Всем доброго! Ситуация следующая: от циски идет два туннеля в разные удаленные офисы. В обоих офисах стоят IP телефоны, работающие через АТС, находящуюся в главном офисе. Удаленные офисы могут звонить друг другу по туннелям, но друг друга не пингуют. Подскажите, пожалуйста, как смаршрутизировать туннели друг на друга. Я думаю, что должна быть возможность задать статически типа
ip route 10.0.3.0 255.255.255.0 {туннельный интерфейс}?
Туннель висит на FastE4.
sh run
>sh run
Current configuration : 9851 bytes
!
! Head-office router (IOS 12.4). Two crypto-map IPsec site-to-site tunnels plus an
! Easy VPN remote-access group, all terminated on FastEthernet4. Review comments
! below are '!' lines only; every configuration statement is as posted.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): type-7 obfuscation is disabled, so any plaintext passwords in this
! config appear as-is in 'show run'. The local user further down uses 'secret'
! (hashed), which is unaffected by this setting.
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
! AAA: login and exec authorization against the local user database; the
! sdm_vpn_* lists are referenced by the remote-access crypto map below.
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
!
! IKE phase 1: 3DES, pre-shared keys, DH group 2. Both site-to-site peers use this
! single policy. NOTE(review): 3DES and group 2 are legacy choices; what can be
! changed depends on what the remote routers support - confirm there first.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! Pre-shared keys redacted by the poster (XXXX). no-xauth: these two peers are
! site-to-site and skip the extended (user) authentication used by the client group.
crypto isakmp key XXXX address 178.107.18.162 no-xauth
crypto isakmp key XXXX address 212.145.31.26 no-xauth
!
! Remote-access (Easy VPN) group. Clients get addresses from SDM_POOL_1
! (10.0.0.100-10.0.0.105, defined below) - i.e. from inside the LAN subnet itself.
crypto isakmp client configuration group XX
key XXXX
dns 10.0.0.4 195.194.224.3
pool SDM_POOL_1
include-local-lan
!
!
! Three transform sets with identical parameters (ESP 3DES / SHA-1 HMAC); one per
! crypto-map entry, as generated by SDM.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
! Dynamic map for remote-access clients; reverse-route (RRI) installs a route for
! each connected client's address.
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA2
reverse-route
!
!
! Site-to-site entries:
!   seq 1 -> peer 212.145.31.26, protected traffic = ACL 102 (10.0.0.0/24 <-> 10.0.1.0/24)
!   seq 2 -> peer 178.107.18.162, protected traffic = ACL 103 (10.0.0.0/24 <-> hosts 10.0.3.1-3)
! Neither crypto ACL contains a 10.0.1.0/24 <-> 10.0.3.x entry, so branch-to-branch
! traffic is never selected for encryption toward either peer. That matches the
! symptom described (each branch reaches the head office, branches do not reach each
! other). There is no GRE/VTI 'interface Tunnel' in this config, so a static route
! pointing at a tunnel interface does not apply to this crypto-map design; the
! branch-to-branch flows would presumably have to be added to the crypto ACLs here
! (and mirrored on each remote router) and permitted through ACL 101 - verify on the
! remote ends.
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to212.145.31.26
set peer 212.145.31.26
set transform-set ESP-3DES-SHA
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to178.107.18.162
set peer 178.107.18.162
set transform-set ESP-3DES-SHA1
match address 103
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
! Self-signed certificate; presumably used by 'ip http secure-server' below (the
! TP-self-signed-* trustpoint is the IOS auto-generated one) - confirm.
crypto pki trustpoint TP-self-signed-2376078511
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2376078511
revocation-check none
rsakeypair TP-self-signed-2376078511
!
!
crypto pki certificate chain TP-self-signed-2376078511
certificate self-signed 01
3082024F XXX FB6174
quit
! LAN DHCP for 10.0.0.0/24. Excluded: .1, .2-.4, .50-.70.
! NOTE(review): the remote-access pool SDM_POOL_1 (10.0.0.100-10.0.0.105) is NOT
! excluded here, so DHCP may lease an address that a VPN client is also assigned -
! confirm against the leases actually in use.
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.50 10.0.0.70
ip dhcp excluded-address 10.0.0.2 10.0.0.4
!
ip dhcp pool sdm-pool
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 10.0.0.4 195.194.224.3
lease 1 2
!
!
! CBAC stateful inspection set SDM_LOW; applied outbound on FastEthernet4 so that
! return traffic for these protocols is admitted back through ACL 101.
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name yourdomain.com
ip name-server 10.0.0.4
ip name-server 195.194.224.3
ip name-server 195.194.226.1
!
!
!
! Single local admin account at privilege 15; stored as a hashed 'secret'.
! 'archive / log config / hidekeys' keeps keys out of the configuration change log.
username XXX privilege 15 secret XXX
archive
log config
hidekeys
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Outside/WAN interface ("FastE4" in the question): inbound ACL 101, strict uRPF,
! CBAC outbound, NAT outside, and the crypto map. IPsec traffic is selected here on
! egress by SDM_CMAP_1 - there is no separate tunnel interface to route to.
interface FastEthernet4
description $ETH-LAN$$FW_OUTSIDE$
ip address 195.194.252.158 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encryption
!
! Wireless radio is administratively down.
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
! Inside LAN 10.0.0.1/24: ACL 100 inbound (anti-spoofing), NAT inside; the MSS
! clamp is presumably there to avoid fragmentation of TCP inside the tunnels.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
! Remote-access client pool, carved out of the LAN subnet (see DHCP note above).
ip local pool SDM_POOL_1 10.0.0.100 10.0.0.105
! The only route is the default. 10.0.1.0/24 and 10.0.3.x are reached via this
! default out FastEthernet4, where the crypto map picks them up - no per-tunnel
! static route is required with crypto maps.
ip route 0.0.0.0 0.0.0.0 195.194.252.157
!
! NOTE(review): plain 'ip http server' is enabled alongside secure-server. Both are
! restricted by access-class 23, but no 'access-list 23' appears in the pasted
! config; an undefined access-class ACL typically restricts nothing - confirm on the
! device and consider disabling the plaintext server.
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! NAT only for traffic that route-map SDM_RMAP_1 / ACL 104 permits; ACL 104 denies
! the VPN flows so they are not translated before encryption.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
! ACL 100 - inbound on Vlan1: drop spoofed sources (the WAN /30, broadcast,
! loopback); DNS from 10.0.0.4 and everything else from the LAN is permitted.
access-list 100 remark firewall configuration
access-list 100 remark Category=1
access-list 100 permit udp host 10.0.0.4 eq domain any
access-list 100 deny ip 195.194.252.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 - inbound on FastEthernet4. Evaluated for the outer (encrypted) packets
! and again for the decrypted inner packets. Order: VPN-client pool addresses (ahead
! of the private-range denies so decrypted client traffic is admitted), IKE /
! NAT-T / ESP / AH from any source (needed for clients with dynamic addresses) and
! from the two peers, then the decrypted site-to-site flows ("IPSec Rule" lines).
! Those inner-flow entries only allow remote sites -> 10.0.0.0/24; a branch-to-branch
! flow (10.0.1.0/24 <-> 10.0.3.x) would also be dropped here.
access-list 101 remark firewall configuration
access-list 101 remark Category=1
access-list 101 permit ip host 10.0.0.100 any
access-list 101 permit ip host 10.0.0.101 any
access-list 101 permit ip host 10.0.0.102 any
access-list 101 permit ip host 10.0.0.103 any
access-list 101 permit ip host 10.0.0.104 any
access-list 101 permit ip host 10.0.0.105 any
access-list 101 permit udp any host 195.194.252.158 eq non500-isakmp
access-list 101 permit udp any host 195.194.252.158 eq isakmp
access-list 101 permit esp any host 195.194.252.158
access-list 101 permit ahp any host 195.194.252.158
access-list 101 remark IPSec Rule
access-list 101 permit ip host 10.0.3.1 10.0.0.0 0.0.0.255
access-list 101 permit ip host 10.0.3.2 10.0.0.0 0.0.0.255
access-list 101 permit ip host 10.0.3.3 10.0.0.0 0.0.0.255
access-list 101 permit udp host 178.107.18.162 host 195.194.252.158 eq non500-isakmp
access-list 101 permit udp host 178.107.18.162 host 195.194.252.158 eq isakmp
access-list 101 permit esp host 178.107.18.162 host 195.194.252.158
access-list 101 permit ahp host 178.107.18.162 host 195.194.252.158
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp host 212.145.31.26 host 195.194.252.158 eq non500-isakmp
access-list 101 permit udp host 212.145.31.26 host 195.194.252.158 eq isakmp
access-list 101 permit esp host 212.145.31.26 host 195.194.252.158
access-list 101 permit ahp host 212.145.31.26 host 195.194.252.158
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host 195.194.252.158
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
! ACL 102 / 103 - crypto ACLs (what each tunnel encrypts). They have to be the exact
! mirror image of the crypto ACL on the corresponding remote router.
access-list 102 remark Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 host 10.0.3.1
access-list 103 permit ip 10.0.0.0 0.0.0.255 host 10.0.3.2
access-list 103 permit ip 10.0.0.0 0.0.0.255 host 10.0.3.3
! ACL 104 - NAT selector used by route-map SDM_RMAP_1: 'deny' = do not translate
! (VPN client addresses and the site-to-site flows), everything else from the LAN
! is NATed.
access-list 104 remark Category=2
access-list 104 deny ip any host 10.0.0.100
access-list 104 deny ip any host 10.0.0.101
access-list 104 deny ip any host 10.0.0.102
access-list 104 deny ip any host 10.0.0.103
access-list 104 deny ip any host 10.0.0.104
access-list 104 deny ip any host 10.0.0.105
access-list 104 remark IPSec Rule
access-list 104 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 10.0.0.0 0.0.0.255 host 10.0.3.1
access-list 104 deny ip 10.0.0.0 0.0.0.255 host 10.0.3.2
access-list 104 deny ip 10.0.0.0 0.0.0.255 host 10.0.3.3
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
banner login ^C Just for authorized users!!! ^C
!
! NOTE(review): the vty lines accept telnet as well as ssh, so the privilege-15
! credentials can be sent in cleartext; no access-class limits where sessions may
! come from. Restricting to 'transport input ssh' is the usual hardening step.
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
>>sh run
>В смысле, это конфиг роутера основного офиса.