URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 28

Original message
"packet routing inside cisco"

Posted by fomim, 03-Aug-12 15:18
The problem is this:
On a Cisco 2811 I set up a PPTP VPN on interface Virtual-Template 1. A client connects and is assigned an IP, but the internal network is unreachable. Please help with whatever you can.

Current configuration : 10447 bytes
!
! Last configuration change at 14:46:56 MSK Fri Aug 3 2012 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname moscow-gw
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-19.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 12800 debugging
logging console critical
enable password 7 101C5149504745
!
aaa new-model
!
!
!
aaa session-id common
clock timezone MSK 3
clock calendar-valid
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name pbank.pk
ip name-server 192.168.1.222
ip inspect name Default tcp router-traffic
ip inspect name Default udp router-traffic
ip inspect name Default http
ip inspect name Default https
ip inspect name Default ftp
ip inspect name Default dns
ip inspect name Default ntp
ip inspect name Default ssh
ip inspect name Default smtp
ip inspect name Default pop3
ip inspect name Default imap
ip inspect name Default telnet
ip inspect name Default router
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 1
type echo protocol ipIcmpEcho 192.168.204.1 source-interface Tunnel0
timeout 2000
threshold 1500
tag GO-SOVINTEL
frequency 3
ip sla monitor schedule 1 life forever start-time now
vlan ifdescr detail
vpdn enable
vpdn-group test
Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
voice-card 0
no dspfarm
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
redirect ip2ip
sip
  registrar server
voice class codec 1
codec preference 1 g711alaw
codec preference 2 g711ulaw
voice register pool  1
id ip 89.222.166.188 mask 255.255.255.255
max registrations 42
voice-class codec 1
voice register pool  2
id ip 80.252.140.67 mask 255.255.255.255
max registrations 42
voice-class codec 1
!
!
!
!
crypto pki trustpoint profit-gw
enrollment url http://profit-gw:80
revocation-check crl
!
!
crypto pki certificate chain profit-gw
certificate 02
..................................
archive
log config
  logging enable
  logging size 150
  notify syslog
  hidekeys
ip tcp synwait-time 10
ip ssh logging events
ip ssh version 2
!
track 1 rtr 1
delay down 10 up 10
!
!
crypto isakmp policy 2
encr aes
group 2
!
!
crypto ipsec transform-set DMVPN esp-aes
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
ip address 192.168.95.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect Default in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.1
description PK_SOVINTEL
encapsulation dot1Q 1 native
ip address 192.168.72.2 255.255.255.240
ip access-group INBOUND in
no ip unreachables
ip virtual-reassembly
no cdp enable
interface FastEthernet0/1.2
no ip unreachables
shutdown
no cdp enable
interface FastEthernet0/1.3
description MOS-BEZLIMIT
encapsulation dot1Q 3
ip address x.x.x.x 255.255.255.248
ip access-group INBOUND in
no ip unreachables
ip nat outside
ip inspect Default out
ip virtual-reassembly
ip tcp adjust-mss 1400
no cdp enable
interface Virtual-Template1
ip address 192.168.96.1 255.255.255.0
peer default ip address pool vpnpool
ppp authentication pap
router eigrp 1
network 10.10.5.0 0.0.0.255
network 192.168.95.0
no auto-summary
ip local pool vpnpool 192.168.96.2 192.168.96.3
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 192.168.204.1 name GO track 1
ip route 0.0.0.0 0.0.0.0 85.94.39.145
ip route 192.168.17.0 255.255.255.0 192.168.72.1
ip route 192.168.250.0 255.255.255.0 192.168.95.4
ip dns server
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/1.3 overload
ip nat inside source static tcp 192.168.95.16 8202 interface FastEthernet0/1.3 8202
ip nat inside source static tcp 192.168.95.5 25 interface FastEthernet0/1.3 25
ip nat inside source static tcp 192.168.95.4 9091 interface FastEthernet0/1.3 9091
ip nat inside source static tcp 192.168.95.4 8443 interface FastEthernet0/1.3 8443
ip access-list extended NAT
deny   ip 192.168.95.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.95.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
ip access-list extended UNBOUND
permit udp any host 85.94.39.150 eq 8202
permit tcp any host 85.94.39.150 eq 8202
permit tcp any host 85.94.39.150
logging trap debugging
logging origin-id hostname
logging facility local6
logging source-interface FastEthernet0/0
logging 192.168.1.212
access-list 10 remark -- hosts permitted to write snmp MIBs  on the router
access-list 10 permit 192.168.1.212
access-list 10 deny   any log
snmp-server community MskGehisp RW 10
snmp-server community snmp-read RO 10
snmp-server file-transfer access-group 10 protocol tftp
no cdp run
control-plane
line con 0
transport output ssh
line aux 0
transport output telnet
line vty 0 2
exec-timeout 30 0
privilege level 15
logging synchronous
transport input telnet ssh
transport output ssh
line vty 3 4
exec-timeout 30 0
logging synchronous
no exec
transport input telnet ssh
transport output ssh
scheduler allocate 20000 1000
ntp clock-period 17179752
ntp server 128.138.140.44
ntp server 212.200.82.148
ntp server 80.93.56.210
ntp server 129.6.15.28
ntp server 192.168.1.222

end


Messages in this discussion
"packet routing inside cisco"
Posted by McS555, 06-Aug-12 11:17
ip access-list extended NAT
5 deny   ip 192.168.95.0 0.0.0.255 192.168.96.0 0.0.0.255

try adding this!


"packet routing inside cisco"
Posted by fomim, 06-Aug-12 11:47
> ip access-list extended NAT
> 5 deny   ip 192.168.95.0 0.0.0.255 192.168.96.0 0.0.0.255
> try adding this!

Didn't help.
And does anything need to be added to NAT at all?


"packet routing inside cisco"
Posted by McS555, 06-Aug-12 12:52
>> ip access-list extended NAT
>> 5 deny   ip 192.168.95.0 0.0.0.255 192.168.96.0 0.0.0.255
>> try adding this!
> Didn't help.
> And does anything need to be added to NAT at all?

Well... as an experiment you could remove the inspect. But with NAT like that it should work.

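An added example (not from either poster): a small Python check over the configuration posted above. It parses the NAT access list in IOS evaluation order (explicit sequence numbers kept, others numbered last+10) and reports which vpnpool addresses are still matched by a permit when a LAN host sends to them, which is what McS555's suggested "5 deny" entry is meant to exclude. It assumes only "ip" entries with "any" or address/wildcard forms, and all function names are my own.

```python
import ipaddress

# Constructed excerpt of the thread's posted config: just the pool and the NAT access list.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.96.2 192.168.96.3
ip access-list extended NAT
 deny   ip 192.168.95.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.95.0 0.0.0.255 any
"""

def _addr_spec(tok):
    """Consume one ACE address spec (any | A WILDCARD); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1])))  # wildcard -> netmask
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_extended_acl(config, name):
    """ACEs of 'ip access-list extended <name>' as (seq, action, src, dst), in IOS order."""
    entries, inside = [], False
    for line in config.splitlines():
        tok = line.split() or ["!"]  # a blank line ends a block, like '!'
        if tok[:3] == ["ip", "access-list", "extended"]:
            inside = tok[3] == name  # a later block with the same name appends to it
            continue
        # explicit sequence number, otherwise IOS default of last + 10
        seq = int(tok.pop(0)) if inside and tok[0].isdigit() else max((e[0] for e in entries), default=0) + 10
        if not inside or tok[0] not in ("permit", "deny"):
            inside = False
            continue
        if tok[1] != "ip":  # tcp/udp ACEs with ports do not occur in this NAT list
            continue
        src, rest = _addr_spec(tok[2:])
        dst, _ = _addr_spec(rest)
        entries.append((seq, tok[0], src, dst))
    return sorted(entries)

def acl_action(config, name, src, dst):
    """Action of the first matching ACE for a src->dst IP packet; None means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, snet, dnet in parse_extended_acl(config, name):
        if s in snet and d in dnet:
            return action
    return None

def natted_vpn_clients(config, lan_host, acl="NAT"):
    """Pool addresses (ip local pool <name> <first> <last>) whose LAN->client traffic hits a permit."""
    first, last = next(l.split()[4:6] for l in config.splitlines() if l.startswith("ip local pool"))
    lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)
            if acl_action(config, acl, lan_host, str(ipaddress.ip_address(i))) == "permit"]
```

Appending the suggested block (`ip access-list extended NAT` / `5 deny ip 192.168.95.0 0.0.0.255 192.168.96.0 0.0.0.255`) to the sample makes the list empty, since sequence 5 is evaluated before the existing entries.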

"packet routing inside cisco"
Posted by fomim, 07-Aug-12 14:29
Adding ip unnumbered FastEthernet0/0 helped.
But now there's another problem: as soon as I add an ACL with even a single rule permitting everything, the client can't connect.