URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 22955

Original message
"Cisco 871 & Easy Vpn Server "

Posted by sysadm, 04-Aug-11 18:01
I know this topic has been done to death, but after reading about it here and on cisco.com I still can't make sense of Easy VPN Server (Cisco 871) + Cisco VPN Client v5 (WinXP) (over UDP).
The connection is established successfully, but I get no access to the internal network resources.
Not even the router's internal interface is pingable (from the client).
tracert on the client (WinXP) times out right away.
The client isn't reachable from the Cisco either.
The "Allow local LAN access" setting is enabled in the client.
config:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
no logging console
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn local
aaa authorization exec default local
aaa authorization network vpn_group local
!
aaa session-id common
!
resource policy
!
clock timezone MSK 3
clock summer-time Moscow recurring last Sun Mar 2:00 last Sun Oct 2:00
clock save interval 24
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name company.
ip name-server 192.168.10.252
ip ssh authentication-retries 2
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 h323
!
!
crypto pki trustpoint TP-self-signed-3936300032
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3936300032
revocation-check none
rsakeypair TP-self-signed-3936300032
!
!
username cisco privilege 15 secret 5 xxxxxxxxxxxxxxxx
!
!
class-map match-any torrentz
match protocol bittorrent
!
!
policy-map torrentz
  class torrentz
   drop
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group kifa
key B;TyfvjhtEghfdb19731952IoN
dns 192.168.10.100
wins 192.168.10.100
domain company.local
pool vpnpool
acl 105
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list vpn
crypto map clientmap isakmp authorization list vpn_group
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 3
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address xx.xx.xx.xx  255.255.255.248
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.251 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Vlan3
description Guest_Vlan
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
service-policy input torrentz
!
!
ip local pool vpnpool 192.168.5.1 192.168.5.10
ip classless
ip route 0.0.0.0 0.0.0.0 ISP_gateway_ip

!
ip flow-export version 5
ip flow-export destination 192.168.10.70 9996
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat translation timeout 130
ip nat translation tcp-timeout 200
ip nat translation udp-timeout 200
ip nat translation syn-timeout 200
ip nat translation max-entries 500
ip nat translation max-entries all-host 400
ip nat pool pool1  xxxxx  xxxxxxx  netmask 255.255.255.248
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.254 80 xxxxxxx  80 extendable
!
!

!
logging trap debugging
logging facility local5
logging 192.168.10.102
access-list 1 permit 192.168.10.49
access-list 1 permit 192.168.1.9
access-list 1 permit 192.168.1.7
access-list 1 permit 192.168.1.6
access-list 1 permit 192.168.10.24
access-list 1 permit 192.168.10.30
access-list 1 permit 192.168.10.254
access-list 1 permit 192.168.10.252
access-list 1 permit 192.168.10.140
access-list 1 permit 192.168.10.154
access-list 5 permit 192.168.10.49
access-list 100 permit ip host 192.168.5.1 any
access-list 100 permit ip host 192.168.5.2 any
access-list 100 permit ip host 192.168.5.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip host 192.168.10.254 any
access-list 100 deny   ip any any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any log
access-list 101 deny   ip host 95.169.186.108 any log
access-list 101 deny   ip host 208.64.123.177 any log
access-list 101 deny   ip host 109.72.146.154 any log
access-list 101 deny   ip host 109.72.146.202 any log
access-list 101 permit tcp any any established
access-list 101 permit tcp any eq domain any gt 1023
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 deny   icmp any any redirect log
access-list 101 permit icmp any any
access-list 101 permit udp any any eq ntp
access-list 101 deny   tcp any any log
access-list 101 deny   udp any any log
access-list 102 permit ip host 192.168.1.1 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip host 192.168.1.3 any
access-list 102 permit ip host 192.168.1.4 any
access-list 102 permit ip host 192.168.1.5 any
access-list 102 permit ip host 192.168.1.6 any
access-list 102 permit ip host 192.168.1.7 any
access-list 102 permit ip host 192.168.1.8 any
access-list 102 permit ip host 192.168.1.9 any
access-list 102 permit ip host 192.168.1.10 any
access-list 102 permit ip host 192.168.1.11 any
access-list 102 permit ip host 192.168.1.12 any
access-list 102 deny   ip any any
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
snmp-server community public RO
snmp-server ifindex persist
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server host 192.168.10.42 inform version 2c public
snmp-server host 192.168.10.42 version 2c public
no cdp run
!
control-plane
!
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 5 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175146
ntp server 192.168.10.254
end

thanks in advance for the help!!


Messages in this discussion
"Cisco 871 & Easy Vpn Server "
Posted by Anonymous, 04-Aug-11 21:42
>[overquoting removed]
>  privilege level 15
>  transport input telnet ssh
> !
> scheduler max-task-time 5000
> scheduler allocate 4000 1000
> scheduler interval 500
> ntp clock-period 17175146
> ntp server 192.168.10.254
> end
> thanks in advance for the help!!

Professional Level from Cisco?


"Cisco 871 & Easy Vpn Server "
Posted by 4x, 05-Aug-11 17:18
>[overquoting removed]
> access-list 1 permit 192.168.10.49
> access-list 1 permit 192.168.1.9
> access-list 1 permit 192.168.1.7
> access-list 1 permit 192.168.1.6
> access-list 1 permit 192.168.10.24
> access-list 1 permit 192.168.10.30
> access-list 1 permit 192.168.10.254
> access-list 1 permit 192.168.10.252
> access-list 1 permit 192.168.10.140
> access-list 1 permit 192.168.10.154

Looks like the packets are flying off into NAT instead of coming to you. Roughly like this is what you need (I didn't look at the whole config):

ip nat inside source list 109 interface FastEthernet4 overload

access-list 109 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 109 permit ip host 192.168.10.49 any
access-list 109 permit ip host 192.168.1.9 any
access-list 109 permit ip host 192.168.1.7 any
access-list 109 permit ip host 192.168.1.6 any
access-list 109 permit ip host 192.168.10.24 any
access-list 109 permit ip host 192.168.10.30 any
access-list 109 permit ip host 192.168.10.254 any
access-list 109 permit ip host 192.168.10.252 any
access-list 109 permit ip host 192.168.10.140 any
access-list 109 permit ip host 192.168.10.154 any

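The NAT point made in the reply above, as an added example that is not part of the thread: a small Python model of Cisco numbered-ACL evaluation (first match wins, implicit deny at the end) applied to the ACLs quoted in the posts. A standard ACL such as the original `list 1` matches on source address only, so it has no way to carve out LAN-to-pool traffic by destination, and every host it lists gets translated on its way to 192.168.5.x; the proposed extended `list 109` puts the two deny lines for the VPN pool first, so those flows bypass NAT and can reach the crypto map. The `ip nat inside source list` semantics (permit = translate, deny = leave untouched) are standard IOS behaviour; the `nat_leaks_into_tunnel` consistency check against split-tunnel list 105, the sampled flows and the public address 203.0.113.10 are my own constructions, not anything from the posts.

```python
"""Cisco numbered-ACL evaluator (first match wins, implicit deny at the end), used to check
whether LAN-to-VPN-pool traffic escapes NAT. Added example for this thread, not config from
it; the ACL entries are copied from the posts, the flows and 203.0.113.10 are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every flow; "tcp"/"udp"/"icmp" match literally
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network    # ANY for a standard ACL, which only looks at the source

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | bare 'A' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:   # dotted quad follows: a wildcard
        # Cisco wildcard: 0 bits must match, 1 bits are don't-care, i.e. the inverted netmask.
        # IPv4Network rejects a non-contiguous mask with ValueError, which is what we want.
        wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
        netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
        return ipaddress.IPv4Network((tok, netmask), strict=False), i + 2
    return ipaddress.IPv4Network(tok + "/32"), i + 1   # bare address in a standard ACL = one host

def parse_acl(text):
    """Parse 'access-list N action ...' lines; N < 100 or 1300-1999 is a standard (source-only) ACL.
    Port qualifiers (eq/gt/range) are not parsed: NAT and crypto ACLs do not carry them here."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        if number < 100 or 1300 <= number <= 1999:
            aces.append(Ace(action, "ip", _parse_addr(tokens, 3)[0], ANY))
        else:
            src, i = _parse_addr(tokens, 4)
            aces.append(Ace(action, tokens[3], src, _parse_addr(tokens, i)[0]))
    return aces

def acl_action(aces, src_ip, dst_ip, proto="ip"):
    """First matching entry decides; no match means the implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"

def is_translated(nat_acl, src_ip, dst_ip):
    """'ip nat inside source list N ...' translates flows the list permits; denied flows pass untouched."""
    return acl_action(nat_acl, src_ip, dst_ip) == "permit"

def _sample_host(net):
    return net.network_address + 1 if net.prefixlen < 31 else net.network_address

def nat_leaks_into_tunnel(nat_acl, crypto_acl):
    """Pairs (inside host, VPN-side host) that the split-tunnel ACL steers into the tunnel but the
    NAT list would still translate. One sampled host per network is an assumption for brevity."""
    leaks = []
    for c in (a for a in crypto_acl if a.action == "permit"):
        dst = _sample_host(c.dst)
        for n in (a for a in nat_acl if a.action == "permit"):
            src = _sample_host(n.src)
            if src in c.src and is_translated(nat_acl, str(src), str(dst)):
                leaks.append((str(src), str(dst)))
    return leaks

# Entries from the thread: the hosts NATed by the original standard list 1, the proposed
# extended list 109 (same hosts, VPN pool excluded first), and split-tunnel list 105.
NAT_HOSTS = ("192.168.10.49", "192.168.1.9", "192.168.1.7", "192.168.1.6", "192.168.10.24",
             "192.168.10.30", "192.168.10.254", "192.168.10.252", "192.168.10.140", "192.168.10.154")
ORIGINAL_NAT_ACL = parse_acl("\n".join(f"access-list 1 permit {h}" for h in NAT_HOSTS))
PROPOSED_NAT_ACL = parse_acl(
    "access-list 109 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255\n"
    "access-list 109 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255\n"
    + "\n".join(f"access-list 109 permit ip host {h} any" for h in NAT_HOSTS))
CRYPTO_ACL = parse_acl("access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255")

if __name__ == "__main__":
    for name, acl in (("list 1", ORIGINAL_NAT_ACL), ("list 109", PROPOSED_NAT_ACL)):
        print(name, "192.168.10.254 -> 192.168.5.1 translated:",
              is_translated(acl, "192.168.10.254", "192.168.5.1"),
              "| leaks into tunnel:", nat_leaks_into_tunnel(acl, CRYPTO_ACL))
```

Running it prints the two verdicts: with list 1 every 192.168.10.x host in the NAT list is translated towards 192.168.5.1, with list 109 none is, while ordinary Internet-bound traffic from the same hosts is still translated. On the router the same thing can be confirmed with `show ip nat translations` while a client pings a LAN host: a translation whose outside address is in the 192.168.5.0/24 pool means the reply was NATed instead of being handed to the crypto map, and the encaps/decaps counters in `show crypto ipsec sa` will then only move in one direction. A deny line in a standard ACL cannot fix this, because a standard ACL has no destination field to match the pool on.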

"Cisco 871 & Easy Vpn Server "
Posted by engalichev, 05-Aug-11 22:46
>[overquoting removed]
> access-list 109 permit ip host 192.168.10.49 any
> access-list 109 permit ip host 192.168.1.9 any
> access-list 109 permit ip host 192.168.1.7 any
> access-list 109 permit ip host 192.168.1.6 any
> access-list 109 permit ip host 192.168.10.24 any
> access-list 109 permit ip host 192.168.10.30 any
> access-list 109 permit ip host 192.168.10.254 any
> access-list 109 permit ip host 192.168.10.252 any
> access-list 109 permit ip host 192.168.10.140 any
> access-list 109 permit ip host 192.168.10.154 any

they're flying off into NAT, +1