Samuraj fórum - Cisco, sítě, doména

[lukemikro]

Ahoj,
mám rozjetou site-to-site VPN mezi Cisco 1812 a ASA, jenže mi z routeru 1812 nefunguje provoz do Internetu, veškerý provoz mi jde do tunelu. Z routeru nepingnu ani GW providera. Nějaký nápad? Díky moc

[tata_tulen]

Imho to bude chyba v ACLku na strane routeru... Konfigurace by nebyla?

[lukemikro]

Tady je runconfig z 1812-tky
!
version 12.4
!
resource policy
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.4.1 172.20.4.49
ip dhcp excluded-address 172.20.4.101 172.20.4.255
!
ip dhcp pool dhcppool1
import all
network 172.20.4.0 255.255.255.0
default-router 172.20.4.1
dns-server 172.19.100.1 172.19.100.2
lease 7
!
!
ip inspect name myfirewall tcp
ip inspect name myfirewall udp
ip inspect name myfirewall icmp
ip inspect name myfirewall ftp
ip inspect name myfirewall isakmp
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXX address X.X.50.22 no-xauth
crypto isakmp nat keepalive 20
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map wants_map 1 ipsec-isakmp
set peer X.X.50.22
set ip access-group acl-vpn in
set ip access-group acl-vpn out
set transform-set ESP-3DES-SHA
match address VPNlist
!
!
interface FastEthernet0
ip address X.X.50.37 255.255.255.0
ip nat outside
ip inspect myfirewall out
ip virtual-reassembly
duplex auto
speed auto
crypto map wants_map
!
!
interface Vlan1
ip address 172.20.4.1 255.255.255.0
ip access-group from-LAN in
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 X.X.50.1
!
!
ip nat inside source list nat-acl interface FastEthernet0 overload
!
ip access-list extended VPNlist
permit ip 172.20.4.0 0.0.0.255 172.19.0.0 0.0.255.255
ip access-list extended acl-vpn
permit ip any any
ip access-list extended from-LAN
permit tcp any host 172.19.100.5 eq smtp
deny tcp any any eq smtp
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
ip access-list extended nat-acl
deny ip 172.20.4.0 0.0.0.255 172.19.0.0 0.0.255.255
permit ip 172.20.4.0 0.0.0.255 any
!



Díky za každou pomoc

[tata_tulen]

No jasny - kdyz je v definici tunelu aclko s "ip any any", tak do toho tunelu samozrjeme komplet traffic, protoze kryptomapy se procesujou driv nez routing (nebo jak je to poradi, uz nevim). ACLko pro tunel zasadne musi popisovat jen traffic, kterej skrz tunel ma jit, tedy v tomto pripade extended ip ACL s LAN subnetem jako source a subnetem za tunelem jako destination. Tento provoz se pak samozrjeme musi vyjmout z NATu, aby se to mohlo priradit spravny cryptomape (nekdy se to znaci "NAT 0", ale nevim, jak je to na routerech, mam s tim zkusenost jen z PIX/ASA)

[tata_tulen]

Tuhle je vycuc z konfigu nasi ASA, myslim, ze to bude zrejmy (10.254.254.0/24 je LAN subnet, ostatni dva C subnety jsou za tunelem):

Kód: Vybrat vše

access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 192.168.253.0 255.255.255.0
!
access-list outside_cryptomap_3 extended permit ip 10.254.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.254.254.0 255.255.255.0 192.168.253.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer w.x.y.z
crypto map outside_map 3 set transform-set esp-3des-sha
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key <sekret>
isakmp keepalive threshold 180 retry 2


[lukemikro]

áááá, no to je hold chyba začátečníka. Díky moc za pomoc, už to jede. To pořadí v jakém se jednotlivé kroky provádí, mi nějak uniklo. Ještě jednou díky, díky, díky.

[tata_tulen]

Za malo, takhle jsem si sam parkrat naletel

P.S. - at zije (temer) absolutni rym (diky moc za pomoc )

[lukemikro]

Ještě bych měl otázku. Za Cisco 1812 mám síť 172.20.4.0 a za ASA má sítě 172.19.0.0 a 192.168.3.0. Je možné přistupovat ze sítě za 1812 do obou sítí za ASA skrz tu jednu site-to-site VPN?

[tata_tulen]

Ano, to je presne pripad konfigurace, kterou jsem postnul - ASA ma lokalni sit 10.254.254.0/24, ktera via tunel pristupuje na site 192.168.1.0/24 a 192.168.253.0/24. Co napises do ACLka, to kryptomapa chyti, zasifruje a posle do tunelu. Na druhy strane samozrejme musi bejt tunel nastavenej zrcadlove, aby dorazila odpoved