Forum: Cisco routers and other equipment (Diagnostics and troubleshooting)

"Routing problem in a GRE over IPsec tunnel"
Message from semarrgl (ok) on 09-Jul-10, 15:18
Hello.

Two Cisco routers, a 2811 and an 871, with tunnels set up between them and failover via IP SLA.
A routing problem has come up in the VPN tunnel.

From the routers themselves, every host in both internal networks responds to ping and is reachable; from the local machines in both networks only some of the hosts are reachable. What could the problem be?


871
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)


TexRouter#sh run
Building configuration...

Current configuration : 8705 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TexRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000
!
no aaa new-model
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-95283807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-95283807
revocation-check none
rsakeypair TP-self-signed-95283807
!
!
crypto pki certificate chain TP-self-signed-95283807
certificate self-signed 01
...
        quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.15
ip dhcp excluded-address 192.168.1.90 192.168.1.255
!
ip dhcp pool DHCPSklad
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.1
   default-router 192.168.1.1
   lease 2
!
!
no ip bootp server
ip domain retry 5
ip domain timeout 5
ip domain name tex.olololo.ru
ip name-server xxx.xxx.128.10
ip name-server 212.44.130.6
ip name-server 195.94.226.1
ip name-server 195.94.224.3
ip inspect name insp100 smtp
ip inspect name insp100 pop3
ip inspect name insp100 tcp
ip inspect name insp100 udp
ip inspect name insp100 dns
ip inspect name insp100 icmp
ip inspect name insp100 ftp
ip inspect name insp100 tftp
ip inspect name insp100 ssh
ip inspect name insp100 pptp
ip inspect name insp100 gopher
ip inspect name insp101 tcp
ip inspect name insp101 udp
ip inspect name insp101 dns
ip inspect name insp101 esmtp
ip inspect name insp101 pop3 reset
ip inspect name insp101 icmp
ip inspect name insp101 pptp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
spanning-tree portfast bpduguard
spanning-tree uplinkfast
no spanning-tree vlan 1
username olololo privilege 15 secret 5 ololololololo
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ololololololo address zzz.zzz.zzz.60
!
!
crypto ipsec transform-set homeused esp-3des esp-sha-hmac
!
crypto map VPN_MAP 1 ipsec-isakmp
description Tunnel tozzz.zzz.zzz.60 (Krylatskoe 1)
set peer zzz.zzz.zzz.60
set transform-set homeused
match address 110
!
crypto map VPN_MAP_2 1 ipsec-isakmp
description Tunnel tozzz.zzz.zzz.60 (Krylatskoe 2)
set peer zzz.zzz.zzz.60
set transform-set homeused
match address 111
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
track 1 rtr 10 reachability
!
track 2 rtr 20 reachability
!
class-map match-any rtsp
match protocol rtsp
class-map match-any rtcp
match protocol rtcp
class-map match-any bittorrent
match protocol bittorrent
class-map match-any rtp
match protocol rtp
!
!
policy-map drop_p2p
class bittorrent
   drop
class rtsp
   drop
class rtp
   drop
class rtcp
   drop
!
!
!
!
interface Tunnel0
ip address 10.150.30.2 255.255.255.252
no ip unreachables
ip mtu 1444
ip tcp adjust-mss 1404
tunnel source FastEthernet4
tunnel destination zzz.zzz.zzz.60
crypto map VPN_MAP
!
interface Tunnel1
ip address 10.150.31.2 255.255.255.252
no ip unreachables
ip mtu 1444
ip tcp adjust-mss 1404
tunnel source Vlan1
tunnel destination zzz.zzz.zzz.60
crypto map VPN_MAP_2
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
switchport access vlan 100
!
interface FastEthernet2
switchport access vlan 100
!
interface FastEthernet3
switchport access vlan 100
!
interface FastEthernet4
description WAN from ISP WEST$FW_OUTSIDE$
ip address yyy.yyy.64.30 255.255.255.252
ip access-group 125 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect insp101 in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VPN_MAP
service-policy input drop_p2p
service-policy output drop_p2p
!
interface Vlan1
description WAN from ISP SOV$FW_OUTSIDE$
ip address xxx.xxx.131.118 255.255.255.252
ip access-group 125 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect insp100 in
ip virtual-reassembly
ip route-cache flow
crypto map VPN_MAP_2
service-policy input drop_p2p
service-policy output drop_p2p
!
interface Vlan100
description to SDC Sklad network$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
no ip forward-protocol nd
ip forward-protocol spanning-tree
ip route 192.168.74.0 255.255.254.0 Tunnel0 150 name VPN_from_WEST track 1
ip route 192.168.74.0 255.255.254.0 Tunnel1 100 name VPN_from_SOV track 2
ip route 0.0.0.0 0.0.0.0 xxx.xxx.131.117 15
ip route 0.0.0.0 0.0.0.0 yyy.yyy.64.29 100
ip route 0.0.0.0 0.0.0.0 Null0 255
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat translation tcp-timeout 120
ip nat inside source route-map ISP_SOV interface Vlan1 overload
ip nat inside source route-map ISP_WEST interface FastEthernet4 overload
!
ip sla 10
icmp-jitter 10.150.30.1 source-ip 10.150.30.2 num-packets 5
timeout 4000
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-jitter 10.150.31.1 source-ip 10.150.31.2 num-packets 5
timeout 4000
ip sla schedule 20 life forever start-time now
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.74.0 0.0.1.255
access-list 11 permit zzz.zzz.zzz.48 0.0.0.15
access-list 11 permit 81.211.12.80 0.0.0.7
access-list 110 permit gre host yyy.yyy.64.30 host zzz.zzz.zzz.60
access-list 111 permit gre host xxx.xxx.131.118 host zzz.zzz.zzz.60
access-list 112 deny   gre host yyy.yyy.64.30 host zzz.zzz.zzz.60
access-list 112 deny   gre host xxx.xxx.131.118 host zzz.zzz.zzz.60
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 125 permit udp any host xxx.xxx.131.118 eq non500-isakmp
access-list 125 permit udp any host xxx.xxx.131.118 eq isakmp
access-list 125 permit esp any host xxx.xxx.131.118
access-list 125 permit ahp any host xxx.xxx.131.118
access-list 125 permit udp any host yyy.yyy.64.30 eq non500-isakmp
access-list 125 permit udp any host yyy.yyy.64.30 eq isakmp
access-list 125 permit esp any host yyy.yyy.64.30
access-list 125 permit ahp any host yyy.yyy.64.30
access-list 125 permit ip any any
!
!
!
route-map ISP_WEST permit 10
match ip address 1 112
match interface FastEthernet4
!
route-map ISP_SOV permit 10
match ip address 1 112
match interface Vlan1
!
!
control-plane
!
banner login ^C Authorized befor working. ^C
banner motd ^C Hello! ^C
banner prompt-timeout ^C Bye! ^C
!
line con 0
privilege level 15
logging synchronous
login local
no modem enable
transport output telnet
line aux 0
privilege level 15
transport output telnet
line vty 0 4
access-class 11 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
scheduler interval 500
event manager applet clear_nat
event track 1 state any
action 0.9 cli command "enable"
action 1.0 cli command "clear ip nat translation *"
action 2.0 cli command "clear ip nat translation forced"
!
end

2811
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(25a), RELEASE SOFTWARE (fc2)

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SDCRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging userinfo
logging buffered 52000 debugging
enable secret 5 ololololololololo
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth local
aaa authorization exec default local
aaa authorization network vpn_group local
aaa accounting send stop-record authentication failure
!
aaa session-id common
clock timezone Moscow 3
clock summer-time Moscow recurring last Sun Mar 2:00 last Sun Oct 2:00
clock calendar-valid
!
ip nbar pdlm flash:bittorrent.pdlm
!
ip cef
!
!
no ip bootp server
ip domain name olololo.ru
ip name-server kkk.kkk.235.2
ip name-server kkk.kkk.232.3
ip name-server 212.44.130.6
ip name-server 195.68.135.5
ip inspect name insp100 pop3
ip inspect name insp100 tcp
ip inspect name insp100 udp
ip inspect name insp100 dns
ip inspect name insp100 icmp
ip inspect name insp100 tftp
ip inspect name insp100 ssh
ip inspect name insp100 pptp
ip inspect name insp100 gopher
ip inspect name insp100 ftp
ip inspect name insp101 tcp
ip inspect name insp101 udp
ip inspect name insp101 dns
ip inspect name insp101 pop3 reset
ip inspect name insp101 icmp
ip inspect name insp101 pptp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip sla monitor 10
type pathJitter dest-ipaddr kkk.kkk.235.49 source-ipaddr kkk.kkk.235.60 num-packets 5
timeout 4000
ip sla monitor schedule 10 life forever start-time now
ip sla monitor 20
type pathJitter dest-ipaddr 81.19.70.3 source-ipaddr mmm.mmm.12.82 num-packets 5
timeout 4000
ip sla monitor schedule 20 life forever start-time now
!
clns routing
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3280579469
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3280579469
revocation-check none
rsakeypair TP-self-signed-3280579469
!
!
crypto pki certificate chain TP-self-signed-3280579469
certificate self-signed 01
...
  quit

username olololo privilege 15 secret 5 olololololololoolololololololo
username lolololol secret 5 olololololololoolololololololo
archive
log config
  hidekeys
!
!
!
track 1 rtr 10 reachability
!
track 2 rtr 20 reachability
!
class-map match-any bittorrent
match protocol bittorrent
!
!
policy-map drop_p2p
class bittorrent
   drop
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
...
crypto isakmp key olololololololo address ddd.ddd.64.30
crypto isakmp key olololololololo address eee.eee.131.118
!
crypto isakmp client configuration group vpn_group
key olololololololoolololololololoolololololololo
dns 192.168.74.34
domain olololo.ru
pool vpnpool
acl 100
include-local-lan
max-users 8
!
crypto isakmp client configuration group vpn_rdp_group
key olololololololoolololololololoolololololololo
dns 192.168.74.34
domain olololo.ru
pool vpnpool_rdp
acl 100
include-local-lan
max-users 50
crypto isakmp profile vpn-users-profile
   match identity group vpn_group
   client authentication list vpn_xauth
   isakmp authorization list vpn_group
   client configuration address respond
   virtual-template 1
crypto isakmp profile rdp-users-profile
   match identity group vpn_rdp_group
   client authentication list vpn_xauth
   isakmp authorization list vpn_group
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set homeused esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec1
set security-association idle-time 14400
set transform-set homeused
set isakmp-profile vpn-users-profile
!
crypto ipsec profile ipsec2
set security-association idle-time 14400
set transform-set homeused
set isakmp-profile rdp-users-profile
!
!
crypto dynamic-map dynmap 10
set isakmp-profile vpn-users-profile
reverse-route
crypto dynamic-map dynmap 20
set isakmp-profile rdp-users-profile
reverse-route
!
!
crypto map usermap 10 ipsec-isakmp dynamic dynmap

...

crypto map usermap 14 ipsec-isakmp
description Tunnel to ddd.ddd.64.30 (warehouse 1)
set peer ddd.ddd.64.30
set transform-set homeused
match address 104
crypto map usermap 15 ipsec-isakmp
description Tunnel to eee.eee.131.118 (warehouse 2)
set peer eee.eee.131.118
set transform-set homeused
match address 105
!
!
!
!
interface Loopback0
no ip address
!

...

!
interface Tunnel2
description to warehouse
ip address 10.150.30.1 255.255.255.252
no ip unreachables
ip mtu 1444
ip tcp adjust-mss 1404
tunnel source FastEthernet0/0
tunnel destination ddd.ddd.64.30
crypto map usermap
!
interface Tunnel3
description to warehouse
ip address 10.150.31.1 255.255.255.252
no ip unreachables
ip mtu 1444
ip tcp adjust-mss 1404
tunnel source FastEthernet0/0
tunnel destination eee.eee.131.118
crypto map usermap
!

...

!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description WAN frpm ISP MTR$FW_OUTSIDE$$ETH-WAN$
ip address kkk.kkk.235.60 255.255.255.240
ip access-group 125 in
ip nat outside
ip inspect insp100 in
ip virtual-reassembly max-fragments 64 max-reassemblies 512
duplex auto
speed auto
no mop enabled
crypto map usermap
service-policy input drop_p2p
service-policy output drop_p2p
!
interface FastEthernet0/1
description WAN frpm ISP SOV$FW_OUTSIDE$$ETH-WAN$
ip address mmm.mmm.12.82 255.255.255.248
ip access-group 125 in
ip nat outside
ip inspect insp100 in
ip virtual-reassembly max-fragments 64 max-reassemblies 512
duplex auto
speed auto
no mop enabled
service-policy input drop_p2p
service-policy output drop_p2p
!
interface FastEthernet0/0/0
switchport access vlan 100
!
interface FastEthernet0/0/1
switchport access vlan 100
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec1
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
ip access-group 151 in
ip access-group 161 out
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec2
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface Vlan100
description to SDC network$FW_INSIDE$
ip address 192.168.74.1 255.255.254.0 secondary
ip address 192.168.74.10 255.255.254.0
ip nat inside
ip inspect insp101 in
no ip virtual-reassembly max-fragments 64 max-reassemblies 512
!
ip local policy route-map CISCO
ip local pool vpnpool 10.1.0.1 10.1.0.14
ip local pool vpnpool_rdp 10.10.1.1 10.10.1.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 kkk.kkk.235.49 50 name ISP_MTR track 1
ip route 0.0.0.0 0.0.0.0 mmm.mmm.12.81 100 name ISP_Sov track 2
ip route 81.19.70.3 255.255.255.255 mmm.mmm.12.81 name route_to_rambler_ru
ip route 192.168.0.0 255.255.255.0 10.150.0.2 permanent
ip route 192.168.1.0 255.255.255.0 10.150.30.2 permanent
ip route 192.168.1.0 255.255.255.0 10.150.31.2 permanent
ip route 192.168.5.0 255.255.255.0 10.150.20.2 permanent
ip route 192.168.76.0 255.255.255.0 10.150.10.2 permanent
ip route 213.180.204.8 255.255.255.255 kkk.kkk.235.49 name route_to_ya_ru
!
ip flow-top-talkers
top 30
sort-by bytes
match source address 0.0.0.0 0.0.0.0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation tcp-timeout 120
ip nat inside source route-map ISP_MTR interface FastEthernet0/0 overload
ip nat inside source route-map ISP_Sov interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.74.11 25 mmm.mmm.12.82 25 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 80 mmm.mmm.12.82 80 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 110 mmm.mmm.12.82 110 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 143 mmm.mmm.12.82 143 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 443 mmm.mmm.12.82 443 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 465 mmm.mmm.12.82 465 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 993 mmm.mmm.12.82 993 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 995 mmm.mmm.12.82 995 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.44 3389 mmm.mmm.12.82 3389 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.46 3389 mmm.mmm.12.82 3390 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.200 5500 mmm.mmm.12.82 5500 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.201 5500 mmm.mmm.12.82 5501 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.202 5500 mmm.mmm.12.82 5502 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.7 21 kkk.kkk.235.60 21 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 80 kkk.kkk.235.60 80 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 110 kkk.kkk.235.60 110 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 143 kkk.kkk.235.60 143 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 443 kkk.kkk.235.60 443 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 465 kkk.kkk.235.60 465 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 993 kkk.kkk.235.60 993 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.11 995 kkk.kkk.235.60 995 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.44 3389 kkk.kkk.235.60 3389 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.46 3389 kkk.kkk.235.60 3390 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.200 5500 kkk.kkk.235.60 5500 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.201 5500 kkk.kkk.235.60 5501 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.202 5500 kkk.kkk.235.60 5502 route-map Pforw extendable
ip nat inside source static tcp 192.168.74.7 21000 kkk.kkk.235.60 21000 route-map Pforw extendable
!
ip access-list extended P2P-MTR
deny   ip host kkk.kkk.235.60 192.168.0.0 0.0.255.255
deny   ip host kkk.kkk.235.60 host mmm.mmm.12.82
permit ip host kkk.kkk.235.60 any
ip access-list extended P2P-SOVINTEL
deny   ip host mmm.mmm.12.82 192.168.0.0 0.0.255.255
deny   ip host mmm.mmm.12.82 host kkk.kkk.235.60
permit ip host mmm.mmm.12.82 any
!
logging history debugging
logging source-interface Vlan100
logging 192.168.74.41
access-list 1 permit 192.168.74.0 0.0.1.255
access-list 100 permit ip 192.168.74.0 0.0.1.255 any
access-list 101 permit gre host kkk.kkk.235.60 host aaa.aaa.7.98
access-list 102 permit gre host kkk.kkk.235.60 host bbb.bbb.243.50
access-list 103 permit gre host kkk.kkk.235.60 host ccc.ccc.208.26
access-list 104 permit gre host kkk.kkk.235.60 host ddd.ddd.64.30
access-list 105 permit gre host kkk.kkk.235.60 host eee.eee.131.118
access-list 111 remark Port forwarding
access-list 111 permit tcp host 192.168.74.11 eq smtp any
access-list 111 permit tcp host 192.168.74.11 eq www any
access-list 111 permit tcp host 192.168.74.11 eq pop3 any
access-list 111 permit tcp host 192.168.74.11 eq 143 any
access-list 111 permit tcp host 192.168.74.11 eq 443 any
access-list 111 permit tcp host 192.168.74.11 eq 993 any
access-list 111 permit tcp host 192.168.74.11 eq 995 any
access-list 111 permit tcp host 192.168.74.44 eq 3389 any
access-list 111 permit tcp host 192.168.74.46 eq 3390 any
access-list 111 permit tcp host 192.168.74.200 eq 5500 any
access-list 111 permit tcp host 192.168.74.201 eq 5500 any
access-list 111 permit tcp host 192.168.74.202 eq 5500 any
access-list 111 permit tcp host 192.168.74.11 eq 465 any
access-list 111 permit tcp host 192.168.74.7 eq ftp any
access-list 111 permit tcp host 192.168.74.7 eq 21000 any
access-list 115 remark Disable NAT for port destination
access-list 115 deny   gre host kkk.kkk.235.60 host aaa.aaa.7.98
access-list 115 deny   gre host kkk.kkk.235.60 host bbb.bbb.243.50
access-list 115 deny   tcp host 192.168.74.7 eq ftp any
access-list 115 deny   tcp host 192.168.74.11 eq smtp any
access-list 115 deny   tcp host 192.168.74.11 eq www any
access-list 115 deny   tcp host 192.168.74.11 eq pop3 any
access-list 115 deny   tcp host 192.168.74.11 eq 143 any
access-list 115 deny   tcp host 192.168.74.11 eq 443 any
access-list 115 deny   tcp host 192.168.74.11 eq 465 any
access-list 115 deny   tcp host 192.168.74.11 eq 993 any
access-list 115 deny   tcp host 192.168.74.11 eq 995 any
access-list 115 deny   tcp host 192.168.74.44 eq 3389 any
access-list 115 deny   tcp host 192.168.74.46 eq 3389 any
access-list 115 deny   tcp host 192.168.74.200 eq 5500 any
access-list 115 deny   tcp host 192.168.74.201 eq 5500 any
access-list 115 deny   tcp host 192.168.74.202 eq 5500 any
access-list 115 deny   tcp host 192.168.74.7 eq 21000 any
access-list 115 deny   gre host kkk.kkk.235.60 host ccc.ccc.208.26
access-list 115 deny   gre host kkk.kkk.235.60 host ddd.ddd.64.30
access-list 115 deny   gre host kkk.kkk.235.60 host eee.eee.131.118
access-list 125 permit gre host aaa.aaa.7.98 host kkk.kkk.235.60
access-list 125 permit gre host bbb.bbb.243.50 host kkk.kkk.235.60
access-list 125 permit udp any host kkk.kkk.235.60 eq non500-isakmp
access-list 125 permit udp any host kkk.kkk.235.60 eq isakmp
access-list 125 permit esp any host kkk.kkk.235.60
access-list 125 permit ahp any host kkk.kkk.235.60
...
access-list 125 remark textil
access-list 125 permit tcp host eee.eee.131.118 host kkk.kkk.235.60 eq 3389
access-list 125 permit tcp host ddd.ddd.64.30 host kkk.kkk.235.60 eq 3389
access-list 125 permit tcp host eee.eee.131.118 host mmm.mmm.12.82 eq 3389
access-list 125 permit tcp host ddd.ddd.64.30 host mmm.mmm.12.82 eq 3389
...
access-list 125 deny   tcp any host mmm.mmm.12.82 eq 1433
access-list 125 deny   tcp any host mmm.mmm.12.82 eq 11433
access-list 125 deny   tcp any host mmm.mmm.12.82 eq 3389
access-list 125 deny   tcp any host mmm.mmm.12.82 eq 3390
access-list 125 deny   tcp any host kkk.kkk.235.60 eq 3389
access-list 125 deny   tcp any host kkk.kkk.235.60 eq 3390
access-list 125 permit ip any any
access-list 126 permit ip 192.168.74.0 0.0.0.255 any
access-list 126 deny   ip any any
access-list 135 permit ip 192.168.74.0 0.0.1.255 any
access-list 135 permit ip 10.1.0.0 0.0.0.15 any
access-list 135 permit ip eee.eee.134.52 0.0.0.3 any
access-list 135 permit ip rrr.rrr.196.32 0.0.0.7 any
access-list 135 permit ip ddd.ddd.64.28 0.0.0.3 any
access-list 135 deny   ip any any
access-list 151 permit tcp 10.10.1.0 0.0.0.255 eq 3389 192.168.74.0 0.0.1.255
access-list 151 permit tcp 10.10.1.0 0.0.0.255 eq domain 192.168.74.0 0.0.1.255
access-list 151 permit udp 10.10.1.0 0.0.0.255 eq domain 192.168.74.0 0.0.1.255
access-list 151 permit tcp 10.10.1.0 0.0.0.255 192.168.74.0 0.0.1.255 eq domain
access-list 151 permit udp 10.10.1.0 0.0.0.255 192.168.74.0 0.0.1.255 eq domain
access-list 151 permit tcp 10.10.1.0 0.0.0.255 192.168.74.0 0.0.1.255 eq 3389
access-list 151 permit tcp 10.10.1.0 0.0.0.255 eq 443 host 192.168.74.11
access-list 151 permit tcp 10.10.1.0 0.0.0.255 host 192.168.74.11 eq 443
access-list 161 permit tcp 192.168.74.0 0.0.1.255 eq domain 10.10.1.0 0.0.0.255
access-list 161 permit udp 192.168.74.0 0.0.1.255 eq domain 10.10.1.0 0.0.0.255
access-list 161 permit tcp 192.168.74.0 0.0.1.255 eq 3389 10.10.1.0 0.0.0.255
access-list 161 permit tcp 192.168.74.0 0.0.1.255 10.10.1.0 0.0.0.255 eq domain
access-list 161 permit tcp 192.168.74.0 0.0.1.255 10.10.1.0 0.0.0.255 eq 3389
access-list 161 permit udp 192.168.74.0 0.0.1.255 10.10.1.0 0.0.0.255 eq domain
access-list 161 permit tcp host 192.168.74.11 eq 443 10.10.1.0 0.0.0.255
access-list 161 permit tcp host 192.168.74.11 10.10.1.0 0.0.0.255 eq 443
no cdp run
!
route-map CISCO permit 10
match ip address P2P-MTR
set interface FastEthernet0/0
!
route-map CISCO permit 20
match ip address P2P-SOVINTEL
set ip next-hop mmm.mmm.12.81
!
route-map Pforw permit 10
match ip address 111
!
route-map ISP_MTR permit 10
match ip address 1 115
match interface FastEthernet0/0
!
route-map ISP_Sov permit 10
match ip address 1 115
match interface FastEthernet0/1
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
banner login ^C Authorized befor working. ^C
banner motd ^C Hello! ^C
banner prompt-timeout ^C Bye! ^C
!
line con 0
privilege level 15
buffer-length 1536
logging synchronous
login authentication bugor
transport output telnet
line aux 0
privilege level 15
buffer-length 1536
transport output telnet
line vty 0 4
access-class 135 in
logging synchronous
transport input telnet ssh
line vty 5 15
access-class 135 in
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
!
event manager applet clear_nat
action 0.9 cli command "enable"
action 1.0 cli command "clear ip nat translation *"
action 2.0 cli command "clear ip nat translation forced"
!
end


1. "Routing problem in a GRE over IPsec tunnel"
Message from j_vw on 09-Jul-10, 20:58
>Hello.
>
>Two Cisco routers, a 2811 and an 871, with tunnels set up between them and failover via IP SLA.
>From the routers themselves, every host in both internal networks responds to ping and is
>reachable; from the local machines in both networks only some of the hosts are reachable.
>What could the problem be?

Well, first of all, about three days' worth of debug all is missing....
Otherwise there's nothing to read :(
Do you really think anyone needs to look through all this junk from the config?....

Of the things that caught my eye at a glance:
ip route 0.0.0.0 0.0.0.0 xxx.xxx.131.117 15
ip route 0.0.0.0 0.0.0.0 yyy.yyy.64.29 100

The second route will never take effect at all...
Only if you pull the cables out of all the interfaces...
And which physical interface does your Vlan1 face?
This one, perhaps?
interface FastEthernet0
switchport mode trunk
And then what?

I couldn't get any further through the first box's config ;)

Post ONLY the parts that relate to the problem....
P.S. As a general consideration....
GRE goes ONLY in the direction of an explicitly configured route or the default route. Route maps don't work....


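To make the two observations in this reply concrete (the AD-100 default route never takes effect while the AD-15 default is installed, and GRE-encapsulated packets follow the routing table rather than any route map), here is an added Python model of the 871's static routes. It is not code from the thread or from Cisco. It transcribes the five `ip route` lines and the two `tunnel source` lines from the TexRouter config, maps the two next hops to Vlan1 and FastEthernet4 from the interface addresses in the post, and uses the constructed TEST-NET address 203.0.113.60 in place of the anonymised peer zzz.zzz.zzz.60. The `tracks` dictionary and `down` set are assumptions that stand in for IP SLA track state and interface state; the selection logic itself (longest prefix first, then lowest administrative distance, tracked routes withdrawn when their track is down) is standard IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                   # destination prefix, e.g. "0.0.0.0/0"
    via: str                      # next-hop address or exit interface name
    ad: int = 1                   # administrative distance (IOS static default is 1)
    track: Optional[int] = None   # IP SLA track object guarding this route


# Static routes transcribed from the TexRouter (871) config in the original post.
# xxx/yyy placeholders are the post's own anonymised addresses, kept as-is.
TEXROUTER_ROUTES: List[StaticRoute] = [
    StaticRoute("192.168.74.0/23", "Tunnel0", 150, track=1),  # VPN_from_WEST
    StaticRoute("192.168.74.0/23", "Tunnel1", 100, track=2),  # VPN_from_SOV
    StaticRoute("0.0.0.0/0", "xxx.xxx.131.117", 15),          # default via ISP SOV
    StaticRoute("0.0.0.0/0", "yyy.yyy.64.29", 100),           # default via ISP WEST
    StaticRoute("0.0.0.0/0", "Null0", 255),
]

# Interface each next hop is directly connected to, derived from the interface
# addresses in the post (Vlan1 is xxx.xxx.131.118/30, FastEthernet4 is yyy.yyy.64.30/30).
NEXT_HOP_INTERFACE = {"xxx.xxx.131.117": "Vlan1", "yyy.yyy.64.29": "FastEthernet4"}

# Tunnel source interfaces from the post's "tunnel source" lines.
TUNNEL_SOURCE = {"Tunnel0": "FastEthernet4", "Tunnel1": "Vlan1"}

# Constructed stand-in (TEST-NET-3) for the anonymised GRE peer zzz.zzz.zzz.60.
GRE_PEER = "203.0.113.60"


def exit_interface(route: StaticRoute) -> str:
    """Interface a packet leaves through when forwarded by this route."""
    return NEXT_HOP_INTERFACE.get(route.via, route.via)


def installed_routes(routes, tracks: Dict[int, bool], down: Set[str] = frozenset()):
    """Model the RIB: withdraw routes whose track is down or whose exit interface
    is down, then keep only the lowest-AD candidate(s) for each prefix."""
    best: Dict[ipaddress.IPv4Network, List[StaticRoute]] = {}
    for r in routes:
        if r.track is not None and not tracks.get(r.track, True):
            continue                      # track object reports unreachable
        if exit_interface(r) in down:
            continue                      # next hop no longer resolvable
        net = ipaddress.ip_network(r.prefix)
        if net not in best or r.ad < best[net][0].ad:
            best[net] = [r]
        elif r.ad == best[net][0].ad:
            best[net].append(r)           # equal AD: both installed (load sharing)
    return best


def lookup(routes, tracks, dest: str, down: Set[str] = frozenset()) -> Optional[StaticRoute]:
    """Longest-prefix match over the installed RIB; returns the route used."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, rs) for net, rs in installed_routes(routes, tracks, down).items()
               if addr in net]
    if not matches:
        return None
    _, rs = max(matches, key=lambda m: m[0].prefixlen)
    return rs[0]


def tunnel_egress_report(routes, tracks, down: Set[str] = frozenset()):
    """For each GRE tunnel, compare the configured source interface with the
    interface the encapsulated packets toward the peer actually leave through."""
    report = {}
    for tun, src in TUNNEL_SOURCE.items():
        r = lookup(routes, tracks, GRE_PEER, down)
        egress = exit_interface(r) if r else None
        report[tun] = {"source": src, "egress": egress, "consistent": egress == src}
    return report


if __name__ == "__main__":
    for dest in ("192.168.74.5", GRE_PEER):
        r = lookup(TEXROUTER_ROUTES, {}, dest)
        print(f"{dest:>16} -> {r.via} (AD {r.ad}) out {exit_interface(r)}")
    print("GRE peer with Vlan1 down:", lookup(TEXROUTER_ROUTES, {}, GRE_PEER, {"Vlan1"}).via)
    for tun, info in tunnel_egress_report(TEXROUTER_ROUTES, {}).items():
        print(tun, info)
```

Running it shows what the reply is pointing at: while Vlan1 is up, every lookup for the GRE peer selects the AD-15 default out Vlan1, so the ISP WEST default only appears in the RIB once Vlan1 (and its next hop) is gone. In the same model, Tunnel0's outer GRE packets, sourced from FastEthernet4's address, are forwarded out Vlan1 too, so according to the routing table the two "redundant" tunnels ride the same uplink, and the IP SLA probes through Tunnel0 are measuring that path rather than the WEST link.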