Elektroda.pl

Cisco 1812 VPN configuration problem

22 Dec 2007 13:58 2495 4
  • Level 16
    Hello!
    I have the following problem with the VPN configuration. Everything seems to work: from the WAN side I connect to the router with the Cisco client and the connection is established, but for the life of me I cannot browse the local network behind the router. I can only ping the router itself and reach its configuration through the VPN, but unfortunately I cannot get into the network... I configure the router through SDM.
  • VIP Merited member of elektroda
    Post the router configuration (sh run).
  • Level 16
    Here is the configuration

    Code:

    !This is the running config of the router: 192.168.0.245
    !----------------------------------------------------------------------------
    !version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$ja3W$q9JjJwChjUTZ7I1FD2s2T1
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authentication login sdm_vpn_xauth_ml_3 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa authorization network sdm_vpn_group_ml_3 local
    aaa authorization network sdm_vpn_group_ml_4 local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone PCTime 1
    no ip source-route
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1 192.168.0.189
    ip dhcp excluded-address 192.168.0.196 192.168.0.254
    !
    ip dhcp pool SCM
       import all
       network 192.168.0.0 255.255.255.0
       dns-server 192.168.0.1
       default-router 192.168.0.1
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name scm
    ip name-server 194.204.159.1
    ip name-server 194.204.159.34
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip inspect log drop-pkt
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip inspect name dmzinspect tcp
    ip inspect name dmzinspect udp
    ip inspect name SDM_HIGH appfw SDM_HIGH
    ip inspect name SDM_HIGH icmp
    ip inspect name SDM_HIGH dns
    ip inspect name SDM_HIGH esmtp
    ip inspect name SDM_HIGH https
    ip inspect name SDM_HIGH imap reset
    ip inspect name SDM_HIGH pop3 reset
    ip inspect name SDM_HIGH tcp
    ip inspect name SDM_HIGH udp
    !
    appfw policy-name SDM_HIGH
      application im aol
        service default action reset alarm
        service text-chat action reset alarm
        server deny name login.oscar.aol.com
        server deny name toc.oscar.aol.com
        server deny name oam-d09a.blue.aol.com
        audit-trail on
      application im msn
        service default action reset alarm
        service text-chat action reset alarm
        server deny name messenger.hotmail.com
        server deny name gateway.messenger.hotmail.com
        server deny name webmessenger.msn.com
        audit-trail on
      application http
        strict-http action reset alarm
        port-misuse im action reset alarm
        port-misuse p2p action reset alarm
        port-misuse tunneling action reset alarm
      application im yahoo
        service default action reset alarm
        service text-chat action reset alarm
        server deny name scs.msg.yahoo.com
        server deny name scsa.msg.yahoo.com
        server deny name scsb.msg.yahoo.com
        server deny name scsc.msg.yahoo.com
        server deny name scsd.msg.yahoo.com
        server deny name cs16.msg.dcn.yahoo.com
        server deny name cs19.msg.dcn.yahoo.com
        server deny name cs42.msg.dcn.yahoo.com
        server deny name cs53.msg.dcn.yahoo.com
        server deny name cs54.msg.dcn.yahoo.com
        server deny name ads1.vip.scd.yahoo.com
        server deny name radio1.launch.vip.dal.yahoo.com
        server deny name in1.msg.vip.re2.yahoo.com
        server deny name data1.my.vip.sc5.yahoo.com
        server deny name address1.pim.vip.mud.yahoo.com
        server deny name edit.messenger.yahoo.com
        server deny name messenger.yahoo.com
        server deny name http.pager.yahoo.com
        server deny name privacy.yahoo.com
        server deny name csa.yahoo.com
        server deny name csb.yahoo.com
        server deny name csc.yahoo.com
        audit-trail on
    !
    !
    crypto pki trustpoint TP-self-signed-1415355285
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1415355285
     revocation-check none
     rsakeypair TP-self-signed-1415355285
    !
    !
    username admin privilege 15 secret 5 $1$rsUB$O3LQxFfO81bgySJezs0dk.
    username scmvpn secret 5 $1$ihg5$Dl1fyXlrfceXEpFbYzfCH.
    !
    !
    class-map match-any sdm_p2p_kazaa
     match protocol fasttrack
     match protocol kazaa2
    class-map match-any sdm_p2p_edonkey
     match protocol edonkey
    class-map match-any sdm_p2p_gnutella
     match protocol gnutella
    class-map match-any sdm_p2p_bittorrent
     match protocol bittorrent
    !
    !
    policy-map sdmappfwp2p_SDM_HIGH
     class sdm_p2p_edonkey
       drop
     class sdm_p2p_gnutella
       drop
     class sdm_p2p_kazaa
       drop
     class sdm_p2p_bittorrent
       drop
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group vpn
     key scmvpn2008
     pool SDM_POOL_1
     max-users 3
     netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group vpn
       client authentication list sdm_vpn_xauth_ml_3
       isakmp authorization list sdm_vpn_group_ml_4
       client configuration address respond
       virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA3
     set isakmp-profile sdm-ike-profile-1
    !
    !
    !
    !
    !
    interface FastEthernet0
     description $FW_OUTSIDE$$ETH-WAN$
     ip address 83.17.185.163 255.255.255.248
     ip access-group 107 in
     ip verify unicast reverse-path
     ip mask-reply
     no ip unreachables
     ip directed-broadcast
     ip nbar protocol-discovery
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet1
     description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
     ip address 10.0.0.1 255.0.0.0
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     duplex auto
     speed auto
    !
    interface BRI0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     encapsulation hdlc
     ip route-cache flow
     shutdown
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Virtual-Template1 type tunnel
     description $FW_INSIDE$
     ip unnumbered FastEthernet0
     ip access-group 101 in
     ip access-group 101 out
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_OUTSIDE$
     ip address 192.168.0.245 255.255.255.0
     ip access-group 103 in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1452
     service-policy input sdmappfwp2p_SDM_HIGH
     service-policy output sdmappfwp2p_SDM_HIGH
    !
    ip local pool SDM_POOL_1 192.168.0.246 192.168.0.248
    ip local pool SDM_POOL_2 172.19.1.1 172.19.1.10
    ip default-gateway 83.17.185.161
    ip route 0.0.0.0 0.0.0.0 83.17.185.161
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool 1 192.168.0.0 192.168.255.255 netmask 255.255.0.0
    ip nat inside source list 100 interface FastEthernet0 overload
    !
    ip access-list extended sdm_virtual-template1_in
     remark SDM_ACL Category=1
     deny   ip 127.0.0.0 0.255.255.255 any
     permit ip any any
    !
    logging trap debugging
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=2
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ip any any
    access-list 102 remark auto generated by SDM firewall configuration
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit udp host 192.168.0.1 eq domain host 192.168.0.240
    access-list 102 permit icmp any host 192.168.0.240 echo-reply
    access-list 102 permit icmp any host 192.168.0.240 time-exceeded
    access-list 102 permit icmp any host 192.168.0.240 unreachable
    access-list 102 permit ospf any any
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit icmp any host 192.168.0.245 echo-reply
    access-list 103 permit icmp any host 192.168.0.245 time-exceeded
    access-list 103 permit icmp any host 192.168.0.245 unreachable
    access-list 103 permit ip any any
    access-list 104 remark auto generated by SDM firewall configuration
    access-list 104 remark SDM_ACL Category=1
    access-list 104 permit udp any host 83.17.185.162 eq non500-isakmp
    access-list 104 permit udp any host 83.17.185.162 eq isakmp
    access-list 104 permit esp any host 83.17.185.162
    access-list 104 permit ahp any host 83.17.185.162
    access-list 104 permit tcp any host 83.17.185.162 eq 445
    access-list 104 permit tcp any host 83.17.185.162 eq 222
    access-list 104 permit tcp any host 83.17.185.163 eq www
    access-list 104 deny   ip 192.168.0.0 0.0.0.255 any
    access-list 104 permit icmp any host 83.17.185.162 echo-reply
    access-list 104 permit ip any host 10.0.0.101
    access-list 104 permit icmp any host 83.17.185.162 time-exceeded
    access-list 104 permit icmp any host 83.17.185.162 unreachable
    access-list 104 permit tcp any host 83.17.185.163 eq 443
    access-list 104 permit tcp any host 83.17.185.163 eq 22
    access-list 104 permit tcp any host 83.17.185.163 eq cmd
    access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 104 deny   ip host 255.255.255.255 any
    access-list 104 deny   ip host 0.0.0.0 any
    access-list 104 deny   ip any any log
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 deny   ip any any log
    access-list 106 remark auto generated by SDM firewall configuration
    access-list 106 remark SDM_ACL Category=1
    access-list 106 permit udp host 194.204.159.34 eq domain any
    access-list 106 permit udp host 194.204.159.1 eq domain any
    access-list 106 permit tcp any host 83.17.185.163 eq 445
    access-list 106 permit tcp any host 83.17.185.163 eq 222
    access-list 106 permit udp any host 83.17.185.163 eq non500-isakmp
    access-list 106 permit udp any host 83.17.185.163 eq isakmp
    access-list 106 permit esp any host 83.17.185.163
    access-list 106 permit ahp any host 83.17.185.163
    access-list 106 deny   ip 192.168.0.0 0.0.0.255 any
    access-list 106 permit icmp any host 83.17.185.163 echo-reply
    access-list 106 permit icmp any host 83.17.185.163 time-exceeded
    access-list 106 permit icmp any host 83.17.185.163 unreachable
    access-list 106 permit tcp any host 83.17.185.163 eq 443
    access-list 106 permit tcp any host 83.17.185.163 eq 22
    access-list 106 permit tcp any host 83.17.185.163 eq cmd
    access-list 106 permit tcp any host 83.17.185.163 eq www
    access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 106 deny   ip host 255.255.255.255 any
    access-list 106 deny   ip host 0.0.0.0 any
    access-list 106 deny   ip any any log
    access-list 107 remark auto generated by SDM firewall configuration
    access-list 107 remark SDM_ACL Category=1
    access-list 107 permit udp host 194.204.159.34 eq domain host 83.17.185.163
    access-list 107 permit udp host 194.204.159.1 eq domain host 83.17.185.163
    access-list 107 permit udp any host 83.17.185.163 eq non500-isakmp
    access-list 107 permit udp any host 83.17.185.163 eq isakmp
    access-list 107 permit esp any host 83.17.185.163
    access-list 107 permit ahp any host 83.17.185.163
    access-list 107 permit icmp any host 83.17.185.163 echo-reply
    access-list 107 permit icmp any host 83.17.185.163 time-exceeded
    access-list 107 permit icmp any host 83.17.185.163 unreachable
    access-list 107 permit tcp any host 83.17.185.163 eq 443
    access-list 107 permit tcp any host 83.17.185.163 eq 22
    access-list 107 permit tcp any host 83.17.185.163 eq cmd
    access-list 107 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 107 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 107 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 107 deny   ip host 255.255.255.255 any
    access-list 107 deny   ip host 0.0.0.0 any
    access-list 107 deny   ip any any log
    no cdp run
    !
    !
    !
    !
    !
    !
    control-plane
    !
    banner login ^CSpecjalistyczne Centrum Medyczne
    w Polanicy Zdroj
    ^C
    !
    line con 0
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     transport input telnet ssh
    line vty 5 15
     transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    !
    webvpn context Default_context
     ssl authenticate verify all
     !
     no inservice
    !
    end


  • Moderator Automotive
    ...of course you know that the computer you are connecting from must have a public IP, or be behind NAT with the VPN Pass-Through option enabled. In the second case, the private IP of the connecting computer must belong to a different network than the LAN behind the VPN server router.
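As an added check (not from the thread), the moderator's condition and the address plan visible in the posted config can be tested mechanically. The snippet below parses a constructed excerpt of that config, flags a client LAN that overlaps the router's Vlan1 subnet, and also notes that SDM_POOL_1 sits inside that same subnet, which on Cisco IOS requires the router to answer ARP for pool addresses on the inside interface (my caveat, not the thread's), so it reports whether proxy ARP is disabled there.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted above (only the lines this check needs).
CONFIG = """\
interface Vlan1
 ip address 192.168.0.245 255.255.255.0
 no ip proxy-arp
!
ip local pool SDM_POOL_1 192.168.0.246 192.168.0.248
ip local pool SDM_POOL_2 172.19.1.1 172.19.1.10
"""

def interface_block(config, name):
    """Return the indented lines that belong to 'interface <name>'."""
    lines, inside = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split()[1] == name
        elif inside and line.startswith(" "):
            lines.append(line.strip())
    return lines

def lan_subnet(config, interface="Vlan1"):
    """Subnet of the inside interface, e.g. 192.168.0.245/24 -> 192.168.0.0/24."""
    for line in interface_block(config, interface):
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
    raise ValueError(f"no ip address on {interface}")

def local_pools(config):
    """Map pool name -> (first, last) address taken from 'ip local pool' lines."""
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def check(config, client_subnet, pool_name="SDM_POOL_1", interface="Vlan1"):
    """Findings for a VPN client whose own LAN is `client_subnet` (CIDR string)."""
    lan = lan_subnet(config, interface)
    findings = []
    if ipaddress.IPv4Network(client_subnet, strict=False).overlaps(lan):
        findings.append(f"client LAN {client_subnet} overlaps VPN-side LAN {lan}")
    first, last = local_pools(config)[pool_name]
    if first in lan and last in lan:  # pool carved out of the inside subnet (assumption: IOS then needs proxy ARP)
        findings.append(f"{pool_name} lies inside {lan}: router must answer ARP for pool addresses on {interface}")
        if "no ip proxy-arp" in interface_block(config, interface):
            findings.append(f"proxy ARP is disabled on {interface}")
    return findings

print("\n".join(check(CONFIG, "192.168.0.0/24")))
```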
  • Level 16
    and that is how it is :|