Cisco ipsec vpn site-to-site, zero_cool, 28-Dec-17, 13:28

Hi all! I'm asking the networking gurus for help. I built an IPsec VPN site-to-site between the main office and a remote office; the tunnel itself comes up and pings go through. There is a small web server in the central office, and from the remote office I can't reach it over HTTP (tcp 80); not only port 80, but 22 (ssh) is unreachable as well.

Here is the config of the central router. The web server is in VLAN104 (10.0.38.0/29); the web server's IP address in the central office is 10.0.38.2/29.

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname CGW
boot-start-marker
boot-end-marker
aqm-register-fnf
no logging console
aaa new-model
aaa authentication login default local
aaa session-id common
no ip source-route
no ip bootp server
ip domain name domain.com
ip name-server 8.8.8.8
!
ip inspect name INSPECT_RULE dns
ip inspect name INSPECT_RULE icmp
ip inspect name INSPECT_RULE ntp
ip inspect name INSPECT_RULE tcp router-traffic
ip inspect name INSPECT_RULE udp router-traffic
ip inspect name INSPECT_RULE icmp router-traffic
ip inspect name INSPECT_RULE http
ip inspect name INSPECT_RULE https
ip inspect name INSPECT_RULE ftp
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
license udi pid C891F-K9 sn FCZ201990PM
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key KeY address 2.2.2.22
crypto ipsec transform-set set10 esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.22
 set transform-set set10
 match address VPN-TRAFFIC
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 switchport trunk allowed vlan 1,100-107,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport trunk allowed vlan 1,100-107,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 no ip address
 shutdown
!
interface GigabitEthernet3
 switchport trunk allowed vlan 1,100-107,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 107
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 104
 no ip address
!
interface GigabitEthernet6
 no ip address
 shutdown
!
interface GigabitEthernet7
 no ip address
 shutdown
!
interface GigabitEthernet8
 ip address 1.1.1.11 255.255.255.252
 ip access-group OUTSIDE_ACL in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect INSPECT_OUT out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
 crypto map CMAP
!
interface Vlan1
 no ip address
 ip virtual-reassembly in
!
interface Vlan100
 ip address 10.0.33.1 255.255.255.0
 ip virtual-reassembly in
!
interface Vlan101
 ip address 10.0.34.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan102
 ip address 10.0.32.1 255.255.255.0
 ip helper-address 10.0.32.4
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan103
 ip address 10.0.35.1 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan104
 ip address 10.0.38.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan107
 ip address 10.0.37.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ACL interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
ip access-list extended NAT_ACL
 deny   ip 10.0.38.0 0.0.0.7 10.1.32.0 0.0.0.255
 permit ip 10.0.37.0 0.0.0.7 any
 permit ip 10.0.34.0 0.0.0.255 any
 permit ip host 10.0.32.10 any
 permit ip host 10.0.32.15 any
 permit ip host 10.0.32.12 any
 permit ip host 10.0.32.102 any
 permit ip host 10.0.32.7 any
 permit ip host 10.0.32.107 any
 permit ip host 10.0.38.2 any
 permit ip host 10.0.32.70 any
!
ip access-list extended OUTSIDE_ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any eq 8801
 permit tcp any any eq 5590
 permit tcp any any eq 5599
 permit tcp any any eq 5577
 permit tcp any any eq 8781
 permit tcp any any eq 8674
 permit tcp any any eq 8563
 permit tcp any any eq 5571
 permit tcp any any eq 5572
 permit tcp any any eq 5531
 permit tcp any any eq 5573
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit tcp any any eq www
 permit tcp any any eq 25333
 permit tcp any any eq 25334
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.38.0 0.0.0.7 10.1.32.0 0.0.0.255
!
logging origin-id hostname
logging facility local6
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
end

And here is the config of the remote office router:

Building configuration...

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone KGS 6 0
!
no ip source-route
!
ip dhcp excluded-address 10.1.35.1 10.1.35.20
ip dhcp excluded-address 10.1.36.1 10.1.36.20
ip dhcp excluded-address 10.1.37.1 10.1.37.20
ip dhcp excluded-address 10.1.38.1 10.1.38.20
!
ip dhcp pool 10/1/35/0/24
 network 10.1.35.0 255.255.255.0
 default-router 10.1.35.1
 dns-server 10.1.35.1
!
ip dhcp pool 10/1/36/0/24
 network 10.1.36.0 255.255.255.0
 default-router 10.1.36.1
 dns-server 10.1.36.1
!
ip dhcp pool 10/1/37/0/24
 network 10.1.37.0 255.255.255.0
 default-router 10.1.37.1
 dns-server 10.1.37.1
!
ip dhcp pool 10/1/38/0/24
 network 10.1.38.0 255.255.255.0
 default-router 10.1.38.1
 dns-server 10.1.38.1
!
no ip bootp server
ip name-server 8.8.8.8
!
ip inspect name INSPECT_RULE dns
ip inspect name INSPECT_RULE icmp
ip inspect name INSPECT_RULE ntp
ip inspect name INSPECT_RULE tcp router-traffic
ip inspect name INSPECT_RULE udp router-traffic
ip inspect name INSPECT_RULE icmp router-traffic
ip inspect name INSPECT_RULE http
ip inspect name INSPECT_RULE https
ip inspect name INSPECT_RULE ftp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco1 address 1.1.1.11
!
crypto ipsec transform-set set10 esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.11
 set transform-set set10
 match address VPN-TRAFFIC
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 switchport trunk allowed vlan 1,100-102,105-108,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 switchport trunk allowed vlan 1,100-102,105-108,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 switchport trunk allowed vlan 1,100-102,105-108,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4
 switchport trunk allowed vlan 1,100-102,105-108,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 101
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 101
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description =OUTSIDE=
 ip address 2.2.2.22 255.255.255.252
 ip access-group OUTSIDE_ACL in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect INSPECT_RULE out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
 crypto map CMAP
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 description =MGMT=
 ip address 10.1.33.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan101
 description =DMZ=
 ip address 10.1.32.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan102
 ip address 10.1.39.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan105
 description =1FL_NORTH=
 ip address 10.1.35.1 255.255.255.0
 ip helper-address 10.1.35.1
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan106
 description =2FL_NORTH=
 ip address 10.1.36.1 255.255.255.0
 ip helper-address 10.1.36.1
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan107
 description =1FL_SOUTH=
 ip address 10.1.37.1 255.255.255.0
 ip helper-address 10.1.37.1
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan108
 description =2FL_SOUTH=
 ip address 10.1.38.1 255.255.255.0
 ip helper-address 10.1.38.1
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ACL interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.21
!
ip access-list extended NAT_ACL
 deny   ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
 permit ip 10.1.32.0 0.0.0.255 any
 permit ip 10.1.35.0 0.0.0.255 any
 permit ip 10.1.36.0 0.0.0.255 any
 permit ip 10.1.37.0 0.0.0.255 any
 permit ip 10.1.38.0 0.0.0.255 any
!
ip access-list extended OUTSIDE_ACL
 permit tcp any any eq 22
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit udp any any eq snmp
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
!
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
end

Please tell me why it is impossible to reach port 80 of the central office web server from the remote office DMZ. Thanks in advance!
- Cisco ipsec vpn site-to-site, k.d., 13:48, 28-Dec-17 (1)
> [overquoting removed]
> mgcp behavior comedia-role none
> mgcp behavior comedia-check-media-src disable
> mgcp behavior comedia-sdp-force disable
> !
> mgcp profile default
> !
> end
> Please tell me why it is impossible to reach port 80 of the central office web server
> from the remote office DMZ.
> Thanks in advance!

Pings go from where to where? src_ip? dst_ip?
At the very least, your 10.0.38.0/29 is not in the VPN:
1.
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.34.0 0.0.0.255 10.3.33.0 0.0.0.255
!
2.
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
!
- Cisco ipsec vpn site-to-site, zero_cool, 13:55, 28-Dec-17 (2)
> [overquoting removed]
> 1.
> !
> ip access-list extended VPN-TRAFFIC
> permit ip 10.0.34.0 0.0.0.255 10.3.33.0 0.0.0.255
> !
> 2.
> !
> ip access-list extended VPN-TRAFFIC
> permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
> !

Sorry, fixed it.
ping src_ip: 10.1.32.1 dst_ip: 10.0.38.2
The web server's IP address in the central office is 10.0.38.2/29
- Cisco ipsec vpn site-to-site, k.d., 14:02, 28-Dec-17 (3)
> [overquoting removed]
>> permit ip 10.0.34.0 0.0.0.255 10.3.33.0 0.0.0.255
>> !
>> 2.
>> !
>> ip access-list extended VPN-TRAFFIC
>> permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
>> !
> Sorry, fixed it.
> ping src_ip: 10.1.32.1 dst_ip: 10.0.38.2
> The web server's IP address in the central office is 10.0.38.2/29

The ACLs on the peers must be mirror images.
On the central one you need:
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.38.0 0.0.0.7 10.1.32.0 0.0.0.255
ip route 10.1.32.0 255.255.255.0 2.2.2.22
and on the other one:
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
ip route 10.0.38.0 255.255.255.248 1.1.1.11
Something like that, I think.
- Cisco ipsec vpn site-to-site, zero_cool, 14:29, 28-Dec-17 (4)
> [overquoting removed]
> The ACLs on the peers must be mirror images.
> On the central one you need:
> ip access-list extended VPN-TRAFFIC
> permit ip 10.0.38.0 0.0.0.7 10.1.32.0 0.0.0.255
> ip route 10.1.32.0 255.255.255.0 2.2.2.22
> and on the other one:
> ip access-list extended VPN-TRAFFIC
> permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
> ip route 10.0.38.0 255.255.255.248 1.1.1.11
> Something like that, I think.

Thanks! I tried that variant too, with a negative result.
I scanned the web server on port 80; here is the result:

Nmap scan report for 10.3.33.2
Host is up (0.0030s latency).
PORT   STATE    SERVICE
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

STATE=filtered, and I just can't figure out where it is being filtered.
- Cisco ipsec vpn site-to-site, k.d., 14:41, 28-Dec-17 (5)
> [overquoting removed]
> Thanks!
> I tried that variant too, with a negative result.
> I scanned the web server on port 80;
> here is the result:
> Nmap scan report for 10.3.33.2
> Host is up (0.0030s latency).
> PORT   STATE    SERVICE
> 80/tcp filtered http
> Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
> STATE=filtered, and I just can't figure out where it is being filtered.

Is there no firewall on the server itself? Can you temporarily disable the firewall on the routers?
- Cisco ipsec vpn site-to-site, k.d., 14:45, 28-Dec-17 (6)
> [overquoting removed]
>> I scanned the web server on port 80;
>> here is the result:
>> Nmap scan report for 10.3.33.2
>> Host is up (0.0030s latency).
>> PORT   STATE    SERVICE
>> 80/tcp filtered http
>> Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
>> STATE=filtered, and I just can't figure out where it is being filtered.
> Is there no firewall on the server itself? Can you temporarily disable the firewall
> on the routers?

And why "Nmap scan report for 10.3.33.2" and not 10.0.38.2?
- Cisco ipsec vpn site-to-site, zero_cool, 14:50, 28-Dec-17 (7)
> [overquoting removed]
>>> here is the result:
>>> Nmap scan report for 10.3.33.2
>>> Host is up (0.0030s latency).
>>> PORT   STATE    SERVICE
>>> 80/tcp filtered http
>>> Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
>>> STATE=filtered, and I just can't figure out where it is being filtered.
>> Is there no firewall on the server itself? Can you temporarily disable the firewall
>> on the routers?
> And why "Nmap scan report for 10.3.33.2" and not 10.0.38.2?

I pasted the wrong report. But the result is the same...
- Cisco ipsec vpn site-to-site, zero_cool, 14:51, 28-Dec-17 (8)
> [overquoting removed]
>>>> Host is up (0.0030s latency).
>>>> PORT   STATE    SERVICE
>>>> 80/tcp filtered http
>>>> Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
>>>> STATE=filtered, and I just can't figure out where it is being filtered.
>>> Is there no firewall on the server itself? Can you temporarily disable the firewall
>>> on the routers?
>> And why "Nmap scan report for 10.3.33.2" and not 10.0.38.2?
> I pasted the wrong report.
> But the result is the same...

Could CBAC (Firewall) be blocking it?
ip inspect name INSPECT_RULE dns
ip inspect name INSPECT_RULE icmp
ip inspect name INSPECT_RULE ntp
ip inspect name INSPECT_RULE tcp router-traffic
ip inspect name INSPECT_RULE udp router-traffic
ip inspect name INSPECT_RULE icmp router-traffic
ip inspect name INSPECT_RULE http
ip inspect name INSPECT_RULE https
ip inspect name INSPECT_RULE ftp
- Cisco ipsec vpn site-to-site, k.d., 14:53, 28-Dec-17 (9)
> [overquoting removed]
> Could CBAC (Firewall) be blocking it?
> ip inspect name INSPECT_RULE dns
> ip inspect name INSPECT_RULE icmp
> ip inspect name INSPECT_RULE ntp
> ip inspect name INSPECT_RULE tcp router-traffic
> ip inspect name INSPECT_RULE udp router-traffic
> ip inspect name INSPECT_RULE icmp router-traffic
> ip inspect name INSPECT_RULE http
> ip inspect name INSPECT_RULE https
> ip inspect name INSPECT_RULE ftp

ip inspect name INSPECT_RULE tcp router-traffic - seems OK.
Try it like this:
ip inspect name INSPECT_RULE tcp
- Cisco ipsec vpn site-to-site, zero_cool, 15:11, 28-Dec-17 (10)
> [overquoting removed]
>> ip inspect name INSPECT_RULE ntp
>> ip inspect name INSPECT_RULE tcp router-traffic
>> ip inspect name INSPECT_RULE udp router-traffic
>> ip inspect name INSPECT_RULE icmp router-traffic
>> ip inspect name INSPECT_RULE http
>> ip inspect name INSPECT_RULE https
>> ip inspect name INSPECT_RULE ftp
> ip inspect name INSPECT_RULE tcp router-traffic - seems OK.
> Try it like this:
> ip inspect name INSPECT_RULE tcp

That didn't work!
On the web server I changed the standard HTTP port 80/tcp to 8089 and everything worked.
What now? Where should I dig?!
- Cisco ipsec vpn site-to-site, k.d., 15:17, 28-Dec-17 (11)
> [overquoting removed]
>>> ip inspect name INSPECT_RULE icmp router-traffic
>>> ip inspect name INSPECT_RULE http
>>> ip inspect name INSPECT_RULE https
>>> ip inspect name INSPECT_RULE ftp
>> ip inspect name INSPECT_RULE tcp router-traffic - seems OK.
>> Try it like this:
>> ip inspect name INSPECT_RULE tcp
> That didn't work!
> On the web server I changed the standard HTTP port 80/tcp to 8089 and everything worked.
> What now? Where should I dig?!

And if you remove
ip inspect name INSPECT_RULE http
ip inspect name INSPECT_RULE https
and leave only
ip inspect name INSPECT_RULE tcp ?
- Cisco ipsec vpn site-to-site, zero_cool, 15:26, 28-Dec-17 (12)
> [overquoting removed]
>>> Try it like this:
>>> ip inspect name INSPECT_RULE tcp
>> That didn't work!
>> On the web server I changed the standard HTTP port 80/tcp to 8089 and everything worked.
>> What now? Where should I dig?!
> And if you remove
> ip inspect name INSPECT_RULE http
> ip inspect name INSPECT_RULE https
> and leave only
> ip inspect name INSPECT_RULE tcp ?

That didn't work!
- Cisco ipsec vpn site-to-site, k.d., 15:30, 28-Dec-17 (13)
> [overquoting removed]
>>>> ip inspect name INSPECT_RULE tcp
>>> That didn't work!
>>> On the web server I changed the standard HTTP port 80/tcp to 8089 and everything worked.
>>> What now? Where should I dig?!
>> And if you remove
>> ip inspect name INSPECT_RULE http
>> ip inspect name INSPECT_RULE https
>> and leave only
>> ip inspect name INSPECT_RULE tcp ?
> That didn't work!

On the first router your rule is INSPECT_RULE, but under the interface it is INSPECT_OUT. Is that also a typo?
- Cisco ipsec vpn site-to-site, zero_cool, 15:36, 28-Dec-17 (14)
> [overquoting removed]
>>>> On the web server I changed the standard HTTP port 80/tcp to 8089 and everything worked.
>>>> What now? Where should I dig?!
>>> And if you remove
>>> ip inspect name INSPECT_RULE http
>>> ip inspect name INSPECT_RULE https
>>> and leave only
>>> ip inspect name INSPECT_RULE tcp ?
>> That didn't work!
> On the first router your rule is INSPECT_RULE, but under the interface it is INSPECT_OUT.
> Is that also a typo?

Yes, a typo.
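An added config check, not posted by anyone in this thread, that tests the two points raised above against the configs: whether the peers' VPN-TRAFFIC crypto ACLs are mirror images of each other (post 3), and whether every inspect name applied on an interface with `ip inspect ... in|out` is actually defined by an `ip inspect name` line (the INSPECT_RULE/INSPECT_OUT mismatch found in post 13). The CENTRAL and REMOTE excerpts are constructed from the configs posted above, and the function names are my own.

```python
from ipaddress import ip_network
# Constructed excerpts of the two configs posted above (only the lines these checks read).
CENTRAL = """
ip inspect name INSPECT_RULE http
interface GigabitEthernet8
 ip inspect INSPECT_OUT out
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.38.0 0.0.0.7 10.1.32.0 0.0.0.255
"""
REMOTE = """
ip inspect name INSPECT_RULE http
interface GigabitEthernet8
 ip inspect INSPECT_RULE out
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
"""
def endpoint(tok, i):
    # One ACL endpoint (any | host A | A WILDCARD) -> (ip_network, index after it)
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1]), i + 2
    mask = ".".join(str(255 - int(o)) for o in tok[i + 1].split("."))  # wildcard -> netmask
    return ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def parse(text):
    # Collect extended-ACL entries, defined inspect rule names, and inspect names applied on interfaces.
    acls, rules, refs, cur = {}, set(), [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            acls[(cur := tok[3])] = []
        elif cur and tok[0] in ("permit", "deny"):
            src, j = endpoint(tok, 2)
            dst, _ = endpoint(tok, j)
            acls[cur].append((tok[0], src, dst))
        elif tok[:3] == ["ip", "inspect", "name"]:
            rules.add(tok[3])
        elif tok[:2] == ["ip", "inspect"] and tok[-1] in ("in", "out"):
            refs.append(tok[2])
        elif not line.startswith(" "):
            cur = None  # a new top-level command ends the ACL block
    return {"acls": acls, "rules": rules, "refs": refs}

def crypto_acls_mirror(a, b, acl="VPN-TRAFFIC"):
    # Every permit on one peer must appear with src/dst swapped on the other, and vice versa.
    pa = {(s, d) for act, s, d in a["acls"].get(acl, []) if act == "permit"}
    pb = {(d, s) for act, s, d in b["acls"].get(acl, []) if act == "permit"}
    return bool(pa) and pa == pb

def undefined_inspect_refs(cfg):
    # Inspect names applied on interfaces that no 'ip inspect name ...' line defines.
    return sorted(set(cfg["refs"]) - cfg["rules"])
```

Run against the two excerpts, crypto_acls_mirror() returns True and undefined_inspect_refs() returns ['INSPECT_OUT'] for the central router and [] for the remote one.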