URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 23632

Original message
"L2TP over IPSEC: no ping between networks"

Posted by alexey63rus, 16-Mar-12 11:50
Hello, I am new to CISCO.
Here is the situation:
there is a pool: L2TP-Pool 192.168.0.1-192.168.0.10 mask 255.255.255.0
a new client is assigned, for example: ip 192.168.0.1 255.255.255.255 - I don't know why it is all 255s!

and the local pool: ip address 192.168.1.1 netmask 255.255.255.0

addresses are handed out to the clients, and from the Cisco I can ping them and they can ping the Cisco,
but from the local network I don't see them, and they don't see the office LAN

PIX Version 8.0(4)32  
!
hostname PIX0
domain-name sat.local
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 55.112.60.102 255.255.255.252  
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0  
!
ftp mode passive
clock timezone AZST 4
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 22.213.0.12
name-server 22.213.2.1
domain-name sat.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service bank tcp
port-object eq 9443
port-object eq 8000
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq domain  
service-object tcp eq 8000  
service-object tcp eq 9443  
service-object tcp eq www  
service-object tcp eq https  
service-object tcp eq pop3  
service-object tcp eq smtp  
service-object tcp eq ftp  
service-object icmp  
access-list DefaultRAGroup_splitTunnelAcl standard permit any  
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any  
access-list inside_nat0_outbound extended permit ip any any  
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging facility 23
mtu outside 1500
mtu inside 1500
ip local pool L2TP-Pool 192.168.0.1-192.168.0.10 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 55.112.60.101 netmask 255.255.255.252
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0 dns
access-group inside_access_in_1 in interface inside
route outside 0.0.0.0 0.0.0.0 85.112.60.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
dynamic-access-policy-record DfltAccessPolicy
network-acl inside_nat0_outbound
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac  
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac  
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set AES-192-SHA ESP-3DES-SHA ESP-DES-SHA TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection scanning-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 22.117.76.141 source outside
ntp server 22.117.76.130 source outside prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.1
vpn-tunnel-protocol IPSec l2tp-ipsec  
split-tunnel-policy tunnelall
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
username users password /yvpt6OhMFdf4lx6zg== nt-encrypted privilege 1
username users attributes
vpn-tunnel-protocol l2tp-ipsec  
username usersm password /yvpt6OhMFdf4lx6zg== nt-encrypted privilege 1
username usersm attributes
vpn-tunnel-protocol l2tp-ipsec  
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP-Pool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map  
!
service-policy global_policy global
prompt hostname context  
: end


here is what the logs show:

3 Mar 15 2012 12:12:04 305005 192.168.1.3 No translation group found for icmp src outside:192.168.0.1 dst inside:192.168.1.3 (type 8, code 0)

%ASA-3-305005: No translation group found for protocol src  
interface_name:source_address/source_port dst interface_name:  
dest_address/dest_port  
A packet does not match any of the outbound nat command rules. If NAT is not configured for the specified source and destination systems, this message will be generated frequently.

This message indicates a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the NAT 0 ACL.


Messages in this discussion
"L2TP over IPSEC: no ping between networks"
Posted by Aleks305, 16-Mar-12 12:52
>[overquoting removed]
> dest_address/dest_port
> A packet does not match any of the outbound nat command rules.
> If NAT is not configured for the specified source and destination
> systems, this message will be generated frequently.
> This message indicates a configuration error. If dynamic NAT is desired for
> the source host, ensure that the nat command matches the source
> IP address. If static NAT is desired for the source host,
> ensure that the local IP address of the static command matches.
> If no NAT is desired for the source host, check the
> ACL bound to the NAT 0 ACL.

sysopt connection permit-vpn?
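The two things a reader would check before answering this thread are exactly what the quoted %ASA-3-305005 documentation and the reply point at: does the source address in the log belong to the VPN pool, and is any ACL actually bound as a NAT exemption with "nat (<interface>) 0 access-list"? The script below is an added example written for this page, not code from either poster or from Cisco. It parses the 305005 line in the ASDM format it was pasted in (the field layout is reconstructed from the message format quoted in the original post), reads a constructed excerpt of the posted config (only lines that appear in the thread), and reports what it finds. The heuristic that an ACL whose name contains "nat0" is meant to be a NAT-exemption ACL, and the check for an explicit "no sysopt connection permit-vpn" line, are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 8.0(4) config from the thread (lines copied as posted,
# not the full dump). Note that inside_nat0_outbound is defined and referenced by the
# DAP record's network-acl, but no "nat (inside) 0 access-list" line binds it.
CONFIG = """\
ip local pool L2TP-Pool 192.168.0.1-192.168.0.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0 dns
dynamic-access-policy-record DfltAccessPolicy
 network-acl inside_nat0_outbound
"""

# The syslog line from the thread, in the ASDM log format it was pasted in.
LOG_LINE = ("3 Mar 15 2012 12:12:04 305005 192.168.1.3 No translation group found "
            "for icmp src outside:192.168.0.1 dst inside:192.168.1.3 (type 8, code 0)")

# Field layout of %ASA-3-305005 as quoted in the thread:
#   ... for <protocol> src <if>:<addr>[/<port>] dst <if>:<addr>[/<port>] [(type N, code M)]
LOG_RE = re.compile(
    r"No translation group found for (?P<proto>\S+) src "
    r"(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? dst "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
)


def parse_305005(line):
    """Return the fields of a 305005 message as a dict, or None if the line is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def parse_pools(config):
    """Map 'ip local pool' names to (first, last) IPv4 address pairs."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def pool_for(addr, pools):
    """Name of the pool that contains addr, or None if it is not a pool address."""
    ip = ipaddress.ip_address(addr)
    for name, (lo, hi) in pools.items():
        if lo <= ip <= hi:
            return name
    return None


def nat_exemptions(config):
    """Interfaces with a NAT exemption, mapped to the ACL bound by 'nat (<if>) 0 access-list'."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M)}


def analyze(config, line):
    """Check one 305005 line against the config and return a findings dict."""
    ev = parse_305005(line)
    if ev is None:
        return {"matched": False}
    pools = parse_pools(config)
    exempt = nat_exemptions(config)
    acls = set(re.findall(r"^access-list (\S+)", config, re.M))
    # Assumption: an ACL named "...nat0..." is intended as a NAT-exemption ACL; flag any
    # such ACL that no "nat (...) 0 access-list" line actually uses.
    unbound = sorted(a for a in acls if "nat0" in a and a not in exempt.values())
    return {
        "matched": True,
        "proto": ev["proto"],
        "src_pool": pool_for(ev["src"], pools),          # VPN pool the source came from
        "dst_if": ev["dst_if"],
        # Exemption is configured on the interface the destination host sits behind.
        "nat_exempt_on_dst_if": ev["dst_if"] in exempt,
        "unbound_nat0_acls": unbound,
        # Only an explicit "no sysopt connection permit-vpn" line would show it disabled.
        "permit_vpn_disabled": bool(
            re.search(r"^no sysopt connection permit-vpn", config, re.M)),
    }


if __name__ == "__main__":
    print(analyze(CONFIG, LOG_LINE))
```

On the thread's own lines the result is: source 192.168.0.1 is in L2TP-Pool, no NAT exemption is bound on "inside", and inside_nat0_outbound is defined but unbound, which is the case the quoted documentation describes ("check the ACL bound to the NAT 0 ACL"). One caveat when acting on that finding: the ACL as posted is "permit ip any any", and binding it with "nat (inside) 0 access-list" would exempt all inside traffic from the interface PAT in "nat (inside) 101", so an exemption ACL is normally scoped to the LAN subnet and the VPN pool rather than any/any.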