очень прошу прощения, но сам разобраться не смог.
есть CISCO 2811 необходимо через неё настроить публикацию FTP, RDP + настроить VPN.
Читая конфигу и разбираясь что куда я совсем запутался, так вот прошу у сведущих помощи. для начала почему не работает проброс FTP.
!
ip nat inside source static tcp 192.168.2.100 20 xx.xx.xx.x5 20 extendable
!
прописал/
Current configuration : 6120 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco_vpn
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-24.T3.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name xxxxxxxxxxxx
ip name-server xxxxxxxxxxx
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp router-traffic
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
ip inspect name INSPECT_OUT telnet
ip inspect name INSPECT_OUT pptp
ip inspect name INSPECT_OUT ftps
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
voice-card 0
!
!
!
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key testgroupvpn
dns 192.168.2.1
wins 192.168.2.1
domain xxxxxxxxxxx
pool ipsecpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address xx.xx.xx.x5 255.255.255.248
ip access-group FIREWALL in
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect INSPECT_OUT out
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map clientmap
!
interface FastEthernet0/1
description $ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 192.168.2.60 255.255.255.0
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
no keepalive
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
ip access-group PPTP_TUNNEL_FIREWALL_IN in
peer default ip address pool pptppool
no keepalive
ppp encrypt mppe auto
ppp authentication chap ms-chap
!
ip local pool pptppool 192.168.10.1 192.168.10.50
ip local pool ipsecpool 192.168.10.51 192.168.10.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.x3
ip route 192.168.1.98 255.255.255.255 192.168.2.216
ip route 192.168.9.98 255.255.255.255 192.168.2.197
ip http server
ip http access-class 75
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.2.100 20 xx.xx.xx.x5 20 extendable
!
ip access-list extended FIREWALL
permit gre any any
permit tcp any any eq 22
permit tcp any any eq 1723
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit ip 192.0.0.0 0.255.255.255 any
permit ip 192.168.0.0 0.0.0.255 any
deny ip any any log
ip access-list extended PPTP_TUNNEL_FIREWALL_IN
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 3000
permit tcp any any eq ftp
deny ip any any log
ip access-list extended PPTP_TUNNEL_FIREWALL_OUT
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 3000
permit tcp any any eq ftp
deny ip any any log
!
logging trap debugging
access-list 21 permit 192.168.2.100
access-list 108 permit ip 192.168.2.0 0.0.0.255 191.168.10.0 0.0.0.255
no cdp run
!
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
!
!
!
!
!
!
banner exec ^CCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
logging synchronous
transport input telnet ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
end