Forum Cisco-BR (practice exams, simulators, study guides, Brazilian forum)
Thread: vpn
brangel (Associate)
Subject: vpn | Fri Jul 17, 2009 10:11 pm
Guys, I need to set up another VPN!
I wrote the script and it looks like this!!!
Hub router 2811 configuration (IOS c2800nm-adventerprisek9-mz.124-24.T.bin)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco19216 address 187.X.X.X no-xauth
!
crypto ipsec transform-set 192168cisco esp-3des esp-md5-hmac
!
crypto map VPN 19216 ipsec-isakmp
 set peer 187.X.X.X
 set transform-set 192168cisco
 match address 192
 reverse-route
!
ip route 192.168.5.0 255.255.255.0 187.X.X.X
ip route 192.168.6.0 255.255.255.0 187.X.X.X
!
interface FastEthernet0/1
 description ****CONEXAO INTERNET****
 ip address 200.X.X.X 255.255.255.248
 duplex auto
 speed auto
 crypto map VPN
------------------------------------------------------------
Remote site configuration (IOS c2801-adventerprisek9-mz.124-22.T1.bin)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco192168 address 200.X.X.X no-xauth
!
crypto ipsec transform-set 192168cisco esp-3des esp-md5-hmac
!
crypto map VPN 192168 ipsec-isakmp
 set peer 200.X.X.X
 set transform-set 192168cisco
 match address 192
 reverse-route
!
interface FastEthernet0/0.1
 description ****VLAN DADOS****
 encapsulation dot1Q 1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no shut
!
interface FastEthernet0/0.2
 description ****VLAN VOZ****
 encapsulation dot1Q 2
 ip address 192.168.5.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address 187.X.X.X 255.255.255.224.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 187.X.X.X
ip route 192.168.1.0 255.255.255.0 200.X.X.X
ip route 192.168.2.0 255.255.255.0 200.X.X.X
ip route 192.168.3.0 255.255.255.0 200.X.X.X
ip route 192.168.4.0 255.255.255.0 200.X.X.X
ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 any
access-list 111 permit ip 192.168.6.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 111
!
------------------------------------------------------------
If anyone could check whether the configurations are correct, I would be very grateful!
Nakano (Admin)
Subject: Re: vpn | Sat Jul 18, 2009 12:37 am
Hello, good evening.
The VPN part of the config looks correct, but the routing part looks a bit odd.
In the case of the 2811 hub router an outbound route is required; it can be a default route like in the config below, because the CPE needs to know how to reach the peer 187.X.X.X.
Besides that, either you left out ACL 192 or you forgot it (it selects the interesting traffic to go through the VPN).
Regards
brangel (Associate)
Subject: Re: vpn | Sun Jul 19, 2009 5:56 pm
Hello Nakano! So do I need to create an ACL similar to the one that was created?
Thanks
Nakano (Admin)
Subject: Re: vpn | Sun Jul 19, 2009 11:10 pm
brangel (Associate)
Subject: Re: vpn | Mon Jul 20, 2009 12:18 pm
Nakano, I created the ACL, and it looks like this:
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
How do I test whether my VPN is OK?
brangel (Associate)
Subject: Re: vpn | Mon Jul 20, 2009 3:48 pm
Hello Nakano, I could not get it to connect. My config looks like this:
Headquarters
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco19216 address 187.X.X.X no-xauth
!
crypto ipsec transform-set 192168cisco esp-3des esp-md5-hmac
!
crypto map VPN 19216 ipsec-isakmp
 set peer 187.X.X.X
 set transform-set 19216cisco
 match address 111
 reverse-route
!
ip route 192.168.5.0 255.255.255.0 187.X.X.X
ip route 192.168.6.0 255.255.255.0 187.X.X.X
!
interface FastEthernet0/1
 description ****CONEXAO INTERNET****
 ip address 200.X.X.X 255.255.255.248
 duplex auto
 speed auto
 crypto map VPN
!
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
access-list 111 permit ip 192.168.3.0 0.0.0.255 any
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
!
access-list 192 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 permit ip 192.168.1.0 0.0.0.255 any
access-list 192 permit ip 192.168.2.0 0.0.0.255 any
access-list 192 permit ip 192.168.3.0 0.0.0.255 any
access-list 192 permit ip 192.168.4.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 192
------------------------------------------------------------
Branch
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco192168 address 200.X.X.X no-xauth
!
crypto ipsec transform-set 192168cisco esp-3des esp-md5-hmac
!
crypto map VPN 19216 ipsec-isakmp
 set peer 200.X.X.X
 set transform-set 19216cisco
 match address 111
 reverse-route
!
interface FastEthernet0/0.1
 description ****VLAN DADOS****
 encapsulation dot1Q 1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no shut
!
interface FastEthernet0/0.2
 description ****VLAN VOZ****
 encapsulation dot1Q 2
 ip address 192.168.5.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address 187.X.X.X 255.255.255.224.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 187.X.X.X
ip route 192.168.1.0 255.255.255.0 200.X.X.X
ip route 192.168.2.0 255.255.255.0 200.X.X.X
ip route 192.168.3.0 255.255.255.0 200.X.X.X
ip route 192.168.4.0 255.255.255.0 200.X.X.X
ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 any
access-list 111 permit ip 192.168.6.0 0.0.0.255 any
!
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 192 permit ip 192.168.5.0 0.0.0.255 any
access-list 192 permit ip 192.168.6.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 192
!
------------------------------------------------------------
If possible, check whether the configs are OK.
And how do I test it?
brangel (Associate)
Subject: Solution | Fri Oct 09, 2009 10:25 am
Good morning everyone! I managed to solve this VPN problem; I could not reply sooner because I was away for a while. But since the problem was solved, I thought it would be good to post the configuration script for the sites, so it can help other people.
What I actually noticed was that the sites were not bringing up the tunnel because there was an ACL blocking the traffic between the sites (I noticed this after the guidance in the comment above), so I separated the ACL for the traffic through the tunnel (access-list 111) from the ACL for the NAT process (access-list 192).
So the configuration ended up like this:
Hub router 2811 configuration (IOS c2800nm-adventerprisek9-mz.124-24.T.bin)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! the pre-shared key must be identical on both peers (as posted, the hub shows
! cisco19216 and the remote site shows cisco192168)
crypto isakmp key cisco19216 address 187.X.X.X no-xauth
!
! as posted, the transform set was defined as "19216cisco" but referenced below
! as "192168cisco"; the name is corrected here so the crypto map can reference it
crypto ipsec transform-set 192168cisco esp-3des esp-md5-hmac
!
crypto map VPN 19216 ipsec-isakmp
 set peer 187.X.X.X
 set transform-set 192168cisco
 match address 111
 reverse-route
!
ip route 192.168.5.0 255.255.255.0 187.X.X.X
ip route 192.168.6.0 255.255.255.0 187.X.X.X
!
interface FastEthernet0/1
 description ****CONEXAO INTERNET****
 ip address 200.X.X.X 255.255.255.248
 duplex auto
 speed auto
 crypto map VPN
!
! ACL 111: interesting traffic for the crypto map (permit entries only)
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
!
! ACL 192: NAT exemption; the same LAN-to-LAN flows are denied (not translated),
! everything else from the local LANs is overloaded to the outside interface
access-list 192 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 192 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 permit ip 192.168.1.0 0.0.0.255 any
access-list 192 permit ip 192.168.2.0 0.0.0.255 any
access-list 192 permit ip 192.168.3.0 0.0.0.255 any
access-list 192 permit ip 192.168.4.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 192
------------------------------------------------------------
Remote site configuration (IOS c2801-adventerprisek9-mz.124-22.T1.bin)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco192168 address 200.X.X.X no-xauth
!
crypto ipsec transform-set 192168cisco esp-3des esp-md5-hmac
!
crypto map VPN 192168 ipsec-isakmp
 set peer 200.X.X.X
 set transform-set 192168cisco
 match address 111
 reverse-route
!
interface FastEthernet0/1
 ! as posted; "255.255.255.224.0" has five octets and is not a valid mask
 ip address 187.X.X.X 255.255.255.224.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 187.X.X.X
ip route 192.168.1.0 255.255.255.0 200.X.X.X
ip route 192.168.2.0 255.255.255.0 200.X.X.X
ip route 192.168.3.0 255.255.255.0 200.X.X.X
ip route 192.168.4.0 255.255.255.0 200.X.X.X
ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
! ACL 111: interesting traffic for the crypto map, the mirror image of the hub's ACL 111
access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
!
! ACL 192: NAT exemption for the tunnel flows, then overload for everything else
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 192 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 192 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 192 permit ip 192.168.5.0 0.0.0.255 any
access-list 192 permit ip 192.168.6.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 192
------------------------------------------------------------
Thanks to everyone who helped me, and I hope this topic helps other people the way it helped me!!!
Regards
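The fix in the last post comes down to two invariants that are easy to get wrong by hand: the crypto ACL named by `match address` must be a permit-only list whose entries are exactly mirrored on the peer, and the route-map ACL behind `ip nat inside source route-map` must deny those same flows before any permit, so tunnel traffic is never translated. The script below is an added example, not code from the thread or from Cisco; it parses numbered extended ACL lines in the form the thread uses (`access-list N permit|deny ip SRC WILDCARD DST WILDCARD`, with `any` or `host A` on either side) and checks both invariants. The sample configurations are constructed from the LAN pairs in the thread's final hub and remote ACLs; the second call reproduces the original mistake of pointing the crypto map at the NAT ACL.

```python
"""Crypto-map / NAT-exemption ACL consistency checks for Cisco IOS-style configs.

Added example, not code from the original thread. Parses numbered extended
ACL lines ("access-list N permit|deny ip SRC WILDCARD DST WILDCARD", with
"any" or "host A" on either side) and checks that the crypto ACL is a
permit-only list mirrored by the peer, and that the NAT route-map ACL denies
every tunnel flow before any permit entry.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def _take_net(tokens: list[str]) -> Net:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    # ipaddress accepts an inverse mask (an IOS wildcard) after the slash.
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)


def parse_acls(config: str) -> dict[str, list[Ace]]:
    """Group 'access-list N permit|deny ip ...' lines by ACL number, preserving order."""
    acls: dict[str, list[Ace]] = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # not an extended IP ACE of the form handled here
        rest = tokens[4:]
        src = _take_net(rest)
        dst = _take_net(rest)
        acls.setdefault(tokens[1], []).append(Ace(tokens[2], src, dst))
    return acls


def crypto_acl_problems(aces: list[Ace]) -> list[str]:
    """A crypto ACL selects traffic to encrypt, so deny lines select nothing."""
    problems = [f"deny selects no traffic: {a.src} -> {a.dst}"
                for a in aces if a.action == "deny"]
    if not any(a.action == "permit" for a in aces):
        problems.append("no permit entry: nothing is encrypted")
    return problems


def interesting_flows(aces: list[Ace]) -> set[tuple[Net, Net]]:
    return {(a.src, a.dst) for a in aces if a.action == "permit"}


def is_mirror(local: list[Ace], peer: list[Ace]) -> bool:
    """Each permit entry is proposed as a proxy identity; the peer must permit the reverse."""
    return interesting_flows(local) == {(d, s) for s, d in interesting_flows(peer)}


def natted_tunnel_flows(nonat: list[Ace], flows: set[tuple[Net, Net]]) -> list[tuple[Net, Net]]:
    """Tunnel flows whose first match in the NAT ACL is a permit (they would be translated).
    A flow matching nothing hits the implicit deny and is left untranslated."""
    leaked = []
    for src, dst in sorted(flows, key=str):
        for ace in nonat:
            if src.subnet_of(ace.src) and dst.subnet_of(ace.dst):
                if ace.action == "permit":
                    leaked.append((src, dst))
                break
    return leaked


def check_site(local_cfg: str, peer_cfg: str, crypto_acl: str, nat_acl: str) -> dict:
    """Run all checks for one site against its peer's configuration."""
    local, peer = parse_acls(local_cfg), parse_acls(peer_cfg)
    crypto = local.get(crypto_acl, [])
    return {
        "crypto_acl_problems": crypto_acl_problems(crypto),
        "mirrors_peer": is_mirror(crypto, peer.get(crypto_acl, [])),
        "natted_tunnel_flows": natted_tunnel_flows(local.get(nat_acl, []), interesting_flows(crypto)),
    }


def build_site_config(local_lans: list[str], remote_lans: list[str]) -> str:
    """Constructed sample in the thread's final form: ACL 111 permits each LAN pair,
    ACL 192 denies those pairs and then permits everything else from the local LANs."""
    lines = [f"access-list 111 permit ip {s} 0.0.0.255 {d} 0.0.0.255"
             for s in local_lans for d in remote_lans]
    lines += [f"access-list 192 deny ip {s} 0.0.0.255 {d} 0.0.0.255"
              for s in local_lans for d in remote_lans]
    lines += [f"access-list 192 permit ip {s} 0.0.0.255 any" for s in local_lans]
    return "\n".join(lines)


HUB_LANS = ["192.168.1.0", "192.168.2.0", "192.168.3.0", "192.168.4.0"]
BRANCH_LANS = ["192.168.5.0", "192.168.6.0"]

if __name__ == "__main__":
    hub = build_site_config(HUB_LANS, BRANCH_LANS)
    branch = build_site_config(BRANCH_LANS, HUB_LANS)
    print("fixed   :", check_site(hub, branch, "111", "192"))
    # the original mistake: pointing "match address" at the NAT ACL
    print("original:", check_site(hub, branch, "192", "192"))
```

The check only covers the ACL side of the problem; it does not replace the on-box verification the thread asked for. On IOS, `show crypto isakmp sa` shows whether phase 1 reached QM_IDLE with the peer, `show crypto ipsec sa` shows per-proxy-identity encapsulation and decapsulation counters (a tunnel that forms but counts packets in one direction only usually points at the peer's crypto ACL not mirroring yours), and `show ip nat translations` should show no entries for LAN-to-LAN traffic once the NAT exemption is correct.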