schmullus

Site-to-site VPN between a mobile Cisco 881 and a ZyWALL USG300

I have got most things on the Cisco router working, but it fails miserably at a functioning VPN connection. So I am asking for your help, because the general guides, the help here in the forum and the Cisco wizards have not made me much wiser so far.
Thanks

I am the system administrator of a TV production company. Our newest OB van uses a Cisco 881G that is supposed to connect to our headquarters (ZyWALL USG300) via VPN. Internally the vehicle is split into 3 subnets and should find/establish a path to the Internet on its own from three connection options. The hierarchy starts with a LAN-to-LAN link via DHCP through a third-party network (FE0), variant two is PPPoE with a DSL modem (FE4), and when no cable is available the router should go online via its built-in UMTS router. In other words: NAT is definitely involved.
The automatic switchover from cable to UMTS and back, as well as NAT, WLAN and the ACLs, all work. Now I just have to manage to bring up a VPN tunnel over that. The goal is for staff in the office to provide support for the equipment in the OB van. In parallel, the staff in the OB van can surf the web normally without having to go through the tunnel.

On the Zyxel router, which has a static IP, there is already a VPN connection with a PC (Zyxel VPN software) in a branch office. With that software I have also already tested the settings for our OB van successfully. However, I have had no success from the Cisco to the Zyxel so far.

Summary: the Cisco 881 is supposed to establish a VPN connection with the company network over different paths. NAT is active in the router itself and possibly in subsequent routers.
Attached is an excerpt of the Zyxel's configuration as well as the Cisco's. (The public IPs etc. have been changed.)

For clarification: VPN_Halle is the PC in the branch office, HD940 is the OB van this is about!

Many thanks in advance.
Jörg


Zyxel ZyWALL USG 300 (company headquarters):
*
! saved at 2010-06-07 07:35:39
! model: ZyWALL USG 300
! firmware version: 2.11(AQE.2)
ad-server host 192.168.0.2
ad-server port 389
aaa authentication default local
!
ip dhcp pool Network_Pool_GE1
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
starting-address 192.168.0.30 pool-size 29
first-dns-server 192.168.0.2
first-wins-server 192.168.0.2
lease 1 0 0
!
interface ge1
ip address 192.168.0.1 255.255.255.0
description LAN
ping-check default-gateway method icmp period 30 timeout 5 fail-tolerance 5
no ping-check activate
ip dhcp-pool Network_Pool_GE1
ip dhcp-pool Static_GE1_001C23AB6D7F
!
!
interface ge2
ip address 1.1.1.1 255.255.255.248 !! WAN IP
ip gateway 1.1.1.2 metric 0 !! route specified by the provider
ping-check default-gateway method icmp period 30 timeout 5 fail-tolerance 5
no ping-check activate
!
address-object VPN_Mobil_local interface-ip ge2
address-object VPN_Halle_local 192.168.0.0/24
address-object VPN_Halle_Remote 0.0.0.0
address-object VPN_Mobil_remote_Pool 192.168.99.1-192.168.99.20
address-object L2TP_Pool 192.168.10.110-192.168.10.120
address-object L2TP_IFACE 194.162.85.10
address-object L2TP_HOST 0.0.0.0
address-object VPN_HD940_local 192.168.0.0/24
address-object VPN_HD940_remote 192.168.20.0/24
!
!
isakmp policy VPN_Halle_GW
mode main
transform-set des-md5
lifetime 86400
natt
no dpd
local-ip interface ge2
peer-ip 0.0.0.0 0.0.0.0
authentication pre-share
keystring 1772833293
local-id type ip 194.162.85.10
peer-id type ip 192.168.3.2
xauth type server default deactivate
group1
!
isakmp policy VPN_HD940
mode aggressive
transform-set aes128-sha
lifetime 28800
local-ip interface ge2
peer-ip 0.0.0.0 0.0.0.0
authentication pre-share
keystring satcom63303
local-id type ip 194.162.85.10
peer-id type any
xauth type server default deactivate
group5
no dpd
!
crypto map L2TP_VPN_Conn
ipsec-isakmp VPN_Halle_GW
encapsulation transport
scenario site-to-site-dynamic
transform-set esp-des-sha
set security-association lifetime seconds 3600
set pfs none
local-policy L2TP_IFACE
remote-policy L2TP_HOST
no conn-check activate
deactivate
!
crypto map VPN_Halle_Conn
ipsec-isakmp VPN_Halle_GW
encapsulation tunnel
scenario remote-access-server
transform-set esp-des-sha
set security-association lifetime seconds 86400
set pfs none
local-policy VPN_Halle_local
remote-policy any
no conn-check activate
!
crypto map VPN_HD940
ipsec-isakmp VPN_HD940
encapsulation tunnel
scenario site-to-site-dynamic
transform-set esp-aes128-sha
set security-association lifetime seconds 28800
set pfs none
local-policy VPN_HD940_local
remote-policy VPN_HD940_remote
no conn-check activate
activate
!
interface-group WAN_TRUNK
mode trunk
algorithm llf
interface 1 ge2
interface 2 ge3
interface 3 aux passive
!
ip route 192.168.0.0 255.255.255.0 ge1
!
!
zone LAN
interface ge1
interface ge3
!
zone WAN
interface ge2
block
!
!
zone VPN_Halle
crypto VPN_Halle_Conn
!
zone VPN_HD940
crypto VPN_HD940
!
vpn-concentrator VPN_Mobil_Halle
!
firewall 1
service PPTP
action allow
from WAN
to ZyWALL
!
firewall 2
service PPTP_TUNNEL
action allow
from WAN
to ZyWALL
!
firewall 3
action allow
to VPN_HD940
description HD940_VPN
!
policy 1
description VPN_HD940
source VPN_HD940_local
destination VPN_HD940_remote
service any
next-hop tunnel VPN_HD940
!
policy 2
description L2TP_LAN
tunnel L2TP_VPN_Conn
source L2TP_Pool
destination LAN_SUBNET
service any
next-hop interface ge1
!
policy 3
description L2TP_WAN_NAT
tunnel L2TP_VPN_Conn
source L2TP_Pool
destination any
service any
next-hop interface ge2
snat outgoing-interface
!
policy 4
description for_L2TP
source LAN_SUBNET
destination L2TP_Pool
service any
next-hop tunnel L2TP_VPN_Conn
!
policy 5
description VPN_Halle_Pol
source VPN_Halle_local
destination VPN_Halle_Remote
service any
next-hop tunnel VPN_Halle_Conn

*

Cisco 881G:
*
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname HD940
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$pgh/$um8OD9InAYw5Z9eqeU7aW0
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1438674136
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1438674136
revocation-check none
rsakeypair TP-self-signed-1438674136
!
!
crypto pki certificate chain TP-self-signed-1438674136
certificate self-signed 01
XYZ
quit
ip source-route
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.119
ip dhcp excluded-address 192.168.20.126
ip dhcp excluded-address 192.168.20.129 192.168.20.149
ip dhcp excluded-address 192.168.20.161 192.168.20.190
!
ip dhcp pool ccp-pool1
import all
network 192.168.20.0 255.255.255.128
default-router 192.168.20.1
dns-server 130.149.4.20 131.188.3.2
!
ip dhcp pool WLANpool
import all
network 192.168.20.192 255.255.255.192
default-router 192.168.20.193
dns-server 131.188.3.2 130.149.4.20
!
ip dhcp pool AVIDpool
import all
network 192.168.20.128 255.255.255.192
dns-server 130.149.4.20 131.188.3.2
default-router 192.168.20.129
lease 0 6
!
!
ip cef
ip domain name yourdomain.com
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script vodafone "" "ATDT*98*1#" TIMEOUT 30 "CONNECT"
!
!
username administrator privilege 15 secret 5 1234
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
track timer interface 1000
!
track 1 interface FastEthernet0 line-protocol
!
track 2 interface Dialer0 ip routing
carrier-delay
!
!
!
interface Loopback0
description StandardRoute
no ip address
!
interface FastEthernet0
description DHCPuplink
switchport access vlan 5
!
interface FastEthernet1
description Techniknetz
!
interface FastEthernet2
description AVIDnetz
switchport access vlan 2
!
interface FastEthernet3
description WLAN_Bridge
switchport access vlan 3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
ip flow ingress
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Cellular0
description UMTS-Vodafone
no ip address
ip virtual-reassembly
encapsulation ppp
shutdown
dialer in-band
dialer pool-member 2
async mode interactive
!
interface Vlan1
description Techniknetz$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.20.1 255.255.255.128
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Vlan2
description AVID
ip address 192.168.20.129 255.255.255.192
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description WLAN
ip address 192.168.20.193 255.255.255.192
ip access-group WLAN_surf in
ip nat inside
ip virtual-reassembly
!
interface Vlan5
ip address dhcp
ip nat outside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
shutdown
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname DSLlogin
ppp chap password 0 DSLpass
ppp pap sent-username DSLlogin password 0 DSLpass
!
interface Dialer2
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer string vodafone
dialer-group 2
no cdp enable
ppp chap hostname vodafone
ppp chap password 0 vodafone
ppp ipcp dns request accept
!
ip local policy route-map track-primary-if
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 50 track 2
ip route 0.0.0.0 0.0.0.0 Dialer2 250
ip route 0.0.0.0 0.0.0.0 Vlan5 dhcp 10
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns view default
domain resolver source-interface Dialer2
dns forwarding source-interface Dialer2
ip nat inside source route-map nat2DHCP interface Vlan5 overload
ip nat inside source route-map nat2DSL interface Dialer0 overload
ip nat inside source route-map nat2UMTS interface Dialer2 overload
!
ip access-list extended WLAN_surf
remark surfers may surf, nothing else
remark CCP_ACL Category=1
permit udp any any eq bootpc
permit udp any any eq bootps
remark no access to Technik
deny ip 192.168.20.192 0.0.0.63 192.168.20.0 0.0.0.127
remark AVIDnetz
deny ip 192.168.20.192 0.0.0.63 192.168.20.128 0.0.0.63
permit ip 192.168.20.192 0.0.0.63 any
deny ip any any
!
ip sla 1
icmp-echo 74.125.39.99 source-interface Loopback0
ip sla schedule 1 life forever start-time now
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.127
access-list 100 remark SDM_ACL Category=0
access-list 100 permit icmp any host 74.125.39.99
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
route-map track-primary-if permit 1
match ip address 100
set interface Loopback0 Null0
!
route-map nat2DSL permit 10
match ip address 101
match interface Dialer0
!
route-map nat2UMTS permit 10
match ip address 101
match interface Dialer2
!
route-map nat2DHCP permit 10
match ip address 101
match interface Vlan5
!
route-map nat2FE4 permit 10
match ip address 101
match interface FastEthernet4
!
snmp-server community public RO
snmp-server location HD940,Fahrerseite Heck
!
control-plane
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line 3
script dialer vodafone
modem InOut
no exec
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
*
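Added example, not code from the original post or from Zyxel/Cisco: a small Python cross-check that pulls the phase-1/phase-2 parameters out of the ZyWALL's VPN_HD940 definition and audits the posted IOS config for the crypto elements a site-to-site peer has to carry, and for whether the NAT ACL excludes traffic to the headquarters LAN (with NAT overload on the same WAN interfaces, LAN traffic that gets translated never matches a crypto ACL). The config excerpts are trimmed copies of the two configs above; all function and variable names are this example's own.

```python
"""Cross-check the ZyWALL side of a site-to-site IPsec definition against the
crypto elements an IOS peer must carry. Added example for this thread, not code
from the original post or from Zyxel/Cisco; function names are this example's own."""
import re

# Constructed excerpt of the posted ZyWALL config (phase 1 + phase 2 for HD940).
ZYWALL_EXCERPT = """\
isakmp policy VPN_HD940
mode aggressive
transform-set aes128-sha
lifetime 28800
authentication pre-share
group5
!
crypto map VPN_HD940
ipsec-isakmp VPN_HD940
transform-set esp-aes128-sha
set security-association lifetime seconds 28800
set pfs none
local-policy VPN_HD940_local
remote-policy VPN_HD940_remote
activate
!
"""

# Constructed excerpt of the posted IOS config: NAT overload, but no IPsec at all.
CISCO_EXCERPT = """\
crypto pki trustpoint TP-self-signed-1438674136
ip nat inside source route-map nat2DSL interface Dialer0 overload
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
route-map nat2DSL permit 10
 match ip address 101
!
"""

# IOS elements a site-to-site IPsec peer needs; only textual presence is checked.
IOS_REQUIRED = {
    "crypto isakmp policy": "IKE phase-1 policy (encryption, hash, DH group, lifetime)",
    "crypto isakmp key": "pre-shared key for the ZyWALL peer",
    "crypto ipsec transform-set": "phase-2 transform matching the ZyWALL's esp-* set",
    "crypto map": "crypto map tying peer, transform-set and interesting-traffic ACL",
}


def parse_zywall_vpn(text):
    """Collect ZyWALL 'isakmp policy' and 'crypto map' blocks (each ends at '!')."""
    policies, maps, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            cur = None
        elif line.startswith("isakmp policy "):
            cur = policies.setdefault(line.split()[2], [])
        elif line.startswith("crypto map "):
            cur = maps.setdefault(line.split()[2], [])
        elif cur is not None:
            cur.append(line)
    return policies, maps


def expected_from_zywall(text, map_name):
    """Parameters the remote peer of ZyWALL crypto map `map_name` has to match."""
    policies, maps = parse_zywall_vpn(text)
    cmap = maps[map_name]
    pol = policies[next(l.split()[1] for l in cmap if l.startswith("ipsec-isakmp "))]

    def val(lines, key):  # value following `key`, or None if no such line
        return next((l[len(key):].strip() for l in lines if l.startswith(key)), None)

    return {
        "p1_mode": val(pol, "mode"),
        "p1_transform": val(pol, "transform-set"),
        "p1_lifetime": val(pol, "lifetime"),
        "p1_dh_group": next((l for l in pol if re.fullmatch(r"group\d+", l)), None),
        "p1_auth": val(pol, "authentication"),
        "p2_transform": val(cmap, "transform-set"),
        "p2_lifetime": val(cmap, "set security-association lifetime seconds"),
        "p2_pfs": val(cmap, "set pfs"),
        "active": "activate" in cmap,
    }


def audit_cisco(text, remote_net="192.168.0.0 0.0.0.255"):
    """Which IPsec elements the IOS config carries, plus whether the ACLs used by
    'ip nat inside source route-map' deny the tunnel traffic (NAT exemption)."""
    lines = [l.strip() for l in text.splitlines()]
    report = {key: any(l.startswith(key) for l in lines) for key in IOS_REQUIRED}
    nat_maps = set(re.findall(r"^ip nat inside source route-map (\S+)", text, re.M))
    acl_ids, cur_map = set(), None
    for l in lines:
        m = re.match(r"route-map (\S+) permit", l)
        if m:
            cur_map = m.group(1)
        elif cur_map in nat_maps and l.startswith("match ip address "):
            acl_ids.add(l.split()[-1])
    # Traffic for the remote LAN must hit a 'deny' in the NAT ACL before 'permit ... any';
    # otherwise it is translated to the WAN address and never matches the crypto ACL.
    exempt = False
    if acl_ids:
        pat = rf"access-list ({'|'.join(acl_ids)}) deny ip \S+ \S+ {re.escape(remote_net)}"
        exempt = any(re.match(pat, l) for l in lines)
    report["nat_acls"] = sorted(acl_ids)
    report["nat_exempts_tunnel_traffic"] = exempt
    return report


def missing_elements(report):
    """Descriptions of the IOS crypto pieces the audited config lacks."""
    return [desc for key, desc in IOS_REQUIRED.items() if not report[key]]


if __name__ == "__main__":
    print("ZyWALL expects:", expected_from_zywall(ZYWALL_EXCERPT, "VPN_HD940"))
    rep = audit_cisco(CISCO_EXCERPT)
    print("IOS side missing:", missing_elements(rep))
    print("NAT ACLs:", rep["nat_acls"], "exempt tunnel traffic:", rep["nat_exempts_tunnel_traffic"])
```

Run against the excerpts, it reports that the ZyWALL expects aggressive mode, aes128-sha, DH group 5 and a 28800 s lifetime for phase 1 and esp-aes128-sha without PFS for phase 2, while the IOS side contains none of the four crypto elements, and that ACL 101 (referenced by all three NAT route-maps in the full config) has no deny for 192.168.0.0/24. The check is purely textual; it tells you what is absent, not whether parameters that are present actually match.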

Url: https://administrator.de/contentid/144358
aqui Jun 08, 2010, updated at Oct 18, 2012 at 16:42:26 (UTC)