Greetings everyone. First of all I want to introduce myself: my name is Ivan and I work in technical support at an IT company. I am joining the forum to contribute a topic that I don't think I have found here, or at least I haven't hit on the right words for the search to show it to me.
I want to congratulate this whole community on the contributions it makes; I think it is one of the best forums I have found in terms of the quality of its participants, and I want to add my grain of sand to help keep it among the best.
Well, after the appropriate compliments, on to the subject that worries me.
At the company where I work I was asked to set up a VPN between 9 offices (1 head office and 8 branches). I normally work with Netgear equipment, but at the first encounter with the hardware I found myself with 1 x Cisco 1841 and 8 x Cisco 877.
Despite warning them that I had never configured Cisco routers and that they were tremendously complicated but at the same time among the best on the market (that last part probably didn't help me convince them to switch :P), they entrusted me with configuring them. They gave me 7 days; the thing is that 15 have already gone by and I'm tearing my hair out because I can't get this VPN to work properly.
The VPN has to provide:
- voice over IP (which forces me to configure QoS)
- data (remote desktop to the server at head office)
- viewing IP cameras through it.
- interconnection between the branches, meaning that branch b can reach branches c, d, e, f, g and h as well as head office, which is a.
The topology I built is a star.
The central router, the 1841, has Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5).
The branch routers, the 877s, have Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5).
I have used the notation a.a.a.a to denote the public IP of office a; the same rule applies to all offices (b.b.b.b for branch b, c.c.c.c for branch c, etc.).
I used SDM to configure the tunnels.
The configuration of the 1841 is this:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname VPN_01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.4.0 255.255.255.0
dns-server 80.58.0.33 80.58.32.97
default-router 192.168.4.254
!
!
no ip bootp server
ip domain name dominio.local
ip name-server 80.58.0.33
ip name-server 80.58.32.97
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2868054754
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2868054754
revocation-check none
rsakeypair TP-self-signed-2868054754
!
!
!
!
!
username root privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXX address b.b.b.b
crypto isakmp key XXXXXXXX address c.c.c.c
crypto isakmp key XXXXXXXX address d.d.d.d
crypto isakmp key XXXXXXXX address e.e.e.e
crypto isakmp key XXXXXXXX address f.f.f.f
crypto isakmp key XXXXXXXX address g.g.g.g
crypto isakmp key XXXXXXXX address h.h.h.h
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tob.b.b.b
set peer b.b.b.b
set transform-set ESP-3DES-SHA
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toc.c.c.c
set peer c.c.c.c
set transform-set ESP-3DES-SHA1
match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel tod.d.d.d
set peer d.d.d.d
set transform-set ESP-3DES-SHA2
match address 107
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel toe.e.e.e
set peer e.e.e.e
set transform-set ESP-3DES-SHA3
match address 109
crypto map SDM_CMAP_1 5 ipsec-isakmp
description Tunnel tof.f.f.f
set peer f.f.f.f
set transform-set ESP-3DES-SHA4
match address 111
crypto map SDM_CMAP_1 6 ipsec-isakmp
description Tunnel tog.g.g.g
set peer g.g.g.g
set transform-set ESP-3DES-SHA5
match address 113
crypto map SDM_CMAP_1 7 ipsec-isakmp
description Tunnel toh.h.h.h
set peer h.h.h.h
set transform-set ESP-3DES-SHA6
match address 115
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
match access-group 116
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 114
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class type inspect sdm-cls-VPNOutsideToInside-5
inspect
class type inspect sdm-cls-VPNOutsideToInside-6
inspect
class type inspect sdm-cls-VPNOutsideToInside-7
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.4.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/32
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname adslppp@telefonicanetpa
ppp chap password 7 00051715084B1B16
ppp pap sent-username adslppp@telefonicanetpa password 7 01120217571B161F
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host b.b.b.b any
access-list 102 permit ip host c.c.c.c any
access-list 102 permit ip host d.d.d.d any
access-list 102 permit ip host e.e.e.e any
access-list 102 permit ip host f.f.f.f any
access-list 102 permit ip host g.g.g.g any
access-list 102 permit ip host h.h.h.h any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.4.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 remark SDM_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 114 remark SDM_ACL Category=0
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 remark SDM_ACL Category=4
access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 116 remark SDM_ACL Category=0
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
control-plane
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
end
The configuration of the 877s is this:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname VPN_02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1910646750
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1910646750
revocation-check none
rsakeypair TP-self-signed-1910646750
!
!
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.12.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.12.0 255.255.255.0
dns-server 80.58.0.33 80.58.32.97
default-router 192.168.12.1
!
!
no ip bootp server
ip domain name dominio.local
ip name-server 80.58.0.33
ip name-server 80.58.32.97
!
!
!
username root privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address a.a.a.a
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toaaa.aaa.aaa.aaa
set peer aaa.aaa.aaa.aaa
set transform-set ESP-3DES-SHA
match address 101
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 107
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-all SDM_VPN_PT0
match access-group 106
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 105
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT0
pass
class type inspect sdm-access
inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/32
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname adslppp@telefonicanetpa
ppp chap password 7 01120217571B161F
ppp pap sent-username adslppp@telefonicanetpa password 7 03055F180A1F315C
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 217.125.40.108 any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip 192.168.12.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=128
access-list 105 permit ip any any
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host 217.125.40.108 any
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
The problems I have:
- I manage to bring up the tunnels and I can access files by IP between head office and the branches (I can't do it by hostname, which I assume is DNS-related), but I can't reach the computers between branches.
- I can't use the video recording program because I can't reach the cameras from it; when I try to access them via the web, the page title appears (in the title bar) but the page stays blank and never actually loads.
- the 877s won't let me configure QoS because SDM tells me they don't have that option, but the people who sold them to me insist that they do.
- the IP phones work when they call the PBX that hangs off the 1841, but they can't talk between branches.
Well, that's basically all I can say. I know it's not your problem, but I am DESPERATE about this issue; it's a large and important client and my head seems to be on the line.
I'll be grateful for any help you can give me.
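The branch-to-branch symptom above can be checked mechanically against the posted configs. The following Python script is an added example (not code from the post, from Cisco or from SDM): it parses the crypto-map peers, their crypto ACLs and the NAT route-map ACL, then returns the IOS entries that are missing for spoke-to-spoke traffic to hairpin through the hub. All function names are mine; the two-spoke excerpts are constructed from the posted VPN_01 and VPN_02 configs and keep the post's a.a.a.a / b.b.b.b peer placeholders.

```python
"""Find hub-and-spoke IPsec config gaps that block spoke-to-spoke traffic.
Spoke X reaches spoke Y by hairpinning through the hub, so the hub's crypto ACL for
peer Y must permit X_lan -> Y_lan; each spoke needs a crypto ACL entry plus a NAT-
exemption 'deny' for every other spoke LAN, because PAT runs before the crypto map."""
import ipaddress
import re

Net = ipaddress.IPv4Network
ADDR = r"(any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list (\d+) (permit|deny) ip {ADDR} {ADDR}$")

def to_net(token):
    """'any' or IOS 'address wildcard' -> IPv4Network (contiguous wildcards only)."""
    if token == "any":
        return Net("0.0.0.0/0")
    addr, wildcard = token.split()
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def acl_line(acl, action, src, dst):
    """Render an IOS numbered-ACL entry (network + wildcard) for src -> dst."""
    return (f"access-list {acl} {action} ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")

def parse_config(text):
    """(acls, peer_acl, nat_acl): entries by ACL number, crypto-map peer -> ACL, NAT ACL."""
    acls, peer_acl, nat_acl, peer = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(int(m[1]), []).append((m[2], to_net(m[3]), to_net(m[4])))
        elif line.startswith("set peer "):  # inside a 'crypto map ... ipsec-isakmp' entry
            peer = line.split()[2]
        elif line.startswith("match address ") and peer:
            peer_acl[peer] = int(line.split()[2])
        elif line.startswith("match ip address "):  # route-map used by 'ip nat inside source'
            nat_acl = int(line.split()[3])
    return acls, peer_acl, nat_acl

def first_action(entries, src, dst):
    """IOS ACLs are first-match: action of the first entry covering src -> dst, else None."""
    return next((a for a, s, d in entries if src.subnet_of(s) and dst.subnet_of(d)), None)

def hub_missing_lines(text, spoke_lans):
    """Crypto ACL lines the hub lacks: peer Y's ACL must permit X_lan -> Y_lan for each ordered pair."""
    acls, peer_acl, _ = parse_config(text)
    missing = []
    for px, lx in spoke_lans.items():
        for py, ly in spoke_lans.items():
            acl = peer_acl.get(py)
            if px != py and first_action(acls.get(acl, []), Net(lx), Net(ly)) != "permit":
                missing.append(acl_line(acl, "permit", Net(lx), Net(ly)))
    return missing

def spoke_missing_lines(text, local_lan, remote_lans):
    """(crypto_lines, nat_deny_lines) a spoke lacks; NAT denies must precede the final 'permit ... any'."""
    acls, peer_acl, nat_acl = parse_config(text)
    crypto_acl = next(iter(peer_acl.values()), None)
    local, crypto, nat = Net(local_lan), [], []
    for remote in map(Net, remote_lans):
        if first_action(acls.get(crypto_acl, []), local, remote) != "permit":
            crypto.append(acl_line(crypto_acl, "permit", local, remote))
        if first_action(acls.get(nat_acl, []), local, remote) != "deny":
            nat.append(acl_line(nat_acl, "deny", local, remote))
    return crypto, nat

# Constructed excerpts of the posted VPN_01 (hub) and VPN_02 (spoke) configs, cut to two spokes.
HUB_CONFIG = """crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer b.b.b.b
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer c.c.c.c
 match address 105
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255"""
SPOKE_LANS = {"b.b.b.b": "192.168.10.0/24", "c.c.c.c": "192.168.2.0/24"}
SPOKE_CONFIG = """crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer a.a.a.a
 match address 101
access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 deny ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip 192.168.12.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 104"""
```

Fed the full running-configs, it reports every spoke pair on the hub (the posted ACLs only cover head office LAN to spoke LAN), and on each 877 both the crypto ACL entry and the NAT-exemption deny, so spoke-to-spoke packets are PAT'd to the public address before the crypto map ever sees them.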