r1sh
14-09-2012, 13:22
День добрый!
Есть cisco881w, вот конфиг:
! --- Global IP settings ----------------------------------------------------
! review: 'ip source-route' lets the router honour source-routed packets; the
! usual hardening is 'no ip source-route' unless something relies on it.
ip source-route
!
!
!
! DHCP for the LAN: .1-.99 and .201-.254 are kept out of the pool, so clients
! are handed 192.168.10.100-.200.
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool pool
import all
network 192.168.10.0 255.255.255.0
! The router's own Vlan1 address (.12) is the clients' default gateway.
default-router 192.168.10.12
! .100 is the internal DNS (the same host that receives the LDAP destination
! NAT via pool AD further down); 192.168.240.100 sits in one of the subnets
! carried over the IPsec tunnel (ACL 102).
dns-server 192.168.10.100 192.168.240.100
!
!
ip cef
no ip domain lookup
! Resolver used by the router itself (not what DHCP clients receive).
ip name-server 8.8.8.8
no ipv6 cef
!
!
! review: the UDI line carries the chassis serial number. Not a credential,
! but it identifies the exact unit; worth masking in a public post.
license udi pid CISCO881W-GN-E-K9 sn FCZ1539C4KL
!
!
! review: both accounts are privilege 15 with type-5 (MD5-crypt) hashes. Those
! can be brute-forced offline, and these hashes are now public, so both
! passwords should be rotated (type 8/9 secrets where the IOS release allows).
username admin privilege 15 secret 5 $1$0bQ6$U9uruvRdR3pMfP.X6YNaI0
username wifiap privilege 15 secret 5 $1$QGmD$xEzg.RJ/JSOhdzxBrkbnZ.
!
!
!
!
ip tcp synwait-time 5
! review: type 7 is a reversible obfuscation, not encryption, so the FTP
! password for user 'cisco' is effectively disclosed by this listing (and FTP
! sends it in clear on the wire anyway). Treat it as compromised.
ip ftp source-interface Vlan1
ip ftp username cisco
ip ftp password 7 08305B4B584B56
!
!
! --- IKEv1 / IPsec to two remote peers --------------------------------------
! review: both policies use 3DES, 1024-bit DH (group 2) and pre-shared keys;
! policy 10 adds MD5 as the hash. Weak by current standards, but any change
! has to be agreed with the peers (89.x and 38.x) or the tunnels will not come up.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
! No 'hash' line here, so this policy uses the IOS default hash.
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 3600
! Pre-shared keys are stored as type 6 (AES-encrypted) and were masked by the
! poster, as were the peer addresses.
crypto isakmp key 6 * address 89.*.*.*
crypto isakmp key 6 * address 38.*.*.*
!
!
! review: 3DES with MD5-HMAC ('myset') and SHA1-HMAC ('sharepoint'); same
! caveat as the ISAKMP policies -- AES + SHA2 is preferable if both ends allow.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set sharepoint esp-3des esp-sha-hmac
!
! Crypto map 'vpn' (applied on FastEthernet4): entry 10 protects the subnets
! listed in ACL 102 towards peer 89.x; entry 30 protects 192.168.40.0/24
! (ACL 103) towards peer 38.x.
crypto map vpn 10 ipsec-isakmp
set peer 89.*.*.*
set transform-set myset
match address 102
crypto map vpn 30 ipsec-isakmp
set peer 38.*.*.*
set transform-set sharepoint
match address 103
!
!
!
!
!
! --- Interfaces -------------------------------------------------------------
! Fa0-Fa3 are the 881's switch ports; no L3 configuration on them (presumably
! all in the default VLAN 1, nothing else is shown).
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
! WAN interface: public /28 address, NAT outside, crypto map 'vpn'.
! review: no 'ip access-group' is applied here in the shown config, so every
! service the router listens on (HTTP/HTTPS below, plus whatever the line/vty
! section -- not shown -- permits) and every static NAT port is reachable from
! any Internet source. An inbound ACL or zone-based firewall is expected here.
interface FastEthernet4
ip address 89.104.102.226 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn
!
! Management interface to the embedded access point (stock settings).
interface wlan-ap0
description Service module interface to manage the embedded AP
arp timeout 0
!
! Trunk to the embedded AP. Only Vlan1 exists in the shown config, so AP
! clients share the wired LAN's L2 domain.
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
! LAN SVI: gateway for 192.168.10.0/24, NAT inside.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.10.12 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
! review: plain-HTTP management with local login is enabled and, with no ACL
! on FastEthernet4 in the shown config, is reachable from the Internet on the
! public address. Prefer 'no ip http server' (keep only the secure server) and
! restrict it with 'ip http access-class <acl>'.
ip http server
ip http authentication local
ip http secure-server
!
! PAT of the LAN behind the WAN address. The pool says /24 while the interface
! is /28 -- harmless for a one-address pool, but inconsistent.
ip nat pool NEW 89.104.102.226 89.104.102.226 prefix-length 24
! Rotary pool with a single member: the internal DNS / AD host .100.
ip nat pool AD 192.168.10.100 192.168.10.100 netmask 255.255.255.0 type rotary
ip nat inside source list 100 pool NEW overload
! review: static port forwards open to any Internet source (no inbound ACL is
! shown): PPTP control (1723) and RDP (3389) to the Win2003 VPN server .4, and
! 8081 to .11. RDP on a public address is a standing brute-force target; it
! should be reachable only through the VPN or from allow-listed sources.
! PPTP also needs GRE (IP protocol 47); this entry forwards TCP/1723 only and
! relies on the IOS PPTP NAT ALG for the GRE leg, which is not visible here.
ip nat inside source static tcp 192.168.10.4 1723 89.104.102.226 1723 extendable
ip nat inside source static tcp 192.168.10.4 3389 89.104.102.226 3389 extendable
ip nat inside source static tcp 192.168.10.11 8081 89.104.102.226 8081 extendable
! review: destination NAT of anything matching ACL 110 (LDAP 389/636 and the
! global catalog ports 3268-3269, from ANY source) to the domain controller at
! .100. As written this publishes AD LDAP on the public address; if it is meant
! for the VPN peers only, ACL 110 should name those sources.
ip nat inside destination list 110 pool AD
! Only a default route. There is no route for 192.168.25.0/24 (the PPTP client
! pool behind .4), so LAN hosts' replies to VPN clients reach this router and
! would normally leave untranslated via the default route (ACL 100 exempts
! that subnet from NAT). A static route via 192.168.10.4 is the usual fix.
ip route 0.0.0.0 0.0.0.0 89.104.102.225
!
! ACL 100: NAT exemption. Traffic to the subnets of the first tunnel (ACL 102)
! and to the VPN client pool 192.168.25.0/24 is not translated; all other LAN
! traffic is PATed. 192.168.40.0/24 (the second tunnel, ACL 103) is NOT
! exempted, so traffic to it is translated before the crypto map sees it and
! will no longer match ACL 103 -- check whether that is intended.
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
! ACL 102: interesting traffic for crypto map entry 10 (peer 89.x).
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
! ACL 103: interesting traffic for crypto map entry 30 (peer 38.x).
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
! ACL 110: selector for the LDAP destination NAT above. No source restriction.
access-list 110 permit tcp any any range 3268 3269
access-list 110 permit tcp any any eq 389
access-list 110 permit udp any any eq 389
access-list 110 permit udp any any eq 636
access-list 110 permit tcp any any eq 636
! CDP disabled -- appropriate on an Internet-facing device.
no cdp run
!
!
!
!
! review: neither route-map is referenced anywhere in the shown config (no
! 'ip policy route-map' on an interface, no NAT statement using them), so as
! posted they have no effect. If they were meant to exempt tunnel traffic from
! NAT, the deny entries in ACL 100 already do that for the ACL 102 subnets;
! 192.168.40.0/24 (ACL 103) is the one subnet ACL 100 does not exempt.
route-map SHAREPOINT permit 20
match ip address 103
set interface FastEthernet4
!
route-map IPSEC-TRAF permit 10
match ip address 102
set interface FastEthernet4
За ним есть VPN-сервер на Win2003 с IP 192.168.10.4; на Cisco, как видно, есть проброс порта 1723 на этот сервер.
Когда клиент подключается, он попадает в отдельную подсеть 192.168.25.0 , указанную в настройках VPN сервера.
При этом он может пинговать компьютеры сети 192.168.10.0 но по RDP, например, подключиться не получается.
Так же из подсети 192.168.10.0 не пингуются клиенты сети 192.168.25.0.
Как я понимаю, всё упирается в настройку Cisco: она — шлюз по умолчанию для клиентов сети 192.168.10.0 и не знает, куда посылать трафик сети 192.168.25.0. (В приведённом конфиге маршрута для 192.168.25.0/24 действительно нет — только маршрут по умолчанию, хотя из NAT эта сеть уже исключена в access-list 100.)
Подскажите, поможет ли создание VLAN 2 для сети 192.168.25.0?
Есть cisco881w, вот конфиг:
! --- Global IP settings ----------------------------------------------------
! review: 'ip source-route' lets the router honour source-routed packets; the
! usual hardening is 'no ip source-route' unless something relies on it.
ip source-route
!
!
!
! DHCP for the LAN: .1-.99 and .201-.254 are kept out of the pool, so clients
! are handed 192.168.10.100-.200.
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool pool
import all
network 192.168.10.0 255.255.255.0
! The router's own Vlan1 address (.12) is the clients' default gateway.
default-router 192.168.10.12
! .100 is the internal DNS (the same host that receives the LDAP destination
! NAT via pool AD further down); 192.168.240.100 sits in one of the subnets
! carried over the IPsec tunnel (ACL 102).
dns-server 192.168.10.100 192.168.240.100
!
!
ip cef
no ip domain lookup
! Resolver used by the router itself (not what DHCP clients receive).
ip name-server 8.8.8.8
no ipv6 cef
!
!
! review: the UDI line carries the chassis serial number. Not a credential,
! but it identifies the exact unit; worth masking in a public post.
license udi pid CISCO881W-GN-E-K9 sn FCZ1539C4KL
!
!
! review: both accounts are privilege 15 with type-5 (MD5-crypt) hashes. Those
! can be brute-forced offline, and these hashes are now public, so both
! passwords should be rotated (type 8/9 secrets where the IOS release allows).
username admin privilege 15 secret 5 $1$0bQ6$U9uruvRdR3pMfP.X6YNaI0
username wifiap privilege 15 secret 5 $1$QGmD$xEzg.RJ/JSOhdzxBrkbnZ.
!
!
!
!
ip tcp synwait-time 5
! review: type 7 is a reversible obfuscation, not encryption, so the FTP
! password for user 'cisco' is effectively disclosed by this listing (and FTP
! sends it in clear on the wire anyway). Treat it as compromised.
ip ftp source-interface Vlan1
ip ftp username cisco
ip ftp password 7 08305B4B584B56
!
!
! --- IKEv1 / IPsec to two remote peers --------------------------------------
! review: both policies use 3DES, 1024-bit DH (group 2) and pre-shared keys;
! policy 10 adds MD5 as the hash. Weak by current standards, but any change
! has to be agreed with the peers (89.x and 38.x) or the tunnels will not come up.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
! No 'hash' line here, so this policy uses the IOS default hash.
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 3600
! Pre-shared keys are stored as type 6 (AES-encrypted) and were masked by the
! poster, as were the peer addresses.
crypto isakmp key 6 * address 89.*.*.*
crypto isakmp key 6 * address 38.*.*.*
!
!
! review: 3DES with MD5-HMAC ('myset') and SHA1-HMAC ('sharepoint'); same
! caveat as the ISAKMP policies -- AES + SHA2 is preferable if both ends allow.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set sharepoint esp-3des esp-sha-hmac
!
! Crypto map 'vpn' (applied on FastEthernet4): entry 10 protects the subnets
! listed in ACL 102 towards peer 89.x; entry 30 protects 192.168.40.0/24
! (ACL 103) towards peer 38.x.
crypto map vpn 10 ipsec-isakmp
set peer 89.*.*.*
set transform-set myset
match address 102
crypto map vpn 30 ipsec-isakmp
set peer 38.*.*.*
set transform-set sharepoint
match address 103
!
!
!
!
!
! --- Interfaces -------------------------------------------------------------
! Fa0-Fa3 are the 881's switch ports; no L3 configuration on them (presumably
! all in the default VLAN 1, nothing else is shown).
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
! WAN interface: public /28 address, NAT outside, crypto map 'vpn'.
! review: no 'ip access-group' is applied here in the shown config, so every
! service the router listens on (HTTP/HTTPS below, plus whatever the line/vty
! section -- not shown -- permits) and every static NAT port is reachable from
! any Internet source. An inbound ACL or zone-based firewall is expected here.
interface FastEthernet4
ip address 89.104.102.226 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn
!
! Management interface to the embedded access point (stock settings).
interface wlan-ap0
description Service module interface to manage the embedded AP
arp timeout 0
!
! Trunk to the embedded AP. Only Vlan1 exists in the shown config, so AP
! clients share the wired LAN's L2 domain.
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
! LAN SVI: gateway for 192.168.10.0/24, NAT inside.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.10.12 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
! review: plain-HTTP management with local login is enabled and, with no ACL
! on FastEthernet4 in the shown config, is reachable from the Internet on the
! public address. Prefer 'no ip http server' (keep only the secure server) and
! restrict it with 'ip http access-class <acl>'.
ip http server
ip http authentication local
ip http secure-server
!
! PAT of the LAN behind the WAN address. The pool says /24 while the interface
! is /28 -- harmless for a one-address pool, but inconsistent.
ip nat pool NEW 89.104.102.226 89.104.102.226 prefix-length 24
! Rotary pool with a single member: the internal DNS / AD host .100.
ip nat pool AD 192.168.10.100 192.168.10.100 netmask 255.255.255.0 type rotary
ip nat inside source list 100 pool NEW overload
! review: static port forwards open to any Internet source (no inbound ACL is
! shown): PPTP control (1723) and RDP (3389) to the Win2003 VPN server .4, and
! 8081 to .11. RDP on a public address is a standing brute-force target; it
! should be reachable only through the VPN or from allow-listed sources.
! PPTP also needs GRE (IP protocol 47); this entry forwards TCP/1723 only and
! relies on the IOS PPTP NAT ALG for the GRE leg, which is not visible here.
ip nat inside source static tcp 192.168.10.4 1723 89.104.102.226 1723 extendable
ip nat inside source static tcp 192.168.10.4 3389 89.104.102.226 3389 extendable
ip nat inside source static tcp 192.168.10.11 8081 89.104.102.226 8081 extendable
! review: destination NAT of anything matching ACL 110 (LDAP 389/636 and the
! global catalog ports 3268-3269, from ANY source) to the domain controller at
! .100. As written this publishes AD LDAP on the public address; if it is meant
! for the VPN peers only, ACL 110 should name those sources.
ip nat inside destination list 110 pool AD
! Only a default route. There is no route for 192.168.25.0/24 (the PPTP client
! pool behind .4), so LAN hosts' replies to VPN clients reach this router and
! would normally leave untranslated via the default route (ACL 100 exempts
! that subnet from NAT). A static route via 192.168.10.4 is the usual fix.
ip route 0.0.0.0 0.0.0.0 89.104.102.225
!
! ACL 100: NAT exemption. Traffic to the subnets of the first tunnel (ACL 102)
! and to the VPN client pool 192.168.25.0/24 is not translated; all other LAN
! traffic is PATed. 192.168.40.0/24 (the second tunnel, ACL 103) is NOT
! exempted, so traffic to it is translated before the crypto map sees it and
! will no longer match ACL 103 -- check whether that is intended.
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
! ACL 102: interesting traffic for crypto map entry 10 (peer 89.x).
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.181.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
! ACL 103: interesting traffic for crypto map entry 30 (peer 38.x).
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
! ACL 110: selector for the LDAP destination NAT above. No source restriction.
access-list 110 permit tcp any any range 3268 3269
access-list 110 permit tcp any any eq 389
access-list 110 permit udp any any eq 389
access-list 110 permit udp any any eq 636
access-list 110 permit tcp any any eq 636
! CDP disabled -- appropriate on an Internet-facing device.
no cdp run
!
!
!
!
! review: neither route-map is referenced anywhere in the shown config (no
! 'ip policy route-map' on an interface, no NAT statement using them), so as
! posted they have no effect. If they were meant to exempt tunnel traffic from
! NAT, the deny entries in ACL 100 already do that for the ACL 102 subnets;
! 192.168.40.0/24 (ACL 103) is the one subnet ACL 100 does not exempt.
route-map SHAREPOINT permit 20
match ip address 103
set interface FastEthernet4
!
route-map IPSEC-TRAF permit 10
match ip address 102
set interface FastEthernet4
За ним есть VPN-сервер на Win2003 с IP 192.168.10.4; на Cisco, как видно, есть проброс порта 1723 на этот сервер.
Когда клиент подключается, он попадает в отдельную подсеть 192.168.25.0 , указанную в настройках VPN сервера.
При этом он может пинговать компьютеры сети 192.168.10.0 но по RDP, например, подключиться не получается.
Так же из подсети 192.168.10.0 не пингуются клиенты сети 192.168.25.0.
Как я понимаю, всё упирается в настройку Cisco: она — шлюз по умолчанию для клиентов сети 192.168.10.0 и не знает, куда посылать трафик сети 192.168.25.0. (В приведённом конфиге маршрута для 192.168.25.0/24 действительно нет — только маршрут по умолчанию, хотя из NAT эта сеть уже исключена в access-list 100.)
Подскажите, поможет ли создание VLAN 2 для сети 192.168.25.0?