Стоит с внешним IP SRX100, к нему подключен cisco 3550. Идея в том, что есть подсетка 192.168.16.0/24, на циске стоит vlan16, который эту сетку раздает (адрес свича в нем 192.168.16.1), и через циску подключены компы. На srx тоже сделал такой vlan (там адрес самого srx 192.168.16.251), и соединил этот порт с циской. Настроил Remote VPN согласно официальному руководству, прописал доступ ко всей подсетке 192.168.16.0/24. Подключаюсь по VPN - пишет, что подключено, 192.168.16.251 пингуется, остальные объекты - нет, даже 192.168.16.1. Что я не так делаю? Прикладываю конфиги обоих устройств. SRX100: version 10.1R1.8; system { host-name gen-firewall; root-authentication { encrypted-password "xxx"; ## SECRET-DATA } name-server { 191.1.44.36; } login { user ultrablox { full-name "xxx"; uid 101; class super-user; authentication { encrypted-password "xxxx"; ## SECRET-DATA } } } services { ssh { root-login deny; protocol-version [ v2 v1 ]; connection-limit 3; } web-management { http { interface [ fe-0/0/0.0 fe-0/0/7.0 ]; } https { system-generated-certificate; interface [ fe-0/0/0.0 fe-0/0/7.0 ]; } } } syslog { user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } processes { general-authentication-service { traceoptions { flag all; } } } } interfaces { interface-range interfaces-vlan17 { member fe-0/0/3; unit 0 { family ethernet-switching { vlan { members vlan-17; } } } } interface-range interfaces-vlan16 { member fe-0/0/2; unit 0 { family ethernet-switching { vlan { members vlan-16; } } } } fe-0/0/0 { unit 0 { family inet { address 192.168.1.1/24; } } } fe-0/0/5 { unit 0 { family inet; } } fe-0/0/6 { unit 0 { family ethernet-switching; } } fe-0/0/7 { unit 0 { family inet { address <external_ip>; } } } lo0 { unit 0 { family inet { address 127.0.0.1/32; } } } 
st0 { unit 0 { family inet; } } vlan { unit 0 { family inet { address 192.168.16.201/24; } } unit 16 { family inet { address 192.168.16.251/24; } } unit 17 { family inet { address 192.168.17.251/24; } } } } routing-options { static { route 0.0.0.0/0 next-hop 62.113.102.1; route 192.168.16.0/24 next-hop 192.168.16.1; route 192.168.17.0/24 next-hop 192.168.17.1; } } security { ike { traceoptions { flag all; } proposal phase1-prop { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 300; } policy ike-pol { mode aggressive; proposals phase1-prop; pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA } gateway dyn-gw-moscow { ike-policy ike-pol; dynamic hostname GEN_SWITCH; external-interface fe-0/0/7.0; xauth access-profile user-auth-profile; } } ipsec { vpn-monitor-options; proposal phase2-prop { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; } policy ipsec-pol { perfect-forward-secrecy { keys group2; } proposals phase2-prop; } vpn dynamic-vpn-moscow { ike { gateway dyn-gw-moscow; ipsec-policy ipsec-pol; } } } zones { security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { fe-0/0/0.0; vlan.0; vlan.17; vlan.16; } } security-zone untrust { host-inbound-traffic { system-services { ike; ssh; https; http; } } interfaces { fe-0/0/7.0; } } } policies { from-zone untrust to-zone trust { policy vpn-moscow { match { source-address any; destination-address any; application any; } then { permit { tunnel { ipsec-vpn dynamic-vpn-moscow; } } } } } from-zone trust to-zone untrust { policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } } } dynamic-vpn { access-profile user-auth-profile; clients { client1 { remote-protected-resources { 192.168.16.0/24; } remote-exceptions { 0.0.0.0/0; } ipsec-vpn dynamic-vpn-moscow; user { home-user; ultrablox; } } gen-vpn { 
remote-protected-resources { 192.168.16.0/24; } remote-exceptions { 0.0.0.0/0; } ipsec-vpn dynamic-vpn-moscow; user { u1; u2; } } } } } access { profile user-auth-profile { client u2 { firewall-user { password "$9$9DWEp1heK8x-w1RrvWXws"; ## SECRET-DATA } } client u1 { firewall-user { password "$9$zip.3n90BEreW36WxNV4oFn/t0BIRh"; ## SECRET-DATA } } client home-user { firewall-user { password "$9$jtHP5z36AuOTQEcleW8"; ## SECRET-DATA } } client ultrablox { firewall-user { password "$9$po8IuEyLxdVYo"; ## SECRET-DATA } } } profile radius-server { authentication-order password; } firewall-authentication { web-authentication { default-profile radius-server; } } } applications { application-set mgt-services { application junos-ssh; } } vlans { vlan-16 { vlan-id 16; l3-interface vlan.16; } vlan-17 { vlan-id 17; l3-interface vlan.17; } } CISCO 3550: version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname GEN-SWITCH ! ! username root password 0 123123 aaa new-model ! ! aaa authentication login default local aaa authorization console aaa authorization exec default local ! ! ! aaa session-id common ip subnet-zero ip routing ip dhcp excluded-address 192.168.16.2 ! ip dhcp pool GEN-LAN network 192.168.16.0 255.255.255.0 default-router 192.168.16.1 dns-server 192.168.16.2 195.2.64.36 ! ip dhcp pool IPTS-LAN network 192.168.17.0 255.255.255.0 default-router 192.168.17.1 dns-server 195.2.64.36 ! ! ! crypto pki trustpoint TP-self-signed-429606016 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-429606016 revocation-check none rsakeypair TP-self-signed-429606016 ! ! crypto pki certificate chain TP-self-signed-429606016 certificate self-signed 01 123123123123... quit ! ! spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! ! ! ! ! ! interface FastEthernet0/1 description GEN Network switchport access vlan 16 switchport mode access ! 
interface FastEthernet0/2 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/3 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/4 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/5 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/6 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/7 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/8 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/9 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/10 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/11 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/12 description GEN Network switchport access vlan 16 switchport mode access ! interface FastEthernet0/13 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/14 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/15 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/16 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/17 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/18 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/19 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/20 description GEN network switchport access vlan 16 switchport mode access ! 
interface FastEthernet0/21 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/22 description GEN network switchport access vlan 16 switchport mode access ! interface FastEthernet0/23 description Link to Demo System switchport access vlan 999 switchport mode access duplex full ! interface FastEthernet0/24 description Link to PIX switchport access vlan 160 switchport mode access speed 100 duplex full ! interface GigabitEthernet0/1 description Link to GEN server switchport access vlan 16 switchport mode dynamic auto ! interface GigabitEthernet0/2 switchport mode dynamic desirable ! interface Vlan1 no ip address shutdown ! interface Vlan16 ip address 192.168.16.1 255.255.255.0 ip access-group 101 in ip access-group 101 out ! interface Vlan160 ip address 192.168.0.1 255.255.255.0 ip access-group 101 in ip access-group 101 out ! interface Vlan999 ip address 10.0.0.2 255.255.255.0 ! router rip network 192.168.0.0 ! ip default-gateway 192.168.16.1 ip classless ip route 0.0.0.0 0.0.0.0 192.168.0.5 ip route 10.1.1.0 255.255.255.0 192.168.0.5 ip route 192.168.8.0 255.255.255.0 10.0.0.1 ip route 192.168.15.0 255.255.255.0 10.0.0.1 ip route 192.168.17.0 255.255.255.0 192.168.16.251 ip route 192.168.110.0 255.255.255.0 10.0.0.1 ip route 192.168.200.0 255.255.255.0 10.0.0.1 ip route 192.168.210.0 255.255.255.0 10.0.0.1 ip route 192.168.250.0 255.255.255.0 10.0.0.1 ip http server ip http secure-server ! ! access-list 101 permit ip any any ! control-plane ! ! line con 0 line vty 0 4 privilege level 15 password yura18x transport input telnet line vty 5 15 privilege level 15 transport input ssh ! end