>I'm probably dumb... but without a proper network diagram and a proper equipment configuration
>(rather than some excerpts taken from who knows where) I, personally,
>didn't understand anything at all... Greetings to you, huk.
Actually, it's more that I was wrong to post only pieces of the config.
Here is the diagram itself:
|------------|---GigabitEthernet0/0 (tunnels, Internet)
| |
| cisco 2821 |
----------------------| | leased line
GigabitEthernet0/1 |------------|----interface FastEthernet0/3/0 <----> 172.26.98.1
my side 172.26.98.2
10.0.0.155
Config:
Current configuration : 5767 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
no network-clock-participate wic 2
!
!
ip cef
ip name-server 10.0.0.2
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 6 секретное слово address a.a.a.a
crypto isakmp key 6 секретное слово address b.b.b.b
!
!
crypto ipsec transform-set all esp-des esp-md5-hmac
mode transport
!
crypto map 113 113 ipsec-isakmp
set peer a.a.a.a
set transform-set all
match address 113
!
crypto map vpn 111 ipsec-isakmp
set peer b.b.b.b
set transform-set all
match address 112
!
!
interface Tunnel0
description Tunnel to
ip address 10.231.0.2 255.255.255.252
ip mtu 1400
tunnel source GigabitEthernet0/0
tunnel destination b.b.b.b
tunnel sequence-datagrams
tunnel path-mtu-discovery
crypto map vpn
!
interface Tunnel1
description Tunnel to
ip address 10.237.0.1 255.255.255.252
ip mtu 1400
tunnel source GigabitEthernet0/0
tunnel destination a.a.a.a
tunnel sequence-datagrams
tunnel path-mtu-discovery
crypto map 113
!
interface GigabitEthernet0/0
ip address c.c.c.c 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address d.d.d.d 255.255.255.0 secondary
ip address 10.0.0.155 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/0
description new
switchport access vlan 10
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description Link to new
ip address 172.26.98.2 255.255.255.240
ip nat outside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.1.0.0 255.255.0.0 10.0.0.3
ip route 10.2.0.0 255.255.0.0 10.0.0.3
ip route 10.3.0.0 255.255.0.0 10.0.0.3
ip route 10.5.0.0 255.255.0.0 10.0.0.3
ip route 10.7.0.0 255.255.0.0 10.0.0.3
ip route 10.31.0.0 255.255.0.0 10.0.0.3
ip route 172.16.0.0 255.255.192.0 10.0.0.1
!
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 180
ip nat pool new 172.26.98.3 172.26.98.14 netmask 255.255.255.240
ip nat inside source list 112 interface GigabitEthernet0/0 overload
ip nat inside source list 115 interface GigabitEthernet0/0 overload
ip nat inside source list 121 pool new
!
access-list 115 permit udp any any eq domain
access-list 115 permit udp any eq domain any
access-list 115 permit ip host 10.0.0.2 any
access-list 121 permit ip host 10.7.0.10 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.31.0.6 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.7.0.21 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.2.0.21 172.26.0.0 0.0.255.255
access-list 121 permit ip host 172.16.2.160 172.26.0.0 0.0.255.255
access-list 121 permit ip host 172.16.2.146 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.3.0.57 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.2.0.58 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.3.0.58 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.5.0.70 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.1.0.142 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.1.0.174 172.26.0.0 0.0.255.255
access-list 121 permit ip host 172.16.2.92 172.26.0.0 0.0.255.255
access-list 121 permit ip host 10.5.0.77 172.26.0.0 0.0.255.255
!
control-plane
!
gatekeeper
shutdown
!
transport input ssh
!
scheduler allocate 20000 1000
!
end
It is precisely this segment that is giving me a bit of trouble:
----------------------| cisco | leased line
GigabitEthernet0/1 |------------|----interface FastEthernet0/3/0 <----> 172.26.98.1
my side 172.26.98.2
10.0.0.155
From the Cisco I can see everything: I can ping all the machines from the access list, and I can see 172.26.98.1.
But from the 10.x.0.0 network, traffic gets stuck at 10.0.0.155,
and from the 172.16.0.0 network it gets stuck at 172.26.98.2.
And by the way, a request: please don't beat me up too badly.