[ marxer @ 20.09.2007. 14:23 ] @
Hello everyone
I have a problem connecting several locations in an IPsec VPN (hub-and-spoke variant). The hub is a Cisco 2811 with a /29 network (six static addresses) assigned on its WAN port, while the spokes are Cisco 877s with a static address that the ISP assigns via DHCP (?). All routers reach the Internet normally. The VPN configuration looks roughly like this:
Code:
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key Lokacija1 address A.B.C.D
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 192.168.163.0 0.0.0.255 192.168.168.0 0.0.0.255
exit
crypto map SDM_CMAP_1 4 ipsec-isakmp
set transform-set ESP-3DES-SHA
set peer A.B.C.D
match address SDM_2
exit
The configuration on the other side is changed analogously (ACL, set peer and crypto isakmp key Lokacija1 address E.F.D.H)
All devices are connected to the Internet through the same ISP
Problem: the tunnel is down. The test from SDM finds no problem in the configuration itself. Does the ISP need to enable VPN, i.e. is it blocking a port or protocol?
BTW, the crypto map command is on the Dialer interface, not on the ATM0 interface
Any ideas?
[ gandalf @ 20.09.2007. 20:13 ] @
well, it would be nice if you did something like
# debug crypto isakmp
# debug crypto ipsec
and then generate some traffic from 192.168.163.0 to 192.168.168.0 so we can see what the output says.
P.S. judging by the ACL I wouldn't say it will match ICMP packets, so generate some application traffic
[This message was edited by gandalf on 20.09.2007. at 21:23 GMT+1]
[ marxer @ 20.09.2007. 20:32 ] @
No output. "Tunnel status: down". That's the only place I saw it, in SDM. So there is no path to the other network. That is exactly the problem
[ gandalf @ 20.09.2007. 20:40 ] @
do you have IP connectivity to the IPsec peer?? If you do, then when you send traffic that matches the access list the router will try to establish the IPsec tunnel. Enter the commands I wrote above in the console and watch what you get in the output .. whether the router is even trying to establish the IPsec tunnel!
if you're connecting over telnet, also enter terminal monitor
[ marxer @ 20.09.2007. 20:49 ] @
I can connect to the remote location with Remote Desktop. And that's all. There is no tunnel, as if the remote IP address didn't exist. Should the crypto map command go on ATM or on Dialer? And does it matter that the static address on one side isn't entered into the router but is assigned via DHCP (always the same, of course, it is static after all)
[ gandalf @ 20.09.2007. 20:57 ] @
try it on both, but not one and then the other: put it on the ATM subinterface and on the Dialer interface
[ marxer @ 20.09.2007. 21:12 ] @
Didn't help. No tunnel. What are the odds that Eunet is causing the problem?
[ markom @ 20.09.2007. 21:12 ] @
Would it be a problem for you to post a "show run" from both routers here? (strip out the passwords and IP addresses)
Also, can you ping router 2 from router 1?
Otherwise, if you're using PPPoE, then it should go on the Dialer interface, since that's the one that "takes part in IP traffic", not ATM.
[ marxer @ 20.09.2007. 21:27 ] @
Spoke:
Code:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
clock timezone Prague 1
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 194.247.192.33 194.247.192.1
lease 0 2
!
!
ip domain name yourdomain.com
ip name-server 194.247.192.33
ip name-server 194.247.192.1
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-3605020521
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3605020521
revocation-check none
rsakeypair TP-self-signed-3605020521
!
!
crypto pki certificate chain TP-self-signed-3605020521
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363035 30323035 3231301E 170D3037 30383138 31383236
33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36303530
32303532 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F6C6 DC4E5780 C7DD77C7 67BA216A B220FAE2 A4040BBA D5574820 C1AC8356
A1F37BF3 8774BB5C AEF036D8 484579F2 F28A214E 55C66B4C 5837F1F7 301F870C
0828F33A 06D673A8 3D9F0F85 4AFB8A7D 7807FB3C E0CA2260 C87DE765 94501F48
DF0A4022 B12B3332 DE51A341 A84AFA1B 0B25E0B0 2BF16E6E FB43675A 0740CCF2
42F10203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13414453 4C2E796F 7572646F 6D61696E 2E636F6D 301F0603
551D2304 18301680 143CB26F 0DE7330F 080098D1 901F95AF 2ACA9000 14301D06
03551D0E 04160414 3CB26F0D E7330F08 0098D190 1F95AF2A CA900014 300D0609
2A864886 F70D0101 04050003 818100C7 31E3E7B8 E4894F41 675CD915 9FF7D6E7
690C5D09 44C067D4 B955B27A C70A52CB 68C0068A 5131EF9A B7BB26FC 729C708A
5F706316 9B8DED1C 5E1F47EF 4E65515C D9179805 6D01D23C 4D086FED 0667B550
DE79A4FD 43D35960 19F2C7D7 9FAAEF1A 1A4B0AE4 050886C9 FB0C7AC5 95AF54E4
4284EBCC 1BBAD614 F1D7EE8E 52221D
quit
username xy privilege 15 secret 123
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key abcd address A.B.C.D
!
!
crypto ipsec transform-set Set1 esp-3des esp-sha-hmac
!
crypto map Mapa1 1 ipsec-isakmp
set peer A.B.C.D
set transform-set Set1
match address SDM_2
!
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
crypto map detelinara
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username adsl.adsl@eunet password 0 lozinka
crypto map detelinara
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.168.0 255.255.255.0 Dialer1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended SDM_2
remark SDM_ACL Category=20
permit ip 10.10.10.0 0.0.0.255 192.168.168.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 10.10.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Neautorizovan pristup zabranjen
Unesite korisnicko ime i lozinku
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
Hub:
Code:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Vpn_hub
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000 debugging
enable secret lozinka
!
no aaa new-model
!
resource policy
!
clock timezone Prague 1
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
!
!
ip domain name nstrznica.co.yu
ip name-server 192.168.168.2
ip name-server 194.247.192.33
!
!
!
voice-card 0
no dspfarm
!
crypto pki trustpoint TP-self-signed-757496410
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-757496410
revocation-check none
rsakeypair TP-self-signed-757496410
!
!
crypto pki certificate chain TP-self-signed-757496410
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37353734 39363431 30301E17 0D303730 38323132 31323031
385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3735 37343936
34313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B74CAA0B 68075A93 162C4590 0D54145F C3114DDD 927E8F31 D0401034 9F61ADF5
56D8E8D3 50628ADB 5A17AAC9 A97A86DD 439E200A 063157FD 75545994 AB1DA546
B476200B F758549B FCF4CE53 7E55B9CD 84E8C54C 56472ED6 0B3832A1 80754C73
B6E0909E 18CDF1FA D5FEAECC 1195F4B7 6D206695 D598EB26 15B035BC 3E214CFD
02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
11041B30 19821756 706E5F68 75622E6E 7374727A 6E696361 2E636F2E 7975301F
0603551D 23041830 1680146B CF95C02F 97D2EC48 91D604EA 3455B67D 62A1B930
1D060355 1D0E0416 04146BCF 95C02F97 D2EC4891 D604EA34 55B67D62 A1B9300D
06092A86 4886F70D 01010405 00038181 0026DB54 80B842DA 78A23E9F 726E4FB3
FFD60F11 638AC37B D3A89349 4B6E0160 3B2737FB 9AD98C77 3A92ED1B C64BC2EE
E612B6DD D4621AAA DE0CCCB4 18C2855A 17F823C8 F0BC357C C321D56E 85D5B476
19B0966A 029E0B00 688014C5 8AF258BA 374DC7DE 26F6F281 E3478E86 440D8B9A
BFAAB979 1E82B70C 9FC451AE BF63BCB5 2C
quit
username xy privilege 15 secret lozinka
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key abcd address A.B.C.D
!
!
crypto ipsec transform-set Set1 esp-3des esp-sha-hmac
!
!
crypto map Map1 1 ipsec-isakmp
set peer A.B.C.D
set transform-set Set1
match address 100
!
!
!
!
!
interface FastEthernet0/0
description Lokalna mreza$ETH-LAN$$FW_INSIDE$
ip address 192.168.168.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
description Internet veza
no ip address
no ip redirects
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
crypto map Map1
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Dialer1
mtu 1492
ip address a.b.c.d 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap callin
ppp pap sent-username adsl.adsl@eunet password lozinka
crypto map Map1
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 Dialer1 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool nat-pool1 a.b.c.d a.b.c.e netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 192.168.168.2 25 a.b.c.d 25 extendable
ip nat inside source static tcp 192.168.168.2 110 a.b.c.d 110 extendable
ip nat inside source static tcp 192.168.168.2 443 a.b.c.d 443 extendable
ip nat inside source static tcp 192.168.168.2 3389 a.b.c.d 3389 extendable
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit any
access-list 100 permit ip 192.168.168.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.168.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip any any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
banner login ^CC
-----------------------------------------------------------------------
Neautorizovan pristup zabranjen
Unesite korisnicko ime i lozinku
-----------------------------------------------------------------------
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
password 7 0107141E5502050E2F5F
login
transport input none
transport output none
line vty 5 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179828
ntp server 147.91.8.77 source Dialer1 prefer
ntp server 217.26.78.34 source Dialer1 prefer
ntp server 87.237.201.132 source Dialer1 prefer
!
end
[ marxer @ 20.09.2007. 21:29 ] @
... and yes, a ping to the public address of the interface goes through without a problem
[ gandalf @ 20.09.2007. 21:32 ] @
the crypto map names on the spoke router don't match
you have crypto map detelinara on the Dialer interface but you only created the crypto map Map1
[ markom @ 20.09.2007. 21:33 ] @
Well, I'd say this isn't going to work. On the hub you're trying to establish a connection with yourself:
Quote:
Code:
crypto map Map1 1 ipsec-isakmp
set peer A.B.C.D
set transform-set Set1
match address 100
...
interface Dialer1
mtu 1492
ip address a.b.c.d 255.255.255.248
If I've misread that, I reckon it still won't work because the spoke has a dynamic address, which doesn't always have to be the same.
[ marxer @ 20.09.2007. 21:35 ] @
I didn't change it. The mistake is in the post, not on the router
[ markom @ 20.09.2007. 21:37 ] @
Is that a comment to gandalf or to me? I think what gandalf wrote you is the key point :-)
[ marxer @ 20.09.2007. 21:39 ] @
The lower-case and upper-case letters were supposed to represent different IP addresses. I wasn't creative :-(. Otherwise the address is static, i.e. always the same, but the provider assigns it via DHCP, no idea why. It would be easier for me to enter the address myself and then it's nailed down, but...
[ markom @ 20.09.2007. 21:39 ] @
OK. Look at Goran's comment. I reckon that's where the problem is.
[ marxer @ 20.09.2007. 21:41 ] @
... and yes, the first comment was addressed to Gandalf
[ markom @ 20.09.2007. 21:44 ] @
OK, then we're back at step one. Can you send us the current "show run" from the routers... Exactly as it is on the router (without passwords, and be creative with the IP addresses).
It's pretty much impossible to help someone without the relevant information.
[ marxer @ 20.09.2007. 21:44 ] @
Map1 = detelinara. That's not it. I was correcting it in a hurry and overlooked that one spot. I'm not lucky enough for it to be that trivial
[ marxer @ 20.09.2007. 21:56 ] @
Hub:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Vpn_hub
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000 debugging
enable secret 5 lozinka
!
no aaa new-model
!
resource policy
!
clock timezone Prague 1
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip cef
!
!
ip domain name nstrznica.co.yu
ip name-server 192.168.168.2
ip name-server 194.247.192.33
ip name-server 194.247.192.1
!
voice-card 0
no dspfarm
!
crypto pki trustpoint TP-self-signed-757496410
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-757496410
revocation-check none
rsakeypair TP-self-signed-757496410
!
!
crypto pki certificate chain TP-self-signed-757496410
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
...
quit
username admin privilege 15 secret lozinka
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key abcd address 213.198.227.133
!
!
crypto ipsec transform-set Set1 esp-3des esp-sha-hmac
!
!
crypto map Map1 1 ipsec-isakmp
set peer 213.198.227.133
set transform-set Set1
match address 100
!
!
!
!
!
interface FastEthernet0/0
description Lokalna mreza$ETH-LAN$$FW_INSIDE$
ip address 192.168.168.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
description Internet veza
no ip address
no ip redirects
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
crypto map detelinara
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface Dialer1
mtu 1492
ip address 213.198.232.185 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap callin
ppp pap sent-username adsl.adsl@eunet password lozinka
crypto map Map1
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 Dialer1 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool nat-pool1 213.198.242.187 213.198.242.190 netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 192.168.168.2 25 213.198.232.186 25 extendable
ip nat inside source static tcp 192.168.168.2 110 213.198.232.186 110 extendable
ip nat inside source static tcp 192.168.168.2 443 213.198.232.186 443 extendable
ip nat inside source static tcp 192.168.168.2 3389 213.198.232.186 3389 extendable
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit any
access-list 100 permit ip 192.168.168.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 192.168.168.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Neautorizovan pristup zabranjen
Unesite korisnicko ime i lozinku
-----------------------------------------------------------------------
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
password 7 0107141E5502050E2F5F
login
transport input none
transport output none
line vty 5 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179829
ntp server 147.91.8.77 source Dialer1 prefer
ntp server 217.26.78.34 source Dialer1 prefer
ntp server 87.237.201.132 source Dialer1 prefer
!
end
Spoke:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ADSL
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
clock timezone Prague 1
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 194.247.192.33 194.247.192.1
lease 0 2
!
!
ip domain name yourdomain.com
ip name-server 194.247.192.33
ip name-server 194.247.192.1
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-3605020521
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3605020521
revocation-check none
rsakeypair TP-self-signed-3605020521
!
!
crypto pki certificate chain TP-self-signed-3605020521
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363035 30323035 3231301E 170D3037 30383138 31383236
33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36303530
32303532 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F6C6 DC4E5780 C7DD77C7 67BA216A B220FAE2 A4040BBA D5574820 C1AC8356
A1F37BF3 8774BB5C AEF036D8 484579F2 F28A214E 55C66B4C 5837F1F7 301F870C
0828F33A 06D673A8 3D9F0F85 4AFB8A7D 7807FB3C E0CA2260 C87DE765 94501F48
DF0A4022 B12B3332 DE51A341 A84AFA1B 0B25E0B0 2BF16E6E FB43675A 0740CCF2
42F10203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13414453 4C2E796F 7572646F 6D61696E 2E636F6D 301F0603
551D2304 18301680 143CB26F 0DE7330F 080098D1 901F95AF 2ACA9000 14301D06
03551D0E 04160414 3CB26F0D E7330F08 0098D190 1F95AF2A CA900014 300D0609
2A864886 F70D0101 04050003 818100C7 31E3E7B8 E4894F41 675CD915 9FF7D6E7
690C5D09 44C067D4 B955B27A C70A52CB 68C0068A 5131EF9A B7BB26FC 729C708A
5F706316 9B8DED1C 5E1F47EF 4E65515C D9179805 6D01D23C 4D086FED 0667B550
DE79A4FD 43D35960 19F2C7D7 9FAAEF1A 1A4B0AE4 050886C9 FB0C7AC5 95AF54E4
4284EBCC 1BBAD614 F1D7EE8E 52221D
quit
username admin privilege 15 secret lozinka
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key abcd address 213.198.232.185
!
!
crypto ipsec transform-set Set1 esp-3des esp-sha-hmac
!
crypto map Map1 1 ipsec-isakmp
set peer 213.198.232.185
set transform-set Set1
match address SDM_2
!
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
crypto map detelinara
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username adsl.trznicad@eunet password 0 trznicad1
crypto map Map1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.168.0 255.255.255.0 Dialer1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 10.10.10.222 4672 interface Dialer1 4672
ip nat inside source static tcp 10.10.10.222 4662 interface Dialer1 4662
!
ip access-list extended SDM_2
remark SDM_ACL Category=20
permit ip 10.10.10.0 0.0.0.255 192.168.168.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 10.10.10.0 0.0.0.255
no cdp run
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Neautorizovan pristup zabranjen
Unesite korisnihko ime i lozinku
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
[ gandalf @ 20.09.2007. 21:58 ] @
I'm not sure, but as far as I remember, here NAT will be done first on the spoke router and only then will the packet go through the crypto map
so you should change this access-list 1 to something like
ip access-list 102 deny ip 10.10.10.0 0.0.0.255 192.168.168.0 0.0.0.255
ip access-list 102 permit ip 10.10.10.0 0.0.0.255 any
and then put that in ip nat inside source list 102 inte dialer0 overload
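The ordering gandalf describes is what makes or breaks this setup: on IOS, inside-to-outside traffic is translated by `ip nat inside source list ... overload` before the crypto map on the outbound interface inspects it, so a packet from 10.10.10.x to 192.168.168.x that is permitted by the NAT ACL leaves with the Dialer1 address as its source and no longer matches the crypto ACL. The following Python model is an added example, not code from the thread or from Cisco: it parses the two ACL styles that appear in the posted configs (standard and extended, with wildcard masks), applies NAT-then-crypto-map in that order, and compares the spoke's original `access-list 1` with a NAT ACL that exempts the site-to-site pair. The Dialer1 address 203.0.113.5 and the host addresses are constructed placeholders.

```python
import ipaddress

# Added example (not from the thread): a model of the IOS inside-to-outside
# order of operations, NAT before the crypto map, showing why the spoke's
# 'access-list 1 permit 10.10.10.0 0.0.0.255' keeps VPN traffic out of the
# tunnel and why a NAT ACL that denies the site-to-site pair first fixes it.

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' as a network/wildcard pair


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse standard ('permit NET WC') and extended ('permit ip SRC WC DST WC')
    entries. 'remark' and blank lines are skipped; only protocol 'ip' is modelled."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action = tokens[0]
        if tokens[1] == "ip":                 # extended entry: source and destination
            src, i = _take_addr(tokens, 2)
            dst, _ = _take_addr(tokens, i)
        else:                                 # standard entry: source only
            src, _ = _take_addr(tokens, 1)
            dst = ANY
        entries.append((action, src, dst))
    return entries


def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


def spoke_to_hub(nat_acl, crypto_acl, src, dst, dialer_ip):
    """Inside-to-outside on the spoke: the NAT overload list is evaluated before
    the crypto map on Dialer1 sees the packet.
    Returns (source address the crypto map sees, whether it is tunnelled)."""
    if acl_permits(nat_acl, src, dst):
        src = dialer_ip                       # PAT rewrites the source to Dialer1's address
    return src, acl_permits(crypto_acl, src, dst)


# The spoke's crypto ACL as posted in the thread (SDM_2).
CRYPTO_ACL = parse_acl("""
remark SDM_ACL Category=20
permit ip 10.10.10.0 0.0.0.255 192.168.168.0 0.0.0.255
""")

# NAT ACL as originally posted: every LAN source is translated, VPN traffic included.
NAT_ACL_ORIGINAL = parse_acl("permit 10.10.10.0 0.0.0.255")

# NAT ACL along the lines of the suggested access-list 102: exempt the site-to-site pair first.
NAT_ACL_FIXED = parse_acl("""
deny ip 10.10.10.0 0.0.0.255 192.168.168.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
""")

SPOKE_DIALER_IP = "203.0.113.5"   # constructed placeholder for the negotiated Dialer1 address


def compare(src="10.10.10.50", hub_host="192.168.168.2", internet_host="198.51.100.9"):
    """Run both NAT policies for a LAN host talking to the hub LAN and to the Internet."""
    return {
        "original_to_hub": spoke_to_hub(NAT_ACL_ORIGINAL, CRYPTO_ACL, src, hub_host, SPOKE_DIALER_IP),
        "fixed_to_hub": spoke_to_hub(NAT_ACL_FIXED, CRYPTO_ACL, src, hub_host, SPOKE_DIALER_IP),
        "fixed_to_internet": spoke_to_hub(NAT_ACL_FIXED, CRYPTO_ACL, src, internet_host, SPOKE_DIALER_IP),
    }


if __name__ == "__main__":
    for name, (seen_src, tunnelled) in compare().items():
        print(f"{name:18s} crypto map sees src={seen_src:14s} tunnelled={tunnelled}")
```

With the original list the crypto map sees 203.0.113.5 as the source and nothing is tunnelled; with the deny entry in front, 10.10.10.50 reaches the crypto map untranslated and matches SDM_2, while ordinary Internet traffic is still overloaded onto Dialer1. Note that the posted hub configuration already does the equivalent through `route-map SDM_RMAP_1` and `access-list 101` (a deny for 192.168.168.0 to 10.10.10.0 followed by `permit ip any any`), which is why only the spoke needed changing. The model covers the inside-to-outside direction only; on the return path IOS decrypts before NAT, so no exemption is needed there.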
[ marxer @ 20.09.2007. 22:05 ] @
there's the solution. It looks like I've just pinged the other side. Further testing follows
[ marxer @ 20.09.2007. 22:15 ] @
Ping goes through, but the rest doesn't for now. But there's also the ISA, which is probably playing tricks on us, but that's a topic for tomorrow.
For today: tunnel is UP! To be continued ...