"PPTP VPN on a Cisco 1841"
 |
Message from ksspb (ok) on 07-Nov-10, 16:52
The VPN fails at the password check with error 734. I followed the article http://www.cisco.com/en/US/tech/tk827/tk369/technologies_con... Before I set up the firewall and ACLs with CCP, the password check worked and the VPN came up. Config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$xxxxx//xxxxxxxx.
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW pptp
ip inspect name CCP_LOW echo
ip inspect name CCP_LOW isakmp
ip inspect name CCP_LOW ipsec-msft
ip inspect name CCP_LOW gdoi
ip inspect name CCP_LOW ssp
ip inspect name CCP_LOW telnet
ip inspect name CCP_LOW ssh
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.51.1 10.5.51.9
ip dhcp excluded-address 10.5.51.201 10.5.51.254
ip dhcp excluded-address 10.5.52.1 10.5.52.9
ip dhcp excluded-address 10.5.52.201 10.5.52.254
!
ip dhcp pool sdm-pool1
   network 10.5.51.0 255.255.255.0
   dns-server 10.5.51.1
   default-router 10.5.51.1
!
ip dhcp pool sdm-pool2
   network 10.5.52.0 255.255.255.0
   dns-server 10.5.52.1
   default-router 10.5.52.1
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 195.5.xxx.xxx
ip name-server 195.5.xxx.xxx
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
username admcisco privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxxxxxx
username vpnuser privilege 0 password 7 xxxxxxxxxx
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 21x.xxx.xxx.xxx 255.255.255.248
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip unreachables
 ip inspect CCP_LOW in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 switchport access vlan 10
!
interface FastEthernet0/0/1
 switchport access vlan 11
!
interface FastEthernet0/0/2
 switchport access vlan 12
!
interface FastEthernet0/0/3
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 peer default ip address pool vpn
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface Vlan10
 description $FW_INSIDE$
 ip address 10.5.50.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan11
 description $FW_INSIDE$
 ip address 10.5.51.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan12
 description $FW_INSIDE$
 ip address 10.5.52.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn 192.168.1.10 192.168.1.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 213.182.176.129
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool vpn 192.168.1.10 192.168.1.20 netmask 255.255.255.0
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source list 3 interface FastEthernet0/1 overload
ip dns server
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.5.50.0 0.0.0.255
access-list 2 permit 10.5.51.0 0.0.0.255
access-list 2 permit 10.5.52.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny ip 10.5.52.0 0.0.0.255 any
access-list 100 deny ip 10.5.51.0 0.0.0.255 any
access-list 100 deny ip 10.5.50.0 0.0.0.255 any
access-list 100 deny ip 213.182.176.128 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 deny ip 10.5.52.0 0.0.0.255 any
access-list 101 deny ip 10.5.51.0 0.0.0.255 any
access-list 101 deny ip 21x.xxx.xxx.xxx 0.0.0.7 any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 deny ip 10.5.52.0 0.0.0.255 any
access-list 102 deny ip 10.5.50.0 0.0.0.255 any
access-list 102 deny ip 21x.xxx.xxx.xxx 0.0.0.7 any
access-list 102 deny ip 192.168.2.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 deny ip 10.5.51.0 0.0.0.255 any
access-list 103 deny ip 10.5.50.0 0.0.0.255 any
access-list 103 deny ip 21x.xxx.xxx.xxx 0.0.0.7 any
access-list 103 deny ip 192.168.2.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host 195.x.xxx.xxx eq domain host 21x.xxx.xxx.xxx
access-list 104 permit udp host 195.x.xxx.xxx eq domain host 21x.xxx.xxx.xxx
access-list 104 permit udp any host 21x.xxx.xxx.xxx eq non500-isakmp
access-list 104 permit udp any host 21x.xxx.xxx.xxx eq isakmp
access-list 104 permit ahp any host 21x.xxx.xxx.xxx
access-list 104 permit esp any host 21x.xxx.xxx.xxx
access-list 104 permit icmp any any
access-list 104 permit tcp any any
access-list 104 deny ip 10.5.52.0 0.0.0.255 any
access-list 104 deny ip 10.5.51.0 0.0.0.255 any
access-list 104 deny ip 10.5.50.0 0.0.0.255 any
access-list 104 deny ip 192.168.2.0 0.0.0.255 any
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any
no cdp run
!
control-plane
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
end

Thanks in advance :)
|
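Editor's note on the posted configuration. PPTP is two flows, not one: a TCP/1723 control connection and a GRE (IP protocol 47) tunnel, and PPP, with the MS-CHAP password exchange inside it, runs in the GRE tunnel. The CCP-generated access-list 104 applied inbound on FastEthernet0/1 has `permit tcp any any`, so the control connection completes and the client gets as far as PPP, but it permits only AH and ESP among the non-TCP/UDP protocols and has no GRE entry, so the tunnel hits `deny ip any any`. A control connection that succeeds while GRE is dropped is a common cause of Windows error 734 ("The PPP link control protocol was terminated"), which also fits the report that authentication worked until the firewall was applied. The script below is an added example written for this page, not the poster's or Cisco's code: an offline first-match evaluator that walks the posted ACL the way IOS does (top down, first match wins, implicit deny at the end) and reports which line each PPTP flow hits, before and after a candidate `permit gre any host <wan>` entry. It assumes RFC 5737 documentation addresses in place of the masked WAN and DNS addresses and a client at 203.0.113.7, and it parses only the ACL forms the post uses (`any`, `host`, network/wildcard, `eq` ports).

```python
"""First-match evaluator for numbered IOS extended ACLs, run against the posted
access-list 104 to see whether both halves of a PPTP session get in: the
TCP/1723 control connection and the GRE (IP protocol 47) tunnel that carries
PPP, and therefore the MS-CHAP password exchange."""
import ipaddress
from collections import namedtuple

PORT_NAME = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "pptp": 1723}
ANY = ipaddress.ip_network("0.0.0.0/0")
# proto is the IOS keyword (ip, icmp, tcp, udp, gre, esp, ahp); "ip" matches all.
# sport/dport: None = any port; only "eq <port>" is parsed. text = the config line.
Rule = namedtuple("Rule", "action proto src sport dst dport text")
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

def _addr(t, i):
    """Consume one IOS address spec at t[i]: 'any' | 'host A' | 'NET WILDCARD'."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard bits are the inverse of the netmask (contiguous masks only)
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(t[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq <port>' spec at t[i]."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAME[t[i + 1]]), i + 2
    return None, i

def parse_acl(config, number):
    """Collect the entries of access-list <number> from config text, in order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(t[2], t[3], src, sport, dst, dport, line.strip()))
    return rules

def first_match(rules, pkt):
    """First entry matching pkt, or IOS's implicit deny when nothing matches."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto in ("ip", pkt.proto) and src in r.src and dst in r.dst \
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport):
            return r
    return Rule("deny", "ip", ANY, None, ANY, None, "implicit deny ip any any")

def diagnose_pptp(config, client, wan):
    """Map each PPTP flow (as the client sends it) to (action, matching line)."""
    rules = parse_acl(config, 104)
    flows = {"tcp/1723 control": Packet("tcp", client, wan, 49152, 1723),
             "gre tunnel": Packet("gre", client, wan)}
    out = {}
    for name, pkt in flows.items():
        hit = first_match(rules, pkt)
        out[name] = (hit.action, hit.text)
    return out

# Constructed stand-in for the posted access-list 104: the masked WAN and DNS
# addresses are replaced with RFC 5737 documentation addresses (assumption).
WAN = "198.51.100.2"
DNS1, DNS2 = "203.0.113.53", "203.0.113.54"
POSTED_ACL_104 = f"""
access-list 104 permit udp host {DNS1} eq domain host {WAN}
access-list 104 permit udp host {DNS2} eq domain host {WAN}
access-list 104 permit udp any host {WAN} eq non500-isakmp
access-list 104 permit udp any host {WAN} eq isakmp
access-list 104 permit ahp any host {WAN}
access-list 104 permit esp any host {WAN}
access-list 104 permit icmp any any
access-list 104 permit tcp any any
access-list 104 deny ip 10.5.52.0 0.0.0.255 any
access-list 104 deny ip 10.5.51.0 0.0.0.255 any
access-list 104 deny ip 10.5.50.0 0.0.0.255 any
access-list 104 deny ip 192.168.2.0 0.0.0.255 any
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any
"""
# Candidate fix: a GRE permit placed ahead of the deny entries. Ordering matters:
# a line added to a numbered ACL is appended after 'deny ip any any' and never
# reached, so rebuild the list (or insert with a sequence number) instead.
FIXED_ACL_104 = POSTED_ACL_104.replace(
    "access-list 104 permit tcp any any",
    f"access-list 104 permit gre any host {WAN}\naccess-list 104 permit tcp any any")

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL_104), ("with GRE permit", FIXED_ACL_104)):
        for flow, (action, text) in diagnose_pptp(acl, "203.0.113.7", WAN).items():
            print(f"{label:16} {flow:18} {action:7} <- {text}")
```

On the router itself the same check is `show access-lists 104` after a failed connection attempt (the match counter on `deny ip any any` climbs while the `permit tcp any any` counter also climbs) together with `debug ppp negotiation`, which shows LCP never completing because no GRE ever arrives. The anti-spoofing entries stay in front of GRE from RFC 1918 sources, so the permit does not weaken them. Separately, PPTP with MS-CHAP (v1 is still enabled on Virtual-Template1) is not a transport to rely on for confidentiality by today's standards; the example only explains why the CCP firewall broke what previously worked.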