Posle podklyucenie po Cisco VPN client net dostupa k domain resursam.ping DNS serveru otvet est
ping IP Address otvet est
net view \\fileserver
system error 53
Vnizu konfig
!
endshow run
R1# show running-config
Building configuration...
Current configuration : 5699 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-13a.bin
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 $1$3iYL$xPV0Tk8w165m.J9IyZBqd/
enable password 7 060F1C20474319
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login vpnlogin local
aaa authorization network vpnauth local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
ip flow-cache timeout active 1
no ip bootp server
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server 192.168.0.2
login block-for 12 attempts 7 within 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 030D480A0D0231
username mejdun password 7 060F1C20474319
archive
log config
logging enable
!
!
!
class-map match-any worms
match protocol http url "*.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*readme.eml*"
!
!
policy-map worm-requests
class worms
set ip dscp 1
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 3600
!
crypto isakmp client configuration group RVPN
key xxxxxxx
dns 192.168.0.2
wins 192.168.0.2
domain domain.local
pool vpnpool
acl 144
!
!
crypto ipsec transform-set settransform esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set settransform
reverse-route
!
!
crypto map vpnmap client authentication list vpnlogin
crypto map vpnmap isakmp authorization list vpnauth
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 10.0.2.21 255.255.255.0
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map vpnmap
service-policy input worm-requests
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip access-group 121 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
ip local pool vpnpool 192.168.1.1 192.168.1.100
ip route 0.0.0.0 0.0.0.0 10.0.2.1
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.0.27 9996
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.27 3389 10.0.2.21 3389 extendable
!
logging trap debugging
logging facility local2
logging source-interface FastEthernet0/1
logging 192.168.0.27
access-list 100 permit udp any any eq bootpc
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit tcp any host 10.0.2.21 eq telnet
access-list 111 deny ip any any
access-list 111 permit tcp any host 192.168.0.27 eq 3389
access-list 121 deny ip any any dscp 1
access-list 121 permit ip any any
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq non500-isakmp
access-list 122 permit tcp host 192.168.1.0 host 192.168.0.0 eq 50
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq 50
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq 51
access-list 122 permit tcp host 192.168.1.0 host 192.168.0.0 eq 51
access-list 122 permit tcp host 192.168.1.0 host 192.168.0.0 eq 47
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq 47
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq isakmp
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq 5000
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq 10000
access-list 122 permit tcp host 192.168.1.0 host 192.168.0.0 eq 10000
access-list 122 permit tcp host 192.168.1.0 host 192.168.0.0 eq 500
access-list 122 permit tcp host 192.168.1.0 host 192.168.0.0 eq 5000
access-list 122 permit udp host 192.168.1.0 host 192.168.0.0 eq 10001
access-list 122 permit udp host 192.168.0.0 host 192.168.1.0 eq non500-isakmp
access-list 122 permit udp host 192.168.0.0 host 192.168.1.0 eq 5000
access-list 122 permit udp host 192.168.0.0 host 192.168.1.0 eq 51
access-list 122 permit udp host 192.168.0.0 host 192.168.1.0 eq 50
access-list 122 permit udp host 192.168.0.0 host 192.168.1.0 eq 10000
access-list 122 permit udp host 192.168.0.0 host 192.168.1.0 eq 10001
access-list 122 permit udp host 192.168.0.0 host 192.168.1.0 eq 47
access-list 144 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
route-map VPN-Client permit 10
match ip address 144
set interface Loopback0
!
!
!
tftp-server server
tftp-server en
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^CUNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line vty 5 15
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end
R1#