Добрый день. С оборудованием Cisco столкнулся впервые. Подскажите, пожалуйста. Пытаюсь создать туннель site-to-site между маршрутизаторами Cisco 881 и Zyxel ZyWALL 5. Туннель настроил, оба маршрутизатора пишут, что связь установлена, но локальные сети не видят друг друга. Уверен, что где-то в настройках Cisco напортачил. Может, подскажете, где ошибка:
Building configuration...Current configuration : 6719 bytes
! NOTE(review): running-config of the Cisco 881 end of a site-to-site IPsec
! tunnel to peer 195.47.X.X (local LAN 192.168.5.0/24, remote LAN
! 192.168.3.0/24). The poster reports IKE/IPsec established but no
! LAN-to-LAN connectivity; the NAT section below is the most likely cause.
!
! Last configuration change at 13:45:13 Moscow Fri Jan 18 2013 by denis
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): type 7 "encryption" only obfuscates line/VTY passwords and
! other plaintext secrets in the config; it is trivially reversible, so treat
! a copied config as containing those secrets in clear.
service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
! NOTE(review): "secret 4" is the IOS 15.x type 4 hash, which Cisco later
! documented as weaker than type 5 (unsalted, single SHA-256 round);
! regenerate the secret as type 5 (or 8/9 where supported). The same hash
! string is reused for user "denis" below, i.e. enable and login share one
! password.
enable secret 4 WIt8jvB9k8OmgaoqfrYwU//PXImqYGmcAxH9SvUrP.Q
!
no aaa new-model
!
memory-size iomem 10
clock timezone Moscow 3 0
crypto pki token default removal timeout 0
!
! Self-signed trustpoint (presumably auto-generated for ip http secure-server).
crypto pki trustpoint TP-self-signed-3162754647
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3162754647
revocation-check none
rsakeypair TP-self-signed-3162754647
!
!
crypto pki certificate chain TP-self-signed-3162754647
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
! NOTE(review): certificate body is truncated in this paste (no closing "quit").
! NOTE(review): IP source routing is left enabled on an Internet-facing
! router; "no ip source-route" is the usual hardening baseline.
ip source-route
!
!
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp ping packets 4
!
! LAN DHCP: hands out the router (192.168.5.1) as both gateway and DNS server.
ip dhcp pool LAN
import all
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
dns-server 192.168.5.1
!
!
ip cef
ip domain name domain.metiz.ru
ip name-server 84.47.177.77
ip name-server 85.91.99.99
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-PCI-K9 sn
license boot module c880-data level advipservices
!
!
! NOTE(review): same type 4 hash as "enable secret" above (see note there).
! "privilege 15 view root" gives full access directly on login.
username denis privilege 15 view root secret 4 WIt8jvB9k8OmgaoqfrYwU//PXImqYGmcAxH9SvUrP.Q
!
!
!
!
!
!
! IKE phase 1: 3DES / pre-shared key / DH group 2 (hash and lifetime left at
! defaults). Weak by current standards; move to AES and group 14 or higher if
! the ZyWALL peer supports it. The PSK is bound to the single peer address.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXX address 195.47.X.X
crypto isakmp fragmentation
! DPD keepalive every 10 s, periodic mode.
crypto isakmp keepalive 10 periodic
!
!
! IKE phase 2 proposal (tunnel mode by default).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Crypto map applied on FastEthernet4. Interesting traffic = ACL 101
! (192.168.5.0/24 <-> 192.168.3.0/24). On IOS, inside-to-outside NAT runs
! before the crypto map check, so LAN packets translated by the NAT rules
! below no longer match ACL 101 and leave the WAN in clear instead of in the
! tunnel -- the VPN subnet must be exempted from NAT (see NAT section).
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to195.47.X.X
set peer 195.47.X.X
set transform-set ESP-3DES-SHA
match address 101
!
!
!
!
!
! FastEthernet0-3: ports of the built-in 4-port switch, no L3 config.
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
! WAN. "ip nat enable" = NAT Virtual Interface (NVI) mode, driven by the
! "ip nat source ..." statements below. No inbound "ip access-group" is
! applied here, so every service the router listens on (DNS server, the
! port-forward on 7717, IKE/ESP, management ports) is reachable from any
! Internet source; only ACL 23 on the management services limits them.
interface FastEthernet4
description $ETH-WAN$
ip address 84.47.X.X 255.255.255.248
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
! LAN (SVI). NVI mode here as well; TCP MSS clamped to 1452 for sessions
! crossing this interface.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.5.1 255.255.255.0
ip nat enable
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
! HTTP and HTTPS management (CCP), local auth, sources restricted to the LAN
! by ACL 23. Plain "ip http server" can be dropped if only HTTPS is used.
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! NOTE(review): the router answers DNS for the LAN (DHCP hands out
! 192.168.5.1) and nothing visible restricts this service to Vlan1 -- assumed
! reachable from the WAN as well; confirm and filter if so.
ip dns server
! NOTE(review): three pools that each contain only the *inside* address
! 192.168.5.200; only pool "test" is referenced (list 102). Presumably
! leftovers from earlier attempts -- confirm before removing.
ip nat pool LAN 192.168.5.200 192.168.5.200 netmask 255.255.255.0
ip nat pool 100 192.168.5.200 192.168.5.200 netmask 255.255.255.0
ip nat pool test 192.168.5.200 192.168.5.200 netmask 255.255.255.0
! NOTE(review): NAT is the likely cause of the broken LAN-to-LAN traffic.
! - The interfaces use "ip nat enable" (NVI), which the "ip nat source ..."
!   lines drive. The "ip nat inside source ..." duplicates need
!   "ip nat inside"/"ip nat outside" on interfaces, which no interface has,
!   so they appear to be inert -- remove them.
! - Lists 1 and 100 both overload 192.168.5.0/24 behind the WAN address and
!   neither excludes the remote VPN subnet 192.168.3.0/24, so tunnel-bound
!   packets are translated before the crypto map sees them (see crypto map
!   note) and never get encrypted.
! - Fix: keep one overload rule ("ip nat source list 100 ...") and one static
!   rule, drop the list-1 rule as well, and put
!   "access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255"
!   before the permit in ACL 100 (or apply the never-referenced route-map
!   "nonat" below, which already carries such an exemption).
ip nat source list 1 interface FastEthernet4 overload
ip nat source list 100 interface FastEthernet4 overload
! Port-forward: WAN tcp/7717 -> 192.168.5.5:3389 (RDP), open to any source
! because the WAN has no inbound ACL; restrict sources or reach the host over
! the VPN instead if it should not be Internet-exposed.
ip nat source static tcp 192.168.5.5 3389 interface FastEthernet4 7717
ip nat source list 102 pool test overload
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.5.5 3389 interface FastEthernet4 7717
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 84.47.169.65
!
! ACL 1: first NAT source list; duplicates the final permit of ACL 100.
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
! ACL 23: allowed management sources (HTTP/HTTPS access-class, VTY access-class).
access-list 23 permit 192.168.5.0 0.0.0.255
! ACL 100: second NAT source list. The first three entries match traffic
! sourced from the router's own WAN address or from the upstream resolvers
! (DNS replies), which LAN-originated translation appears never to see --
! their purpose is unclear (the replying poster flagged them too). The final
! permit is the rule that NATs everything from the LAN, VPN-bound traffic
! included.
access-list 100 remark CCP_ACL Category=2
access-list 100 permit tcp host 84.47.X.X eq 7717 any eq 7717
access-list 100 permit udp host 84.47.177.77 eq domain any
access-list 100 permit udp host 85.91.99.99 eq domain any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
! ACL 101: crypto ACL for SDM_CMAP_1; must be the exact mirror of the
! ZyWALL's local/remote policy (192.168.3.0/24 <-> 192.168.5.0/24).
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
! ACL 102: used with pool "test"; mirror image of the odd 7717 entry above.
access-list 102 permit tcp any eq 7717 host 84.47.X.X eq 7717
! ACL 105: wildcard 255.255.255.0 on 0.0.0.0 matches only addresses whose last
! octet is 0; not referenced anywhere in this config.
access-list 105 remark CCP_ACL Category=16
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
! ACL 110: classic NAT-exemption pattern (deny 192.168/16 -> 192.168/16,
! permit the rest). Only used by route-map "nonat", which nothing applies.
access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
! ACL 150: inbound allow-list for IKE, NAT-T, ESP, GRE and SSH to the WAN
! address, but not applied to any interface. It has no entries for return
! traffic of NATed sessions or for the 7717 forward, and no stateful
! inspection is configured, so applying it as-is inbound on FastEthernet4
! would break those.
access-list 150 remark CCP_ACL Category=16
access-list 150 permit udp any host 84.47.X.X eq isakmp
access-list 150 permit udp any host 84.47.X.X eq non500-isakmp
access-list 150 permit esp any host 84.47.X.X
access-list 150 permit gre any host 84.47.X.X
access-list 150 permit tcp any host 84.47.X.X eq 22
no cdp run
!
!
!
!
! NOTE(review): NAT-exemption route-map that is never referenced by any
! "ip nat ... route-map nonat" statement; either apply it or delete it.
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
banner exec ^C
% Password expiration warning.-----------------------------------------------------------------------
^C
banner login ^Cmetiz.pro^C
!
! Console: local login. VTY: SSH only, sources limited by ACL 23, session
! lands directly at privilege 15. No exec-timeout or "ip ssh version 2" is
! visible (defaults apply).
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input ssh
!
end
>[оверквотинг удален]
> line con 0
> login local
> line aux 0
> line vty 0 4
> access-class 23 in
> privilege level 15
> login local
> transport input ssh
> !
> end
У вас в нате много продублировано по нескольку раз. Оставьте следующие строки:
ip nat source static tcp 192.168.5.5 3389 interface FastEthernet4 7717
ip nat source list 100 interface FastEthernet4 overload
!
Исключите из ната шифрованный трафик:
no access-list 100
access-list 100 remark CCP_ACL Category=2
access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
Эти строки не совсем понятны для чего:
access-list 100 permit tcp host 84.47.X.X eq 7717 any eq 7717
access-list 100 permit udp host 84.47.177.77 eq domain any
access-list 100 permit udp host 85.91.99.99 eq domain any
>[оверквотинг удален]
> !
> Исключите из ната шифрованный трафик:
> no access-list 100
> access-list 100 remark CCP_ACL Category=2
> access-list 100 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 100 permit ip 192.168.5.0 0.0.0.255 any
> Эти строки не совсем понятны для чего:
> access-list 100 permit tcp host 84.47.X.X eq 7717 any eq 7717
> access-list 100 permit udp host 84.47.177.77 eq domain any
> access-list 100 permit udp host 85.91.99.99 eq domain any
Опять в точку. Спасибо :)