




Исходное сообщение
"VPN и IPSEC между двумя cisco роутерами"
Отправлено wellfitting, 06-Июн-07 12:36 
>>
>>Всем добрый день.
>>У меня тоже вопрос по поводу этих debugов.
>>Не могу найти, в чем загвоздка при создании VPN. Посему пытаюсь это
>>выяснить. Но и при terminal monitor все равно ничего не выводится.
>>Не подскажете, в чем может быть дело?
>
>А подробней можешь описать проблему ?
>
>Что не получается ?
>
>VPN между чем и чем ?
>
>Какая конфигурация на клиенте и железках ?
>
>итд

VPN между двумя роутерами в разных офисах. Рутер А соединяется с Рутером В через интерфейс 195.194.252.156. Рутер В соединяется с Рутером А через интерфейс 212.18.50.185.
Рутер А имеет простую конфигурацию. Рутер В имеет много пользователей интернет и одного пользователя, которому нужен VPN.
VPN настраивал через SDM. Вроде бы все предельно ясно, однако административно VPN поднят, а на самом деле не работает.

Конфигурация следующая:
RouterA
Current configuration : 5782 bytes
!
! Router A ("PTS", IOS 12.3): the single-LAN end of the site-to-site IPsec tunnel
! to 212.18.50.185. Several values (enable secret, pre-shared key, username line,
! WAN address) look redacted, altered or truncated by the poster - see the
! NOTE(review) comments below before treating any address as authoritative.
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PTS
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret xxx
!
! NOTE(review): the username line below carries no privilege level or secret -
! presumably truncated when the config was pasted.
username well-fitting

clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no aaa new-model
ip subnet-zero
no ip source-route
ip dhcp excluded-address 10.0.0.1 10.0.0.3
!
! DHCP for the bridged LAN 10.0.0.0/24 (default router = BVI1 below).
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   dns-server 195.194.225.3 195.194.211.1
   default-router 10.0.0.1
!
!
ip cef
! CBAC inspection set; applied outbound on FastEthernet4 so that return traffic
! for these protocols is opened through the inbound ACL 101.
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip name-server 195.194.225.3
ip name-server 195.194.211.1
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
! IKE phase 1: 3DES, pre-shared key, DH group 2 - identical to Router B's policy.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! NOTE(review): the pre-shared key is printed in clear on a public forum page;
! treat it as disclosed and set a new one on both peers once the tunnel works.
crypto isakmp key Vodovoz11 address 212.18.50.185
!
!
! IPsec phase 2 transform set; matches the peer's ESP-3DES-SHA.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Crypto map applied on FastEthernet4. ACL 102 (below) selects
! 10.0.0.0/24 -> 10.0.1.0/24; Router B's ACL 102 is the exact mirror, as required.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to212.18.50.185
set peer 212.18.50.185
set transform-set ESP-3DES-SHA
match address 102
!
bridge irb
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
! WAN interface: ACL 101 (in), CBAC DEFAULT100 (out), NAT outside and the crypto
! map all live here.
! NOTE(review): with a /30 mask, .156 is the network address of
! 195.194.252.156/30, while the default gateway .155 (below) and SDM's anti-spoof
! entry in ACL 100 (195.194.252.155 0.0.0.3 = .152/30) point at the adjacent
! block. Either the address was altered before posting or the mask is wrong;
! "show ip interface brief" settles it.
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 195.194.252.156 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
! NOTE(review): the radio uses an open SSID with no encryption shown and is
! bridged (bridge-group 1) into the same BVI1 segment as the wired LAN, so an
! unauthenticated wireless client lands directly on 10.0.0.0/24 - the subnet the
! tunnel protects.
interface Dot11Radio0
no ip address
!
ssid protech
    authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
!
! Vlan1 (switch ports) and Dot11Radio0 both join bridge-group 1; BVI1 carries the
! LAN address 10.0.0.1/24 and is the NAT-inside / firewall-inside interface.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 195.194.252.155
!
! SDM management over HTTP and HTTPS. ACL 101 admits no TCP from the WAN to the
! router itself, so this is reachable from the LAN side only.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
! NAT overload via route-map SDM_RMAP_1 -> ACL 103, which denies
! 10.0.0.0/24 -> 10.0.1.0/24 so tunnel traffic is not translated before the
! crypto map is consulted.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
! No "logging host" appears in this excerpt, so trap logging has no destination
! unless one is set elsewhere.
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
! BVI1 inbound: SDM anti-spoof denies (WAN subnet, broadcast, loopback), then permit all.
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 195.194.252.155 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! WAN inbound: decrypted remote-LAN traffic and the IPsec peer (IKE 500/4500,
! ESP, AH) first, then DNS replies from the configured resolvers, then
! bogon / RFC1918 denies. Anything not listed is dropped.
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp host 212.18.50.185 host 195.194.252.156 eq non500-isakmp
access-list 101 permit udp host 212.18.50.185 host 195.194.252.156 eq isakmp
access-list 101 permit esp host 212.18.50.185 host 195.194.252.156
access-list 101 permit ahp host 212.18.50.185 host 195.194.252.156
access-list 101 permit udp host 195.194.211.1 eq domain host 195.194.252.156
access-list 101 permit udp host 195.194.225.3 eq domain host 195.194.252.156
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
! NOTE(review): 195.94.252.158 does not share the interface prefix 195.194.252.x -
! likely a typo, so this line admits no useful ICMP.
access-list 101 permit icmp any host 195.94.252.158
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
! 102: crypto ACL for SDM_CMAP_1. 103: NAT-exemption list for SDM_RMAP_1
! (a deny here means "do not translate").
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!        
!        
control-plane
!        
bridge 1 protocol ieee
bridge 1 route ip
! The excerpt ends mid-banner; Router A's line/vty configuration is not shown.
banner login ^CAuthorized access only!

RouterB

Current configuration : 30351 bytes
!
! Last configuration change at 03:18:29 PCTime Wed Jun 6 2007 by macs
! NVRAM config last updated at 03:22:07 PCTime Wed Jun 6 2007 by macs
!
! Router B ("Post", IOS 12.4): the multi-user end of the tunnel. Two LANs:
! 192.168.1.0/24 on FastEthernet0/0 (Internet users with per-user NAT and QoS)
! and 10.0.1.0/24 on Vlan1 (the subnet the crypto ACL protects). Lines in Russian
! without a leading "!" are the poster's elisions, not configuration.
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Post
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging console critical
! (secret value apparently replaced by the poster)
enable secret parol
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
!
!
! CBAC set applied outbound on FastEthernet0/1; the one-minute thresholds tune
! the half-open-session rate at which inspection starts dropping.
ip inspect one-minute high 5000
ip inspect one-minute low 2500
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
! IPS signature file is configured, but no "ip ips ... in/out" binding on an
! interface appears in this excerpt.
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
no ip bootp server
! NOTE(review): 212.18.321.x is not a valid IPv4 address (octet > 255) -
! presumably obfuscated before posting; the same values recur in ACL 101.
ip name-server 212.18.321.101
ip name-server 212.18.321.66
ip name-server 212.18.54.66
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_LOW
  application http
!
!
! Self-signed certificate backing "ip http secure-server" (SDM over HTTPS);
! certificate body elided by the poster.
crypto pki trustpoint TP-self-signed-3768110577
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3768110577
revocation-check none
rsakeypair TP-self-signed-3768110577
!
!
crypto pki certificate chain TP-self-signed-3768110577
certificate self-signed 01
  30820240 ... и так далее 299F0757
  quit
! (secret value omitted by the poster)
username well-fitting privilege 15 secret
!
!
! Per-user policing and VoIP priority; most class entries are elided. Referenced
! by the service-policies on FastEthernet0/0 ("policeout" in, "police" out) and
! FastEthernet0/1 ("out").
class-map match-all voip
match ip dscp ef
здесь класс мэпы пользователей!

!
policy-map police
class pasha
   police 512000 96000 conform-action transmit  exceed-action drop
дальше тоже для пользователей, но они доступ в VPN не должны иметь  

policy-map out
class voip
  priority 128
class class-default
  fair-queue
  random-detect
policy-map policeout
class kv107
   police 128000 24000 conform-action transmit  exceed-action drop
!
!        
!
! IKE phase 1: 3DES, pre-shared key, DH group 2 - identical to Router A's policy.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! NOTE(review): the pre-shared key is printed in clear on a public forum page;
! treat it as disclosed and set a new one on both peers once the tunnel works.
crypto isakmp key Vodovoz11 address 195.194.252.156
!
!
! IPsec phase 2 transform set; matches Router A's ESP-3DES-SHA.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Crypto map applied on FastEthernet0/1. ACL 102 (below) selects
! 10.0.1.0/24 -> 10.0.0.0/24, the mirror of Router A's ACL 102. "qos pre-classify"
! lets the "out" service-policy classify on the headers seen before encryption.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to195.194.252.156
set peer 195.194.252.156
set transform-set ESP-3DES-SHA
match address 102
qos pre-classify
!
!
!
!
interface Null0
no ip unreachables
!        
! 192.168.1.0/24 user LAN. ACL 104 (in) keeps these hosts away from 10.0.1.0/24
! except 192.168.1.1 and .2.
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
service-policy input policeout
service-policy output police
!
! WAN interface: ACL 101 (in), CBAC SDM_LOW (out), NAT outside, the crypto map
! and the "out" QoS policy.
! NOTE(review): the WAN numbering is internally inconsistent - SDM's anti-spoof
! entries in ACL 104/105 (212.18.50.183 0.0.0.7 = .176/29) and the NAT pool
! (.181-.182) belong to 212.18.50.176/29, yet the interface is .185/29 and the
! default gateway .184 is that block's network address. Probably edited before
! posting; if not, the peer address Router A points at may not be the one this
! interface really answers on.
interface FastEthernet0/1
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 212.18.50.185 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map SDM_CMAP_1
service-policy output out
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!        
! 10.0.1.0/24 - the tunnel's local protected subnet (crypto ACL 102). Note
! "ip nat inside" here; see the NAT section below.
interface Vlan1
description $FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 212.18.50.184
!
!
! SDM management over HTTP and HTTPS; ACL 101 below admits 443 to this router
! from any source.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
! NOTE(review): NAT here is driven by per-user named ACLs (one shown, the rest
! elided). The SDM-generated exemption route-map SDM_RMAP_1 (ACL 103, below) is
! not bound to any visible "ip nat inside source route-map" line. If the VPN
! user's own NAT ACL matches traffic toward 10.0.0.0/24, it is translated to the
! pool address before the crypto map is consulted and never matches ACL 102 -
! which would leave "debug crypto isakmp" silent. Check the elided user NAT
! entries against ACL 102, or exclude 10.0.1.0/24 -> 10.0.0.0/24 from them.
ip nat pool forall 212.18.50.181 212.18.50.182 netmask 255.255.255.248
ip nat inside source list alexandr95 pool forall overload
далее тоже самое для пользователей
ip nat inside source static 192.168.1.106 212.18.50.190
!
! Per-user NAT match lists (192.168.1.56/.57 shown; the rest elided).
ip access-list extended alexandr95
permit ip host 192.168.1.56 any
permit ip any host 192.168.1.56
permit ip host 192.168.1.57 any
permit ip any host 192.168.1.57
дальше эксесс листы для пользователей!
!
! WAN inbound.
! NOTE(review): all TCP/UDP is admitted toward the static-NAT host .190 and the
! NAT pool addresses .181/.182 from any source, and HTTPS (443), SSH (22) and
! TCP 514 ("cmd", rsh) toward the router itself are open to the whole Internet.
! Restrict the management ports to known source addresses and drop the rsh entry
! unless rsh is really in use.
access-list 101 remark SDM_ACL Category=17
access-list 101 permit udp any host 212.18.50.190
access-list 101 permit tcp any host 212.18.50.190
access-list 101 permit udp any host 212.18.50.182
access-list 101 permit tcp any host 212.18.50.182
access-list 101 permit udp any host 212.18.50.181
access-list 101 permit tcp any host 212.18.50.181
access-list 101 permit udp host 212.18.54.66 eq domain host 212.18.50.185
access-list 101 permit udp host 212.18.321.66 eq domain host 212.18.50.185
access-list 101 permit udp host 212.18.321.101 eq domain host 212.18.50.185
! IPsec peer entries (AH, ESP, IKE 500/4500) and the decrypted remote-LAN traffic.
access-list 101 permit ahp host 195.194.252.156 host 212.18.50.185
access-list 101 permit esp host 195.194.252.156 host 212.18.50.185
access-list 101 permit udp host 195.194.252.156 host 212.18.50.185 eq isakmp
access-list 101 permit udp host 195.194.252.156 host 212.18.50.185 eq non500-isakmp
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit icmp any any
access-list 101 permit tcp any host 212.18.50.185 eq 443
access-list 101 permit tcp any host 212.18.50.185 eq 22
access-list 101 permit tcp any host 212.18.50.185 eq cmd
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
! The final deny logs; with "logging buffered ... informational" above, rejected
! attempts from the peer would appear in "show logging" - a cheap first check
! when debugs stay silent.
access-list 101 deny   ip any any log
! 102: crypto ACL (mirror of Router A's). 103: NAT exemption for SDM_RMAP_1,
! which is not bound to NAT on this router - see the NAT section above.
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
! SDM inter-LAN rules: 104 (FastEthernet0/0 in) and 105 (Vlan1 in) allow only
! 192.168.1.1/.2 <-> 10.0.1.0/24 between the two LANs, after anti-spoof denies.
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 10.0.1.0 0.0.0.255 any
access-list 104 deny   ip 212.18.50.183 0.0.0.7 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip host 192.168.1.1 10.0.1.0 0.0.0.255
access-list 104 permit ip host 192.168.1.2 10.0.1.0 0.0.0.255
access-list 104 deny   ip any 10.0.1.0 0.0.0.255
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny   ip 212.18.50.183 0.0.0.7 any
access-list 105 deny   ip 192.168.1.0 0.0.0.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any host 192.168.1.1
access-list 105 permit ip any host 192.168.1.2
access-list 105 deny   ip any 192.168.1.0 0.0.0.255
access-list 105 permit ip any any
no cdp run
arp 192.168.1.105 0040.059a.7930 ARPA
! static ARP table follows (elided by the poster)
!
!
! Defined by SDM but not referenced by any "ip nat inside source" line shown above.
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
!
control-plane
!
banner login ^C Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
! NOTE(review): "transport input telnet ssh" - ACL 101 does not admit TCP 23 from
! the WAN, but cleartext telnet stays available from both LANs; "transport input
! ssh" would close it. "privilege level 15" drops every vty login straight into
! enable mode.
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end


 



