[ west_herc @ 21.03.2008. 20:06 ] @
And finally, when I managed to connect to my router, over VPN at that, this access list is not quite clear to me:
access-list 110 deny ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip any any
So, my VPN pool is in this subnet, 192.168.1.0
Why do I have to deny NAT to that pool, i.e. why this deny line?
Can someone explain that to me?
Thanks a lot!
[ optix @ 21.03.2008. 22:08 ] @
The way you've phrased it, I doubt anyone can explain anything to you.
Apart from the obvious fact that access list 110, applied at location xy, will deny all IP traffic from the mentioned networks and let everything else through...
What are you trying to do, to block, what is that list applied to, who tells you that you must 'deny NAT to that pool'.... ??
[ west_herc @ 22.03.2008. 09:06 ] @
So, this is about VPN.
I connect to the corporate network over IPsec and apply this access list to NAT!
I don't know either why this access list is there. It's clear to me that NAT is needed so I can get out, but why deny NAT to the VPN pool specifically?
[ Milan Andjelkovic @ 23.03.2008. 13:58 ] @
10.1.1.0 is the local IP range, and 192.168.1.0 is the range used at that remote location, right? I assume traffic toward that corporate network (192.168.1.0) won't go through the VPN if it is NATed, or it will, but with the wrong source addresses, which would create some kind of routing problem.
You should paste the whole configuration so we can answer you more precisely.
[ optix @ 24.03.2008. 00:08 ] @
Or it simply denies the use of NAT (and, if applied on the WAN interface, internet access) to that address range?
Nothing will be clear until we see where that access list is used, and the rest of the configuration...
[ west_herc @ 25.03.2008. 08:56 ] @
Here's the configuration:
Code:
Current configuration : 4138 bytes
!
version 12.4
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname my-hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login my_vpn_xauth local
aaa authorization exec default local
aaa authorization network my_vpn_group local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_MOJAGRUPA
key grupaM22lokomotiva
pool VPN_POOL
acl 120
max-users 20
netmask 255.255.255.0
crypto isakmp profile ike_profil_1
match identity group VPN_MOJAGRUPA
client authentication list my_vpn_xauth
isakmp authorization list my_vpn_group
client configuration address respond
virtual-template 1
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ipsec_transset esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec_profile
set security-association lifetime seconds 3600
set transform-set ipsec_transset
set isakmp-profile ike_profil_1
!
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
!
ip dhcp pool my-pool
import all
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 212.39.98.162
lease 10
!
!
ip name-server 212.39.98.162
ip name-server 212.39.98.161
ip ddns update method my_dyndns_org
HTTP
add http://username:password@<s...ame=<h>&ip=<a>
interval maximum 1 0 0 0
!
!
multilink bundle-name authenticated
!
!
username imarkic privilege 15 password 7 **************
archive
log config
hidekeys
!
!
!
class-map match-any P2P_class
match protocol edonkey
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
match protocol novadigm
match protocol cuseeme
match protocol gopher
!
!
policy-map P2P_policy
class P2P_class
drop
!
!
!
!
interface FastEthernet0
description $adsl wan interfaces$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description $adsl lan interface$
ip address 10.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_profile
!
interface Vlan1
no ip address
!
interface Dialer0
description $adsl dialer interface$
ip ddns update hostname gmy.dyndns.org
ip ddns update my_dyndns_org host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname username
ppp chap password 7 password
ppp pap sent-username username password 7 password
!
ip local pool VPN_POOL 192.168.1.1 192.168.1.50
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NAT interface Dialer0 overload
!
logging trap debugging
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 10 protocol ip permit
!
!
!
route-map NAT permit 10
match ip address 110
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 0506130C284F4203
logging synchronous
line aux 0
line vty 0 4
password 7 13080211020F0820
!
!
webvpn cef
end
mod: use code tags
[This message was edited by optix on 25.03.2008. at 23:58 GMT+1]
[ optix @ 25.03.2008. 22:57 ] @
Quote:
...
ip nat inside source route-map NAT interface Dialer0 overload
...
route-map NAT permit 10
match ip address 110
So NAT will be allowed for the addresses defined in access list 110. Effectively internet access too, since NAT is used for translation on the interfaces toward that network. Why it is that way, best ask the network administrator (if that isn't you). Of course, it doesn't have to be denied.
Next time ask your questions more efficiently (with all the relevant data in the first message).
Regards
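Added example, not from the thread or from any of the posters: a small Python model of what the `route-map NAT` / `access-list 110` pair decides, and why a NAT exemption for the VPN pool matters in the crypto-map style setup the first post is asking about. On IOS, NAT inside-to-outside is applied before the crypto check, so a packet whose source has already been translated to the Dialer0 address no longer matches a crypto ACL that expects a 10.1.1.0/24 source. The ACL numbers and addresses come from the thread; the Dialer0 address, the packet samples and the function names are constructed for the example.

```python
# Added example (not part of the thread): model of the router's NAT decision
# (route-map NAT permit 10 / match ip address 110) followed by the crypto check.
# Addresses and ACL numbers are copied from the thread; DIALER0_IP, the hosts
# and the function names are constructed for this demonstration.
import ipaddress

DIALER0_IP = "203.0.113.7"  # constructed placeholder for the negotiated Dialer0 address
ANY = ("0.0.0.0", "255.255.255.255")  # Cisco 'any' as network/wildcard


def wildcard_match(addr, network, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_action(acl, src, dst):
    """First matching entry wins; a list with no match ends in the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# ACL 110 exactly as it appears in the posted running-config
ACL_110_POSTED = [
    ("permit", "10.1.1.0", "0.0.0.255", *ANY),
]

# ACL 110 as quoted in the first post: NAT exemption for the VPN pool first
ACL_110_WITH_EXEMPTION = [
    ("deny", "10.1.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

# ACL 120 from the posted config: LAN <-> VPN pool traffic the tunnel may carry
ACL_120_CRYPTO = [
    ("permit", "10.1.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
]


def outbound(src, dst, nat_acl):
    """IOS inside-to-outside order of operations: NAT first, crypto check second.

    Returns the source address as seen on the wire and whether the packet
    still matches the crypto ACL (i.e. would be encrypted under a crypto map).
    """
    if acl_action(nat_acl, src, dst) == "permit":
        src = DIALER0_IP  # 'overload': source rewritten to Dialer0's address
    encrypted = acl_action(ACL_120_CRYPTO, src, dst) == "permit"
    return src, encrypted


def demo():
    """Constructed packet samples: LAN host to a VPN client and to the internet."""
    lan_host, vpn_client, internet = "10.1.1.20", "192.168.1.10", "198.51.100.5"
    return {
        # posted ACL 110: LAN -> VPN pool is translated, so it no longer matches ACL 120
        "posted_to_vpn": outbound(lan_host, vpn_client, ACL_110_POSTED),
        # with the deny line: source stays 10.1.1.20 and the crypto ACL matches
        "exempt_to_vpn": outbound(lan_host, vpn_client, ACL_110_WITH_EXEMPTION),
        # internet-bound traffic is still translated either way
        "exempt_to_internet": outbound(lan_host, internet, ACL_110_WITH_EXEMPTION),
    }


if __name__ == "__main__":
    for name, (wire_src, enc) in demo().items():
        print(f"{name:20s} source on wire={wire_src:12s} encrypted={enc}")
```

With the exemption line, LAN-to-VPN-pool traffic keeps its 10.1.1.x source and is eligible for encryption, while LAN-to-internet traffic is still translated; with the posted ACL 110 alone, traffic toward 192.168.1.0/24 would be translated first. The posted config actually terminates the VPN on a virtual-template tunnel rather than a crypto map, where the tunnel is chosen by routing and NAT only applies if the tunnel interface itself is `ip nat outside`; the model above covers the crypto-map case, which is where the deny line in the first post's access list is needed.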
[ west_herc @ 26.03.2008. 09:15 ] @
I've only just started working as a network admin, and the more work there is, the more things are unclear to me! :)
Copyright (C) 2001-2024 by www.elitesecurity.org. All rights reserved.