Hello,
Here is my problem:
local network: 192.168.20.0/24
remote network: 194.138.xxx.xxx/7
VPN tunnel: OK
IP addresses authorised on the remote site: 192.168.20.112-113
Ping from the local network to the remote network: OK
Ping from the remote network to the local network: KO
The remote network mainly needs to reach port 80 on 112 and 113
Why can't the remote network reach the local network?
Here is the config: I removed what is not useful and replaced the confidential parts with xxxxx
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
import all
network 192.168.20.0 255.255.255.0
dns-server 80.10.246.2
default-router 192.168.20.240
lease infinite
!
!
ip domain name yourdomain.com
ip name-server 80.10.246.2
ip name-server 80.10.246.129
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
multilink bundle-name authenticated
!
!
username xxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxx address 194.138.xxx.xxx
!
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.138.xxx.xxx
set peer 194.138.xxx.xxxx
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA1
match address client
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip nat inside
ip virtual-reassembly
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template2 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.20.240 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
crypto map SDM_CMAP_1
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended client
remark SDM_ACL Category=4
permit ip host 192.168.20.112 194.138.xxx.xxx 0.0.0.7 log
permit ip host 192.168.20.113 194.138.xxx.xxx 0.0.0.7 log
permit ip 194.138.xxx.xxx 0.0.0.7 host 192.168.20.112 log
permit ip 194.138.xxx.xxx 0.0.0.7 host 192.168.20.113 log
!
access-list 100 remark SDM_ACL Category=1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip host 192.168.20.112 194.138.xxx.xxx 0.0.0.7 log
access-list 100 permit ip host 192.168.20.113 194.138.xxx.xxx 0.0.0.7 log
access-list 100 permit ip any any log
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.20.113 194.138.xxx.xxx 0.0.0.7 log
access-list 101 permit ip host 192.168.20.112 194.138.xxx.xxx 0.0.0.7 log
access-list 101 permit ip 194.138.xxx.xxx 0.0.0.7 host 192.168.20.113 log
access-list 101 permit ip 194.138.xxx.xxx 0.0.0.7 host 192.168.20.112 log
access-list 101 permit udp host 194.138.xxx.xxx any eq non500-isakmp
access-list 101 permit udp host 194.138.xxx.xxx any eq isakmp
access-list 101 permit esp host 194.138.xxx.xxx any
access-list 101 permit ahp host 194.138.xxx.xxx any
access-list 101 deny ip 192.168.20.0 0.0.0.255 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit tcp any any eq 1433
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp host 80.10.246.129 eq domain any
access-list 101 permit udp host 80.10.246.2 eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 194.138.xxx.xxx 0.0.0.7 host 192.168.20.113 log
access-list 103 deny ip 194.138.xxx.xxx 0.0.0.7 host 192.168.20.112 log
access-list 103 deny ip host 192.168.20.113 194.138.xxx.xxx 0.0.0.7 log
access-list 103 deny ip host 192.168.20.112 194.138.xxx.xxx 0.0.0.7 log
access-list 103 permit ip 192.168.20.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
THANKS
You have an access-list "access-list 101 permit icmp any any echo-reply"

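To see concretely what the reply above is pointing at, and to answer the original question of which traffic the Dialer0 inbound filter lets through, here is an added example that is not code from the thread: a small evaluator for Cisco IOS extended access-list entries (wildcard masks, first-match, implicit deny at the end), run over access-list 101 from the posted configuration. The masked remote block 194.138.xxx.xxx 0.0.0.7 is replaced by the constructed placeholder 194.138.1.0 0.0.0.7 and the VPN peer by 194.138.1.1; only the entries relevant to ICMP, the tunnel and the open TCP port are reproduced, in their original order.

```python
"""Added example, not from the forum post: evaluate Cisco IOS extended ACL
entries the way the router does (first match wins, implicit deny at the end),
against the inbound access-list 101 on Dialer0 from the posted configuration.

Assumptions: 194.138.xxx.xxx 0.0.0.7 is replaced by the constructed placeholder
194.138.1.0 0.0.0.7, and the VPN peer 194.138.xxx.xxx by 194.138.1.1.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts in "eq" clauses, as used in the post's ACL.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53}

# access-list 101 from the post, same order, "log" keywords kept, xxx replaced by placeholders.
ACL_101 = [
    "permit ip host 192.168.20.113 194.138.1.0 0.0.0.7 log",
    "permit ip host 192.168.20.112 194.138.1.0 0.0.0.7 log",
    "permit ip 194.138.1.0 0.0.0.7 host 192.168.20.113 log",
    "permit ip 194.138.1.0 0.0.0.7 host 192.168.20.112 log",
    "permit udp host 194.138.1.1 any eq non500-isakmp",
    "permit udp host 194.138.1.1 any eq isakmp",
    "permit esp host 194.138.1.1 any",
    "deny ip 192.168.20.0 0.0.0.255 any",
    "permit tcp any any eq 1433",
    "permit icmp any any echo-reply",
    "permit icmp any any time-exceeded",
    "permit icmp any any unreachable",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip any any log",
]


@dataclass
class Packet:
    proto: str                       # icmp / tcp / udp / esp (an entry with "ip" matches all of them)
    src: str
    dst: str
    port: Optional[int] = None       # destination port for tcp/udp
    icmp_type: Optional[str] = None  # IOS keyword, e.g. "echo", "echo-reply"


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    # A 1 bit in the wildcard means "don't care": OR it into both sides before comparing.
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), i + 2


def ace_matches(line: str, pkt: Packet) -> bool:
    """True if a single access-list entry matches the packet."""
    tokens = line.split()
    proto = tokens[1]
    src_ok, i = _parse_addr(tokens, 2)
    dst_ok, i = _parse_addr(tokens, i)
    rest = [t for t in tokens[i:] if t != "log"]
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (src_ok(ipaddress.ip_address(pkt.src)) and dst_ok(ipaddress.ip_address(pkt.dst))):
        return False
    if proto == "ip" or not rest:
        return True                  # no port / type qualifier: protocol and addresses suffice
    if rest[0] == "eq":
        name = rest[1]
        return pkt.port == int(PORT_NAMES.get(name, name))
    return pkt.icmp_type == rest[0]  # ICMP type keyword such as echo-reply


def verdict(acl, pkt: Packet):
    """First matching entry decides; an ACL that matches nothing denies implicitly."""
    for line in acl:
        if ace_matches(line, pkt):
            return line.split()[0], line
    return "deny", "implicit deny"


def echo_request_verdict(src: str, dst: str) -> str:
    """Action ACL 101 applies to an ICMP echo request from src to dst arriving on Dialer0."""
    return verdict(ACL_101, Packet("icmp", src, dst, icmp_type="echo"))[0]


if __name__ == "__main__":
    for src, dst in [("194.138.1.5", "192.168.20.112"),   # inside the /29, allowed host
                     ("194.138.1.5", "192.168.20.50"),    # inside the /29, any other host
                     ("194.138.1.9", "192.168.20.112")]:  # outside the 0.0.0.7 wildcard range
        print(f"echo {src} -> {dst}:", verdict(ACL_101, Packet("icmp", src, dst, icmp_type="echo")))
    print("echo-reply 8.8.8.8 -> 192.168.20.50:",
          verdict(ACL_101, Packet("icmp", "8.8.8.8", "192.168.20.50", icmp_type="echo-reply")))
```

Running it shows the asymmetry the reply hints at: echo replies are accepted from anywhere, but an echo request is only accepted when it comes from a source inside the 0.0.0.7 wildcard range and is addressed to .112 or .113; any other request falls through to the final "deny ip any any log", so with "logging buffered 51200" in place the denied packets should appear in the router's buffered log and tell you which source and destination actually hit the filter. The same evaluator also flags "permit tcp any any eq 1433", which lets any Internet host reach SQL Server's port on the inside, a rule worth reviewing independently of the ping problem.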
For Cisco, post on the Cisco Lab site forum, you will always get more information there and above all more accurate information!!!

Thanks