URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID6
Нить номер: 18340
[ Назад ]

Исходное сообщение
"Easy VPN cant acces LAN"

Отправлено abalamut , 03-Мрт-09 19:17 
Здравствуйте
Есть Cisco 1811 Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
Настраивал с мощью SDM. Поднял Easy VPN Server. Могу коннектиться но не имею доступа к тому что внутри.
Подскажите что не так?

Current configuration : 10088 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$8ujH$vKMfBpHdqzcLkpilvA3kt0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3036036324
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3036036324
revocation-check none
rsakeypair TP-self-signed-3036036324
!
!
crypto pki certificate chain TP-self-signed-3036036324
certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303336 30333633 3234301E 170D3039 30333033 31343336
  30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30333630
  33363332 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A7E4 8783DC34 625A836B 3500E57A E874620C 9BC44D61 8B61352D E28A23BE
  F93B5666 5C932621 553034E6 80A0C530 8C64FF89 65C5ACC4 DA7175BB 0ADE3FB9
  7354A54D 8A24A018 CE09A6C8 86733504 E5C56643 0FDD5EEE DE3DF60F 916F8C7A
  B4F6F1EB 50EBEE8F B3CB4438 88FA37EF D1E212A1 0AA38FA0 2ADCED65 B604C365
  05C10203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
  551D1104 1C301A82 18636973 636F3138 31312E79 6F757264 6F6D6169 6E2E636F
  6D301F06 03551D23 04183016 8014E0C5 5723270A 83696554 6394A25F 54634671
  0D48301D 0603551D 0E041604 14E0C557 23270A83 69655463 94A25F54 6346710D
  48300D06 092A8648 86F70D01 01040500 03818100 76647A1B 3E0AC13E 47B9E8BC
  187519B6 BC352604 D18E333C AF31184B 29C4E628 F87EB100 F982E5C2 68707BA2
  9998AD57 611EBA4B 026C2481 31DC8CD7 69030562 69188890 814333AA 86B310E1
  627E37EA 7CF8C71C D56B9F47 735D57B1 BB021120 F01CFA56 4DFE1982 7DF71B4D
  BFE7CA66 2A2391BC 8E66802F 9CC1855F 3CA9C225
      quit
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip port-map user-ctcp-ezvpnsvr port tcp 10000
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username apronin privilege 15 secret 5 $1$dxA.$ol2ST/LHMrMJpc.TtOybi/
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key exchange
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match protocol user-ctcp-ezvpnsvr
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface Loopback0
ip address 192.168.6.1 255.255.255.248
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 192.168.5.90 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool SDM_POOL_1 192.168.7.1 192.168.7.6
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.5.5
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet0 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
no cdp run

!
!
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler interval 500
end


Содержание

Сообщения в этом обсуждении
"Разобрался"
Отправлено abalamut , 04-Мрт-09 09:00 
Разобрался, надо было сделать сплит тунель