We have office A (172.17.2.0/24, 172.17.10.0/24), office B (10.0.0.0/24) and office C (10.5.0.0/24), connected to each other by site-to-site VPN. Users who connect by VPN to office B get an address from the 10.3.1.0/24 network. Authentication is on a RADIUS server. NAT for internet access is configured for the networks 10.0.0.0/24 and 10.3.1.0/24. The problem is that when I connect by VPN and get an address, say 10.3.1.1, I can reach the 10.0.0.0/24 network, but the other networks, 172.17.2.0/24, 172.17.10.0/24 and 10.5.0.0/24, are unreachable.

Config of the cisco-2811 in office B:

version 12.4
hostname Cisco-2811
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
!
aaa session-id common
!
resource policy
!
ip cef
!
ip domain name xxx
ip name-server 10.0.0.4
ip name-server 10.0.0.3
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address x.x.x.x
crypto isakmp key xxx address y.y.y.y
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Office A
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 104
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to Office C
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA1
 match address 105
!
interface FastEthernet0/0
 description Local net Office B
 ip address 10.0.0.13 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Internet
 ip address x.x.x.x 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool vpn
 no keepalive
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
ip local pool vpn 10.3.1.1 10.3.1.255
ip route 0.0.0.0 0.0.0.0 z.z.z.z
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 600
ip nat pool main z.z.z.z1 z.z.z.z1 netmask 255.255.255.0
ip nat pool vpn z.z.z.z2 z.z.z.z2 netmask 255.255.255.0
ip nat inside source route-map nonat pool main overload
ip nat inside source route-map nonat-vpn pool vpn overload
!
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 104 permit ip 10.0.0.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.3.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 121 deny ip 10.3.1.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 121 deny ip 10.3.1.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 121 deny ip 10.3.1.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 121 deny ip 10.3.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 121 permit ip 10.3.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 120
!
route-map nonat-vpn permit 10
 match ip address 121
!
radius-server configure-nas
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key xxx
!
end
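The symptom in the post follows from the config as posted: route-map ACL 121 exempts 10.3.1.0/24 traffic to the remote offices from NAT, but crypto ACLs 104 and 105 only match a source of 10.0.0.0/24, so packets from the PPTP pool to 172.17.2.0/24, 172.17.10.0/24 or 10.5.0.0/24 leave FastEthernet0/1 unencrypted toward the default route and never reach the tunnel peers. The script below is an added example and not part of the original post or Cisco's own tooling: it parses a constructed excerpt of the posted lines, reports every flow that a NAT route-map exempts but no crypto ACL covers, and prints the crypto ACL lines that would close the gap. It assumes the numbered-ACL form `access-list N permit|deny ip SRC WILDCARD DST WILDCARD` used in the post and treats 10.0.0.0/24 and the pool 10.3.1.0/24 as directly connected.

```python
"""Find NAT-exempt flows that no IPsec crypto ACL will encrypt.

Added example (not from the original post). Flows that the NAT route-maps
exempt but that no crypto ACL matches are sent in the clear toward the
default route, which is exactly what happens to the PPTP pool here.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the posted 2811 config: only the lines the check needs.
CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer x.x.x.x
 match address 104
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer y.y.y.y
 match address 105
access-list 104 permit ip 10.0.0.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.3.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
access-list 121 deny ip 10.3.1.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 121 deny ip 10.3.1.0 0.0.0.255 172.17.10.0 0.0.0.255
access-list 121 deny ip 10.3.1.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 121 deny ip 10.3.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 121 permit ip 10.3.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
route-map nonat-vpn permit 10
 match ip address 121
"""

# Assumption: networks the 2811 reaches without a tunnel (its LAN and the PPTP
# pool, since Virtual-Template1 is unnumbered on FastEthernet0/0). Flows to
# these are correctly left unencrypted.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.3.1.0/24")]

ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_net(addr, wildcard):
    """IOS wildcard (inverted mask) -> ip_network; 10.0.0.0 0.0.0.255 -> 10.0.0.0/24."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)


def parse(config):
    """Collect numbered ACL entries plus the ACLs used by crypto maps and NAT route-maps."""
    acls = defaultdict(list)        # acl number -> [(action, src_net, dst_net)]
    crypto_acls, nat_acls = [], []
    section = None                  # "crypto" or "route-map" while inside that block
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented command ends any sub-block
            section = None
        m = ACE.match(line)
        if m:                        # 'any' entries do not match and are ignored
            num, action, s, sw, d, dw = m.groups()
            acls[num].append((action, wildcard_to_net(s, sw), wildcard_to_net(d, dw)))
        elif line.startswith("crypto map "):
            section = "crypto"
        elif line.startswith("route-map "):
            section = "route-map"
        elif section == "crypto" and line.startswith("match address "):
            crypto_acls.append(line.split()[-1])
        elif section == "route-map" and line.startswith("match ip address "):
            nat_acls.append(line.split()[-1])
    return acls, crypto_acls, nat_acls


def covered_by_crypto(src, dst, acls, crypto_acls):
    """True if a permit entry of some crypto ACL contains the src -> dst flow."""
    return any(action == "permit" and src.subnet_of(s) and dst.subnet_of(d)
               for n in crypto_acls for action, s, d in acls[n])


def find_blackholed(config):
    """(src, dst) pairs exempted from NAT but matched by no crypto ACL."""
    acls, crypto_acls, nat_acls = parse(config)
    missing = []
    for n in nat_acls:
        for action, src, dst in acls[n]:
            if action != "deny":
                continue                                   # NATed to the internet: fine
            if any(dst.subnet_of(local) for local in LOCAL_NETS):
                continue                                   # directly connected: fine
            if not covered_by_crypto(src, dst, acls, crypto_acls):
                missing.append((src, dst))
    return missing


def suggest_fix(config):
    """Crypto ACL lines for each black-holed flow, added to the crypto ACL (hence
    the crypto map entry and peer) that already serves that destination."""
    acls, crypto_acls, _ = parse(config)
    lines = []
    for src, dst in find_blackholed(config):
        target = next((n for n in crypto_acls
                       if any(dst == d for _, _, d in acls[n])), None)
        if target is None:
            lines.append(f"! no crypto map entry serves {dst}: add one for its peer")
            continue
        lines.append(f"access-list {target} permit ip {src.network_address} {src.hostmask} "
                     f"{dst.network_address} {dst.hostmask}")
    return lines


if __name__ == "__main__":
    for src, dst in find_blackholed(CONFIG):
        print(f"black-holed: {src} -> {dst}")
    print("\n".join(suggest_fix(CONFIG)))
```

Run against the excerpt, it flags the three 10.3.1.0/24 flows to the remote subnets and suggests adding them to ACL 104 (office A peer) and ACL 105 (office C peer). Two caveats before applying that: the routers in offices A and C must get the mirror-image entries (their LAN as source, 10.3.1.0/24 as destination) in their own crypto ACLs, or phase 2 will not negotiate for the new proxy identities; and the remote LANs must route 10.3.1.0/24 back toward their crypto-mapped interface, which a default route already does. Unrelated to the symptom but worth noting while editing this box: PPTP with MS-CHAPv2 and 3DES with DH group 2 are both considered broken today.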