URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 17076

Original message
"VPN access to the LAN through a Cisco 2811 help"

Posted by inkko, 02-Sep-08 19:07
Hello everyone. This is my first time dealing with Cisco equipment; I need to set up access to the IP addresses of the local network for remote clients that use the Cisco VPN client.

Equipment in our office:
c2811 (IOS c2800nm-advsecurityk9-mz.124-20.YA.bin)
2 x c3560
13 x c2960

I have replaced the IP addresses with similar-looking ones.

The network consists of 4 segments:
10.24.17.0
10.24.18.0
10.24.19.0
10.24.20.0
The last one holds the servers; it is also vlan1, and that is where access to the servers needs to be provided.

As I understand it, all of this has to be done on the c2811...
I found similar situations through search, but it is hard to do it yourself when you understand little of this and are at the wheel for the first time....

In my view the config contains a lot of unnecessary and unclear stuff... please help me figure it out.


Code:
Building configuration...

Current configuration : 6235 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname c2811
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-20.YA.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
enable password 7 02050D480809
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network groupauthor local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone EKB 5
!
dot11 syslog
no ip subnet-zero
ip source-route
!
!
no ip cef
!
!
ip domain name
ip name-server 92.193.150.129
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group vpnclient
!
!
!
!
!
!
username vpnclient privilege 7 password 7 15041B02072622212627
username admin privilege 15 password 7 0005170B0D55080104231E1A
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key vpnclient
dns 10.24.20.7
domain *****
pool SDM_POOL_1
acl 151
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group vpnclient
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set myset
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map IPSEC client authentication list userauthen
crypto map IPSEC isakmp authorization list groupauthor
crypto map IPSEC client configuration address respond
crypto map IPSEC 20 ipsec-isakmp
! Incomplete
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
bba-group pppoe pppoex
virtual-template 1
!
!
interface Loopback0
ip address 10.24.24.1 255.255.255.0
!
interface FastEthernet0/0
ip address 92.193.150.150 255.255.255.224
ip access-group 100 in
ip access-group 23 out
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
description $ETH-LAN$
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface Virtual-Template1
ip address 10.24.22.1 255.255.255.0
ip access-group 102 in
ip access-group 23 out
peer default ip address pool pixpool
ppp authentication pap
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
ip address 10.24.20.4 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool ippool 10.24.22.50 10.24.22.100
ip local pool SDM_POOL_1 10.24.24.5 10.24.24.55
ip default-gateway 92.193.150.129
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 92.193.150.129
ip route 10.24.17.0 255.255.255.0 10.24.20.1
ip route 10.24.18.0 255.255.255.0 10.24.20.1
ip route 10.24.19.0 255.255.255.0 10.24.20.1
ip route 10.24.21.0 255.255.255.0 10.24.20.1
ip route 10.24.22.0 255.255.255.0 Vlan1
ip route 10.24.24.0 255.255.255.0 10.24.20.1
!
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.24.20.6 22 92.193.150.150 22 extendable
ip nat inside source static tcp 10.24.20.6 25 92.193.150.150 25 extendable
ip nat inside source static tcp 10.24.20.7 3389 92.193.150.150 3389 extendable
!
ip access-list extended NAT
permit ip 10.24.20.0 0.0.0.255 any
permit ip 10.24.19.0 0.0.0.255 any
permit ip 10.24.18.0 0.0.0.255 any
permit ip 10.24.17.0 0.0.0.255 any
permit ip any 10.24.20.0 0.0.0.255
ip access-list extended sdm_fastethernet0/0.1_in
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_fastethernet0/1.1_in
remark SDM_ACL Category=1
permit ip any any
!
logging history notifications
logging trap notifications
logging source-interface FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit any
access-list 11 remark SDM_ACL Category=16
access-list 11 permit any
access-list 23 remark SDM_ACL Category=17
access-list 23 permit any log
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any host 92.193.150.150 eq non500-isakmp
access-list 100 permit udp any host 92.193.150.150 eq isakmp
access-list 100 permit esp any host 92.193.150.150
access-list 100 permit ahp any host 92.193.150.150
access-list 100 permit ip any any log
access-list 101 permit ip any any log
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 10.24.22.1 eq non500-isakmp
access-list 102 permit udp any host 10.24.22.1 eq isakmp
access-list 102 permit esp any host 10.24.22.1
access-list 102 permit ahp any host 10.24.22.1
access-list 102 permit ip any any log
access-list 111 remark
access-list 111 permit ip any any log
access-list 151 remark 151
access-list 151 remark SDM_ACL Category=4
access-list 151 permit ip any any
!
!
!
route-map NAT permit 10
match ip address NAT
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
time-range WORKTIME
periodic weekdays 9:00 to 18:00
!
end

ICQ:99506392

Thanks in advance.



Messages in this discussion
"VPN access to the LAN through a Cisco 2811 help"
Posted by AB, 03-Sep-08 13:52

>enable password 7 02050D480809

This needs to be removed when posting configs.

And showing real addresses is bad too!


"VPN access to the LAN through a Cisco 2811 help"
Posted by Shutov, 05-Sep-08 12:09
//enable NAT-T
crypto ipsec nat-transparency udp-encapsulation

//Dead peer detection
crypto isakmp keepalive 20 10

aaa authentication login VpnClientAuth local
aaa authorization network VpnClientAuthor local

ip local pool VpnClientPool 10.40.254.1 10.40.254.254

crypto isakmp policy 199
encr aes
authentication pre-share
group 2

crypto isakmp client configuration group sgbeasyvpn
key 1993199319
dns 192.168.5.6
wins 192.168.5.6
pool VpnClientPool
acl VpnClientSplitTunneling

crypto ipsec transform-set VpnClientSet esp-aes esp-md5-hmac

crypto dynamic-map VpnClientDynmap 10
set transform-set VpnClientSet
reverse-route

crypto map inetmap client authentication list VpnClientAuth
crypto map inetmap client configuration address respond
crypto map inetmap isakmp authorization list VpnClientAuthor
crypto map inetmap 99 ipsec-isakmp dynamic VpnClientDynmap


//Split tunneling
ip access-list extended VpnClientSplitTunneling
permit ip 192.168.5.0 0.0.0.255 10.40.254.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.40.254.0 0.0.0.255


//If using RADIUS
aaa group server radius VpnClientRad
server 94.86.51.6 auth-port 1645 acct-port 1646

radius-server host 94.86.51.6 auth-port 1645 acct-port 1646 key cisco

aaa authentication login VpnClientAuth group VpnClientRad


interface FastEthernet0/0
description DIT
encapsulation dot1Q 3
ip address x.x.x.x 255.255.255.192
crypto map inetmap
!
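A small config linter, added here as an example and not code from any of the posts above, that mechanically checks the three points this thread raises: AB's remark that type-7 passwords have to be stripped before a config is posted (type 7 is a reversible encoding, not a hash), the legacy 3DES/MD5 ISAKMP policy in the original config versus the AES policy in Shutov's sample, and the difference between the original's `acl 151` (`permit ip any any`, so every client packet goes through the tunnel) and Shutov's split-tunnel ACL that lists only the internal subnets. The two config excerpts are constructed from lines in the thread with the pre-shared keys replaced by placeholders; the parser assumes the flattened, unindented form in which the configs were posted and therefore closes a block at `!` or at the next top-level keyword rather than relying on leading spaces.

```python
"""Lint a Cisco IOS config excerpt for the issues discussed in this thread.
Added example, not from the original posts. Blocks are closed at '!' or at
the next top-level keyword because the posted configs lost their indentation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from inkko's config; pre-shared key replaced by a placeholder.
WEAK_CONFIG = """\
enable password 7 02050D480809
username vpnclient privilege 7 password 7 15041B02072622212627
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key PLACEHOLDER-PSK
pool SDM_POOL_1
acl 151
netmask 255.255.255.0
!
access-list 151 remark SDM_ACL Category=4
access-list 151 permit ip any any
"""

# Constructed from Shutov's reply; pre-shared key replaced by a placeholder.
HARDENED_CONFIG = """\
crypto isakmp policy 199
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group sgbeasyvpn
key PLACEHOLDER-PSK
pool VpnClientPool
acl VpnClientSplitTunneling
!
ip access-list extended VpnClientSplitTunneling
permit ip 192.168.5.0 0.0.0.255 10.40.254.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.40.254.0 0.0.0.255
"""

# Prefixes that always begin a new top-level statement in the excerpts handled here.
TOP_LEVEL = ("crypto ", "access-list ", "ip ", "username ", "enable ", "interface ", "aaa ")
LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5"}


@dataclass
class Finding:
    severity: str
    where: str
    message: str


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group lines into (header, subcommands); stand-alone statements get an empty body."""
    blocks: List[Tuple[str, List[str]]] = []
    header, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!") or line.startswith(TOP_LEVEL):
            if header is not None:
                blocks.append((header, body))
            header, body = (None, []) if line.startswith("!") else (line, [])
        elif header is not None:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks


def _sub(body: List[str], keyword: str, default: str) -> str:
    """Argument of the first subcommand starting with `keyword`, else `default`."""
    return next((b.split()[1] for b in body if b.startswith(keyword + " ")), default)


def lint(config: str) -> List[Finding]:
    findings: List[Finding] = []
    acl_entries: Dict[str, List[str]] = {}   # ACL number or name -> its entries
    group_acls: Dict[str, str] = {}          # client group -> split-tunnel ACL
    for header, body in parse_blocks(config):
        if re.search(r"\bpassword 7 \S+", header):   # AB's point: type 7 is reversible
            findings.append(Finding("high", header,
                "type-7 password is reversibly encoded; strip it before sharing the config"))
        if header.startswith("crypto isakmp policy"):
            encr = _sub(body, "encr", "des")          # IOS defaults when the line is omitted
            hsh = _sub(body, "hash", "sha")
            if encr in LEGACY_ENCR or hsh in LEGACY_HASH:
                findings.append(Finding("medium", header,
                    f"legacy ISAKMP algorithms encr={encr} hash={hsh}; prefer aes/sha"))
        if header.startswith("crypto isakmp client configuration group"):
            acl = _sub(body, "acl", "")
            if acl:
                group_acls[header.split()[-1]] = acl
        m = re.match(r"access-list (\S+) ((?:permit|deny) .*)", header)   # numbered ACL entry
        if m:
            acl_entries.setdefault(m.group(1), []).append(m.group(2))
        if header.startswith("ip access-list"):                            # named ACL block
            acl_entries.setdefault(header.split()[-1], []).extend(body)
    # A client-group ACL of 'permit ip any any' tunnels everything: full tunnel, not split.
    for group, acl in group_acls.items():
        if "permit ip any any" in acl_entries.get(acl, []):
            findings.append(Finding("low", f"client group {group}",
                f"ACL {acl} is 'permit ip any any': all client traffic is tunnelled, not split"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for f in lint(cfg):
            print(f"  [{f.severity}] {f.where}: {f.message}")
```

Run against the first excerpt the linter reports two type-7 secrets, the 3DES/MD5 policy and the full-tunnel ACL; against the excerpt built from Shutov's reply it reports nothing. The block-closing rule is the one assumption worth keeping in mind: on a config that still carries its indentation, subcommands such as `ip address` inside an `interface` block would be mistaken for top-level lines, so the parser should then key on leading whitespace instead.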