VPN on cisco 1721, LAN does not ping, !*! dpvvdt, 23-May-10, 21:56
Good day, dear colleagues.

I have run into a problem and am asking for your help.

There is a cisco 1721 with an ADSL WIC through which it is connected to the provider Domolink;
local devices are plugged into a 4-port Ethernet WIC. The task is to get access to the local resources from outside (in particular from an iPhone). The configuration has been done, the VPN comes up, we get an address, but neither the cisco interfaces nor the LAN respond to ping. Please help me find a solution.
Config attached:


!
! Last configuration change at 16:28:35 MSK Sun May 23 2010 by dpvvdt
! NVRAM config last updated at 16:28:43 MSK Sun May 23 2010 by dpvvdt
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname home
!
boot-start-marker
boot-end-marker
!
logging buffered 32768 informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
aaa authorization network default local
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
no ip subnet-zero
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.77 192.168.0.254
!
ip dhcp pool localnet
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 213.140.228.252 64.102.255.44
!
!
no ip bootp server
ip domain name home
ip name-server 213.140.228.252
ip name-server 64.102.255.44
ip multicast-routing
ip inspect name Inspect icmp
ip inspect name Inspect tcp
ip inspect name Inspect udp
ip inspect name Inspect dns
ip inspect name Inspect ssh
ip inspect name Inspect ntp
ip inspect name Inspect http
ip inspect name Inspect https
ip inspect name Inspect smtp
ip inspect name Inspect pop3
ip ddns update method DynDNS
HTTP
  add http://******:******@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://******:******@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
!
multilink bundle-name authenticated
vpdn enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username ****** privilege 15 secret 5 ******************************
username ****** privilege 0 secret 5 ******************************
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local vpnpool
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group iphone
key ***************
pool vpnpool
dns 213.140.228.252
acl 110
!
!
crypto ipsec transform-set iphonetrans esp-3des esp-sha-hmac
!
crypto dynamic-map iphonedynmap 10
set transform-set iphonetrans
reverse-route
!
!
crypto map VPN client authentication list default
crypto map VPN isakmp authorization list default
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic iphonedynmap
!
archive
log config
  hidekeys
!
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface ATM0.2 point-to-point
pvc 0/91
  encapsulation aal5snap
!
!
interface FastEthernet0
no ip address
shutdown
speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip pim dense-mode
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1400
!
interface Dialer1
mtu 1492
ip ddns update hostname ********************
ip ddns update DynDNS
ip address negotiated
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim dense-mode
ip nat outside
ip inspect Inspect in
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname **********
ppp chap password 7 ******************
ppp pap sent-username ********** password 7 ******************
crypto map VPN
!
ip local pool vpnpool 172.16.1.1 172.16.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny   any
access-list 100 deny   tcp any any eq 22 log
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 deny   ip any any log
access-list 110 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
no cdp run
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login 

!
line con 0
speed 115200
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
ntp clock-period 17180102
ntp server 194.149.67.130
ntp server 193.233.9.7
end

Thanks in advance.

  • VPN on cisco 1721, LAN does not ping, !*! Дмитрий, 10:03, 24-May-10 (1)
    Your VPN packets are most likely going into NAT.

    ip nat inside source list 1 interface Dialer1 overload

    I don't see any other reasons for now. Set up a route-map for NAT instead of the ACL.
    There are a thousand examples on the forum! )

    • VPN on cisco 1721, LAN does not ping, !*! dpvvdt, 23:00, 24-May-10 (2)
      I set up the route-map; in the NAT debug I can see that the VPN packets no longer go there, but
      the symptoms are the same, nothing pings.


      !
      ! Last configuration change at 21:10:23 MSK Mon May 24 2010 by dpvvdt
      !
      version 12.4
      no service pad
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      service sequence-numbers
      !
      hostname home
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 32768 informational
      !
      aaa new-model
      !
      !
      aaa authentication login default local
      aaa authorization console
      aaa authorization exec default local
      aaa authorization network default local
      !
      !
      aaa session-id common
      clock timezone MSK 3
      clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
      !
      !
      no ip subnet-zero
      no ip cef
      !
      !
      no ip dhcp use vrf connected
      ip dhcp excluded-address 192.168.0.1
      ip dhcp excluded-address 192.168.0.77 192.168.0.254
      !
      ip dhcp pool localnet
         network 192.168.0.0 255.255.255.0
         default-router 192.168.0.1
         dns-server 213.140.228.252 64.102.255.44
      !
      !
      no ip bootp server
      ip domain name home
      ip name-server 213.140.228.252
      ip name-server 64.102.255.44
      ip multicast-routing
      ip inspect name Inspect icmp
      ip inspect name Inspect tcp
      ip inspect name Inspect udp
      ip inspect name Inspect dns
      ip inspect name Inspect ssh
      ip inspect name Inspect ntp
      ip inspect name Inspect http
      ip inspect name Inspect https
      ip inspect name Inspect smtp
      ip inspect name Inspect pop3
      ip ddns update method DynDNS
      HTTP
        add http://******:******@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
        remove http://******:******@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
      interval maximum 28 0 0 0
      interval minimum 28 0 0 0
      !
      !
      multilink bundle-name authenticated
      vpdn enable
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      username ****** privilege 15 secret 5 ******************************
      username ****** privilege 0 secret 5 ******************************
      !

      !
      crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 2
      crypto isakmp client configuration address-pool local vpnpool
      crypto isakmp xauth timeout 60

      !
      crypto isakmp client configuration group iphone
      key ***************
      dns 213.140.228.252
      pool vpnpool
      acl 110
      include-local-lan
      !
      !
      crypto ipsec transform-set iphonetrans esp-3des esp-sha-hmac
      !
      crypto dynamic-map iphonedynmap 10
      set transform-set iphonetrans
      reverse-route
      !
      !
      crypto map VPN client authentication list default
      crypto map VPN isakmp authorization list default
      crypto map VPN client configuration address respond
      crypto map VPN 65535 ipsec-isakmp dynamic iphonedynmap
      !
      archive
      log config
        hidekeys
      !
      !
      ip ssh authentication-retries 2
      ip ssh version 2
      !
      !
      !
      !
      interface ATM0
      no ip address
      no atm ilmi-keepalive
      dsl operating-mode auto
      !
      interface ATM0.1 point-to-point
      pvc 0/35
        pppoe-client dial-pool-number 1
      !
      !
      interface ATM0.2 point-to-point
      pvc 0/91
        encapsulation aal5snap
      !
      !
      interface FastEthernet0
      no ip address
      shutdown
      speed auto
      !
      interface FastEthernet1
      !
      interface FastEthernet2
      !
      interface FastEthernet3
      !
      interface FastEthernet4
      !
      interface Vlan1
      ip address 192.168.0.1 255.255.255.0
      ip pim dense-mode
      ip nat inside
      ip virtual-reassembly
      ip tcp adjust-mss 1400
      !
      interface Dialer1
      mtu 1492
      ip ddns update hostname ********************
      ip ddns update DynDNS
      ip address negotiated
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip pim dense-mode
      ip nat outside
      ip inspect Inspect in
      ip virtual-reassembly
      encapsulation ppp
      dialer pool 1
      ppp chap hostname **********
      ppp chap password 7 ******************
      ppp pap sent-username ********** password 7 ******************
      crypto map VPN
      !
      ip local pool vpnpool 172.16.1.1 172.16.1.254
      ip forward-protocol nd
      ip route 0.0.0.0 0.0.0.0 Dialer1
      !
      !
      no ip http server
      no ip http secure-server
      ip nat inside source route-map nonat interface Dialer1 overload
      !
      access-list 1 permit ip 192.168.0.0 0.0.0.255 any
      access-list 1 deny any
      access-list 100 deny   tcp any any eq 22 log
      access-list 100 permit tcp any any
      access-list 100 permit udp any any
      access-list 100 permit icmp any any echo-reply
      access-list 100 permit icmp any any time-exceeded
      access-list 100 permit icmp any any unreachable
      access-list 100 deny   ip any any log
      access-list 110 permit ip 192.168.0.0 0.0.0.255 any
      access-list 122 deny   ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
      access-list 122 permit ip 192.168.0.0 0.0.0.255 any

      no cdp run
      !
      !
      !
      route-map nonat permit 10
      match ip address 122
      !
      !
      !
      control-plane
      !
      !
      !
      !
      !
      !
      !
      !
      banner login 
      
      !
      line con 0
      speed 115200
      line aux 0
      line vty 0 4
      transport input ssh
      line vty 5 15
      transport input ssh
      !
      ntp clock-period 17180273
      ntp server 194.149.67.130
      ntp server 193.233.9.7
      end
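Added example, not part of the thread and not Cisco tooling: a Python checker that reads a Cisco IOS running-config and answers the two questions the two postings above turn on. First, whether LAN-to-pool traffic is exempt from `ip nat inside source`: the first posting's standard ACL 1 permits all of 192.168.0.0/24, so packets for 172.16.1.0/24 are translated, while the second posting's route-map ACL 122 denies that pair before its permit. Second, whether the inbound ACL on the crypto-map interface admits ESP as well as UDP: the first posting's ACL 100 on Dialer1 permits `udp any any` but has no `esp` entry, so only NAT-T-encapsulated (udp/4500) client traffic could enter before the final `deny ip any any`; the second posting removes the access-group from Dialer1 altogether. The sample configs are constructed, condensed from the two postings with secrets and unrelated lines dropped; the peer and WAN addresses are documentation-range placeholders (the dialer's real address is negotiated); parsing assumes IPv4, numbered ACLs and contiguous wildcard masks, and does not model ports.

```python
"""Checks for "IPsec client gets an address but cannot reach the LAN" on a Cisco IOS running-config.
Added example for this thread (not Cisco tooling, not something the poster ran). It answers:
  1. would a LAN -> VPN-pool packet be translated by `ip nat inside source` (NAT ACL or route-map ACL permits it)?
  2. does the inbound ACL on the crypto-map interface admit ESP and UDP from a peer? (ports not modelled)"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PROTOS, PORT_OPS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre", "50"}, {"eq", "gt", "lt", "neq", "range"}

def wildcard_net(addr, wild):
    """192.168.0.0 + 0.0.0.255 -> 192.168.0.0/24 (contiguous wildcard assumed)."""
    a, w = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))
    return ipaddress.IPv4Network((a & ~w & 0xFFFFFFFF, 32 - w.bit_length()))

def _addr(tok):
    """Pop one ACL address spec: any | host X | X wildcard | X (standard-ACL shorthand for a host)."""
    t = tok.pop(0)
    if t in ("any", "host"):
        return ANY if t == "any" else ipaddress.IPv4Network(tok.pop(0) + "/32")
    return wildcard_net(t, tok.pop(0) if tok and tok[0][0].isdigit() else "0.0.0.0")

def parse(text):
    """acls {num: [(action, proto, src, dst)]}, route_maps {name: [acl nums]}, pools {name: first addr},
    nat (kind, name), ifaces {name: {nat, in_acl, crypto, net}}."""
    cfg, iface, rmap = {"acls": {}, "route_maps": {}, "pools": {}, "nat": ("none", ""), "ifaces": {}}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!") or tok[2:3] == ["remark"]:
            continue
        if tok[0] == "interface":
            iface = cfg["ifaces"].setdefault(tok[1], {"nat": None, "in_acl": None, "crypto": False, "net": None})
            rmap = None
        elif tok[0] == "route-map":
            rmap, iface = cfg["route_maps"].setdefault(tok[1], []), None
        elif tok[0] == "access-list":
            num, action, rest = int(tok[1]), tok[2], tok[3:]
            if rest[0] in PROTOS:                      # extended: proto src [src-port] dst [dst-port]
                proto, src = rest.pop(0), _addr(rest)
                if rest and rest[0] in PORT_OPS:
                    del rest[:3 if rest[0] == "range" else 2]
                dst = _addr(rest)
            else:                                      # standard: source only, any destination
                proto, src, dst = "ip", _addr(rest), ANY
            cfg["acls"].setdefault(num, []).append((action, "esp" if proto == "50" else proto, src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            cfg["pools"][tok[3]] = ipaddress.IPv4Address(tok[4])
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            cfg["nat"] = (tok[4], tok[5])              # ("list", "1") or ("route-map", "nonat")
        elif rmap is not None and tok[:3] == ["match", "ip", "address"]:
            rmap.extend(int(n) for n in tok[3:])
        elif iface is not None:                        # interface sub-commands
            if tok[:2] == ["ip", "address"] and tok[2] != "negotiated":
                iface["net"] = ipaddress.IPv4Network((tok[2], tok[3]), strict=False)
            elif tok[:2] == ["ip", "nat"] and len(tok) == 3:
                iface["nat"] = tok[2]
            elif tok[:2] == ["ip", "access-group"] and tok[3] == "in":
                iface["in_acl"] = int(tok[2])
            elif tok[:2] == ["crypto", "map"] and len(tok) == 3:
                iface["crypto"] = True
    return cfg

def _match(aces, proto, src, dst):  # first-match ACL lookup; None means no entry matched (implicit deny)
    return next((a for a, p, s, d in aces if p in ("ip", proto) and src in s and dst in d), None)

def lan_to_pool_is_natted(cfg):
    """True if a packet from the first LAN host to the first pool address would be translated."""
    lan = next(i["net"] for i in cfg["ifaces"].values() if i["nat"] == "inside" and i["net"])
    pool, (kind, name) = next(iter(cfg["pools"].values())), cfg["nat"]
    nums = [int(name)] if kind == "list" else cfg["route_maps"].get(name, [])
    return any(_match(cfg["acls"].get(n, []), "ip", lan[1], pool) == "permit" for n in nums)

def crypto_inbound_admits(cfg, peer="203.0.113.10", wan="198.51.100.1"):
    """Per crypto-map interface: does its inbound ACL admit ESP and UDP from peer to wan (placeholder
    documentation addresses)? An interface without an inbound ACL admits everything."""
    p, w = ipaddress.IPv4Address(peer), ipaddress.IPv4Address(wan)
    return {n: {pr: i["in_acl"] is None or _match(cfg["acls"].get(i["in_acl"], []), pr, p, w) == "permit"
                for pr in ("esp", "udp")} for n, i in cfg["ifaces"].items() if i["crypto"]}

# Constructed sample, condensed from the thread's two postings. FIRST: NAT keyed on standard ACL 1 (which
# also matches LAN -> pool) and ACL 100 inbound on Dialer1. SECOND: route-map NAT exemption, no inbound ACL.
BASE = """interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip nat outside
 crypto map VPN
ip local pool vpnpool 172.16.1.1 172.16.1.254
access-list 100 deny tcp any any eq 22 log
access-list 100 permit udp any any
access-list 100 deny ip any any log
"""
FIRST = BASE.replace(" crypto map VPN", " ip access-group 100 in\n crypto map VPN") + """\
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any
"""
SECOND = BASE + """ip nat inside source route-map nonat interface Dialer1 overload
access-list 122 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 122
"""
```

Usage: `cfg = parse(open("running-config.txt").read())`, then `lan_to_pool_is_natted(cfg)` (True means the NAT rule still swallows LAN-to-client traffic) and `crypto_inbound_admits(cfg)` (a per-interface dict such as `{"Dialer1": {"esp": False, "udp": True}}`). Run on `FIRST` the first check is True and ESP is not admitted; on `SECOND` the first check is False and nothing is filtered inbound, which matches the config change between the two postings. The parser also copes with the full pasted configs, since global lines like `ip local pool` and `access-list` are recognised before the interface sub-command branch.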
