I have a Cisco 1841 and a PIX 515E with an IPsec site-to-site tunnel running between them. Behind the PIX is the local network 192.168.100.0, behind the 1841 the local network 192.168.129.0. From the 129 network (behind the 1841) the whole 100 network is reachable fine, but from the 100 network only the interface on the Cisco that carries the VLAN with the 129 network answers ping, and nothing gets any further. I've been stuck on this for 3 days; can you suggest what to do? As I understand it, there is no routing between the WAN and the VLAN? What should I do? I'm a beginner with Cisco; I probably did something wrong... Configs:

1841:

Building configuration...

Current configuration : 9452 bytes
!
! Last configuration change at 03:51:13 UTC Fri Apr 2 2010 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AGRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$pu8w$Iph4loP0V7LliCdnEgbOq.
enable password ***
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authentication login ciscocp_vpn_xauth_ml_4 local
aaa authentication enable default enable
aaa authorization network default if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
aaa authorization network ciscocp_vpn_group_ml_4 local
aaa authorization network ciscocp_vpn_group_ml_5 local
!
aaa session-id common
ip cef table adjacency-prefix validate
ip cef
!
ip domain lookup source-interface Vlan1
ip domain name agcapital.ru
ip name-server 192.168.129.9
ip name-server 192.168.129.3
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
crypto pki server AGRouter
 database archive pem password 7 1056081009021E120D
 issuer-name O=**, OU=IT, CN=AGRouter, C=Ru, ST=Moscow, E=agcapital@agcapital.ru
!
crypto pki trustpoint TP-self-signed-835868044
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-835868044
 revocation-check none
 rsakeypair TP-self-signed-835868044
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint AGRouter
 revocation-check crl
 rsakeypair AGRouter
!
crypto pki certificate chain TP-self-signed-835868044
 certificate self-signed 01
  *****
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain AGRouter
 certificate ca 01
  ********
  quit
username admin privilege 15 secret 5 $1$vD48$UfBrRy0oh.EBhQhYuUAEm.
username kosnichev privilege 15 view root secret 5 $1$PDm0$TNoIe1fLOz0gHkTTULez7/
username sshuser privilege 15 view root secret 5 $1$ncLs$Vl3tlDgdwnlzmJYLGyBIV.
username remote1 secret 5 $1$Tvsr$ouTkZOjcUvVrIrYWyOrr5/
username remote secret 5 $1$h2yO$yHBauZJSK.gGohZ.HftFL.
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***** address 82.204.243.146
!
crypto ipsec security-association lifetime kilobytes 100000
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set S-T-S_TRANSFORM esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to82.204.243.146
 set peer 82.204.243.146
 set transform-set S-T-S_TRANSFORM
 match address 100
 reverse-route
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-WAN$
 ip address 213.79.90.11 255.255.255.248
 ip mask-reply
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
 vlan-id dot1q 1
 exit-vlan-config
!
interface FastEthernet0/0/1
 switchport access vlan 2
 switchport trunk native vlan 2
 shutdown
!
interface FastEthernet0/0/2
 switchport access vlan 3
!
interface FastEthernet0/0/3
 switchport access vlan 4
!
interface Vlan1
 ip address 192.168.129.102 255.255.255.0
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip nat allow-static-host
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan2
 ip address 10.77.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.77.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 ip address 192.168.130.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 213.79.90.9
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 213.79.90.9
ip route 192.168.100.0 255.255.255.0 82.204.243.146
!
ip flow-top-talkers
 top 1
 sort-by bytes
 cache-timeout 30
!
ip http server
ip http access-class 3
ip http secure-server
ip nat inside source route-map SDM_RMAP_11 interface FastEthernet0/1 overload
!
ip access-list standard vty_out
 remark vty outdound polisy
 remark CCP_ACL Category=1
 permit any log
!
access-list 3 permit 83.204.243.146
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 0.0.0.0 0.255.255.255
access-list 3 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 100 permit ip 192.168.129.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 remark CCP_ACL Category=18
access-list 102 deny ip 192.168.129.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.129.0 0.0.0.255 any
snmp-server community 1 RO
!
route-map SDM_RMAP_11 permit 1
 match ip address 102
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_2 permit 1
 match ip address 102
!
route-map mol permit 10
!
control-plane
!
line con 0
line aux 0
 transport input all
 transport output all
line vty 0 4
 session-timeout 15 notify
 transport input telnet ssh
 transport output telnet ssh
line vty 5 807
 session-timeout 15 notify
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178591
ntp update-calendar
ntp server 83.229.210.18 source FastEthernet0/1
ntp server 62.117.76.142 source FastEthernet0/1
end

_________

pix:

: Saved
:
PIX Version 8.0(4)32
!
hostname agpix
domain-name agcapital.ru
enable password /BbXQlNXkwDvseTM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.129.102 AGRouter
name 192.168.100.100 molserv.agmol.mos
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 82.204.243.146 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 83.242.139.10
 name-server 83.242.140.10
 name-server molserv.agmol.mos
 domain-name agcapital.ru
same-security-traffic permit intra-interface
access-list s-t-s_acl extended permit ip 192.168.100.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list s-t-s_acl extended permit ip 192.168.129.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list ACCESSNAT extended permit ip 192.168.100.0 255.255.255.0 any log
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any echo-reply inside
icmp permit any echo inside
asdm image flash:/asdm-61557.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 82.204.243.145 1
route outside 192.168.129.0 255.255.255.0 213.79.90.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication secure-http-client
aaa authentication listener http inside port www
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.106 255.255.255.255 inside
http 192.168.100.0 255.255.255.255 inside
http 192.168.129.0 255.255.255.0 inside
http 192.168.100.251 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set s-t-s esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 100000
crypto map s-t-s_map 10 match address s-t-s_acl
crypto map s-t-s_map 10 set peer 213.79.90.11
crypto map s-t-s_map 10 set transform-set s-t-s
crypto map s-t-s_map 10 set reverse-route
crypto map s-t-s_map interface outside
crypto ca trustpoint agcapital.mos
 revocation-check crl
 crl configure
crypto ca trustpoint AGRouter
 enrollment terminal
 subject-name cn=AGRouter,ou=IT,o=*,st=Moscow,c=Ru
 serial-number
 password *
 id-usage ssl-ipsec code-signer
 crl configure
crypto ca trustpoint virt2.agcapital.mos
 enrollment terminal
 crl configure
crypto ca certificate map DefaultCertificateMap 1
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 null-sha1
ssl trust-point AGRouter inside
ssl certificate-authentication interface inside port 443
username admin password c2NRrs0Ovu4Lznjx encrypted privilege 15
tunnel-group 213.79.90.11 type ipsec-l2l
tunnel-group 213.79.90.11 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d8d06522f1e51d28f819aaabebd93fd2
: end
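As an added example that is not part of the original post or of either device's configuration: a small Python checker that performs the two consistency checks usually done first when one direction of a site-to-site tunnel works and the other does not. It parses the crypto ACLs (IOS access-list 100, PIX s-t-s_acl) and the NAT selection ACLs (IOS access-list 102 behind the NAT route-map, PIX nonat behind nat (inside) 0) from the lines quoted in the post, verifies that every flow one peer encrypts is accepted in reverse by the other peer's crypto ACL, and verifies that no tunnel flow would still be translated before encryption. The ACL lines are copied from the post as constructed sample input; the wildcard-mask inversion and first-match evaluation are standard IOS/ASA semantics, and the function and variable names are the example's own.

```python
import ipaddress

# Constructed sample input: the relevant ACL lines copied out of the two configs in the post.
IOS_LINES = [
    "access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.129.0 0.0.0.255",
    "access-list 100 permit ip 192.168.129.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 102 remark CCP_ACL Category=18",
    "access-list 102 deny ip 192.168.129.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 102 permit ip 192.168.129.0 0.0.0.255 any",
]
PIX_LINES = [
    "access-list s-t-s_acl extended permit ip 192.168.100.0 255.255.255.0 192.168.129.0 255.255.255.0",
    "access-list s-t-s_acl extended permit ip 192.168.129.0 255.255.255.0 192.168.100.0 255.255.255.0",
    "access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.129.0 255.255.255.0",
    "access-list nonat extended permit ip 192.168.129.0 255.255.255.0 192.168.100.0 255.255.255.0",
]

ANY = ipaddress.ip_network("0.0.0.0/0")


def _operand(tokens, i, style):
    """Read one address operand at tokens[i]; return (network, index of the next token).
    IOS numbered ACLs carry wildcard masks, ASA/PIX ACLs carry subnet masks."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if style == "ios":  # invert the wildcard (0.0.0.255) into a subnet mask (255.255.255.0)
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(lines, name, style):
    """Return the 'ip' entries of ACL `name` as (action, src, dst) tuples, in config order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", name] or "remark" in t:
            continue
        t = [x for x in t if x not in ("extended", "log")]  # keywords that do not affect matching
        if t[3] != "ip":
            continue  # protocol-specific entries are outside the scope of this check
        src, i = _operand(t, 4, style)
        dst, _ = _operand(t, i, style)
        entries.append((t[2], src, dst))
    return entries


def first_match(acl, src, dst):
    """First-match evaluation of an ACL for a whole flow (src subnet -> dst subnet)."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None  # implicit deny / no entry matched


def mirror_mismatches(local_crypto, peer_crypto):
    """Flows this side encrypts that the peer's crypto ACL does not permit in the reverse direction."""
    peer = {(s, d) for a, s, d in peer_crypto if a == "permit"}
    return [(s, d) for a, s, d in local_crypto if a == "permit" and (d, s) not in peer]


def nat_conflicts(crypto_acl, nat_acl, exemption_list):
    """Tunnel flows that would still be translated before they reach the crypto map.
    exemption_list=False: nat_acl selects traffic TO translate (IOS route-map ACL), so a
                          tunnel flow must hit a deny or nothing.
    exemption_list=True : nat_acl is an ASA/PIX 'nat (inside) 0 access-list', so a tunnel
                          flow must hit a permit to be exempted."""
    bad = []
    for action, s, d in crypto_acl:
        if action != "permit":
            continue
        hit = first_match(nat_acl, s, d)
        translated = (hit != "permit") if exemption_list else (hit == "permit")
        if translated:
            bad.append((s, d))
    return bad


def check_tunnel(ios_lines=IOS_LINES, pix_lines=PIX_LINES):
    """Run both checks over the pair of configs; every list in the result should be empty."""
    ios_crypto = parse_acl(ios_lines, "100", "ios")
    ios_nat = parse_acl(ios_lines, "102", "ios")
    pix_crypto = parse_acl(pix_lines, "s-t-s_acl", "asa")
    pix_nonat = parse_acl(pix_lines, "nonat", "asa")
    return {
        "router_flows_not_mirrored_on_pix": mirror_mismatches(ios_crypto, pix_crypto),
        "pix_flows_not_mirrored_on_router": mirror_mismatches(pix_crypto, ios_crypto),
        "router_flows_still_natted": nat_conflicts(ios_crypto, ios_nat, False),
        "pix_flows_still_natted": nat_conflicts(pix_crypto, pix_nonat, True),
    }


if __name__ == "__main__":
    for check, problems in check_tunnel().items():
        print(f"{check}: {'ok' if not problems else problems}")
```

Run as a script it prints one line per check. Against the lines quoted in the post all four lists come back empty, which tells the troubleshooter that the crypto ACLs and NAT exemptions agree and the fault has to be looked for elsewhere (routing on the inside hosts, the tunnel SAs themselves, or the ACL ordering on a different device). Removing the `deny` line from access-list 102 in the sample and re-running shows the failure mode the NAT check exists for: the 192.168.129.0/24 to 192.168.100.0/24 flow is reported as translated before encryption.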