Sternenkind

Vpn 836 - 836

Since the last thread has a misleading title (NHRP was a flop) and has meanwhile become very confusing, here is a new attempt:

 

The point of the exercise is a VPN between Kiel (dynamic IP) and Lübeck (fixed IP).

 

The Kiel router is sitting on my desk for testing and is still on the Internet via ISDN. It is supposed to bring up the connection automatically and keep it open.

 

The Lübeck one is on DSL, with getacom as the provider.

The ISDN interface dials in to T-Online as needed to fetch mail.

It accepts VPN connections from Windows clients.

It is supposed to accept a connection from the Kiel router, which does not work.

 

Lübeck config, slightly shortened:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname shandy
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging buffered
enable secret xxxxxxxxxxxxx
!
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1
!
!
ip domain name IT-Blankensee.de
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw http
ip ips po max-events 100
ip ssh version 2
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
 ip mtu adjust
!
vpdn-group 2
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
!
no ftp-server write-enable
isdn switch-type basic-net3
!
!
username xxx
username xxx
username xxx
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address 0.0.0.0 0.0.0.0
crypto isakmp identity dn
crypto isakmp keepalive 30 3
crypto isakmp aggressive-mode disable
no crypto isakmp ccm
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto dynamic-map dynvpn 10
 set transform-set strong
 match address 104
!
!
crypto map vpn 10 ipsec-isakmp dynamic dynvpn
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1456
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BRI0
 description connected to T-Online
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw in
 ip virtual-reassembly
 encapsulation ppp
 dialer string 0191011
 dialer hold-queue 10
 dialer-group 2
 isdn switch-type basic-net3
 isdn answer1 4982860
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx
 ppp ipcp dns request
 ppp ipcp wins request
!
interface ATM0
 no ip address
 load-interval 30
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 1/32
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed 10
!
interface Virtual-Template2
 ip unnumbered Ethernet0
 peer default ip address pool mypool
 ppp pfc local request
 ppp pfc remote apply
 ppp acfc local request
 ppp acfc remote apply
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2
 ppp ipcp dns 192.168.1.34
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxx
 ppp chap password xxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map vpn
!
ip local pool mypool 192.168.2.1 192.168.2.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 194.25.134.0 255.255.255.0 BRI0
!
ip http server
no ip http secure-server
!
ip nat inside source route-map bri interface BRI0 overload
ip nat inside source route-map dial interface Dialer1 overload
!
logging 192.168.1.2
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit tcp any any eq pop3
access-list 103 permit tcp any any eq smtp
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 remark NAT
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit tcp any any established
access-list 111 permit tcp any any eq 1723
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 111 permit tcp any any eq 22
access-list 111 permit udp any any eq non500-isakmp
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip list 103
!
route-map dial permit 10
 match ip address 110
 match interface Dialer1
!
route-map bri permit 10
 match ip address 110
 match interface BRI0
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
no rcapi server
!
!
end

Kiel config:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sarah
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging buffered
enable secret xxx
!
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.3.1
!
!
ip domain name IT-Blankensee.de
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip ips po max-events 100
ip ssh version 2
no ftp-server write-enable
isdn switch-type basic-net3
!
!
username xxx
!
!
crypto isakmp key xxx address 213.9.122.185
crypto isakmp identity dn
crypto isakmp keepalive 30 3
crypto isakmp aggressive-mode disable
no crypto isakmp ccm
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 213.9.122.185
 set transform-set strong
 match address 104
!
!
!
interface Ethernet0
 description innen
 ip address 192.168.3.1 255.255.255.0
 ip mtu 1456
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BRI0
 description connected to T-Online
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw in
 ip virtual-reassembly
 encapsulation ppp
 dialer string 0191011
 dialer hold-queue 10
 dialer-group 2
 isdn switch-type basic-net3
 isdn answer1 4982860
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map vpn
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0
!
ip http server
no ip http secure-server
!
ip nat inside source list 102 interface BRI0 overload
!
logging 192.168.3.2
access-list 23 permit 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 permit tcp any any eq pop3
access-list 103 permit tcp any any eq smtp
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit tcp any any established
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
 transport input ssh
!
scheduler max-task-time 5000
no rcapi server
!
!
end

 

I would be very grateful for any help :)

 

And since I don't want to keep asking dumb questions, one more question :D

Is there a practice-oriented, affordable Cisco course for people who want to get reasonably good at it and aren't necessarily aiming for an exam?


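Added example, not part of the thread and not the poster's code: a small Python checker for the first-match ordering problems that can be read straight off the two configs above. IOS walks a numbered ACL top-down and stops at the first hit, so an entry that follows a broader one is dead. Two things in shandy's config fall under that: in ACL 111 the `permit tcp any any eq 22` and `permit udp any any eq non500-isakmp` lines come after `deny ip any any`, and in ACL 110 (the ACL both NAT route-maps match on) the two `deny` lines meant to keep VPN traffic out of NAT come after `permit ip 192.168.1.0 0.0.0.255 any`. Because inside-to-outside NAT runs before the crypto map on the outbound path, 192.168.1.0/24 to 192.168.3.0/24 traffic gets translated to the Dialer1 address and then no longer matches crypto ACL 104. sarah has the same problem one step further along: its NAT statement references ACL 102, which has no deny at all, while the ACL 110 that does carry the deny is referenced by nothing. The parser below is my own and handles only the `access-list N action proto src [op] dst [op] ...` syntax used on this page; the ACL lines are copied from the posted configs (ACL 111 trimmed to its tail, since the earlier entries all carry a port or ICMP-type qualifier and do not change the result). `nat_exempt_vpn` emits the NAT ACL in the usual exemption layout (VPN denies first, then the permit) so the lines can be pasted back in.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Sample input: ACL lines copied from the two configs in this thread (ACL 111 trimmed to its tail).
SHANDY_ACL_110 = [
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255",
]
SHANDY_ACL_104 = ["access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"]
SHANDY_ACL_111 = [
    "access-list 111 permit tcp any any established",
    "access-list 111 permit gre any any",
    "access-list 111 deny ip any any",
    "access-list 111 permit tcp any any eq 22",
    "access-list 111 permit udp any any eq non500-isakmp",
]
SARAH_ACL_102 = ["access-list 102 permit ip 192.168.3.0 0.0.0.255 any"]
SARAH_ACL_104 = ["access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"]

_PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> operand count


@dataclass(frozen=True)
class Ace:
    text: str
    number: int
    action: str       # permit | deny
    proto: str        # ip, tcp, udp, icmp, esp, gre, ...
    src: IPv4Network
    dst: IPv4Network
    qualifiers: str   # ports, "established", ICMP type: anything that narrows the match

    def covers(self, other: Ace) -> bool:
        """Every packet matching `other` also matches self, so `other` is dead after self."""
        return (self.qualifiers == "" and self.proto in ("ip", other.proto)
                and self.src.supernet_of(other.src) and self.dst.supernet_of(other.dst))

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst  # ports not modelled


def _addr(t: list[str], i: int) -> tuple[IPv4Network, int]:
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(t[i + 1])))  # wildcard -> netmask (contiguous assumed)
    return IPv4Network((t[i], str(mask)), strict=False), i + 2


def _ports(t: list[str], i: int) -> tuple[list[str], int]:
    """Consume an optional port operator such as "eq 22" or "range 1 5"."""
    if i < len(t) and t[i] in _PORT_OPS:
        n = 1 + _PORT_OPS[t[i]]
        return t[i:i + n], i + n
    return [], i


def parse_acl(lines: list[str]) -> list[Ace]:
    """Parse numbered-ACL lines; remarks and anything else are skipped."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _ports(t, i)
        dst, i = _addr(t, i)
        dport, i = _ports(t, i)
        aces.append(Ace(line, int(t[1]), t[2], t[3], src, dst, " ".join(sport + dport + t[i:])))
    return aces


def shadowed(aces: list[Ace]) -> list[str]:
    """Entries that can never match because an earlier entry covers them."""
    return [a.text for n, a in enumerate(aces) if any(e.covers(a) for e in aces[:n])]


def vpn_traffic_natted(nat_acl: list[Ace], crypto_acl: list[Ace]) -> list[str]:
    """Crypto-ACL flows whose first NAT-ACL hit is a permit: translated on the way out, so never encrypted."""
    probe = lambda n: n[1] if n.num_addresses > 1 else n[0]  # one host out of each network
    hits = []
    for c in crypto_acl:
        first = next((a for a in nat_acl if a.matches(c.proto, probe(c.src), probe(c.dst))), None)
        if c.action == "permit" and first is not None and first.action == "permit":
            hits.append(c.text)
    return hits


def _ios_addr(net: IPv4Network) -> str:
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"  # address + wildcard


def nat_exempt_vpn(nat_acl: list[Ace], crypto_acl: list[Ace]) -> list[str]:
    """NAT ACL in exemption layout: one deny per crypto permit, existing denies, then permits (no duplicates)."""
    num = nat_acl[0].number
    new = [f"access-list {num} deny {c.proto} {_ios_addr(c.src)} {_ios_addr(c.dst)}"
           for c in crypto_acl if c.action == "permit"]
    old = [a.text for a in nat_acl if a.action == "deny"] + [a.text for a in nat_acl if a.action == "permit"]
    out: list[str] = []
    for line in new + old:
        if line not in out:
            out.append(line)
    return out
```

What the ACLs alone cannot show: sarah has no `crypto isakmp policy` of its own, so it offers only the IOS default ISAKMP policy, which does not use pre-shared keys even though a `crypto isakmp key` is configured; shandy's policy 10 (3des, pre-share, group 2) needs a matching policy on sarah. `show crypto isakmp sa` and `debug crypto isakmp` on shandy will tell you whether phase 1 completes at all before you chase the NAT ordering.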