The OpenNET Project / Index page

Original message
"VPN client behind NAT"
Posted by Dmitriy, 26-Mar-07 16:18
>IPSec NAT Transparency
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios...

I have read all of that. Everything is set up that way. But the tunnel still hangs because of the NAT, and packets do not flow through the tunnel. Point me at what is wrong in the config.

!This is the running config of the router: XXX.XXX.XXX.XXX
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXX
!
boot-start-marker
boot system flash
boot system flash c2801-advipservicesk9-mz.123-11.XL.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
enable secret 5 $1$EJZl$PWVMLbR5UOxO4HgXI2Pm91
enable password 7 011E09105419090320
!
username root privilege 15 view root secret 5 $1$b6I9$6RZUZbZ9Y.E63FCEkw2lT/
username vpnuser secret 5 $1$X1Gl$wJnXiRVTWDU92eeKfJwPt/
clock timezone Moscow 3
clock summer-time Moscow date Mar 30 2003 2:00 Oct 26 2003 3:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp path-mtu-discovery
!
!
no ip bootp server
ip domain name vmpcorp.ru
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
ip inspect name sdm_ins_in_100 http urlfilter
ip ips po max-events 100
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny mail.google.com
ip urlfilter exclusive-domain deny .gmail.ru
ip urlfilter exclusive-domain deny win.mail.ru
ip urlfilter exclusive-domain deny mail.yandex.ru
ip urlfilter exclusive-domain deny mail.rambler.ru
no ftp-server write-enable
!
voice-card 0
!
!
!
voice service voip
sip
  min-se  120
!
!
voice class codec 2
codec preference 1 g729r8
codec preference 2 g711alaw
codec preference 3 g711ulaw
codec preference 4 g723r53
codec preference 5 g723r63
codec preference 6 g723ar53
codec preference 7 g723ar63
codec preference 8 g729br8
!
!
!
voice class h323 1
  h245 caps mode restricted
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key motorola address 217.171.2.174 no-xauth
crypto isakmp key motorola address 212.57.117.82 no-xauth
crypto isakmp key motorola address 81.13.16.246 no-xauth
crypto isakmp key motorola address 212.14.166.166 no-xauth
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration address-pool local SDM_POOL_1
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group remote_vpn_users
key motorola
dns 192.168.10.5
pool SDM_POOL_1
acl 105
save-password
include-local-lan
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VMP_VPN esp-3des
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 65535
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map DL-VMP-VPN client authentication list sdm_vpn_xauth_ml_1
crypto map DL-VMP-VPN isakmp authorization list sdm_vpn_group_ml_1
crypto map DL-VMP-VPN client configuration address initiate
crypto map DL-VMP-VPN client configuration address respond
crypto map DL-VMP-VPN 9 ipsec-isakmp
description Market - KitajGorod
set peer XXX.XXX.XXX.XXX
set transform-set VMP_VPN
set pfs group2
match address 103
crypto map DL-VMP-VPN 10 ipsec-isakmp
description Racing - Aviamotornaja
set peer XXX.XXX.XXX.XXX
set transform-set VMP_VPN
set pfs group2
match address 101
crypto map DL-VMP-VPN 11 ipsec-isakmp
description Stosk
set peer XXX.XXX.XXX.XXX
set transform-set VMP_VPN
set pfs group2
match address 102
crypto map DL-VMP-VPN 12 ipsec-isakmp
description Arkhangelsk
set peer XXX.XXX.XXX.XXX
set transform-set VMP_VPN
set pfs group2
match address 106
crypto map DL-VMP-VPN 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
ip address XXX.XXX.XXX.XXX
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed auto
full-duplex
no cdp enable
no mop enabled
crypto map DL-VMP-VPN
!
interface FastEthernet0/1
description $FW_OUTSIDE$$ETH-LAN$
ip address 192.168.10.6 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1350
duplex auto
speed auto
no cdp enable
no mop enabled
!
router eigrp 10
redistribute static metric 1000 1000 255 1 1500
network XXX.XXX.XXX.XXX
network 192.168.10.0
auto-summary
!
ip local pool SDM_POOL_1 192.168.5.1 192.168.5.10
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.7 3389 XXX.XXX.XXX.XXX 3389 route-map SDM_RMAP_5 extendable
!
ip access-list extended NAT_All
remark *
remark SDM_ACL Category=2
deny   icmp 192.168.10.0 0.0.0.255 192.168.52.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.52.0 0.0.0.255
deny   ip host 192.168.10.7 any
deny   icmp 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
deny   icmp 192.168.10.0 0.0.0.255 192.168.51.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.51.0 0.0.0.255
deny   icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
deny   icmp 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
remark NAT_network_to_all
permit ip 192.168.10.0 0.0.0.255 any
!
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.10
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.9
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.8
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.7
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.6
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.5
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.4
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.3
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.2
access-list 100 deny   ip host 192.168.10.7 host 192.168.5.1
access-list 100 permit ip host 192.168.10.7 any
access-list 101 remark Racing - Aviamotornaja
access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 permit icmp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 deny   ip any any
access-list 102 remark Stock
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 102 permit icmp 192.168.10.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 102 deny   ip any any
access-list 103 remark Market - KitajGorod
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 103 permit icmp 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 103 deny   ip any any
access-list 105 remark VPN
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit icmp 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip any any
access-list 106 remark Arkhangelsk
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 106 permit icmp 192.168.10.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 106 deny   ip any any
no cdp run
!
route-map SDM_RMAP_4 permit 1
match ip address NAT_All
!
route-map SDM_RMAP_5 permit 1
match ip address 100
!
route-map SDM_RMAP_1 permit 1
match ip address NAT_All
!
route-map SDM_RMAP_2 permit 1
match ip address NAT_All
!
route-map SDM_RMAP_3 permit 1
match ip address NAT_All
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
supervisory disconnect dualtone mid-call
input gain 11
output attenuation -5
no comfort-noise
cptone KR
connection plar opx 1398
!
voice-port 0/0/1
supervisory disconnect dualtone mid-call
no battery-reversal
disc_pi_off
input gain 11
output attenuation -5
no comfort-noise
cptone KR
timeouts call-disconnect 1
timeouts wait-release 1
timing guard-out 500
connection plar opx 301
station-id number 301
!
voice-port 0/0/2
supervisory disconnect dualtone mid-call
input gain 11
output attenuation -5
no comfort-noise
cptone KR
connection plar opx 306
!
voice-port 0/0/3
supervisory disconnect dualtone mid-call
no battery-reversal
disc_pi_off
input gain 11
output attenuation -5
no comfort-noise
cptone KR
timeouts call-disconnect 1
timeouts wait-release 1
timing guard-out 500
connection plar opx 223
station-id number 223
!
!
!
!
dial-peer voice 1 voip
huntstop
destination-pattern 1398
voice-class codec 2
session target ipv4:XXX.XXX.XXX.XXX
ip qos dscp cs5 media
!
dial-peer voice 2 voip
huntstop
destination-pattern 301
voice-class codec 2
session protocol sipv2
session target ipv4:XXX.XXX.XXX.XXX
dtmf-relay rtp-nte
ip qos dscp cs5 media
no vad
!
dial-peer voice 10 pots
destination-pattern .T
port 0/0/0
!
dial-peer voice 11 pots
destination-pattern .T
port 0/0/1
!
dial-peer voice 3 voip
huntstop
destination-pattern 306
voice-class codec 2
session target ipv4:XXX.XXX.XXX.XXX
ip qos dscp cs5 media
!
dial-peer voice 12 pots
destination-pattern .T
port 0/0/2
!
dial-peer voice 4 voip
huntstop
destination-pattern 223
voice-class codec 2
session protocol sipv2
session target sip-server
dtmf-relay rtp-nte
ip qos dscp cs5 media
no vad
!
dial-peer voice 13 pots
destination-pattern .T
port 0/0/3
!
gateway
timer receive-rtp 1200
!
sip-ua
retry invite 10
retry response 5
retry cancel 5
timers trying 1000
timers connect 1000
timers disconnect 1000
sip-server ipv4:XXX.XXX.XXX.XXX
!
!
^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
password 7 110416111800040005
transport input telnet ssh
line vty 5 15
password 7 151F04180B38242829
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179894
ntp update-calendar
ntp server 194.149.67.130
ntp server 145.238.110.68
end
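The mechanism behind the quoted "IPSec NAT Transparency" link is RFC 3947 NAT discovery: during IKE phase 1 each side sends NAT-D payloads, hashes of the IKE cookies plus an address and port, and a mismatch between the hash the peer computed for its own address and the hash computed over the address actually observed on the wire tells the responder that a NAT rewrote it, which is what moves the SA to UDP 4500 encapsulation. The Python below is an added example, not code from the post or from Cisco, that carries both sides of that exchange. The hash is the one negotiated in the ISAKMP policy, so with `hash md5` (policy 1 above) the payload is 16 bytes, with the SHA-1 default of policy 2 it is 20. The cookie values and the 192.168.1.20 / 203.0.113.5 / 198.51.100.1 addresses are constructed for the example.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

Addr = Tuple[str, int]

# Constructed addresses (RFC 5737 documentation ranges), not taken from the post.
CLIENT_PRIVATE: Addr = ("192.168.1.20", 500)   # the client's own view of its address
NAT_PUBLIC: Addr = ("203.0.113.5", 11234)      # what the router sees after the NAT device rewrites it
ROUTER: Addr = ("198.51.100.1", 500)           # the responder's (router's) public address


def nat_d_hash(cky_i: bytes, cky_r: bytes, addr: Addr, hash_name: str = "md5") -> bytes:
    """RFC 3947 section 4: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).

    IP and Port are in network byte order; HASH is the algorithm negotiated in
    the ISAKMP policy (md5 here, matching `hash md5` in policy 1 of the post).
    """
    ip, port = addr
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def initiator_nat_d_payloads(cky_i: bytes, cky_r: bytes, local: Addr, remote: Addr,
                             hash_name: str = "md5") -> List[bytes]:
    """The initiator sends the remote (destination) hash first, then one hash per local address."""
    return [nat_d_hash(cky_i, cky_r, remote, hash_name),
            nat_d_hash(cky_i, cky_r, local, hash_name)]


@dataclass
class NatDetection:
    initiator_behind_nat: bool
    responder_behind_nat: bool

    @property
    def use_udp_4500(self) -> bool:
        # Either side behind NAT means the SA switches to UDP-encapsulated ESP on port 4500.
        return self.initiator_behind_nat or self.responder_behind_nat


def responder_detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes], my_addr: Addr,
                         observed_peer: Addr, hash_name: str = "md5") -> NatDetection:
    """What the responder does with the initiator's NAT-D payloads."""
    remote_hash, *local_hashes = payloads
    # If the hash the peer computed over *my* address differs from what I compute over
    # the address I believe I have, something rewrote my address: I am behind NAT.
    responder_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, my_addr, hash_name)
    # If none of the peer's self-hashes match the source address/port I actually saw
    # on the wire, the peer's packets were translated: the peer is behind NAT.
    observed_hash = nat_d_hash(cky_i, cky_r, observed_peer, hash_name)
    initiator_behind_nat = observed_hash not in local_hashes
    return NatDetection(initiator_behind_nat, responder_behind_nat)


def simulate(client_local: Addr, router_observes: Addr, hash_name: str = "md5") -> NatDetection:
    """Run one NAT-D exchange: the client builds payloads, the router evaluates them."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed IKE cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    payloads = initiator_nat_d_payloads(cky_i, cky_r, client_local, ROUTER, hash_name)
    return responder_detect_nat(cky_i, cky_r, payloads, ROUTER, router_observes, hash_name)


if __name__ == "__main__":
    print("client behind NAT:", simulate(CLIENT_PRIVATE, NAT_PUBLIC))
    print("client on a public address:", simulate(NAT_PUBLIC, NAT_PUBLIC))
```

With the client behind NAT the router's own address hash matches but none of the client's self-hashes match the observed 203.0.113.5:11234, so `initiator_behind_nat` is true and the SA moves to UDP 4500; `crypto isakmp nat keepalive 20` in the config is what then keeps that NAT binding alive between data packets.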

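Separately from the tunnel question, the running config as posted shows settings a reviewer would flag before it was pasted to a public forum: `hash md5` and `encr 3des` in the IKE policies, the transform-set `VMP_VPN esp-3des` with no integrity algorithm (ESP without authentication), the ISAKMP pre-shared key in cleartext, `password 7` strings on the enable and vty lines (type 7 is reversible by design; `service password-encryption` obfuscates, it does not protect), `transport input telnet ssh` on the vty lines and `ip http server`. Also note the SDM labels are swapped relative to the NAT roles: FastEthernet0/0 is described as $FW_INSIDE$ but carries `ip nat outside` and the crypto map, while FastEthernet0/1 is described as $FW_OUTSIDE$ and is `ip nat inside`. The Python below is an added example, not code from the post: it decodes and encodes type-7 strings and scans a constructed config fragment modelled on the post for those patterns. The `02050D480809` value and the `examplekey` pre-shared key in the fragment are constructed, not the post's values.

```python
import re
from typing import List, Tuple

# Cisco "type 7" XOR key stream. It is fixed and public, which is why type 7 is
# obfuscation rather than encryption.
TYPE7_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Reverse a type-7 string: 2-digit decimal seed, then hex bytes XORed with the key stream."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain: str, seed: int = 2) -> str:
    """Produce the same string IOS would store for `password 7`, for round-trip checks."""
    out = bytes(b ^ TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)] for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{out.hex().upper()}"


def audit_ios_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for the weak settings seen in the posted config."""
    findings: List[Tuple[int, str]] = []
    in_isakmp_policy = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("!"):                 # '!' ends a config block
            in_isakmp_policy = False
            continue
        if line.startswith("crypto isakmp policy"):
            in_isakmp_policy = True
            continue
        if in_isakmp_policy and line == "hash md5":
            findings.append((n, "IKE policy uses MD5 as its hash"))
        if in_isakmp_policy and line == "encr 3des":
            findings.append((n, "IKE policy uses 3DES"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
        if m and not re.search(r"(esp-\w+-hmac|\bah-)", m.group(2)):
            findings.append((n, f"transform-set {m.group(1)} has no integrity algorithm"))
        if re.match(r"crypto isakmp key \S+ address", line):
            findings.append((n, "IKE pre-shared key stored in cleartext"))
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m:
            findings.append((n, f"type-7 password is reversible (decodes to {decode_type7(m.group(1))!r})"))
        if re.match(r"transport (input|output) .*\btelnet\b", line):
            findings.append((n, "telnet enabled on a line; plaintext management"))
        if line == "ip http server":
            findings.append((n, "plaintext HTTP management server enabled"))
    return findings


# Constructed fragment modelled on the post; the type-7 value and the key are not the post's.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 02050D480809
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key examplekey address 192.0.2.10 no-xauth
crypto ipsec transform-set VMP_VPN esp-3des
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip http server
line vty 0 4
 password 7 02050D480809
 transport input telnet ssh
"""


if __name__ == "__main__":
    for line_no, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}")
```

The fixes are the usual ones: `enable secret` instead of `enable password`, `login local` with `secret` users on the vty lines and `transport input ssh`, `no ip http server` with `ip http secure-server` kept, an ESP transform with an HMAC (`esp-sha-hmac`) and a stronger cipher on both the IKE policy and the transform-set. A pre-shared key that has been posted in cleartext should be treated as burned and rotated on every peer that uses it.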

 
