I'm a beginner Cisco user, so please bear with me and, if possible, phrase any answers as if for a layman :-)
Cisco 1812/K9 router: VPN connection, client to router.
For several days I've been fighting with the settings of this router and I'm losing patience :-( The router runs IOS version adventerprisek9 12.4.15.T7.
What's the problem?
After connecting to the remote network over the VPN I can't ping the computers on that network. Only the router (10.5.5.10) and the WAN (e.g. wp.pl) respond.
When I try pinging the network while logged in to the router, everything responds.
The remote network's addressing is 10.5.5.0/24, and the local network's is 192.168.1.0/24. After connecting I get an address such as 10.5.10.110/8, gateway 10.0.0.1
Config below:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER_cISCO
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring 4 Sun Mar 2:00 4 Sun Oct 2:00
!
!
dot11 syslog
!
!
ip cef
!
!
no ip bootp server
ip domain name XXX.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
!
file prompt quiet
username Wojciech password 7 hasło
username Maciej password 7 hasło
username root privilege 15 password 7 hasło
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60 periodic
!
crypto isakmp client configuration group xxx_client
key hasło
dns 8.8.8.8 8.8.4.4
pool cvpnc
!
crypto ipsec security-association idle-time 180
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
description tunel VPN client
set security-association idle-time 7200
set transform-set cm-transformset-1
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 10
ip tcp path-mtu-discovery
!
!
!
interface Loopback0
ip address 10.5.9.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description WAN
ip address X.X.X.154 255.255.255.248
ip access-group 160 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
no ip mroute-cache
speed 100
full-duplex
no cdp enable
crypto map clientmap
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description LAN
ip address 10.5.5.10 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool cvpnc 10.5.10.110 10.5.10.160
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.153
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map WAN interface FastEthernet0 overload
!
logging trap debugging
logging facility local6
logging source-interface FastEthernet1
logging 10.5.5.10
access-list 1 permit 10.5.0.0 0.0.0.255
access-list 10 permit 10.5.0.0 0.0.255.255
access-list 11 remark SSH
access-list 11 permit 10.5.0.0 0.0.0.255
access-list 11 permit 10.5.9.0 0.0.0.255
access-list 11 permit 10.5.10.0 0.0.0.255
access-list 11 permit 10.5.5.0 0.0.0.255
access-list 144 remark Internet dla VPN Client
access-list 144 deny ip 10.5.10.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 144 permit ip 10.5.10.0 0.0.0.255 any
access-list 160 remark Wejscie z internetu
access-list 160 permit icmp any any
access-list 160 permit esp any any
access-list 160 permit udp any any
access-list 160 permit tcp any any eq 22
access-list 160 permit tcp any any established
access-list 160 deny ip any any
access-list 190 remark NAT dla ruchu OUT
access-list 190 permit ip 10.5.0.0 0.0.0.255 any
access-list 190 permit ip 10.5.10.0 0.0.0.255 any
access-list 190 permit ip 10.5.9.0 0.0.0.255 any
no cdp run
!
!
!
route-map WAN permit 10
match ip address 190
match interface FastEthernet0
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.5.9.253
!
!
!
!
control-plane
!
!
line con 0
transport output none
escape-character BREAK
line aux 0
transport output none
line vty 0 4
access-class 11 in
transport input ssh
escape-character 3
!
scheduler allocate 4000 1000
ntp clock-period 17180371
ntp server 213.222.193.35
ntp server 212.244.160.67
ntp server 149.156.4.11
ntp server 150.254.183.15
end
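As an added example (not part of the original post), here is a small Python check of which entry of the posted access-list 144 a packet from a VPN client to a LAN host hits, since route-map VPN-Client policy-routes only what that list permits, and NAT via route-map WAN applies only what access-list 190 permits. The packet addresses are constructed sample values, and the second list is an assumed variant whose deny entry covers 10.5.5.0/24, included purely for comparison.

```python
import ipaddress

# Entries are (action, src, src_wildcard, dst, dst_wildcard), as on an IOS
# extended ACL; "any" is written as 0.0.0.0 255.255.255.255.

def _wc_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 1 bits are 'don't care', 0 bits must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate_acl(entries, src: str, dst: str):
    """First matching entry as (index, action); (None, 'deny') is the
    implicit deny at the end of every IOS access list."""
    for i, (action, s, s_wc, d, d_wc) in enumerate(entries):
        if _wc_match(src, s, s_wc) and _wc_match(dst, d, d_wc):
            return i, action
    return None, "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# access-list 144 exactly as posted (used by route-map VPN-Client).
ACL_144 = [
    ("deny",   "10.5.10.0", "0.0.0.255", "10.5.0.0", "0.0.0.255"),
    ("permit", "10.5.10.0", "0.0.0.255", *ANY),
]
# Assumed variant for comparison: deny entry covering the 10.5.5.0/24 LAN.
ACL_144_LAN = [
    ("deny",   "10.5.10.0", "0.0.0.255", "10.5.5.0", "0.0.0.255"),
    ("permit", "10.5.10.0", "0.0.0.255", *ANY),
]
# access-list 190 exactly as posted (used by route-map WAN for NAT).
ACL_190 = [
    ("permit", "10.5.0.0",  "0.0.0.255", *ANY),
    ("permit", "10.5.10.0", "0.0.0.255", *ANY),
    ("permit", "10.5.9.0",  "0.0.0.255", *ANY),
]

def pbr_applies(acl, src: str, dst: str) -> bool:
    """PBR sets next-hop 10.5.9.253 only when the matched ACL permits."""
    return evaluate_acl(acl, src, dst)[1] == "permit"

def nat_applies(src: str, dst: str) -> bool:
    """Inside-source NAT on Fa0 is applied only to what ACL 190 permits."""
    return evaluate_acl(ACL_190, src, dst)[1] == "permit"

if __name__ == "__main__":
    client, lan_host = "10.5.10.110", "10.5.5.20"   # constructed sample packet
    print(evaluate_acl(ACL_144, client, lan_host))  # (1, 'permit')
    print(pbr_applies(ACL_144_LAN, client, lan_host))  # False
    print(nat_applies(client, lan_host))  # True
```

Note that the deny entry in the posted list matches destinations 10.5.0.0 to 10.5.0.255 only, so a client-to-10.5.5.x packet falls through to the permit line.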