Доброго времени суток!
Уважаемые спецы помогите решить мою задачу
Главный офис:
Роутер CISCO ISR 4331/K9
Внутренний подсеть 10.0.120.0/24
Удаленный офис:
Роутер CISCO 891/K9
Внутренний подсеть 10.92.32.0/24
Настроил Site-to-Site VPN, сам VPN пашет, пакеты бегают, но, когда с филиального офиса пытаюсь открыть через web-браузер страничку (tcp\80) страничка не загружается. Что-то не правильность в настройках ZBF т.к если с интерфейсов главного роутера (ISR4331) снимаю членство zone-member все работает. Для теста в филиальном офисе поднял web-сервер, там все работает. В главном офисе ZBF, на филиальном роутере CBAC.
Прилагается конфиги двух роутеров.
Заранее спасибо!Main Office Router config:
--------------------------
Building configuration...
!
Current configuration : 14897 bytes
!
! No configuration change since last restart
!
version 15.5
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname MAIN-ROUTER
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
clock timezone KGT 6 0
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8
ip domain name domain.ru
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4331/K9
!
spanning-tree extend system-id
!
redundancy
mode none
!
vlan internal allocation policy ascending
no cdp run
!
class-map type inspect match-any Outside-self_Services
match access-group name OSPF-2-self_ACL
match access-group name VPN-2-self_ACL
match access-group name MGMT-2-self_ACL
class-map type inspect match-any self-Outside_Services
match access-group name OSPF-From-self_ACL
match access-group name VPN-From-self_ACL
match access-group name MGMT-From-self_ACL
class-map type inspect match-any self-Services
match protocol ntp
class-map type inspect match-any Outside-Inside_Services
match access-group name MGMT-2-Inside_ACL
match access-group name VPN-Tunnels-Traffics_ACL
class-map type inspect match-any Users-Services
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ssh
match protocol smtp
match protocol echo
match protocol ntp
match protocol snmp
match protocol imap
match protocol imaps
match protocol imap3
class-map type inspect match-any Inside-self_Services
match access-group name Inside-2-self_ACL
class-map type inspect match-any self-Inside_Services
match access-group name self-2-Inside_ACL
class-map type inspect match-any Inside-Outside_Services
match class-map Users-Services
match access-group name RDP-In-2-Out_ACL
!
policy-map type inspect Outside-self_Policy
class type inspect Outside-self_Services
pass
class type inspect self-Services
inspect
class class-default
drop
policy-map type inspect Inside-Outside_Policy
class type inspect Inside-Outside_Services
inspect
class class-default
policy-map type inspect self-Outside_Policy
class type inspect self-Outside_Services
pass
class type inspect self-Services
inspect
class class-default
drop
policy-map type inspect self-Inside_Policy
class type inspect self-Inside_Services
inspect
class class-default
drop
policy-map type inspect Inside-self_Policy
class type inspect Inside-self_Services
inspect
class class-default
drop
policy-map type inspect Outside-Inside_Policy
class type inspect Outside-Inside_Services
inspect
class class-default
drop
!
zone security Outside
zone security Inside
zone-pair security Inside-Outside source Inside destination Outside
service-policy type inspect Inside-Outside_Policy
zone-pair security Inside-self source Inside destination self
service-policy type inspect Inside-self_Policy
zone-pair security Outside-Inside source Outside destination Inside
service-policy type inspect Outside-Inside_Policy
zone-pair security Outside-self source Outside destination self
service-policy type inspect Outside-self_Policy
zone-pair security self-Inside source self destination Inside
service-policy type inspect self-Inside_Policy
zone-pair security self-Outside source self destination Outside
service-policy type inspect self-Outside_Policy
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key Ksdmskd8238@n$2oij&1n!d$hd@8dj33jSnd&2jd address 2.2.2.2
!
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map CMAP 1 ipsec-isakmp
description =Tunnel to Adilet-Sot=
set peer 2.2.2.2
set transform-set set1
set pfs group2
match address VPN-TRAFFIC-BRANCH-OFFICE_ACL
!
interface GigabitEthernet0/0/0
description =OUTSIDE=
ip address 1.1.1.1 255.255.255.224
no ip redirects
no ip proxy-arp
ip nat outside
ip verify unicast reverse-path
zone-member security Outside
negotiation auto
no cdp enable
crypto map CMAP
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description =INSIDE=
ip address 10.0.120.1 255.255.255.0
ip nat inside
zone-member security Inside
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns server
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
ip access-list standard VTY_ACL
permit 10.0.120.7
deny any
!
ip access-list extended Inside-2-self_ACL
permit ip any any
ip access-list extended MGMT-2-Inside_ACL
permit tcp any host 10.0.120.5 eq 3389
ip access-list extended MGMT-2-self_ACL
permit tcp any host 1.1.1.1 eq 22
ip access-list extended MGMT-From-self_ACL
permit tcp host 1.1.1.1 eq 22 any
ip access-list extended NAT_ACL
deny ip 10.0.120.0 0.0.0.255 10.92.32.0 0.0.0.255
permit ip 10.0.120.0 0.0.0.255 any
ip access-list extended OSPF-2-self_ACL
permit ospf any host 1.1.1.1
ip access-list extended OSPF-From-self_ACL
permit ospf host 1.1.1.1 any
ip access-list extended Outside-2-self_ACL
permit tcp any any eq 22
permit ospf any any
permit eigrp any any
permit tcp any any eq 3389
ip access-list extended RDP-In-2-Out_ACL
permit tcp host 10.0.120.7 any
ip access-list extended VPN-2-self_ACL
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit ahp any any
ip access-list extended VPN-From-self_ACL
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit ahp any any
ip access-list extended VPN-TRAFFIC-BRANCH-OFFICE_ACL
permit ip 10.0.120.0 0.0.0.255 10.92.32.0 0.0.0.255
ip access-list extended VPN-Tunnels-Traffics_ACL
permit ip 10.92.32.0 0.0.0.255 10.0.120.0 0.0.0.255
ip access-list extended self-2-Inside_ACL
permit ip any any
!
logging origin-id ip
logging facility local6
logging host 10.0.120.9
!
snmp-server community Shd#629Sh%7h@73SbS2sh$3 RO SNMP_ACL
snmp-server location MAIL-OFFICE
snmp-server contact ZEROCOOL
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class VTY_ACL in vrf-also
exec-timeout 120 0
privilege level 15
logging synchronous
history size 256
transport input ssh
transport output all
line vty 5 15
access-class VTY_ACL in vrf-also
exec-timeout 120 0
logging synchronous
history size 256
transport input ssh
transport output all
!
ntp server 176.126.165.80 source GigabitEthernet0/0/0
ntp server 80.241.0.72 source GigabitEthernet0/0/0
!
end
----------------------------------------------------------
Branch Office Router config:
----------------------------------------------------------
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname BRANCH-OFFICE
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
no ip source-route
!
no ip bootp server
ip domain name domain.ru
ip name-server 8.8.8.8
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT icmp router-traffic
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip inspect name INSPECT_OUT ftp
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
license udi pid C891F-K9
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key Ksdmskd8238@n$2oij&1n!d$hd@8dj33jSnd&2jd address 1.1.1.1
!
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map CMAP 1 ipsec-isakmp
description =Tunnel to Main OFFICE=
set peer 1.1.1.1
set transform-set set1
set pfs group2
match address VPN-TRAFFIC-MAIN-OFFICE_ACL
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
shutdown
!
interface GigabitEthernet3
no ip address
shutdown
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
shutdown
!
interface GigabitEthernet6
no ip address
shutdown
!
interface GigabitEthernet7
no ip address
shutdown
!
interface GigabitEthernet8
description =OUTSIDE=
ip address 2.2.2.2 255.255.255.224
ip access-group OUT_2_IN_ACL in
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect INSPECT_OUT out
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no cdp enable
crypto map CMAP
!
interface Vlan1
ip address 10.92.32.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NAT_ACL interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.3
!
ip access-list standard VTY_ACL
permit 10.92.32.7
deny any
!
ip access-list extended NAT_ACL
deny ip 10.92.32.0 0.0.0.255 10.0.120.0 0.0.0.255
permit ip 10.92.32.0 0.0.0.255 any
ip access-list extended OUT_2_IN_ACL
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit esp any any
permit ahp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
ip access-list extended VPN-TRAFFIC-MAIN-OFFICE_ACL
permit ip 10.92.32.0 0.0.0.255 10.0.120.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
access-class VTY_ACL in vrf-also
exec-timeout 120 0
privilege level 15
logging synchronous
history size 256
transport input ssh
transport output all
line vty 5 15
access-class VTY_ACL in vrf-also
exec-timeout 120 0
logging synchronous
history size 256
transport input ssh
transport output all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 85.114.26.194
ntp server 198.55.111.50 minpoll 10
!
end
Вариант для распечатки
