The OpenNET Project / Forums / Routers, CISCO and other equipment (Public)

"cisco 1841 websites won't open"

Posted by se000 on 16-Aug-09, 21:15
I'm really asking for your help; I've already struggled a lot
with this config.
It isn't very readable (a lot of unnecessary stuff, as it seems to me), sorry about that. That's how I inherited it; once the problem is solved I'll definitely start tidying it up.
I don't have much Cisco knowledge, but I've dealt with and set up small, simple configs. Anyway, this config is where I stumbled.
Given: 2 networks from the provider
fa 0/0 ip address 212.xxx.xxx.54 255.255.255.252
fa 0/1 ip address 212.xxx.xxx.18 255.255.255.252
Goal: the first one, 212.xxx.xxx.54, serves the vlan1 network (192.168.42.0/24) as its Internet link (NAT outbound and inbound) and for site-to-site IPsec VPN with the regional offices.
The second one, 212.xxx.xxx.18, serves the vlan3 network (192.168.127.0/28) as its Internet link (NAT outbound and inbound).
The two networks, vlan1 and vlan3, must not interfere with each other or interact with each other in any way.

Problem: websites open very slowly or not at all, but not all sites. I haven't found a pattern; the sites that don't open ping fine.

After I did no ip cef, pages started opening a little more briskly. Playing with mtu and adjust-mss has no effect on the result.
Turning off ip access-group 104 in on fa0/0 gives a 100% result: pages open as they should and everything flies. Same for ip access-group 105 in on fa 0/1. Please tell me what to do here.
Here's the full config; I've masked the public IPs with x's.
sh run
Building configuration...

Current configuration : 21520 bytes
!
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname R_2
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $7xBHDxc/dti9H41
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone Almaty 6
no ip source-route
no ip cef
!
!
!
!
no ip bootp server
ip domain name firma.kz
ip name-server 212.xxx.xxx.xxx
ip name-server 212.xxx.xxx.xx
ip name-server 192.168.42.4
ip name-server 192.168.42.6
ip name-server 212.xxx.xxx.xx
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW pptp
ip inspect name SDM_LOW l2tp
ip inspect name SDM_LOW bgp
ip inspect name SDM_LOW ldap
ip inspect name SDM_LOW netbios-ns
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW kerberos
ip inspect name SDM_LOW radius
ip inspect name SDM_LOW echo
ip inspect name SDM_LOW discard
ip inspect name SDM_LOW socks
ip inspect name SDM_LOW clp
ip inspect name SDM_LOW cisco-net-mgmt
ip inspect name SDM_LOW cisco-sys
ip inspect name SDM_LOW cisco-tna
ip inspect name SDM_LOW cisco-fna
ip inspect name SDM_LOW cisco-tdp
ip inspect name SDM_LOW cisco-svcs
ip inspect name SDM_LOW stun
ip inspect name SDM_LOW tr-rsrb
ip inspect name SDM_LOW microsoft-ds
ip inspect name SDM_LOW netbios-ssn
ip inspect name SDM_LOW ftps
ip inspect name SDM_LOW sqlserv
ip inspect name SDM_LOW shell
ip inspect name SDM_LOW ssh
ip inspect name SDM_LOW n2h2server
ip inspect name SDM_LOW who
ip inspect name SDM_LOW nntp
ip inspect name SDM_LOW netstat
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name SDM_LOW ms-sql
ip inspect name SDM_LOW ms-sql-m
ip inspect name SDM_LOW sshell
ip inspect name SDM_LOW sqlsrv
ip inspect name SDM_LOW time
ip inspect name SDM_LOW ldaps
ip inspect name SDM_LOW ldap-admin
ip inspect name SDM_LOW msexch-routing
ip inspect name SDM_LOW snmp
ip inspect name SDM_LOW dbase
ip inspect name SDM_LOW mysql
ip inspect name SDM_LOW uucp
ip inspect name SDM_LOW cifs
ip inspect name SDM_LOW snmptrap
!
!
crypto pki trustpoint TP-self-signed-2156707769
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2156707769
revocation-check none
rsakeypair TP-self-signed-2156707769
!
!
crypto pki certificate chain TP-self-signed-2156707769
certificate self-signed 01
30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313536 37303737 3639301E 170D3039 30363032 31303230
31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31353637
30373736 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B79E 283AC484 4BF5C32D 11A8BF20 1ACDA902 37F43852 A9829B63 BD5E7C5C
955FBEC5 97A38E97 D894B389 E538C7F2 5310A0A9 A5B7F35E 5FA57550 F610868E
081CFF2F D7391284 91ACC9EB 927C6A7A E0934A9B 332C4494 A30F338C 324CEF37
6A3299DD 06870F62 3C96A091 4B7C747F 77D4168A F0ADC0FB 76F97093 121330CE
7FFB0203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
551D1104 0E300C82 0A525F32 2E616567 2E6B7A30 1F060355 1D230418 30168014
6ED51591 64DF6B29 BB2D6C01 67AB91D3 7C6D5B45 301D0603 551D0E04 1604146E
D5159164 DF6B29BB 2D6C0167 AB91D37C 6D5B4530 0D06092A 864886F7 0D010104
05000381 81007626 F55C769E 42839E1D 699FAF27 D76AE5D1 934978E6 9ACD27F9
6D026069 28592612 C0270263 47564FF0 BCB11E37 B44163C7 75348BFC FB4A448B
15F4653B FB9A25DF 0162F96D 91C02B69 7BB94C7F B8212189 AA81D865 679F67A8
B99FCB4E 2D77C9E4 2C1CD275 31F454F3 137478D6 ED7C74AA 9584F581 FC60DB1B
F59D1AC7 F629
quit
username admin privilege 15 secret 5 $1SRVSePMqLLw.
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 111111111 address 89.xxx.xxx.xxx no-xauth
crypto isakmp key 111111111 address 88.xxx.xxx.xxx no-xauth
crypto isakmp key 111111111 address 95.xxx.xxx.xxx no-xauth
crypto isakmp key 111111111 address 92.xxx.xxx.xxx no-xauth
crypto isakmp key 111111111 address 89.xxx.213.xxx no-xauth
!
!
crypto ipsec transform-set ESP_3DES/MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map IPsec_branch 3 ipsec-isakmp
set peer 88.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set ESP_3DES/MD5
set pfs group2
match address branch1_ipsec
crypto map IPsec_branch 6 ipsec-isakmp
set peer 89.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set ESP_3DES/MD5
set pfs group2
match address branch2_ipsec
crypto map IPsec_branch 12 ipsec-isakmp
set peer 92.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set ESP_3DES/MD5
set pfs group2
match address branch7_ipsec
crypto map IPsec_branch 14 ipsec-isakmp
set peer 89.xxx.213.xxx
set security-association lifetime seconds 28800
set transform-set ESP_3DES/MD5
set pfs group2
match address branch8_ipsec
crypto map IPsec_branch 18 ipsec-isakmp
set peer 95.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set ESP_3DES/MD5
set pfs group2
match address branch18_ipsec
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
ip address 212.xxx.xxx.54 255.255.255.252
ip access-group 104 in
ip access-group 107 out
no ip redirects
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map IPsec_branch
!
interface FastEthernet0/1
ip address 212.xxx.xxx.18 255.255.255.252
ip access-group 105 in
ip access-group 109 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
switchport access vlan 3
!
interface Vlan1
ip address 192.168.42.11 255.255.255.0
ip access-group 100 in
ip access-group 110 out
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
!
interface Vlan3
ip address 192.168.127.2 255.255.255.128
ip access-group 106 in
ip access-group 111 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
!
router rip
network 192.168.42.0
network 192.168.127.0
network 212.xxx.xxx.0
network 212.xxx.xxx.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 212.xxx.xxx.17
ip route 0.0.0.0 0.0.0.0 212.xxx.xxx.53
ip route 192.168.43.0 255.255.255.0 192.168.42.8
!
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface FastEthernet0/1 overload
!
ip access-list extended branch8_ipsec
permit ip 192.168.42.0 0.0.0.255 192.168.14.0 0.0.0.255
ip access-list extended branch1_ipsec
permit ip 192.168.42.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended branch2_ipsec
permit ip 192.168.42.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended branch7_ipsec
permit ip 192.168.42.0 0.0.0.255 192.168.12.0 0.0.0.255
ip access-list extended branch18_ipsec
permit ip 192.168.42.0 0.0.0.255 192.168.18.0 0.0.0.255
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.42.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.127.0 0.0.0.127
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.42.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.42.6 eq domain any
access-list 100 permit udp host 192.168.42.4 eq domain any
access-list 100 remark Auto generated by SDM for NTP (123) 192.168.42.6
access-list 100 permit udp host 192.168.42.6 eq ntp host 192.168.42.11 eq ntp
access-list 100 deny ip 192.168.127.0 0.0.0.255 any
access-list 100 deny ip 212.xxx.xxx.16 0.0.0.3 any
access-list 100 deny ip 212.xxx.xxx.52 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp 192.168.42.0 0.0.0.255 host 192.168.42.11 eq telnet
access-list 100 permit tcp 192.168.42.0 0.0.0.255 host 192.168.42.11 eq 22
access-list 100 permit tcp 192.168.43.0 0.0.0.255 host 192.168.42.11 eq 22
access-list 100 permit tcp 192.168.42.0 0.0.0.255 host 192.168.42.11 eq www
access-list 100 permit tcp 192.168.42.0 0.0.0.255 host 192.168.42.11 eq 443
access-list 100 permit tcp 192.168.42.0 0.0.0.255 host 192.168.42.11 eq cmd
access-list 100 deny tcp any host 192.168.42.11 eq telnet
access-list 100 deny tcp any host 192.168.42.11 eq 22
access-list 100 deny tcp any host 192.168.42.11 eq www
access-list 100 deny tcp any host 192.168.42.11 eq 443
access-list 100 deny tcp any host 192.168.42.11 eq cmd
access-list 100 deny udp any host 192.168.42.11 eq snmp
access-list 100 permit tcp host 212.xxx.xxx.54 eq 9100 192.168.42.0 0.0.0.255
access-list 100 permit udp host 212.xxx.xxx.54 eq 9100 192.168.42.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 remark remote VPN server
access-list 100 permit tcp any eq 1723 host 212.xxx.xxx.54 eq 1723
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.42.0 0.0.0.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.42.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.42.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 104 permit ip 192.168.42.0 0.0.0.255 any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 89.xxx.213.xxx host 212.xxx.xxx.54 eq non500-isakmp
access-list 104 permit udp host 89.xxx.213.xxx host 212.xxx.xxx.54 eq isakmp
access-list 104 permit esp host 89.xxx.213.xxx host 212.xxx.xxx.54
access-list 104 permit ahp host 89.xxx.213.xxx host 212.xxx.xxx.54
access-list 104 permit udp host 212.xxx.xxx.xxx eq domain any
access-list 104 permit udp host 212.xxx.xxx.xxx eq domain any
access-list 104 permit udp host 88.xxx.xxx.xxx eq domain any
access-list 104 permit udp host 212.xxx.xxx.xxx eq domain host 212.xxx.xxx.54
access-list 104 permit udp host 212.xxx.xxx.xxx eq domain host 212.xxx.xxx.54
access-list 104 permit udp host 92.xxx.xxx.xxx host 212.xxx.xxx.54 eq non500-isakmp
access-list 104 permit udp host 92.xxx.xxx.xxx host 212.xxx.xxx.54 eq isakmp
access-list 104 permit esp host 92.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit ahp host 92.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit ip 192.168.42.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 permit udp host 89.xxx.xxx.xxx host 212.xxx.xxx.54 eq non500-isakmp
access-list 104 permit udp host 89.xxx.xxx.xxx host 212.xxx.xxx.54 eq isakmp
access-list 104 permit esp host 89.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit ahp host 89.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit ahp host 95.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit esp host 95.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit udp host 95.xxx.xxx.xxx host 212.xxx.xxx.54 eq isakmp
access-list 104 permit udp host 95.xxx.xxx.xxx host 212.xxx.xxx.54 eq non500-isakmp
access-list 104 permit ahp host 88.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit esp host 88.xxx.xxx.xxx host 212.xxx.xxx.54
access-list 104 permit udp host 88.xxx.xxx.xxx host 212.xxx.xxx.54 eq isakmp
access-list 104 permit udp host 88.xxx.xxx.xxx host 212.xxx.xxx.54 eq non500-isakmp
access-list 104 deny ip 192.168.127.0 0.0.0.255 any
access-list 104 deny ip 212.xxx.xxx.16 0.0.0.3 any
access-list 104 permit icmp any host 212.xxx.xxx.54 echo-reply
access-list 104 permit icmp any host 212.xxx.xxx.54 time-exceeded
access-list 104 permit icmp any host 212.xxx.xxx.54 unreachable
access-list 104 permit udp any any eq rip
access-list 104 permit ip any host 224.0.0.9
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit tcp host 192.168.3.100 eq 9100 192.168.42.0 0.0.0.255
access-list 104 permit udp host 192.168.3.100 eq 9100 192.168.42.0 0.0.0.255
access-list 104 deny ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host 212.xxx.xxx.xxx eq domain any
access-list 105 permit udp host 212.xxx.xxx.xxx eq domain any
access-list 105 permit udp host 212.xx.xxx.xxx eq domain host 212.xxx.xxx.18
access-list 105 permit udp host 212.xxx.xxx.xxx eq domain host 212.xxx.xxx.18
access-list 105 deny ip 192.168.42.0 0.0.0.255 any
access-list 105 deny ip 212.xxx.xxx.xxx 0.0.0.3 any
access-list 105 permit icmp any host 212.xxx.xxx.18 echo-reply
access-list 105 permit icmp any host 212.xxx.xxx.18 time-exceeded
access-list 105 permit icmp any host 212.xxx.xxx.18 unreachable
access-list 105 permit ip any host 224.0.0.9
access-list 105 permit udp any any eq rip
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 permit ahp any host 212.xxx.xxx.18
access-list 105 permit esp any host 212.xxx.xxx.18
access-list 105 permit udp any host 212.xxx.xxx.18 eq isakmp
access-list 105 permit udp any host 212.xxx.xxx.18 eq non500-isakmp
access-list 105 deny ip any any log
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 deny ip 192.168.42.0 0.0.0.255 any
access-list 106 deny ip 212.xxx.xxx.52 0.0.0.3 any
access-list 106 permit ip 212.xxx.xxx.xxx 0.0.0.3 any
access-list 106 permit icmp any host 192.168.127.2 echo-reply
access-list 106 permit icmp any host 192.168.127.2 time-exceeded
access-list 106 permit icmp any host 192.168.127.2 unreachable
access-list 106 permit udp any any eq rip
access-list 106 permit ip any host 224.0.0.9
access-list 106 deny ip 10.0.0.0 0.255.255.255 any
access-list 106 deny ip 172.16.0.0 0.15.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip host 0.0.0.0 any
access-list 106 permit ahp host 212.xxx.xxx.18 any
access-list 106 permit esp host 212.xxx.xxx.18 any
access-list 106 permit udp host 212.xxx.xxx.18 any eq isakmp
access-list 106 permit udp host 212.xxx.xxx.18 any eq non500-isakmp
access-list 106 permit tcp 192.168.127.0 0.0.0.127 eq 9100 any eq 9100
access-list 106 permit ip any any
access-list 107 remark SDM_ACL Category=1
access-list 107 deny ip any host 192.168.127.2
access-list 107 deny ip any host 212.xxx.xxx.18
access-list 107 permit tcp 192.168.42.0 0.0.0.255 eq 9100 host 192.168.3.100
access-list 107 permit udp 192.168.42.0 0.0.0.255 eq 9100 host 192.168.3.100
access-list 107 permit ip any any
access-list 108 remark SDM_ACL Category=2
access-list 108 deny ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 108 remark IPSec Rule
access-list 108 deny ip 192.168.42.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 108 deny ip 192.168.42.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 108 deny ip 192.168.12.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 108 deny ip 192.168.42.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 deny ip 192.168.3.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 108 deny ip 192.168.42.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 108 deny ip 192.168.6.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 108 deny ip 192.168.42.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 108 deny ip 192.168.18.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 108 permit ip 192.168.42.0 0.0.0.255 any
access-list 109 remark SDM_ACL Category=1
access-list 109 deny ip any host 192.168.42.11
access-list 109 deny ip any host 212.xxx.xxx.54
access-list 109 permit ahp any 192.168.127.0 0.0.0.127
access-list 109 permit esp any 192.168.127.0 0.0.0.127
access-list 109 permit udp any 192.168.127.0 0.0.0.127 eq isakmp
access-list 109 permit udp any 192.168.127.0 0.0.0.127 eq non500-isakmp
access-list 109 permit ip any any
access-list 110 remark SDM_ACL Category=1
access-list 110 deny ip any 192.168.127.0 0.0.0.255
access-list 110 deny ip any host 212.xxx.xxx.18
access-list 110 permit ip any any
access-list 111 remark SDM_ACL Category=1
access-list 111 deny ip any 192.168.42.0 0.0.0.255
access-list 111 deny ip any host 212.xxx.xxx.54
access-list 111 permit ahp any host 212.xxx.xxx.18
access-list 111 permit esp any host 212.xxx.xxx.18
access-list 111 permit udp any host 212.xxx.xxx.18 eq isakmp
access-list 111 permit udp any host 212.xxx.xxx.18 eq non500-isakmp
access-list 111 permit tcp any eq 9100 192.168.127.0 0.0.0.127 eq 9100
access-list 111 permit ip any any
access-list 112 remark SDM_ACL Category=2
access-list 112 deny ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 112 deny ip 192.168.42.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 112 deny ip 192.168.12.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 112 deny ip 192.168.42.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 112 deny ip 192.168.3.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 112 deny ip 192.168.42.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 112 deny ip 192.168.6.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 112 deny ip 192.168.42.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 112 deny ip 192.168.18.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 deny ip 192.168.42.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 112 permit ip 192.168.127.0 0.0.0.127 any
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 113 permit ip 212.xxx.xxx.52 0.0.0.3 192.168.14.0 0.0.0.255
no cdp run
!
route-map SDM_RMAP_4 permit 1
match ip address 112
!
route-map SDM_RMAP_1 permit 1
match ip address 108
!
route-map SDM_RMAP_2 permit 1
match ip address 108
!
route-map SDM_RMAP_3 permit 1
match ip address 108
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
transport input telnet ssh
line vty 5 15
access-class 102 in
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.168.42.6 source FastEthernet0/0 prefer
end


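Before changing the ACLs, these are the checks a practitioner would run on this router while a VLAN1 host is loading one of the "slow" sites. This is an added example, not part of the thread: the commands are standard IOS 12.4 exec commands, and the comments tie them to the posted config (ACL 104 ends in `deny ip any any log`, return traffic entering Fa0/0 is only admitted through the dynamic entries that `ip inspect SDM_LOW out` creates, NAT is driven by route-maps, and there are two equal default routes).

```cisco
! Added example (exec commands, not from the thread). Run from a VLAN1 host:
! open one of the sites that does not load, then look at R_2 in this order.
!
! 1. Is ACL 104 (inbound on Fa0/0) dropping packets for this session?
!    Its last line is "deny ip any any log", so every drop is both counted
!    and logged as "%SEC-6-IPACCESSLOGP: list 104 denied ...".
clear ip access-list counters 104
show access-lists 104
show logging | include list 104 denied
!
! 2. Did CBAC (ip inspect SDM_LOW, applied "out" on Fa0/0) open a session
!    for the TCP connection? ACL 104 has no static permit for return TCP
!    from the Internet, so without an inspect session entry the server's
!    reply falls through to the final deny.
show ip inspect interfaces
show ip inspect sessions detail
show ip inspect statistics
!
! 3. Was the connection translated, and to which outside address?
!    (SDM_RMAP_3 -> Fa0/0 / 212.xxx.xxx.54, SDM_RMAP_4 -> Fa0/1 / .18)
show ip nat translations verbose | include tcp
show ip nat statistics
!
! 4. There are two equal default routes (.53 and .17). Which exit interface
!    did this destination actually take? NetFlow is enabled on all
!    interfaces, so the flow cache shows the in/out interface per flow.
show ip route 0.0.0.0
show ip cache flow | include Fa0/
```

If step 1 shows the ACL 104 deny counter climbing while step 2 shows no inspect session for that connection, the problem is in how return traffic is admitted, not in the site itself; if step 4 shows the flow leaving Fa0/1 while the reply comes back on Fa0/0, the two default routes are splitting the session between the two ISP links.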

Messages in this thread

1. "cisco 1841 websites won't open"
Posted by Николай on 18-Aug-09, 16:49
I'd like to help, but there's so much junk in there that it's easier to write it from scratch than to fix what's there.

2. "cisco 1841 websites won't open"
Posted by Николай on 18-Aug-09, 16:56
>I'd like to help, but there's so much junk in there that it's easier to write it from scratch
>than to fix what's there.

You have 2 inside VLANs: put ip nat inside on them, then write an access list for VLAN 1 and VLAN 3.
Then create 2 route-maps

1. route-map VLAN1-map
   match ip address VLAN1-acl
   match interface FastEthernet0/0   - its physical interface (212.xxx.xxx.54)

2. route-map VLAN3-map
   match ip address VLAN3-acl
   match interface FastEthernet0/1   - its physical interface (212.xxx.xxx.18)

then
ip nat inside source route-map VLAN1-map interface FastEthernet0/0 overload   (the interface with IP 212.xxx.xxx.54)
ip nat inside source route-map VLAN3-map interface FastEthernet0/1 overload   (the interface with IP 212.xxx.xxx.18)

Also put deny ACLs on the VLANs so they can't talk to each other.

Do that, then we'll go on with the VPN :)


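The complete configuration for the setup the original post asks for (two ISP links, one per VLAN, the VLANs isolated from each other, VLAN1 also carrying the site-to-site VPN), following the steps in this reply: an inside ACL per VLAN, a route-map per VLAN that matches the ACL and that VLAN's own outside interface, one overload NAT statement per route-map, and deny ACLs that keep the VLANs apart. This is an added example, not the reply author's configuration: the ACL, route-map and interface-ACL names (VLAN1-acl, VLAN1-map, VLAN1-inet, VLAN1-to-ISP1, VLAN1-in and their VLAN3 counterparts) are assumptions, the addresses and next-hops are taken from the posted config, and it is meant to replace the posted SDM_RMAP_3/SDM_RMAP_4 NAT statements and ACLs 108/112. One step is added beyond the reply: policy routing that pins each VLAN to its ISP, because `match interface` in a NAT route-map is evaluated against the exit interface the routing table chose, and with the two equal default routes in the posted config that choice is made by the routing table per destination (or per packet when process switched), not per VLAN.

```cisco
! Added example (not from the thread). Names below are assumed; addresses
! are those of the posted config (Fa0/0 = 212.xxx.xxx.54, next-hop .53;
! Fa0/1 = 212.xxx.xxx.18, next-hop .17).
!
! 1. Which inside sources each ISP link may translate. VLAN1 excludes the
!    five branch subnets so VPN-bound traffic is not NATted (the posted
!    ACL 108 does the same with its deny lines) and excludes VLAN3.
ip access-list extended VLAN1-acl
 deny   ip 192.168.42.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.42.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny   ip 192.168.42.0 0.0.0.255 192.168.12.0 0.0.0.255
 deny   ip 192.168.42.0 0.0.0.255 192.168.14.0 0.0.0.255
 deny   ip 192.168.42.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 192.168.42.0 0.0.0.255 192.168.127.0 0.0.0.127
 permit ip 192.168.42.0 0.0.0.255 any
!
ip access-list extended VLAN3-acl
 deny   ip 192.168.127.0 0.0.0.127 192.168.42.0 0.0.0.255
 permit ip 192.168.127.0 0.0.0.127 any
!
! 2. One route-map per VLAN: the NAT rule applies only when the packet is
!    leaving through that VLAN's own ISP interface.
route-map VLAN1-map permit 10
 match ip address VLAN1-acl
 match interface FastEthernet0/0
!
route-map VLAN3-map permit 10
 match ip address VLAN3-acl
 match interface FastEthernet0/1
!
! 3. PAT each VLAN onto its own outside address.
ip nat inside source route-map VLAN1-map interface FastEthernet0/0 overload
ip nat inside source route-map VLAN3-map interface FastEthernet0/1 overload
!
! 4. Pin each VLAN to its ISP with policy routing, so "match interface"
!    above is decided per VLAN rather than by whichever of the two default
!    routes the router picked. VLAN1 traffic to the branch subnets is NOT
!    excluded here: it must leave via Fa0/0, where crypto map IPsec_branch
!    is applied. The posted static route for 192.168.43.0/24 via
!    192.168.42.8 is excluded so PBR does not override it.
ip access-list extended VLAN1-inet
 deny   ip 192.168.42.0 0.0.0.255 192.168.43.0 0.0.0.255
 deny   ip 192.168.42.0 0.0.0.255 192.168.127.0 0.0.0.127
 permit ip 192.168.42.0 0.0.0.255 any
route-map VLAN1-to-ISP1 permit 10
 match ip address VLAN1-inet
 set ip next-hop 212.xxx.xxx.53
!
ip access-list extended VLAN3-inet
 deny   ip 192.168.127.0 0.0.0.127 192.168.42.0 0.0.0.255
 permit ip 192.168.127.0 0.0.0.127 any
route-map VLAN3-to-ISP2 permit 10
 match ip address VLAN3-inet
 set ip next-hop 212.xxx.xxx.17
!
! 5. Deny ACLs so the two VLANs cannot reach each other. They are applied
!    inbound on each VLAN interface and are evaluated before PBR.
ip access-list extended VLAN1-in
 deny   ip any 192.168.127.0 0.0.0.127
 permit ip any any
ip access-list extended VLAN3-in
 deny   ip any 192.168.42.0 0.0.0.255
 permit ip any any
!
interface Vlan1
 ip nat inside
 ip access-group VLAN1-in in
 ip policy route-map VLAN1-to-ISP1
!
interface Vlan3
 ip nat inside
 ip access-group VLAN3-in in
 ip policy route-map VLAN3-to-ISP2
!
interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 ip nat outside
```

After applying it, `show ip nat translations` should show VLAN1 hosts translated only to 212.xxx.xxx.54 and VLAN3 hosts only to 212.xxx.xxx.18, and `show route-map` should show matches on both NAT route-maps and both PBR route-maps; a VLAN3 host pinging 192.168.42.x should be refused by VLAN3-in rather than silently NATted out.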
3. "cisco 1841 websites won't open"
Posted by se000 on 19-Aug-09, 19:24
And what should these ACLs deny or allow? I mean, the VLANs already have an acl in and an acl out on them.

> match addr VLAN3-acl
> match addr VLAN1-acl

What should go in them?
