutdown

!

ssid 1071CiscoWLan

authentication open

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2457

no cdp enable

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

no ip address

bridge-group 1

!

interface BVI1

description $ES_LAN$$FW_INSIDE$

ip address 192.168.10.1 255.255.255.0

ip access-group 100 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_2 192.168.5.10 192.168.5.15

ip classless

ip route 0.0.0.0 0.0.0.0 86.59.24.121

!


ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

ip nat pool fodt.nat.vpn 192.168.10.221 192.168.10.240 netmask 255.255.0.0

ip nat inside source static tcp 192.168.10.21 8081 interface FastEthernet4 8081

ip nat inside source static udp 192.168.10.99 5063 interface FastEthernet4 5063

ip nat inside source static udp 192.168.10.99 5062 interface FastEthernet4 5062

ip nat inside source static udp 192.168.10.21 24125 interface FastEthernet4 24125

ip nat inside source static udp 192.168.10.21 53 interface FastEthernet4 53

ip nat inside source static udp 192.168.10.98 5061 interface FastEthernet4 5061

ip nat inside source static udp 192.168.10.98 5060 interface FastEthernet4 5060

ip nat inside source static tcp 192.168.10.21 3389 interface FastEthernet4 49001

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

!

logging trap debugging

logging 192.168.10.20

access-list 1 remark INSIDE_IF=BVI1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 2 remark Auto generated by SDM Management Access feature

access-list 2 remark SDM_ACL Category=1

access-list 2 permit 192.168.10.0 0.0.0.255

access-list 100 remark auto-generated by Cisco SDM Express firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 permit udp host 192.168.10.21 eq domain any

access-list 100 permit udp host 192.168.10.20 eq domain any

access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq 22

access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq www

access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq 443

access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq cmd

access-list 100 deny tcp any host 192.168.10.1 eq telnet

access-list 100 deny tcp any host 192.168.10.1 eq 22

access-list 100 deny tcp any host 192.168.10.1 eq www

access-list 100 deny tcp any host 192.168.10.1 eq 443

access-list 100 deny tcp any host 192.168.10.1 eq cmd

access-list 100 deny udp any host 192.168.10.1 eq snmp

access-list 100 deny ip 86.59.24.120 0.0.0.7 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto-generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip host 192.168.5.10 any

access-list 101 permit ip host 192.168.5.11 any

access-list 101 permit ip host 192.168.5.12 any

access-list 101 permit ip host 192.168.5.13 any

access-list 101 permit ip host 192.168.5.14 any

access-list 101 permit ip host 192.168.5.15 any

access-list 101 permit udp any host 86.59.24.126 eq non500-isakmp

access-list 101 permit udp any host 86.59.24.126 eq isakmp

access-list 101 permit esp any host 86.59.24.126

access-list 101 permit ahp any host 86.59.24.126

access-list 101 permit tcp any host 86.59.24.126 eq 49001

access-list 101 permit udp host 62.157.101.211 eq domain host 86.59.24.126

access-list 101 remark Auto generated by SDM for NTP (123) 86.59.24.122

access-list 101 permit udp host 86.59.24.122 eq ntp host 86.59.24.126 eq ntp


access-list 101 remark bit client

access-list 101 permit tcp any host 86.59.24.126 eq 24125

access-list 101 remark bit client webui

access-list 101 permit tcp any host 86.59.24.126 eq 8081

access-list 101 remark wow -dwnl f wsxp01

access-list 101 permit tcp any host 86.59.24.126 eq 3724

access-list 101 remark wow -dwnl f wsxp01

access-list 101 permit tcp any host 86.59.24.126 eq 6112

access-list 101 remark dns

access-list 101 permit udp any host 86.59.24.126 eq domain log

access-list 101 remark VoIP SuppPhone

access-list 101 permit udp any host 86.59.24.126 eq 5063 log

access-list 101 remark VoIP Fax

access-list 101 permit udp any host 86.59.24.126 eq 5062 log

access-list 101 remark VoIP FMUO

access-list 101 permit udp any host 86.59.24.126 eq 5061 log

access-list 101 remark VoIP HauptRN

access-list 101 permit udp any host 86.59.24.126 eq 5060 log

access-list 101 permit udp host 62.157.101.211 eq domain any

access-list 101 permit udp host 86.59.24.122 eq domain any

access-list 101 permit udp host 86.59.24.122 eq domain host 86.59.24.126

access-list 101 permit udp host 192.168.10.20 eq domain host 86.59.24.126

access-list 101 deny ip 192.168.10.0 0.0.0.255 any

access-list 101 permit icmp any host 86.59.24.126 echo-reply

access-list 101 permit icmp any host 86.59.24.126 time-exceeded

access-list 101 permit icmp any host 86.59.24.126 unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark SDM_ACL Category=1

access-list 102 permit ip 192.168.10.0 0.0.0.255 any

access-list 103 remark SDM_ACL Category=2

access-list 103 deny ip any host 192.168.5.10

.....

access-list 103 deny ip any host 192.168.5.15

access-list 103 deny ip any host 192.168.10.200

access-list 103 deny ip any host 192.168.10.201

....

access-list 103 deny ip any host 192.168.10.219

access-list 103 deny ip any host 192.168.10.220

access-list 103 permit ip 192.168.10.0 0.0.0.255 any

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 103

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login authentication local_authen

no modem enable

transport preferred all

transport output telnet

line aux 0

login authentication local_authen

transport preferred all

transport output telnet

line vty 0 4

access-class 102 in

authorization exec local_author

login authentication local_authen

transport preferred all

transport input telnet ssh

transport output all

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

ntp clock-period 17175232

ntp server 86.59.*.* source FastEthernet4


no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

 

hostname cisco

 

boot-start-marker

boot-end-marker

 

logging buffered 51200 debugging

logging console critical

enable secret 5 $1$mPyx$lu6Z5wUTRvJHKK7ypbVL61

 

username Besitzer51 privilege 15 secret 5 $1$Am4v$F2Z6YNdd6hMvyz2UT1afi/

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

aaa new-model

 

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa session-id common

ip subnet-zero

no ip source-route

 

ip cef

ip tcp synwait-time 10

no ip bootp server

ip domain name fodt.local

ip name-server 192.168.10.20

ip name-server 192.168.10.21

ip ssh time-out 60

ip ssh authentication-retries 2

no ftp-server write-enable

 

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 15

 

crypto isakmp client configuration group fodt.local.vpn

key IERvbWFpbiBUZWNobmljcyAmIElUMRQwEgYDVQQDEwtuczEuZm9kdC5p

dns 192.168.5.20

domain fodt.local

pool SDM_POOL_1

netmask 255.255.255.0

 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

 

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

 

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

 

bridge irb

 

interface FastEthernet0

no ip address

no cdp enable

 

interface FastEthernet1

no ip address

no cdp enable

 

interface FastEthernet2

no ip address

no cdp enable

 

interface FastEthernet3

no ip address

no cdp enable

 

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address 86.59.24.126 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no cdp enable

crypto map SDM_CMAP_1

 

interface Dot11Radio0

no ip address

 

ssid 1071CiscoWLan

authentication open

 

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

no cdp enable

bridge-group 1

bridge-group 1 spanning-disabled

 

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

no ip address

bridge-group 1

 

interface BVI1

description $ES_LAN$

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

 

ip local pool SDM_POOL_1 192.168.5.10 192.168.5.15

ip classless

ip route 0.0.0.0 0.0.0.0 86.59.24.121

 

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 5 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

 

logging trap debugging

access-list 1 remark INSIDE_IF=BVI1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 remark SDM_ACL Category=2

access-list 100 deny ip any host 192.168.5.10

access-list 100 deny ip any host 192.168.5.11

access-list 100 deny ip any host 192.168.5.12

access-list 100 deny ip any host 192.168.5.13

access-list 100 deny ip any host 192.168.5.14

access-list 100 deny ip any host 192.168.5.15

access-list 100 permit ip 192.168.10.0 0.0.0.255 any

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 100


control-plane

 

bridge 1 protocol ieee

bridge 1 route ip

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

 

line con 0

no modem enable

transport preferred all

transport output telnet

line aux 0

transport preferred all

transport output telnet

line vty 0 4

transport preferred all

transport input telnet ssh

transport output all

 

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

 

-

 

Excerpt from the client's ipconfig

 

Verbindungsspezifisches DNS-Suffix: fodt.local

Beschreibung: Cisco Systems VPN Adapter

Physikalische Adresse: 00-05-9A-3C-78-00

DHCP aktiviert.: Nein

IP-Adresse: 192.168.5.15

Subnetzmaske: 255.255.255.0

Standardgateway : 192.168.5.15

DNS-Server.: 192.168.5.20

 

-

 

Excerpt from the ipconfig of the server in 192.168.10.0/24

 

 

 

Ethernet-Adapter fodt.local.2:

...

IP-Adresse : 192.168.5.21

Subnetzmaske: 255.255.255.0

IP-Adresse: 192.168.10.21

Subnetzmaske: 255.255.255.0

Standardgateway: 192.168.10.1

DNS-Server : 127.0.0.1

 

Ethernet-Adapter fodt.local:

IP-Adresse: 192.198.5.20

Subnetzmaske: 255.255.255.0

IP-Adresse: 192.168.10.20

Subnetzmaske: 255.255.255.0

Standardgateway:

DNS-Server: 127.0.0.1

 

I don't think it's the ACLs, since there are none now; I rather think it's the routing, because as I understand it the 192.168.5.* address is now encapsulated in the Cisco.

I really just need some configuration help so that the encapsulated IP is routed on to 192.168.10.x, but I can't put that together.
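Two conditions a practitioner would check on this setup, as an added example that is not part of the post or of Cisco SDM: that every pool address is exempted from the NAT route-map (the posted ACL 100 does this), and that no LAN host carries an address inside 192.168.5.0/24, because the server's ipconfig shows 192.168.5.21 on its LAN adapter and such a host answers VPN clients on-link instead of sending via 192.168.10.1. The config excerpt and host addresses are constructed from the post.

```python
"""Added example (not from the forum post or Cisco): two checks for the
EasyVPN setup above. nat_leaks() reads a constructed excerpt of the posted
second config and reports pool addresses the NAT route-map would still
translate. onlink_conflicts() takes a LAN host's ipconfig addresses and
reports those whose subnet covers the VPN pool."""
import ipaddress
import re

# Constructed excerpt: the pool, NAT and route-map lines of the posted config.
CONFIG = """\
ip local pool SDM_POOL_1 192.168.5.10 192.168.5.15
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 deny ip any host 192.168.5.10
access-list 100 deny ip any host 192.168.5.11
access-list 100 deny ip any host 192.168.5.12
access-list 100 deny ip any host 192.168.5.13
access-list 100 deny ip any host 192.168.5.14
access-list 100 deny ip any host 192.168.5.15
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

def pool_addresses(cfg):
    """Every address handed out by the 'ip local pool' line."""
    first, last = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M).groups()
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]

def nat_leaks(cfg):
    """Pool addresses not denied in the ACL the NAT route-map matches on.
    LAN replies to such a client would be PATed to the WAN address and lost."""
    rmap = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M).group(1)
    acl = re.search(r"^route-map %s permit \d+\n\s*match ip address (\d+)"
                    % re.escape(rmap), cfg, re.M).group(1)
    denied = {ipaddress.ip_address(h) for h in
              re.findall(r"^access-list %s deny ip any host (\S+)" % acl, cfg, re.M)}
    return [str(a) for a in pool_addresses(cfg) if a not in denied]

def onlink_conflicts(host_addrs, pool_cidr):
    """host_addrs: (address, mask) pairs from a LAN host's ipconfig.
    Returns the addresses whose connected subnet overlaps the VPN pool: the
    host then ARPs for VPN clients locally instead of sending via the router."""
    pool = ipaddress.ip_network(pool_cidr)
    return [addr for addr, mask in host_addrs
            if ipaddress.ip_network("%s/%s" % (addr, mask), strict=False).overlaps(pool)]

if __name__ == "__main__":
    print("pool addresses still NATed:", nat_leaks(CONFIG))
    # Constructed from the posted server ipconfig (adapter fodt.local.2).
    server = [("192.168.5.21", "255.255.255.0"), ("192.168.10.21", "255.255.255.0")]
    print("server addresses covering the pool:", onlink_conflicts(server, "192.168.5.0/24"))
```

Removing one deny line from the excerpt shows how a missing NAT exemption is reported; the on-link check is what explains why a second address in the pool subnet on the server stops replies from reaching the router.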
