Passing guest
Joined: December 2012, Posts: 1
Hello everyone,

I'm turning to you because I have just configured a remote VPN on a Cisco 1800 router, but I'm running into a problem: connecting to it from a Windows workstation running the Cisco VPN client works fine, but once connected it is impossible to ping or reach anything on the remote network. My VPN client connects fine and gets an address from the 192.168.4.X pool, but with a gateway of 192.168.4.1????

Would anyone have an idea why I can't communicate with any machine on the remote network even though the client is connected?

Thank you very much. Here is the configuration used:

```
ROUTEUR#sh startup-config
Current configuration : 5323 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTEUR
!
boot-start-marker
boot-end-marker
!
enable password blabla
!
aaa new-model
aaa authentication login default local
username toto password toto
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
no ip domain lookup
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key bip address 8xxxx
crypto isakmp key bip address 8xxxx
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 group 2
!
crypto isakmp client configuration group TG-VPNDB
 key blabla
 pool VPNCLIENTS
 acl 110
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1
!
crypto ipsec profile SDM_Profile3
 set transform-set ESP-3DES-SHA2
!
crypto dynamic-map VPNMAP 10
 set transform-set VPNTRANS
 reverse-route
!
!
crypto map VPNMAP client configuration address respond
crypto map VPNMAP isakmp authorization list VPNAUTH
crypto map VPNMAP 10 ipsec-isakmp dynamic VPNMAP
crypto map VPNMAP client authentication list VPNAUTH
!
!
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 60
!
!
interface Tunnel0
 bandwidth 1000
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.10.10.2
 ip nhrp nhs 10.10.10.3
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile2
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 bandwidth 2048
 ip address 86.66.XX.XX 255.255.255.240
 ip access-group 101 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 crypto map VPNMAP
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 1
!
ip local pool ip_vpn_test 192.168.254.1 192.168.254.5
ip local pool VPNCLIENTS 192.168.4.20 192.168.4.30
ip classless
ip route 0.0.0.0 0.0.0.0 86.66.XX.XX permanent
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 86.66.XX.XX 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip any any log
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 110 permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end
```
Copyright © 2000-2013 - www.developpez.com