forum.opennet.ru - "Помогите с Cisco VPN Server на 1841" (3)

форумы

помощь

поиск

регистрация

майллист

вход/выход

слежка

"Помогите с Cisco VPN Server на 1841"

Форумы Маршрутизаторы CISCO и др. оборудование. (Public)
Вариант для распечатки		Пред. тема \| След. тема
Изначальное сообщение		[ Отслеживать ]

"Помогите с Cisco VPN Server на 1841"
Сообщение от m_root (ok) on 12-Дек-08, 12:55
Изучив всё что есть в гугле и т.п. не нашол решения своей проблеме. Прошу помочь с настройкой Cisco 1841 ios - c1841-advsecurityk9-mz.124-9.T.bin мне необходимо поднять на ней VPN Server для удалённого доступа пользователей в корп сеть по средством Cisco VPN Client... На данном этапе получалось лиш установить VPN соединение при этом с клиентской машины не было видно(не проходил пинг) не маршрутизатора и чего либо др. Хотелось бы увидеть рабочий конфиг.
Высказать мнение \| Ответить \| Правка \| Cообщить модератору

Оглавление

Помогите с Cisco VPN Server на 1841, LonelyCat, 14:02 , 12-Дек-08, (1)

LonelyCat, m_root, 14:49 , 12-Дек-08, (2)
LonelyCat , m_root, 16:37 , 12-Дек-08, (3)

Сообщения по теме [Сортировка по времени | RSS]

1. "Помогите с Cisco VPN Server на 1841"

Сообщение от LonelyCat (ok) on 12-Дек-08, 14:02

>Изучив всё что есть в гугле и т.п. не нашол решения своей
>проблеме.
>Прошу помочь с настройкой Cisco 1841 ios - c1841-advsecurityk9-mz.124-9.T.bin мне необходимо поднять
>на ней VPN Server для удалённого доступа пользователей в корп сеть
>по средством Cisco VPN Client... На данном этапе получалось лиш установить
>VPN соединение при этом с клиентской машины не было видно(не проходил
>пинг) не маршрутизатора и чего либо др. Хотелось бы увидеть рабочий
>конфиг.
aaa new-model
!
!
aaa authentication login ezvpn local
aaa authorization network ezvpn local
!
!
!
crypto isakmp policy 500
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local pool_ezvpn
!
!
crypto isakmp client configuration group ezvpn
key ciscocisco
dns <dns ip address>
pool pool_ezvpn
acl acl_ezvpn_split
save-password
split-dns example.com
netmask 255.255.255.128
!
crypto ipsec transform-set ts_ezvpn esp-aes esp-sha-hmac
!
!
crypto dynamic-map dm_map 1
description --Mobile remote access
set transform-set ts_ezvpn
reverse-route
!
!
crypto map cm_EZVPN client authentication list ezvpn
crypto map cm_EZVPN isakmp authorization list ezvpn
crypto map cm_EZVPN client configuration address respond
crypto map cm_EZVPN 500 ipsec-isakmp dynamic dm_map
!
int fa0/0
crypto map cm_EZVPN
!
ip local pool pool_ezvpn 192.168.1.10 192.168.1.254
!
!
ip access-list extended acl_ezvpn_split
remark -- permit all localnet
permit ip <local ip net> any
permit ip 192.168.0.0 0.0.255.255 any
не забудь наделать пользователей через username и тд

Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

2. "LonelyCat"

Сообщение от m_root (ok) on 12-Дек-08, 14:49

Спасиб огромное

Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

3. "LonelyCat "

Сообщение от m_root (ok) on 12-Дек-08, 16:37

Чот не фурычит ваш конфиг явно не хватает чегото... блин и прочесть про конкретно мою задачу не где... Может ещё кто чем подсобит?
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw1.XXXXX.ru
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret *************************
enable password ************************
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ezvpn local
aaa authorization exec local_author local
aaa authorization network ezvpn local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 11
no ip source-route
ip cef table adjacency-prefix validate
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name XXXXXXX.ru
ip name-server 192.168.0.154
ip name-server 192.168.0.254
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
username ************ privilege 15 secret ***************
!
!
!
!
crypto isakmp policy 500
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local pool_ezvpn
!
crypto isakmp client configuration group ezvpn
key my_keys
dns 192.168.0.154
pool pool_ezvpn
acl acl_ezvpn_split
save-password
split-dns XXXXXX.ru
netmask 255.255.255.0
!
!
crypto ipsec transform-set ts_ezvpn esp-aes esp-sha-hmac
!
crypto dynamic-map dm_map 1
description --Mobile remote access
set transform-set ts_ezvpn
reverse-route
!
!
crypto map cm_EZVPN client authentication list ezvpn
crypto map cm_EZVPN isakmp authorization list ezvpn
crypto map cm_EZVPN client configuration address respond
crypto map cm_EZVPN 500 ipsec-isakmp dynamic dm_map
!
!
!
!
interface Tunnel1
ip address 10.0.0.6 255.255.255.252
ip accounting precedence input
ip accounting precedence output
ip mtu 1459
ip nat inside
ip rip send version 2
ip rip receive version 2
ip virtual-reassembly
ip route-cache flow
ip policy route-map WAN
keepalive 10 3
tunnel source FastEthernet0/1
tunnel destination X.X.X.X
!
interface Tunnel2
description FSB
ip address 10.0.2.1 255.255.255.252
ip mtu 1459
ip nat inside
ip rip send version 2
ip rip receive version 2
ip virtual-reassembly
ip route-cache flow
ip policy route-map WAN
keepalive 10 3
tunnel source FastEthernet0/1
tunnel destination X.X.X.X
!
interface Tunnel3
description Sakhalin II
bandwidth 2000
ip address 10.0.3.1 255.255.255.252
ip accounting precedence input
ip accounting precedence output
ip mtu 1459
ip rip send version 2
ip rip receive version 2
ip virtual-reassembly
keepalive 10 3
tunnel source FastEthernet0/1
tunnel destination X.X.X.X
!
interface Null0
no ip unreachables
!
!
interface FastEthernet0/0
description LAN
ip address 192.168.222.1 255.255.255.0 secondary
ip address 192.168.0.244 255.255.255.0
ip access-group 155 in
ip access-group 155 out
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map WAN
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description WAN
ip address X.X.X.X 255.255.255.248
ip access-group 111 in
ip nat outside
ip nat enable
ip rip send version 2
ip rip receive version 2
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map clientmap
!
router rip
version 2
redistribute static
passive-interface FastEthernet0/0
passive-interface Tunnel1
passive-interface Tunnel2
network 10.0.0.0
network 192.168.0.0
neighbor 10.0.0.5
neighbor 10.0.2.2
distribute-list RIP-in in Tunnel2
!
ip local pool pool_ezvpn 192.168.111.10 192.168.111.254
ip route 0.0.0.0 0.0.0.0 Х.Х.Х.Х
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0
ip route 192.168.1.0 255.255.255.0 192.168.0.254
ip route 192.168.2.0 255.255.255.0 192.168.0.154
ip route 192.168.3.0 255.255.255.0 192.168.0.254
ip route 192.168.4.0 255.255.255.0 192.168.0.254
ip route 192.168.5.0 255.255.255.0 10.0.2.2
ip route 192.168.6.0 255.255.255.0 192.168.0.254
ip route 192.168.7.0 255.255.255.0 192.168.0.254
ip route 192.168.8.0 255.255.255.0 192.168.0.254
ip route 192.168.10.0 255.255.255.0 192.168.0.254
ip route 192.168.12.0 255.255.255.0 192.168.0.254
ip route 192.168.14.0 255.255.255.0 192.168.0.254
ip route 192.168.50.0 255.255.255.0 192.168.0.254
ip route 192.168.101.0 255.255.255.0 10.0.0.5
ip route 192.168.222.0 255.255.255.0 FastEthernet0/0
!
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT interface FastEthernet0/1 overload
ip nat inside source list PROXY interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.200 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.0.154 110 interface FastEthernet0/1 110
!
ip access-list standard RIP-in
remark *** Iskluchenie ne nugnih marshrutov s pogrebka na lenina ***
deny   X.148.194.0 0.0.0.255
deny   89.0.0.0 0.255.255.255
permit any
remark
remark ***////////////////////////////***
remark
!
ip access-list extended NAT
permit icmp any any
permit ip host 192.168.0.154 any
permit udp any any
permit tcp any any neq www
permit icmp 192.168.101.0 0.0.0.255 any
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.111.0 0.0.0.255 any
ip access-list extended PROXY-redirect
permit tcp 192.168.0.0 0.0.0.255 any eq www
deny   ip host 192.168.0.154 any
permit tcp 192.168.101.0 0.0.0.255 any eq www
ip access-list extended acl_ezvpn_split
remark -- permit all localnet
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
!
logging trap debugging
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 33 deny   Х.148.194.0 0.0.0.255
access-list 33 deny   89.0.0.0 0.0.0.255
access-list 33 permit any
access-list 101 permit ip any any precedence critical
access-list 104 permit ip any any
access-list 155 permit ip any any
access-list 155 permit tcp any any
access-list 155 permit udp any any
no cdp run
!
!
route-map WAN permit 10
match ip address PROXY-redirect
set ip next-hop 192.168.0.154
!
!
!
control-plane
!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 102 in
timeout login response 20
password ******************************
authorization exec local_author
logging synchronous
login authentication local_authen
transport input telnet ssh
transport output telnet
line vty 5 15
access-class 103 in
timeout login response 20
password **************************************
authorization exec local_author
logging synchronous
login authentication local_authen
transport input telnet ssh
transport output telnet
!
scheduler allocate 20000 1000
end

Высказать мнение | Ответить | Правка | Наверх | Cообщить модератору

Архив | Удалить

Индекс форумов | Темы | Пред. тема | След. тема

Оцените тред (1=ужас, 5=супер)? [ 1 | 2 | 3 | 4 | 5 ] [Рекомендовать для помещения в FAQ]

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру

1. "Помогите с Cisco VPN Server на 1841"
Сообщение от LonelyCat (ok) on 12-Дек-08, 14:02
>Изучив всё что есть в гугле и т.п. не нашол решения своей >проблеме. >Прошу помочь с настройкой Cisco 1841 ios - c1841-advsecurityk9-mz.124-9.T.bin мне необходимо поднять >на ней VPN Server для удалённого доступа пользователей в корп сеть >по средством Cisco VPN Client... На данном этапе получалось лиш установить >VPN соединение при этом с клиентской машины не было видно(не проходил >пинг) не маршрутизатора и чего либо др. Хотелось бы увидеть рабочий >конфиг. aaa new-model ! ! aaa authentication login ezvpn local aaa authorization network ezvpn local ! ! ! crypto isakmp policy 500 encr 3des authentication pre-share group 2 crypto isakmp client configuration address-pool local pool_ezvpn ! ! crypto isakmp client configuration group ezvpn key ciscocisco dns <dns ip address> pool pool_ezvpn acl acl_ezvpn_split save-password split-dns example.com netmask 255.255.255.128 ! crypto ipsec transform-set ts_ezvpn esp-aes esp-sha-hmac ! ! crypto dynamic-map dm_map 1 description --Mobile remote access set transform-set ts_ezvpn reverse-route ! ! crypto map cm_EZVPN client authentication list ezvpn crypto map cm_EZVPN isakmp authorization list ezvpn crypto map cm_EZVPN client configuration address respond crypto map cm_EZVPN 500 ipsec-isakmp dynamic dm_map ! int fa0/0 crypto map cm_EZVPN ! ip local pool pool_ezvpn 192.168.1.10 192.168.1.254 ! ! ip access-list extended acl_ezvpn_split remark -- permit all localnet permit ip <local ip net> any permit ip 192.168.0.0 0.0.255.255 any не забудь наделать пользователей через username и тд
Высказать мнение \| Ответить \| Правка \| Наверх \| Cообщить модератору


	2. "LonelyCat"
	Сообщение от m_root (ok) on 12-Дек-08, 14:49
	Спасиб огромное
	Высказать мнение \| Ответить \| Правка \| Наверх \| Cообщить модератору


	3. "LonelyCat "
	Сообщение от m_root (ok) on 12-Дек-08, 16:37
	Чот не фурычит ваш конфиг явно не хватает чегото... блин и прочесть про конкретно мою задачу не где... Может ещё кто чем подсобит? version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname gw1.XXXXX.ru ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 51200 debugging logging console critical enable secret *********************** enable password ******************** ! aaa new-model ! ! aaa authentication login local_authen local aaa authentication login ezvpn local aaa authorization exec local_author local aaa authorization network ezvpn local aaa authorization network groupauthor local ! aaa session-id common ! resource policy ! clock timezone PCTime 11 no ip source-route ip cef table adjacency-prefix validate ip cef ! ! ! ! ip tcp synwait-time 10 no ip bootp server ip domain name XXXXXXX.ru ip name-server 192.168.0.154 ip name-server 192.168.0.254 ip ssh time-out 60 ip ssh authentication-retries 2 ! ! crypto pki trustpoint tti revocation-check crl rsakeypair tti ! ! username ******** privilege 15 secret *********** ! ! ! ! crypto isakmp policy 500 encr 3des authentication pre-share group 2 crypto isakmp client configuration address-pool local pool_ezvpn ! crypto isakmp client configuration group ezvpn key my_keys dns 192.168.0.154 pool pool_ezvpn acl acl_ezvpn_split save-password split-dns XXXXXX.ru netmask 255.255.255.0 ! ! crypto ipsec transform-set ts_ezvpn esp-aes esp-sha-hmac ! crypto dynamic-map dm_map 1 description --Mobile remote access set transform-set ts_ezvpn reverse-route ! ! crypto map cm_EZVPN client authentication list ezvpn crypto map cm_EZVPN isakmp authorization list ezvpn crypto map cm_EZVPN client configuration address respond crypto map cm_EZVPN 500 ipsec-isakmp dynamic dm_map ! ! ! ! interface Tunnel1 ip address 10.0.0.6 255.255.255.252 ip accounting precedence input ip accounting precedence output ip mtu 1459 ip nat inside ip rip send version 2 ip rip receive version 2 ip virtual-reassembly ip route-cache flow ip policy route-map WAN keepalive 10 3 tunnel source FastEthernet0/1 tunnel destination X.X.X.X ! interface Tunnel2 description FSB ip address 10.0.2.1 255.255.255.252 ip mtu 1459 ip nat inside ip rip send version 2 ip rip receive version 2 ip virtual-reassembly ip route-cache flow ip policy route-map WAN keepalive 10 3 tunnel source FastEthernet0/1 tunnel destination X.X.X.X ! interface Tunnel3 description Sakhalin II bandwidth 2000 ip address 10.0.3.1 255.255.255.252 ip accounting precedence input ip accounting precedence output ip mtu 1459 ip rip send version 2 ip rip receive version 2 ip virtual-reassembly keepalive 10 3 tunnel source FastEthernet0/1 tunnel destination X.X.X.X ! interface Null0 no ip unreachables ! ! interface FastEthernet0/0 description LAN ip address 192.168.222.1 255.255.255.0 secondary ip address 192.168.0.244 255.255.255.0 ip access-group 155 in ip access-group 155 out ip nat inside ip virtual-reassembly ip route-cache flow ip policy route-map WAN duplex auto speed auto no mop enabled ! interface FastEthernet0/1 description WAN ip address X.X.X.X 255.255.255.248 ip access-group 111 in ip nat outside ip nat enable ip rip send version 2 ip rip receive version 2 ip virtual-reassembly ip route-cache flow duplex auto speed auto no mop enabled crypto map clientmap ! router rip version 2 redistribute static passive-interface FastEthernet0/0 passive-interface Tunnel1 passive-interface Tunnel2 network 10.0.0.0 network 192.168.0.0 neighbor 10.0.0.5 neighbor 10.0.2.2 distribute-list RIP-in in Tunnel2 ! ip local pool pool_ezvpn 192.168.111.10 192.168.111.254 ip route 0.0.0.0 0.0.0.0 Х.Х.Х.Х ip route 192.168.0.0 255.255.255.0 FastEthernet0/0 ip route 192.168.1.0 255.255.255.0 192.168.0.254 ip route 192.168.2.0 255.255.255.0 192.168.0.154 ip route 192.168.3.0 255.255.255.0 192.168.0.254 ip route 192.168.4.0 255.255.255.0 192.168.0.254 ip route 192.168.5.0 255.255.255.0 10.0.2.2 ip route 192.168.6.0 255.255.255.0 192.168.0.254 ip route 192.168.7.0 255.255.255.0 192.168.0.254 ip route 192.168.8.0 255.255.255.0 192.168.0.254 ip route 192.168.10.0 255.255.255.0 192.168.0.254 ip route 192.168.12.0 255.255.255.0 192.168.0.254 ip route 192.168.14.0 255.255.255.0 192.168.0.254 ip route 192.168.50.0 255.255.255.0 192.168.0.254 ip route 192.168.101.0 255.255.255.0 10.0.0.5 ip route 192.168.222.0 255.255.255.0 FastEthernet0/0 ! ! ip http server ip http access-class 1 ip http authentication local no ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source list NAT interface FastEthernet0/1 overload ip nat inside source list PROXY interface FastEthernet0/1 overload ip nat inside source static tcp 192.168.0.200 25 interface FastEthernet0/1 25 ip nat inside source static tcp 192.168.0.154 110 interface FastEthernet0/1 110 ! ip access-list standard RIP-in remark * Iskluchenie ne nugnih marshrutov s pogrebka na lenina * deny X.148.194.0 0.0.0.255 deny 89.0.0.0 0.255.255.255 permit any remark remark //////////////////////////// remark ! ip access-list extended NAT permit icmp any any permit ip host 192.168.0.154 any permit udp any any permit tcp any any neq www permit icmp 192.168.101.0 0.0.0.255 any permit ip 192.168.101.0 0.0.0.255 any permit ip 192.168.5.0 0.0.0.255 any permit ip 192.168.111.0 0.0.0.255 any ip access-list extended PROXY-redirect permit tcp 192.168.0.0 0.0.0.255 any eq www deny ip host 192.168.0.154 any permit tcp 192.168.101.0 0.0.0.255 any eq www ip access-list extended acl_ezvpn_split remark -- permit all localnet permit ip 192.168.0.0 0.0.255.255 any permit ip 10.0.0.0 0.255.255.255 any ! logging trap debugging access-list 1 permit 192.168.0.0 0.0.0.255 access-list 33 deny Х.148.194.0 0.0.0.255 access-list 33 deny 89.0.0.0 0.0.0.255 access-list 33 permit any access-list 101 permit ip any any precedence critical access-list 104 permit ip any any access-list 155 permit ip any any access-list 155 permit tcp any any access-list 155 permit udp any any no cdp run ! ! route-map WAN permit 10 match ip address PROXY-redirect set ip next-hop 192.168.0.154 ! ! ! control-plane ! ! line con 0 transport output telnet line aux 0 transport output telnet line vty 0 4 access-class 102 in timeout login response 20 password ************************** authorization exec local_author logging synchronous login authentication local_authen transport input telnet ssh transport output telnet line vty 5 15 access-class 103 in timeout login response 20 password ************************************ authorization exec local_author logging synchronous login authentication local_authen transport input telnet ssh transport output telnet ! scheduler allocate 20000 1000 end
	Высказать мнение \| Ответить \| Правка \| Наверх \| Cообщить модератору

Архив \| Удалить	Индекс форумов \| Темы \| Пред. тема \| След. тема
Оцените тред (1=ужас, 5=супер)? [ 1 \| 2 \| 3 \| 4 \| 5 ] [Рекомендовать для помещения в FAQ]