URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID6
Нить номер: 20802

Исходное сообщение
"Помогите пож!ipsec site-to-site c1841 pix515 одна сеть не видна"

Отправлено jon75 , 02-Апр-10 10:32 
Есть Cisco 1841 и PIX 515E, между ними работает IPsec site-to-site: за PIX локальная сеть 192.168.100.0, за 1841 — локальная сеть 192.168.129.0. Из сети 129 (за 1841) вся сеть 100 видна нормально, а вот из сети 100 пингуется только интерфейс на циске, на котором висит VLAN с сетью 129, и дальше ничего не проходит. 3 дня сижу, подскажите, что можно сделать? Я так понимаю, что нет маршрутизации между WAN и VLAN? Как быть?
Я начинающий цисковод, что-то не так сделал, наверное...
Конфиги:
1841
Building configuration...
Current configuration : 9452 bytes
!
! Last configuration change at 03:51:13 UTC Fri Apr 2 2010 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AGRouter
!
boot-start-marker

boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$pu8w$Iph4loP0V7LliCdnEgbOq.
enable password ***
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authentication login ciscocp_vpn_xauth_ml_4 local
aaa authentication enable default enable
aaa authorization network default if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
aaa authorization network ciscocp_vpn_group_ml_4 local
aaa authorization network ciscocp_vpn_group_ml_5 local
!
aaa session-id common
ip cef table adjacency-prefix validate
ip cef
!
ip domain lookup source-interface Vlan1
ip domain name agcapital.ru
ip name-server 192.168.129.9
ip name-server 192.168.129.3
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto pki server AGRouter
database archive pem password 7 1056081009021E120D
issuer-name O=**, OU=IT, CN=AGRouter, C=Ru, ST=Moscow, E=agcapital@agcapital.ru
!
crypto pki trustpoint TP-self-signed-835868044
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-835868044
revocation-check none
rsakeypair TP-self-signed-835868044
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint AGRouter
revocation-check crl
rsakeypair AGRouter
!
crypto pki certificate chain TP-self-signed-835868044
certificate self-signed 01
  *****
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain AGRouter
certificate ca 01
  ********
  quit
username admin privilege 15 secret 5 $1$vD48$UfBrRy0oh.EBhQhYuUAEm.
username kosnichev privilege 15 view root secret 5 $1$PDm0$TNoIe1fLOz0gHkTTULez7/
username sshuser privilege 15 view root secret 5 $1$ncLs$Vl3tlDgdwnlzmJYLGyBIV.
username remote1 secret 5 $1$Tvsr$ouTkZOjcUvVrIrYWyOrr5/
username remote secret 5 $1$h2yO$yHBauZJSK.gGohZ.HftFL.
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key ***** address 82.204.243.146
!
crypto ipsec security-association lifetime kilobytes 100000
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set S-T-S_TRANSFORM esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.204.243.146
set peer 82.204.243.146
set transform-set S-T-S_TRANSFORM
match address 100
reverse-route
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
ip address 213.79.90.11 255.255.255.248
ip mask-reply
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
  speed auto
  crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
vlan-id dot1q 1
  exit-vlan-config
!
interface FastEthernet0/0/1
switchport access vlan 2
switchport trunk native vlan 2
shutdown
!
interface FastEthernet0/0/2
switchport access vlan 3
!
interface FastEthernet0/0/3
switchport access vlan 4
!
interface Vlan1
ip address 192.168.129.102 255.255.255.0
ip mask-reply
ip directed-broadcast
ip nat inside
ip nat allow-static-host
ip virtual-reassembly
ip route-cache flow
!
interface Vlan2
ip address 10.77.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 10.77.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
ip address 192.168.130.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip default-gateway 213.79.90.9
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 213.79.90.9
ip route 192.168.100.0 255.255.255.0 82.204.243.146
!
ip flow-top-talkers
top 1
sort-by bytes
cache-timeout 30
!
ip http server
ip http access-class 3
ip http secure-server
ip nat inside source route-map SDM_RMAP_11 interface FastEthernet0/1 overload
!
ip access-list standard vty_out
remark vty outdound polisy
remark CCP_ACL Category=1
permit any log
!
access-list 3 permit 83.204.243.146
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 0.0.0.0 0.255.255.255
access-list 3 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 100 permit ip 192.168.129.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 remark CCP_ACL Category=18
access-list 102 deny   ip 192.168.129.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.129.0 0.0.0.255 any
snmp-server community 1 RO
!
route-map SDM_RMAP_11 permit 1
match ip address 102
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map mol permit 10
!
control-plane
!
line con 0
line aux 0
transport input all
transport output all
line vty 0 4
session-timeout 15
notify
transport input telnet ssh
transport output telnet ssh
line vty 5 807
session-timeout 15
notify
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178591
ntp update-calendar
ntp server 83.229.210.18 source FastEthernet0/1
ntp server 62.117.76.142 source FastEthernet0/1
end
_________

pix

: Saved
:
PIX Version 8.0(4)32
!
hostname agpix
domain-name agcapital.ru
enable password /BbXQlNXkwDvseTM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.129.102 AGRouter
name 192.168.100.100 molserv.agmol.mos
!
interface Ethernet0
nameif outside
security-level 0
ip address 82.204.243.146 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 83.242.139.10
name-server 83.242.140.10
name-server molserv.agmol.mos
domain-name agcapital.ru
same-security-traffic permit intra-interface
access-list s-t-s_acl extended permit ip 192.168.100.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list s-t-s_acl extended permit ip 192.168.129.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ACCESSNAT extended permit ip 192.168.100.0 255.255.255.0 any log
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image flash:/asdm-61557.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 82.204.243.145 1
route outside 192.168.129.0 255.255.255.0 213.79.90.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication secure-http-client
aaa authentication listener http inside port www
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.106 255.255.255.255 inside
http 192.168.100.0 255.255.255.255 inside
http 192.168.129.0 255.255.255.0 inside
http 192.168.100.251 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set s-t-s esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 100000
crypto map s-t-s_map 10 match address s-t-s_acl
crypto map s-t-s_map 10 set peer 213.79.90.11
crypto map s-t-s_map 10 set transform-set s-t-s
crypto map s-t-s_map 10 set reverse-route
crypto map s-t-s_map interface outside
crypto ca trustpoint agcapital.mos
revocation-check crl
crl configure
crypto ca trustpoint AGRouter
enrollment terminal
subject-name cn=AGRouter,ou=IT,o=*,st=Moscow,c=Ru
serial-number
password *
id-usage ssl-ipsec code-signer
crl configure
crypto ca trustpoint virt2.agcapital.mos
enrollment terminal
crl configure
crypto ca certificate map DefaultCertificateMap 1
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 null-sha1
ssl trust-point AGRouter inside
ssl certificate-authentication interface inside port 443
username admin password c2NRrs0Ovu4Lznjx encrypted privilege 15
tunnel-group 213.79.90.11 type ipsec-l2l
tunnel-group 213.79.90.11 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d8d06522f1e51d28f819aaabebd93fd2
: end

"Помогите пож!ipsec site-to-site c1841 pix515 одна сеть не ви..."
Отправлено jon75 , 02-Апр-10 13:27 
Господа! Проблема решена.
На конечной машине адрес циски (192.168.129.102) должен быть прописан как шлюз — иначе ответные пакеты в сеть 192.168.100.0 уходят не на 1841 и в туннель не попадают.