The OpenNET Project / Index page

"VPN over PPTP on a Cisco 1841"
Forum: CISCO routers and other equipment (VPN, VLAN, tunnel)

"VPN over PPTP on a Cisco 1841"
Message from ksspb (ok) on 07-Nov-10, 16:52
The VPN fails password verification, error 734.
I followed the article http://www.cisco.com/en/US/tech/tk827/tk369/technologies_con...
Before the FIREWALL and ACL were set up with CCP, password verification worked
and the VPN came up.
Config:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$xxxxx//xxxxxxxx.
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW pptp
ip inspect name CCP_LOW echo
ip inspect name CCP_LOW isakmp
ip inspect name CCP_LOW ipsec-msft
ip inspect name CCP_LOW gdoi
ip inspect name CCP_LOW ssp
ip inspect name CCP_LOW telnet
ip inspect name CCP_LOW ssh
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.51.1 10.5.51.9
ip dhcp excluded-address 10.5.51.201 10.5.51.254
ip dhcp excluded-address 10.5.52.1 10.5.52.9
ip dhcp excluded-address 10.5.52.201 10.5.52.254
!
ip dhcp pool sdm-pool1
   network 10.5.51.0 255.255.255.0
   dns-server 10.5.51.1
   default-router 10.5.51.1
!
ip dhcp pool sdm-pool2
   network 10.5.52.0 255.255.255.0
   dns-server 10.5.52.1
   default-router 10.5.52.1
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 195.5.xxx.xxx
ip name-server 195.5.xxx.xxx
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
!
username admcisco privilege 15 secret 5 $1xxxxxxxxxxxxxxxxxxxxxxxxx
username vpnuser privilege 0 password 7 xxxxxxxxxx
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 21x.xxx.xxx.xxx 255.255.255.248
ip access-group 104 in
ip verify unicast reverse-path
no ip unreachables
ip inspect CCP_LOW in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0/0
switchport access vlan 10
!
interface FastEthernet0/0/1
switchport access vlan 11
!
interface FastEthernet0/0/2
switchport access vlan 12
!
interface FastEthernet0/0/3
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
peer default ip address pool vpn
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Vlan10
description $FW_INSIDE$
ip address 10.5.50.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface Vlan11
description $FW_INSIDE$
ip address 10.5.51.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Vlan12
description $FW_INSIDE$
ip address 10.5.52.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
ip local pool vpn 192.168.1.10 192.168.1.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 213.182.176.129
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool vpn 192.168.1.10 192.168.1.20 netmask 255.255.255.0
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source list 3 interface FastEthernet0/1 overload
ip dns server
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.5.50.0 0.0.0.255
access-list 2 permit 10.5.51.0 0.0.0.255
access-list 2 permit 10.5.52.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip 10.5.52.0 0.0.0.255 any
access-list 100 deny   ip 10.5.51.0 0.0.0.255 any
access-list 100 deny   ip 10.5.50.0 0.0.0.255 any
access-list 100 deny   ip 213.182.176.128 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 deny   ip 10.5.52.0 0.0.0.255 any
access-list 101 deny   ip 10.5.51.0 0.0.0.255 any
access-list 101 deny   ip 21x.xxx.xxx.xxx 0.0.0.7 any
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 deny   ip 10.5.52.0 0.0.0.255 any
access-list 102 deny   ip 10.5.50.0 0.0.0.255 any
access-list 102 deny   ip 21x.xxx.xxx.xxx 0.0.0.7 any
access-list 102 deny   ip 192.168.2.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 deny   ip 10.5.51.0 0.0.0.255 any
access-list 103 deny   ip 10.5.50.0 0.0.0.255 any
access-list 103 deny   ip 21x.xxx.xxx.xxx 0.0.0.7 any
access-list 103 deny   ip 192.168.2.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host 195.x.xxx.xxx eq domain host 21x.xxx.xxx.xxx
access-list 104 permit udp host 195.x.xxx.xxx eq domain host 21x.xxx.xxx.xxx
access-list 104 permit udp any host 21x.xxx.xxx.xxx eq non500-isakmp
access-list 104 permit udp any host 21x.xxx.xxx.xxx eq isakmp
access-list 104 permit ahp any host 21x.xxx.xxx.xxx
access-list 104 permit esp any host 21x.xxx.xxx.xxx
access-list 104 permit icmp any any
access-list 104 permit tcp any any
access-list 104 deny   ip 10.5.52.0 0.0.0.255 any
access-list 104 deny   ip 10.5.51.0 0.0.0.255 any
access-list 104 deny   ip 10.5.50.0 0.0.0.255 any
access-list 104 deny   ip 192.168.2.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any
no cdp run
!
control-plane
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
end

Thanks in advance :)

1. "VPN over PPTP on a Cisco 1841"
Message from ksspb (ok) on 07-Nov-10, 18:18
If ACL 104 is removed from the interface, the VPN starts working.
Looks like the ACL is missing some rules.
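An added example, not from the thread or from Cisco, that evaluates the thread's access-list 104 the way IOS does (first match wins, implicit deny at the end) against the two inbound flows PPTP needs: the TCP/1723 control connection and the GRE tunnel (IP protocol 47). The forum's masked addresses are replaced by RFC 5737 documentation addresses (203.0.113.10 stands in for the WAN address) and the client address 192.0.2.7 is constructed; the `with_gre_rule` helper shows what the verdict becomes once a `permit gre any host <WAN>` entry sits in front of the final `deny ip any any`.

```python
import ipaddress

# Constructed copy of the thread's access-list 104 (PPTP-relevant lines only); the forum's masked
# addresses are replaced by RFC 5737 addresses: 203.0.113.10 = WAN address, 198.51.100.53 = ISP DNS.
ACL_104 = """
permit udp host 198.51.100.53 eq domain host 203.0.113.10
permit udp any host 203.0.113.10 eq non500-isakmp
permit udp any host 203.0.113.10 eq isakmp
permit ahp any host 203.0.113.10
permit esp any host 203.0.113.10
permit icmp any any
permit tcp any any
deny ip any any
"""
PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "pptp": 1723}

def _take_addr(tokens):
    """Consume an IOS address spec: 'any', 'host A', or 'A wildcard' (ipaddress accepts host masks)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tokens.pop(0) + "/32" if t == "host" else f"{t}/{tokens.pop(0)}")

def _take_port(tokens):
    if not tokens or tokens[0] != "eq":   # 'eq' is the only port operator this ACL uses
        return None
    p = tokens[1]
    del tokens[:2]
    return int(p) if p.isdigit() else PORT_NAMES[p]

def acl_verdict(acl_text, proto, src, dst, dport=None, sport=None):
    """First-match evaluation of an extended ACL; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.strip().splitlines():
        action, ace_proto, *rest = line.split()
        src_net, src_port = _take_addr(rest), _take_port(rest)
        dst_net, dst_port = _take_addr(rest), _take_port(rest)
        if ace_proto in ("ip", proto) and src in src_net and dst in dst_net \
                and src_port in (None, sport) and dst_port in (None, dport):
            return action
    return "deny"

def pptp_inbound_check(acl_text, wan_ip, client_ip="192.0.2.7"):
    """PPTP needs two inbound flows: the TCP/1723 control channel and the GRE (IP proto 47) tunnel."""
    return {"tcp/1723": acl_verdict(acl_text, "tcp", client_ip, wan_ip, dport=1723),
            "gre": acl_verdict(acl_text, "gre", client_ip, wan_ip)}

def with_gre_rule(acl_text, wan_ip):
    """Same ACL with the IOS entry that admits the GRE tunnel placed before the final deny."""
    return f"permit gre any host {wan_ip}\n" + acl_text.strip()
```

With the ACL as posted, `permit tcp any any` admits the control channel while GRE falls through to `deny ip any any`, which is consistent with the VPN working only once ACL 104 is taken off the interface.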