Привет всем!
Прошу помощи у гуру сетевых технологии
Построил IPsec VPN Site-to-Site между главным и удаленным офисом, сам туннель строится пинги идут. В центральном офисе web-сервачок, с удаленного офиса к web-серверу по протоколу http (tcp 80) не получается достучаться, не только 80-порт, но и 22 (ssh) так же не доступен. Вот конфиг центрального роутера
Web-сервер в VLAN104 (10.0.38.0/29)
IP-адрес Web-сервера в центральном офисе 10.0.38.2/29
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname CGW
boot-start-marker
boot-end-marker
aqm-register-fnf
no logging console
aaa new-model
aaa authentication login default local
aaa session-id common
no ip source-route
no ip bootp server
ip domain name domain.com
ip name-server 8.8.8.8
!
ip inspect name INSPECT_RULE dns
ip inspect name INSPECT_RULE icmp
ip inspect name INSPECT_RULE ntp
ip inspect name INSPECT_RULE tcp router-traffic
ip inspect name INSPECT_RULE udp router-traffic
ip inspect name INSPECT_RULE icmp router-traffic
ip inspect name INSPECT_RULE http
ip inspect name INSPECT_RULE https
ip inspect name INSPECT_RULE ftp
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
license udi pid C891F-K9 sn FCZ201990PM
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key KeY address 2.2.2.22
crypto ipsec transform-set set10 esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 2.2.2.22
set transform-set set10
match address VPN-TRAFFIC
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
switchport trunk allowed vlan 1,100-107,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet1
switchport trunk allowed vlan 1,100-107,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet2
no ip address
shutdown
!
interface GigabitEthernet3
switchport trunk allowed vlan 1,100-107,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet4
switchport access vlan 107
no ip address
!
interface GigabitEthernet5
switchport access vlan 104
no ip address
!
interface GigabitEthernet6
no ip address
shutdown
!
interface GigabitEthernet7
no ip address
shutdown
!
interface GigabitEthernet8
ip address 1.1.1.11 255.255.255.252
ip access-group OUTSIDE_ACL in
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect INSPECT_OUT out
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
crypto map CMAP
!
interface Vlan1
no ip address
ip virtual-reassembly in
!
interface Vlan100
ip address 10.0.33.1 255.255.255.0
ip virtual-reassembly in
!
interface Vlan101
ip address 10.0.34.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan102
ip address 10.0.32.1 255.255.255.0
ip helper-address 10.0.32.4
ip nat inside
ip virtual-reassembly in
!
interface Vlan103
ip address 10.0.35.1 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
interface Vlan104
ip address 10.0.38.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
!
interface Vlan107
ip address 10.0.37.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ACL interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.10
!
ip access-list extended NAT_ACL
deny ip 10.0.38.0 0.0.0.7 10.1.32.0 0.0.0.255
permit ip 10.0.37.0 0.0.0.7 any
permit ip 10.0.34.0 0.0.0.255 any
permit ip host 10.0.32.10 any
permit ip host 10.0.32.15 any
permit ip host 10.0.32.12 any
permit ip host 10.0.32.102 any
permit ip host 10.0.32.7 any
permit ip host 10.0.32.107 any
permit ip host 10.0.38.2 any
permit ip host 10.0.32.70 any
!
ip access-list extended OUTSIDE_ACL
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit tcp any any eq 8801
permit tcp any any eq 5590
permit tcp any any eq 5599
permit tcp any any eq 5577
permit tcp any any eq 8781
permit tcp any any eq 8674
permit tcp any any eq 8563
permit tcp any any eq 5571
permit tcp any any eq 5572
permit tcp any any eq 5531
permit tcp any any eq 5573
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit tcp any any eq www
permit tcp any any eq 25333
permit tcp any any eq 25334
!
ip access-list extended VPN-TRAFFIC
permit ip 10.0.38.0 0.0.0.7 10.1.32.0 0.0.0.255
!
logging origin-id hostname
logging facility local6
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
end
а вот конфиг роутера удаленного офиса
Building configuration...
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone KGS 6 0
!
no ip source-route
!
ip dhcp excluded-address 10.1.35.1 10.1.35.20
ip dhcp excluded-address 10.1.36.1 10.1.36.20
ip dhcp excluded-address 10.1.37.1 10.1.37.20
ip dhcp excluded-address 10.1.38.1 10.1.38.20
!
ip dhcp pool 10/1/35/0/24
network 10.1.35.0 255.255.255.0
default-router 10.1.35.1
dns-server 10.1.35.1
!
ip dhcp pool 10/1/36/0/24
network 10.1.36.0 255.255.255.0
default-router 10.1.36.1
dns-server 10.1.36.1
!
ip dhcp pool 10/1/37/0/24
network 10.1.37.0 255.255.255.0
default-router 10.1.37.1
dns-server 10.1.37.1
!
ip dhcp pool 10/1/38/0/24
network 10.1.38.0 255.255.255.0
default-router 10.1.38.1
dns-server 10.1.38.1
!
no ip bootp server
ip name-server 8.8.8.8
!
ip inspect name INSPECT_RULE dns
ip inspect name INSPECT_RULE icmp
ip inspect name INSPECT_RULE ntp
ip inspect name INSPECT_RULE tcp router-traffic
ip inspect name INSPECT_RULE udp router-traffic
ip inspect name INSPECT_RULE icmp router-traffic
ip inspect name INSPECT_RULE http
ip inspect name INSPECT_RULE https
ip inspect name INSPECT_RULE ftp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key cisco1 address 1.1.1.11
!
crypto ipsec transform-set set10 esp-3des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 1.1.1.11
set transform-set set10
match address VPN-TRAFFIC
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport trunk allowed vlan 1,100-102,105-108,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet2
switchport trunk allowed vlan 1,100-102,105-108,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet3
switchport trunk allowed vlan 1,100-102,105-108,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet4
switchport trunk allowed vlan 1,100-102,105-108,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet5
switchport access vlan 101
no ip address
!
interface GigabitEthernet6
switchport access vlan 101
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description =OUTSIDE=
ip address 2.2.2.22 255.255.255.252
ip access-group OUTSIDE_ACL in
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect INSPECT_RULE out
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
crypto map CMAP
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
description =MGMT=
ip address 10.1.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan101
description =DMZ=
ip address 10.1.32.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan102
ip address 10.1.39.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
!
interface Vlan105
description =1FL_NORTH=
ip address 10.1.35.1 255.255.255.0
ip helper-address 10.1.35.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan106
description =2FL_NORTH=
ip address 10.1.36.1 255.255.255.0
ip helper-address 10.1.36.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan107
description =1FL_SOUTH=
ip address 10.1.37.1 255.255.255.0
ip helper-address 10.1.37.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan108
description =2FL_SOUTH=
ip address 10.1.38.1 255.255.255.0
ip helper-address 10.1.38.1
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ACL interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.21
!
ip access-list extended NAT_ACL
deny ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
permit ip 10.1.32.0 0.0.0.255 any
permit ip 10.1.35.0 0.0.0.255 any
permit ip 10.1.36.0 0.0.0.255 any
permit ip 10.1.37.0 0.0.0.255 any
permit ip 10.1.38.0 0.0.0.255 any
!
ip access-list extended OUTSIDE_ACL
permit tcp any any eq 22
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit udp any any eq snmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
!
ip access-list extended VPN-TRAFFIC
permit ip 10.1.32.0 0.0.0.255 10.0.38.0 0.0.0.7
!
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
end
подскажите пожалуйста почему с DMZ удаленного офиса невозможно попасть на 80-порт web-сервера центрального офиса.
Заранее спасибо!
Вариант для распечатки
