Good day, everyone. We have the following network layout:
192.168.3.x - router 1841 - xxx.xxx.xxx.xxx - provider
on one side, and
192.168.9.x - router 3825 - yyy.yyy.yyy.yyy - provider
on the other. At the moment crypto maps are bound to the external interfaces on both boxes, and the LANs talk to each other over an IPsec site-to-site tunnel. To increase throughput, the provider allocated an additional port on each side, with addresses of the form 192.167.100.6 (gateway 192.167.100.5) for the first box and 192.167.100.2 (gateway 192.167.100.1) for the second.
That is, the traffic that used to go into the tunnel now needs to be steered onto the physical port. Could you point me to a manual on configuring such a scheme? I'm also interested in how to get this traffic encrypted. Of course I'd also like traffic to go back into the old tunnel when this one goes down; is that possible?
"sh ver" and "sh run" from the second box. On the first one everything is identical, just with fewer tunnels.
cisco3825#sh ver
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(22)T,
RELEASE SOFTWARE (fc1)
Building configuration...
Current configuration : 22058 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco3825
!
boot-start-marker
boot system flash:c3825-adventerprisek9-mz.124-22.T.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$YBWH$EUoUVVUcDycLaGKpZ3lFn.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name XXX.ru
ip name-server 192.168.9.1
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ips config location flash:/ips5/ retries 1
ip ips name IPS1
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
ip inspect name OUT_LOW cuseeme
ip inspect name OUT_LOW dns
ip inspect name OUT_LOW ftp
ip inspect name OUT_LOW h323
ip inspect name OUT_LOW https
ip inspect name OUT_LOW icmp
ip inspect name OUT_LOW imap
ip inspect name OUT_LOW pop3
ip inspect name OUT_LOW netshow
ip inspect name OUT_LOW rcmd
ip inspect name OUT_LOW realaudio
ip inspect name OUT_LOW rtsp
ip inspect name OUT_LOW esmtp
ip inspect name OUT_LOW sqlnet
ip inspect name OUT_LOW streamworks
ip inspect name OUT_LOW tftp
ip inspect name OUT_LOW tcp
ip inspect name OUT_LOW udp
ip inspect name OUT_LOW vdolive
ip reflexive-list timeout 200
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
crypto pki trustpoint TP-self-signed-1773020717
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1773020717
revocation-check none
rsakeypair TP-self-signed-1773020717
!
crypto pki certificate chain TP-self-signed-1773020717
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31373733 30323037 3137301E 170D3038 31313036 32333130
33305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37373330
32303731 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009614 32F30347 97A85032 DEB2482C D8A44212 B9AD31F9 D5F4496F 2C1D3E75
C0275E2A 265AD9F5 475E7860 D87A1A51 8870E4E7 C1A0CA5D B426EF57 19F164FC
B37BFD1C 1280295F 2587533B C6ABA39F 50304832 841C7765 4F60A532 D041816A
23B19C60 C19C0B95 49B21A53 FEF3259E 4654AD21 72CD0B85 F6935D31 0E930569
78770203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13636973 636F3338 32352E7A 616F746D 6B2E7275 301F0603
551D2304 18301680 14FC2F90 6310B619 0BAB2B78 ED2CFE0A D68DE716 87301D06
03551D0E 04160414 FC2F9063 10B6190B AB2B78ED 2CFE0AD6 8DE71687 300D0609
2A864886 F70D0101 04050003 81810029 F182434C E34C9309 82325242 C916D996
D7A2FFCF 82260F0B 236E33E1 1B76A9F0 DB4B2751 39D2E795 B02AD923 3A890C2B
A55F29B9 134A5476 DC54CEA7 671A3C5E 3D3E107F 2D92917B 02207262 E9AF72C0
2FFD27D0 E1F61329 9C5E347D A0441EBF 9B82E0A4 C1F8B3CF 9320DF3C 17C4DFF2
333D830D 40BBA51A B306DC8A 52C08C
quit
!
username 1 privilege 15 secret 5 $1$Fdyo$BYUB6BVEQtFLVXXNTEb1N/
username 1 privilege 15 secret 5 $1$wbZS$ZuQluKzrLSA112Ckf8i9q1
username 1 secret 5 $1$NkyQ$1mN6eGZKQajBI.bCX4p4p1
username 1 secret 5 $1$X/1d$ALGAVEnB5USIK03oZeGiz0
username 1 secret 5 $1$9e0b$Ne.HZgKUrsNIVETAPVxE71
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr 3des
group 2
crypto isakmp key KEY address 111.111.111.111
crypto isakmp key KEY address 222.222.222.222 no-xauth
crypto isakmp key KEY address XXX.XXX.XXX.XXX no-xauth
crypto isakmp key KEY address ZZZ.ZZZ.ZZZ.ZZZ no-xauth
crypto isakmp key KEY address TTT.TTT.TTT.TTT no-xauth
crypto isakmp key KEY address FFF.FFF.FFF.FFF
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group vpn
key KEY
dns 192.168.9.1 192.168.3.1
domain XXX.ru
pool SDM_POOL_1
acl 106
save-password
include-local-lan
netmask 255.255.255.0
banner ^CWelcome to Company Network ^C
crypto isakmp profile sdm-ike-profile-1
match identity group vpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
keepalive 30 retry 2
virtual-template 1
!
crypto ipsec transform-set popova esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set neftevetka esp-3des esp-md5-hmac
crypto ipsec transform-set svetlanskaya esp-3des esp-md5-hmac
crypto ipsec transform-set dobropolye esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
set transform-set popova neftevetka ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to XXX.XXX.XXX.XXX
set peer XXX.XXX.XXX.XXX
set transform-set popova
set pfs group2
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to neftevetka
set peer 111.111.111.111
set peer ZZZ.ZZZ.ZZZ.ZZZ
set peer TTT.TTT.TTT.TTT
set transform-set neftevetka
set pfs group2
match address 107
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to FFF.FFF.FFF.FFF
set peer FFF.FFF.FFF.FFF
set transform-set dobropolye
set pfs group2
match address 110
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
address 208.69.34.132
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
ip tcp synwait-time 10
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
interface Loopback0
description Do not delete - SDM WebVPN generated interface
ip address 192.168.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0
description Local$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-LAN$$FW_INSIDE$
ip address 192.168.9.4 255.255.255.0
ip access-group 100 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
description Rostelekom$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address YYY.YYY.YYY.YYY 255.255.255.252
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip ips IPS1 in
ip inspect OUT_LOW out
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
description $ETH-LAN$
ip address 192.168.11.4 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/2/0
description $ETH-WAN$
no ip address
shutdown
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/2/1
description $ETH-LAN$
ip address 192.167.100.2 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Async0/1/0
no ip address
encapsulation slip
!
interface Async0/1/1
no ip address
encapsulation slip
!
interface Async0/3/0
no ip address
encapsulation slip
!
interface Async0/3/1
no ip address
encapsulation slip
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip inspect OUT_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname pppoe-uss-
ppp chap password 7 075F731F175D4D53444A5E59
ppp pap sent-username pppoe-uss- password 7 035409585F5B751A1D514C50
!
ip local pool SDM_POOL_1 192.168.12.1 192.168.12.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYZ track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 100 track 2
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export version 9
ip flow-export destination 192.168.11.10 9996
!
ip nat inside source static tcp 192.168.9.1 4899 interface GigabitEthernet0/1 4899
ip nat inside source static tcp 192.168.9.149 34801 interface GigabitEthernet0/1 34801
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.11.10 21 YYY.YYY.YYY.YYY 21 route-map RMAP_ftp extendable
ip nat inside source static tcp 192.168.11.10 25 YYY.YYY.YYY.YYY 25 route-map RMAP_25 extendable
ip nat inside source static tcp 192.168.11.10 80 YYY.YYY.YYY.YYY 80 route-map RMAP_WWW extendable
ip nat inside source static tcp 192.168.11.10 110 YYY.YYY.YYY.YYY 110 route-map RMAP_110 extendable
ip nat inside source static tcp 192.168.11.10 443 YYY.YYY.YYY.YYY 443 route-map RMAP_443 extendable
ip nat inside source static tcp 192.168.11.10 3000 YYY.YYY.YYY.YYY 3000 route-map RMAP_3000 extendable
ip nat inside source static tcp 192.168.1.1 443 YYY.YYY.YYY.YYY 4443 extendable
!
ip access-list extended inlist_rostelekom
permit icmp any host YYY.YYY.YYY.YYY
permit tcp any host YYY.YYY.YYY.YYY eq 443
permit tcp any host YYY.YYY.YYY.YYY eq 4443
permit udp any host YYY.YYY.YYY.YYY eq non500-isakmp
permit udp any host YYY.YYY.YYY.YYY eq isakmp
permit esp any host YYY.YYY.YYY.YYY
permit ahp any host YYY.YYY.YYY.YYY
permit udp host 207.46.197.32 eq ntp host YYY.YYY.YYY.YYY eq ntp
permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
permit tcp any host YYY.YYY.YYY.YYY eq 4899
permit tcp any host YYY.YYY.YYY.YYY eq www
permit tcp any host YYY.YYY.YYY.YYY eq ftp
permit tcp any host YYY.YYY.YYY.YYY eq pop3
permit tcp any host YYY.YYY.YYY.YYY eq smtp
permit tcp any host YYY.YYY.YYY.YYY eq 8080
permit tcp any host YYY.YYY.YYY.YYY eq 1494
deny ip 192.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
evaluate tmplist
deny ip any any log
ip access-list extended outlist
permit tcp any any reflect tmplist timeout 300
permit ip any any
!
ip sla 1
icmp-echo YYY.YYY.YYY.YYY source-interface GigabitEthernet0/1
timeout 2000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 212.122.1.2 source-interface Dialer0
timeout 2000
frequency 3
ip sla schedule 2 life forever start-time now
logging 192.168.9.1
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.255.255
access-list 100 remark inbound local net
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.9.4 eq telnet
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.9.4 eq 22
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.9.4 eq www
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.9.4 eq 443
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 192.168.9.4 eq cmd
access-list 100 deny tcp any host 192.168.9.4 eq telnet
access-list 100 deny tcp any host 192.168.9.4 eq 22
access-list 100 deny tcp any host 192.168.9.4 eq www
access-list 100 deny tcp any host 192.168.9.4 eq 443
access-list 100 deny tcp any host 192.168.9.4 eq cmd
access-list 100 deny udp any host 192.168.9.4 eq snmp
access-list 100 permit udp host 192.168.9.1 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark SDM_ACL Category=18
access-list 104 deny ip 192.168.11.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 104 deny ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny ip 192.168.9.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 192.168.9.0 0.0.0.255 any
access-list 104 permit ip 192.168.11.0 0.0.0.255 any
access-list 105 remark Inbound Rostelecom
access-list 105 remark SDM_ACL Category=17
access-list 105 permit ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 permit ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 105 permit udp host FFF.FFF.FFF.FFF host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp host FFF.FFF.FFF.FFF host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp host FFF.FFF.FFF.FFF host YYY.YYY.YYY.YYY
access-list 105 permit ahp host FFF.FFF.FFF.FFF host YYY.YYY.YYY.YYY
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 permit udp host ZZZ.ZZZ.ZZZ.ZZZ host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp host ZZZ.ZZZ.ZZZ.ZZZ host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp host ZZZ.ZZZ.ZZZ.ZZZ host YYY.YYY.YYY.YYY
access-list 105 permit ahp host ZZZ.ZZZ.ZZZ.ZZZ host YYY.YYY.YYY.YYY
access-list 105 permit udp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY
access-list 105 permit ahp host XXX.XXX.XXX.XXX host YYY.YYY.YYY.YYY
access-list 105 permit ip 192.168.14.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 105 permit udp host 333.333.333.333 host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp host 333.333.333.333 host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp host 333.333.333.333 host YYY.YYY.YYY.YYY
access-list 105 permit ahp host 333.333.333.333 host YYY.YYY.YYY.YYY
access-list 105 remark icmp
access-list 105 permit icmp any host YYY.YYY.YYY.YYY
access-list 105 permit udp host 222.222.222.222 host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp host 222.222.222.222 host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp host 222.222.222.222 host YYY.YYY.YYY.YYY
access-list 105 permit ahp host 222.222.222.222 host YYY.YYY.YYY.YYY
access-list 105 permit udp host 111.111.111.111 host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp host 111.111.111.111 host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp host 111.111.111.111 host YYY.YYY.YYY.YYY
access-list 105 permit ahp host 111.111.111.111 host YYY.YYY.YYY.YYY
access-list 105 remark TORENT
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq 34801
access-list 105 remark icmp
access-list 105 permit icmp any host YYY.YYY.YYY.YYY echo-reply
access-list 105 remark icmp
access-list 105 permit icmp any host YYY.YYY.YYY.YYY time-exceeded
access-list 105 remark icmp
access-list 105 permit icmp any host YYY.YYY.YYY.YYY unreachable
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq 443
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq 4443
access-list 105 permit udp any host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp any host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp any host YYY.YYY.YYY.YYY
access-list 105 permit ahp any host YYY.YYY.YYY.YYY
access-list 105 remark time.windows.com
access-list 105 permit udp host 207.46.197.32 eq ntp host YYY.YYY.YYY.YYY eq ntp
access-list 105 remark IPSec Rule POPOVA
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 105 remark IPSec Rule POPOVA
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 remark IPSec Rule NEFTEVETKA
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 105 remark Radmin
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq 4899
access-list 105 remark WWW
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq www
access-list 105 remark ftp
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq ftp
access-list 105 remark pop3
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq pop3
access-list 105 remark smtp
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq smtp
access-list 105 remark citrix www
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq 8080
access-list 105 remark citrix
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq 1494
access-list 105 remark WebMail
access-list 105 permit tcp any host YYY.YYY.YYY.YYY eq 3000
access-list 105 permit udp host TTT.TTT.TTT.TTT host YYY.YYY.YYY.YYY eq non500-isakmp
access-list 105 permit udp host TTT.TTT.TTT.TTT host YYY.YYY.YYY.YYY eq isakmp
access-list 105 permit esp host TTT.TTT.TTT.TTT host YYY.YYY.YYY.YYY
access-list 105 permit ahp host TTT.TTT.TTT.TTT host YYY.YYY.YYY.YYY
access-list 105 deny ip 192.0.0.0 0.255.255.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip any any
access-list 106 remark EasyVPNServer
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.9.0 0.0.0.255 any
access-list 106 permit ip 192.168.3.0 0.0.0.255 any
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 remark Route_Map_Web
access-list 108 remark SDM_ACL Category=2
access-list 108 permit tcp any host YYY.YYY.YYY.YYY eq www
access-list 108 deny ip any any
access-list 109 remark Route_Map_443
access-list 109 remark SDM_ACL Category=2
access-list 109 permit tcp any host YYY.YYY.YYY.YYY eq 443
access-list 109 deny ip any any
access-list 110 remark SDM_ACL Category=4
access-list 110 permit ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 remark Route_Map_3000
access-list 111 remark SDM_ACL Category=2
access-list 111 permit tcp any host YYY.YYY.YYY.YYY eq 3000
access-list 111 deny ip any any
access-list 112 remark Route_Map_25
access-list 112 remark SDM_ACL Category=2
access-list 112 permit tcp any host YYY.YYY.YYY.YYY eq smtp
access-list 112 deny ip any any
access-list 113 remark Route_Map_110
access-list 113 remark SDM_ACL Category=2
access-list 113 permit tcp any host YYY.YYY.YYY.YYY eq pop3
access-list 113 deny ip any any
access-list 114 remark Route_Map_21
access-list 114 remark SDM_ACL Category=2
access-list 114 permit tcp any host YYY.YYY.YYY.YYY eq ftp
access-list 114 deny ip any any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
route-map RMAP_WWW permit 1
match ip address 108
!
route-map RMAP_ftp permit 1
match ip address 114
!
route-map RMAP_3000 permit 1
match ip address 111
!
route-map RMAP_25 permit 1
match ip address 112
!
route-map RMAP_110 permit 1
match ip address 113
!
route-map RMAP_443 permit 1
match ip address 109
!
route-map DSL_RMAP_1 permit 1
match ip address 104
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
control-plane
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line 0/1/0 0/1/1
stopbits 1
speed 115200
flowcontrol hardware
line 0/3/0 0/3/1
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
access-class 101 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 102 in
privilege level 15
transport input telnet
!
scheduler allocate 20000 1000
!
webvpn gateway XXX
ip address YYY.YYY.YYY.YYY port 443
http-redirect port 8081
ssl trustpoint TP-self-signed-1773020717
inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install csd flash:/webvpn/sdesktop.pkg
end
sh ip route
192.168.12.0/32 is subnetted, 2 subnets
S 192.168.12.44 [1/0] via 93.88.215.129, Virtual-Access4
S 192.168.12.43 [1/0] via 94.28.108.86, Virtual-Access3
C 192.168.9.0/24 is directly connected, GigabitEthernet0/0
C 192.168.11.0/24 is directly connected, FastEthernet0/0/0
94.0.0.0/30 is subnetted, 1 subnets
C YYY.YYY.YYY.YYX is directly connected, GigabitEthernet0/1
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.0 is directly connected, Loopback0
192.167.100.0/30 is subnetted, 1 subnets
C 192.167.100.0 is directly connected, FastEthernet0/2/1
S* 0.0.0.0/0 [1/0] via YYY.YYY.YYY.YYZ
I tried pings straight from the Cisco:
cisco3825#ping 192.167.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.167.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
cisco3825#ping 192.167.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.167.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
cisco3825#ping 192.167.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.167.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
As you can see, it doesn't get any further than the gateway toward its IP.
From a client in the 192.168.9.x network it doesn't get beyond its IP either.
Help me out, friends.
I would build 2 tunnels (1 old, the second new) with GRE, run EIGRP inside the network (personally I like it more than OSPF), do the load balancing with variance (if the links' bandwidths are unequal), and encrypt the tunnels themselves with crypto profiles.
>I would build 2 tunnels (1 old, the second new) with GRE,
>run EIGRP inside the network (personally I like it more than OSPF), do the load balancing
>with variance (if the links' bandwidths are unequal), and encrypt the tunnels themselves
>with crypto profiles.
Point me at some configuration examples. I haven't dealt with GRE before; maybe a piece of config based on my setup?
As for the ping: why doesn't it get past the next hop? We initially put laptops on both sides to measure the link bandwidth with iperf (to check the provider). Everything pings in both directions.
>>I would build 2 tunnels (1 old, the second new) with GRE,
>>run EIGRP inside the network (personally I like it more than OSPF), do the load balancing
>>with variance (if the links' bandwidths are unequal), and encrypt the tunnels themselves
>>with crypto profiles.
>
>Point me at some configuration examples. I haven't dealt with GRE before; maybe a piece
>of config based on my setup?
>As for the ping: why doesn't it get past the next hop? We initially put laptops on
>both sides to measure the link bandwidth with iperf (to check the provider). Everything pings
>in both directions.
For now I've steered the traffic into the tunnel by configuring routes on both Ciscos. Explain to me how to wrap them into IPsec properly.
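Added example (written for this thread; it is not from any of the posts above and not a Cisco document): a configuration fragment for the cisco3825 side that does what the original question and the post just above ask for, and follows the first reply's suggestion of protecting a GRE tunnel with a crypto profile. Traffic for 192.168.3.0/24 is sent over a GRE tunnel on the new provider port, the GRE packets are encrypted with "tunnel protection", and when the tunnel's far end stops answering an IP SLA probe the route is withdrawn so the traffic falls back to the default route and the existing crypto map. Assumptions, not taken from the thread: the tunnel subnet 10.255.0.0/30, the pre-shared key placeholder NEW_LINK_KEY, and that the provider routes the far-side /30 (192.167.100.4/30) behind 192.167.100.1. Interface names, addresses, transform-set ESP-3DES-SHA, ACL 103 and crypto map SDM_CMAP_1 are the ones in the posted config.

```cisco
! --- cisco3825 (192.168.9.0/24 side); the 1841 gets the mirror image ---
!
! Phase 1: the new peer reuses the existing "crypto isakmp policy 1".
! NEW_LINK_KEY is a placeholder, not a real key.
crypto isakmp key NEW_LINK_KEY address 192.167.100.6
!
! Phase 2: "tunnel protection" attaches an IPsec profile, not a crypto map.
! ESP-3DES-SHA is the transform-set already present in the posted config.
crypto ipsec profile GRE_PROT
 set transform-set ESP-3DES-SHA
 set pfs group2
!
! The posted "sh ip route" has no entry for the far side's /30, so a ping to
! 192.167.100.5 or .6 follows the default route out GigabitEthernet0/1.
! Assumption: the provider reaches 192.167.100.4/30 via 192.167.100.1.
ip route 192.167.100.4 255.255.255.252 192.167.100.1
!
! GRE tunnel across the new link. 10.255.0.0/30 is a constructed tunnel
! subnet (the 1841 takes 10.255.0.1). FastEthernet0/2/1 has no crypto map,
! so the only encryption of the GRE packets is the profile bound here.
interface Tunnel1
 description GRE over IPsec to the 1841 across the second provider link
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/2/1
 tunnel destination 192.167.100.6
 tunnel mode gre ip
 tunnel protection ipsec profile GRE_PROT
!
! Liveness check through the tunnel itself: if ESP stops flowing, the far
! tunnel address stops answering and track 3 goes down.
ip sla 3
 icmp-echo 10.255.0.1 source-interface Tunnel1
 timeout 1000
 frequency 5
ip sla schedule 3 life forever start-time now
track 3 ip sla 3 reachability
!
! Primary path for the remote LAN. While track 3 is up this route wins;
! when it is withdrawn, 192.168.3.0/24 falls back to the default route via
! GigabitEthernet0/1, where crypto map SDM_CMAP_1 entry 1 (ACL 103) still
! matches 192.168.9.0/24 -> 192.168.3.0/24 and the old site-to-site SA
! carries the traffic.
ip route 192.168.3.0 255.255.255.0 Tunnel1 track 3
```

On the 1841 the same fragment is mirrored: tunnel source on its own provider port, tunnel destination 192.167.100.2, tunnel address 10.255.0.1, a key for peer 192.167.100.2, and tracked routes for 192.168.9.0/24 and 192.168.11.0/24 (both are in ACL 103) pointing at its tunnel. Once both sides are up, "show crypto isakmp sa" and "show crypto ipsec sa" should show a second SA pair with the 192.167.100.x peers, "show track 3" should read Up, and "show ip route 192.168.3.0" should resolve via Tunnel1; pulling the new link should flip that route back to the default within a few probe intervals. The first reply's EIGRP-with-variance design fits when both paths are GRE tunnels; here the old path is left as the crypto-map site-to-site, so a tracked static route does the failover instead.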
Here's a doc for you; in principle it partially covers what you want to implement...
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_con...