The OpenNET Project / Forum: Routers, CISCO and other equipment (Public)

"LAN access for Cisco VPN Client"

Original message
Message from Александр (??) on 15-Dec-08, 12:50
Hello! I know this is a well-worn topic, but I'm asking for help. The situation is this: a client on a Windows machine connects to a Cisco 1812 router using the VPN client. The tunnel comes up, but it doesn't let me into the LAN. And it fails in a strange way: out of a number of hosts in the LAN I can ping only one, e.g. 192.168.1.2; the rest are unreachable. If I tear the tunnel down and connect again, I can once more ping only one host, but a different one this time, e.g. 192.168.1.5. I haven't run into this situation before. Any thoughts?


Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 30-Apr-08 12:09 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH12, RELEASE SOFTWARE (fc1)

Here is the router config:

Current configuration : 4821 bytes
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname cisco-mcmain
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login mcmain-client local
aaa authorization network mcmain-client local
!
!
aaa session-id common
clock timezone MSK 2
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2906423707
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2906423707
 revocation-check none
 rsakeypair TP-self-signed-2906423707
!
!
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 83.xxx.xxx.10
ip name-server 83.xxx.xxx.10
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username shura privilege 15 secret 5 $1$2vX9$C0bnxN0TsFKjAkVlRsdvc1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 20 10
crypto isakmp xauth timeout 20
!
crypto isakmp client configuration group mcmain-group
 key mcmain
 dns 192.168.1.3 192.168.1.5
 domain mcmain
 pool mcmain-client-pool
!
!
crypto ipsec transform-set mcmaintrans esp-3des esp-sha-hmac
!
!
crypto dynamic-map mcmainmap 1
 set transform-set mcmaintrans
 reverse-route
!
!
crypto map mcmain isakmp authorization list mcmain-client
crypto map mcmain client configuration address respond
crypto map mcmain 65535 ipsec-isakmp dynamic mcmainmap
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 description WAN
 ip address 82.xxx.xxx.58 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map mcmain
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description Local Network$ES_LAN$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip tcp adjust-mss 1452
 no ip mroute-cache
!
ip local pool mcmain-client-pool 172.16.10.220 172.16.10.225
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 82.xxx.xxx.57
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.1.2 22 82.xxx.xxx.58 22 extendable
ip nat inside source static tcp 192.168.1.3 3389 82.xxx.xxx.58 13389 extendable
ip nat inside source static tcp 192.168.1.4 3389 82.xxx.xxx.58 14389 extendable
!
access-list 1 remark inside vlan 1
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
end

sh crypto ipsec sa

interface: FastEthernet1
    Crypto map tag: mcmain, local addr 82.xxx.xxx.58

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.10.220/255.255.255.255/0/0)
   current_peer 195.xxx.xxx.2 port 4175
     PERMIT, flags={}
    #pkts encaps: 118, #pkts encrypt: 118, #pkts digest: 118
    #pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 2

     local crypto endpt.: 82.xxx.xxx.58, remote crypto endpt.: 195.xxx.xxx.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1
     current outbound spi: 0x783FD0B5(2017448117)

     inbound esp sas:
      spi: 0xFC90E1FF(4237353471)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 265, flow_id: Motorola SEC 2.0:265, crypto map: mcmain
        sa timing: remaining key lifetime (k/sec): (4557107/2981)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x783FD0B5(2017448117)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 266, flow_id: Motorola SEC 2.0:266, crypto map: mcmain
        sa timing: remaining key lifetime (k/sec): (4557110/2981)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

And the routing looks somewhat strange to me:

Gateway of last resort is 82.xxx.xxx.57 to network 0.0.0.0

     172.16.0.0/32 is subnetted, 1 subnets
S       172.16.10.220 [1/0] via 195.xxx.xxx.2
     82.0.0.0/30 is subnetted, 1 subnets
C       82.xxx.xxx.56 is directly connected, FastEthernet1
C    192.168.1.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 82.xxx.xxx.57


Messages on the topic

1. "LAN access for Cisco VPN Client"
Message from sh_ (??) on 15-Dec-08, 15:06
Let's try inserting the line access-list 1 deny 172.16.10.0 0.0.0.255 at the very beginning of acl 1.

2. "LAN access for Cisco VPN Client"
Message from tis43 (ok) on 16-Dec-08, 12:42
I fought with the very same thing. Wrap the VPN in a virtual tunnel. Roughly like this:
crypto isakmp profile isakmp-profile-1
 match identity group mcmain-group
 virtual-template 1

crypto ipsec profile ipsec-profile-1
 set transform-set mcmaintrans
 set isakmp-profile isakmp-profile-1

interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-profile-1

P.S. And a deny in the NAT acl (access-list 1) would, in this case, close off internet access from the tunnel...

3. "LAN access for Cisco VPN Client"
Message from Александр (??) on 16-Dec-08, 14:33

Solved exactly that way.. via a virtual tunnel. Thanks.

4. "LAN access for Cisco VPN Client"
Message from alexpyrikov (ok) on 08-Jan-09, 17:00
>
>Solved exactly that way.. via a virtual tunnel. Thanks.

Could you show a config example?

5. "LAN access for Cisco VPN Client"
Message from Александр (??) on 11-Jan-09, 14:29
>>
>>Solved exactly that way.. via a virtual tunnel. Thanks.
>
>Could you show a config example?

The part of the config responsible for the VPN:

aaa authentication login mcmain-client local
aaa authorization network mcmain-client local
aaa authorization network vpn_group_1 local

....

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mcmain
 key McMaiN
 dns 192.168.1.3 192.168.1.5
 domain mcmain
 pool mcmain-client-pool
crypto isakmp profile isakmp-profile
 match identity group mcmain
 isakmp authorization list vpn_group_1
 client configuration address respond
 virtual-template 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec_profile
 set transform-set ESP-3DES-SHA
 set isakmp-profile isakmp-profile

interface Loopback0
 ip address 172.16.10.1 255.255.255.0

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile

ip local pool mcmain-client-pool 172.16.10.220 172.16.10.225

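The Virtual-Template fix the thread converged on sidesteps an IOS ordering rule: on the inside-to-outside path NAT is applied before the crypto map, so with the crypto map on the NAT-outside interface, LAN replies to pool clients are translated whenever the NAT ACL permits the LAN source. The following Python check is an added example (not from the thread); it assumes standard source-only ACLs and '!'-separated blocks, uses 192.0.2.58 as a stand-in for the masked WAN address, and reports nothing once a VTI with tunnel protection is present.

```python
"""Audit an IOS config for the trap in this thread: with the crypto map on the
NAT-outside interface, inside-to-outside NAT runs before the crypto map, so LAN
replies to VPN-pool clients are translated whenever the NAT ACL permits the LAN
source. A Virtual-Template tunnel (VTI) encrypts on the tunnel interface instead.
Added example, not from the thread; standard (source-only) ACLs, '!'-separated blocks."""
import ipaddress
import re

def nat_acl_entries(config):
    """(acl_name, [(action, network), ...]) for the 'ip nat inside source list' ACL."""
    m = re.search(r"^ip nat inside source list (\S+)", config, re.M)
    if not m:
        return None, []
    acl, entries = m.group(1), []
    pat = re.compile(rf"^access-list {re.escape(acl)} (permit|deny) (\S+)(?: (\S+))?", re.M)
    for action, addr, wildcard in pat.findall(config):
        if addr == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:  # IOS wildcard is an inverse mask; a bare address means a single host
            mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
            net = ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)
        entries.append((action, net))
    return acl, entries

def interface_blocks(config):
    """Yield (name, body) for every 'interface ...' block delimited by '!' lines."""
    for block in re.split(r"^!.*$", config, flags=re.M):
        block = block.strip()
        if block.startswith("interface "):
            head, _, body = block.partition("\n")
            yield head[len("interface "):], body

def audit(config):
    """Return a list of findings; an empty list means no NAT-before-crypto exposure."""
    blocks = list(interface_blocks(config))
    if any(re.search(r"^ *tunnel protection ipsec profile ", b, re.M) for _, b in blocks):
        return []  # VTI: LAN-to-client traffic leaves via the tunnel, not the NAT-outside crypto map
    nat_out = [n for n, b in blocks
               if re.search(r"^ *ip nat outside", b, re.M) and re.search(r"^ *crypto map ", b, re.M)]
    if not nat_out:
        return []
    acl, entries = nat_acl_entries(config)
    findings = []
    for name, body in blocks:
        addr = re.search(r"^ *ip address (\S+) (\S+)", body, re.M)
        if not addr or not re.search(r"^ *ip nat inside\s*$", body, re.M):
            continue
        net = ipaddress.IPv4Network(f"{addr.group(1)}/{addr.group(2)}", strict=False)
        probe = net.network_address + 1  # any LAN host; first ACL match wins, implicit deny at end
        if next((act for act, n in entries if probe in n), "deny") == "permit":
            findings.append(f"{name} ({net}) is permitted by NAT ACL {acl}: replies to VPN "
                            f"clients are translated on {nat_out[0]} before the crypto map")
    return findings

# Constructed excerpt of the first post's config; 192.0.2.58 stands in for the
# masked WAN address 82.xxx.xxx.58.
CRYPTO_MAP_CONFIG = """\
interface FastEthernet1
ip address 192.0.2.58 255.255.255.252
ip nat outside
crypto map mcmain
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface FastEthernet1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""

# Same LAN and NAT, but the VPN terminates on a Virtual-Template as in replies 2 and 5.
VTI_CONFIG = CRYPTO_MAP_CONFIG.replace("crypto map mcmain\n", "") + """\
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile-1
"""
```

Running audit() over both constructed configs shows one finding for the crypto-map variant and none for the VTI variant; a source-only deny on the pool (reply 1) leaves the finding in place, since it never matches LAN-sourced replies.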
