Limited download over VPN only on VDSL

Makz
wannabe
Posts: 79
Joined: 04 Apr 2008, 16:25

Limited download over VPN only on VDSL

#1 Post by Makz »

Hello,
I have recently been migrating some users from ADSL to VDSL. The old 877 routers are being replaced by 887s. A problem has appeared, though, which I am fighting and, unfortunately, losing. Hence this request for help.
The routers are configured for a mixed connection: one VLAN goes straight to the Internet, the others go through the VPN. The VPN terminates on a Palo Alto firewall. Both the 887 and the 877 use identical VPN settings, yet on the 887 the speed TO the user is limited to 4-5 Mbit. Upload is fine (in the sense of being close to the line speed). On ADSL (i.e. on the old 877) the problem does not occur, despite identical settings. I have tried MSS and MTU in every possible place. I have tried various VDSL firmware versions. Nothing makes any difference and the speed seems to be artificially limited to those 4-5 Mbit. Tested with iperf and with unhappy users. The direct Internet connection works correctly and I get normal speeds. Only VPN, only in one direction, and only over VDSL on the 887. Perhaps one of you esteemed colleagues has run into a similar problem or can point me in the right direction. Connecting to the 887 over the local network through the VPN works correctly; it is only this wretched VDSL.
Here are excerpts from the configs that may help in solving the problem:
887 (the problem is somewhere in here)

Code:

vtp mode transparent


no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname HOSTNAME
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
!

aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 172.17.xxx.126
ip dhcp excluded-address 172.17.xxx.190
ip dhcp excluded-address 172.17.xxx.254
!
ip dhcp pool Home
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.254 
   domain-name homepc.co.uk
   dns-server 212.23.3.100 212.23.6.100 
!
ip dhcp pool Corp
   network 172.17.xxx.0 255.255.255.128
   dns-server  
   default-router 172.17.xxx.126 
   domain-name 
   
!
ip dhcp pool Corp_VoIP
   network 172.17.xxx.128 255.255.255.192
   default-router 172.17.xxx.190 
   
ip dhcp pool Corp_Spare
   network 172.17.xxx.192 255.255.255.192
   default-router 172.17.xxx.254 
    
!         
!
ip cef
no ip bootp server
no ipv6 cef
!
!
!

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key THEKEY address IP_ADDRESS
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac 
!
crypto map CRYPTO 10 ipsec-isakmp 
 set peer IP_ADDRESS
 set transform-set AES 
 match address 106
!         
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
 ip address 172.17.200.xxx 255.255.255.255
!
interface ATM0
 no ip address
 shutdown
 !

interface Ethernet0
 no ip address
  no shutdown
 
interface Ethernet0.101
 encapsulation dot1q 101
 pppoe enable
 pppoe-client dial-pool-number 1
 !
interface FastEthernet0
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk native vlan 40
 switchport mode trunk
 no ip address
  no shutdown
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip unnumbered Vlan40
  no shutdown
!
!

interface Vlan1
 description Home Computer Vlan
 no ip address
 bridge-group 10
!
interface Vlan20
 description Corporate Laptop Vlan
 no ip address
 bridge-group 20
!
interface Vlan30
 description Corporate_VoIP Vlan
 no ip address
 bridge-group 30
!
interface Vlan40
 description Corporate_Spare Vlan
 no ip address
 bridge-group 40
! 
      
vlan 20
name Corp
vlan 30
name Corp_VoIP
vlan 40
name Corp_Spare
!
interface Dialer0
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 0 PASSWORD
 ppp ipcp address accept
 crypto map CRYPTO
!
interface BVI10
 description Home Computer BridgeGroup
 ip address 192.168.0.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI20
 description Corporate Laptop BridgeGroup
 ip address 172.17.xxx.126 255.255.255.128
 ip access-group 103 in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI30
 description Corporate_VoIP BridgeGroup
 ip address 172.17.xxx.190 255.255.255.192
 ip access-group 104 in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI40
 description Corporate_Spare BridgeGroup
 ip address 172.17.xxx.254 255.255.255.192
 ip access-group 105 in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip tacacs source-interface Loopback0
!
logging trap debugging
access-list 1 remark NAT Home PC's to internet
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 99 permit 172.17.xxx.0 0.0.0.255
access-list 99 deny any any
access-list 101 remark Access List to control access from internet in
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 deny   ip 172.17.xxx.0 0.0.0.255 any
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 deny   ip any any
access-list 102 remark Access list for public vlan in
access-list 102 permit udp any any eq bootps
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny   ip any 10.0.0.0 0.255.255.255
access-list 102 deny   ip any 172.16.0.0 0.15.255.255
access-list 102 deny   ip any 127.0.0.0 0.255.255.255
access-list 102 deny   ip any any
access-list 103 remark Access list for corporate vlan in
access-list 103 permit udp any any eq bootps
access-list 103 deny   ip any 192.168.0.0 0.0.0.255
access-list 103 permit ip 172.17.xxx.0 0.0.0.127 any
access-list 103 deny   ip any any
access-list 104 remark Access list for corporate VoIP vlan in
access-list 104 permit udp any any eq bootps
access-list 104 deny   ip any 192.168.0.0 0.0.0.255
access-list 104 permit ip 172.17.xxx.128 0.0.0.63 any
access-list 104 deny   ip any any
access-list 105 remark Access list for corporate VoIP vlan in
access-list 105 permit udp any any eq bootps
access-list 105 deny   ip any 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.17.xxx.192 0.0.0.63 any
access-list 105 deny   ip any any
access-list 106 permit ip 172.17.xxx.0 0.0.0.255 any
access-list 106 permit ip host 172.17.200.xxx any
dialer-list 1 protocol ip permit
!
!
!
!

!
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
bridge 40 protocol ieee
bridge 40 route ip
!
877 (which works correctly and on which I get the maximum ADSL speeds)

Code:

no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname HOSTNAME
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
!

aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!

!

ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 172.17.xxx.126
ip dhcp excluded-address 172.17.xxx.190
ip dhcp excluded-address 172.17.xxx.254
!
ip dhcp pool Home
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.254 
   domain-name homepc.co.uk
   dns-server 212.23.3.100 212.23.6.100 
!
ip dhcp pool Corp
   network 172.17.xxx.0 255.255.255.128
   default-router 172.17.xxx.126 
!
ip dhcp pool Corp_VoIP
   network 172.17.xxx.128 255.255.255.192
   default-router 172.17.xxx.190 
!
ip dhcp pool Corp_Spare
   network 172.17.xxx.192 255.255.255.192
   dns-server 
   default-router 172.17.xxx.254 
   domain-name 
  
!         
!
ip cef
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
! 
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key THEKEY address IP_ADDRESS
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac 
!
crypto map CRYPTO 10 ipsec-isakmp 
 set peer IP_ADDRESS
 set transform-set AES 
 match address 106
!         
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
 ip address 172.17.200.xxx 255.255.255.255
!
interface ATM0
 no shutdown
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description Link to ISP
 ip flow ingress
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!

 !

!
!

!         
interface Vlan1
 description Home Computer Vlan
 no ip address
 bridge-group 10
!
interface Vlan20
 description Corporate Laptop Vlan
 no ip address
 bridge-group 20
!
interface Vlan30
 description Corporate_VoIP Vlan
 no ip address
 bridge-group 30
!
interface Vlan40
 description Corporate_Spare Vlan
 no ip address
 bridge-group 40
! 
      
vlan 20
name Corp
vlan 30
name Corp_VoIP
vlan 40
name Corp_Spare
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 0 PASSWORD
 crypto map CRYPTO
!
interface BVI10
 description Home Computer BridgeGroup
 ip address 192.168.0.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI20
 description Corporate Laptop BridgeGroup
 ip address 172.17.xxx.126 255.255.255.128
 ip access-group 103 in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI30
 description Corporate_VoIP BridgeGroup
 ip address 172.17.xxx.190 255.255.255.192
 ip access-group 104 in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI40
 description Corporate_Spare BridgeGroup
 ip address 172.17.xxx.254 255.255.255.192
 ip access-group 105 in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip tacacs source-interface Loopback0
!
logging trap debugging
access-list 1 remark NAT Home PC's to internet
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 remark Access List to control access from internet in
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 deny   ip 172.17.xxx.0 0.0.0.255 any
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 deny   ip any any
access-list 102 remark Access list for public vlan in
access-list 102 permit udp any any eq bootps
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 deny   ip any 10.0.0.0 0.255.255.255
access-list 102 deny   ip any 172.16.0.0 0.15.255.255
access-list 102 deny   ip any 127.0.0.0 0.255.255.255
access-list 102 deny   ip any any
access-list 103 remark Access list for corporate vlan in
access-list 103 permit udp any any eq bootps
access-list 103 deny   ip any 192.168.0.0 0.0.0.255
access-list 103 permit ip 172.17.xxx.0 0.0.0.127 any
access-list 103 deny   ip any any
access-list 104 remark Access list for corporate VoIP vlan in
access-list 104 permit udp any any eq bootps
access-list 104 deny   ip any 192.168.0.0 0.0.0.255
access-list 104 permit ip 172.17.xxx.128 0.0.0.63 any
access-list 104 deny   ip any any
access-list 105 remark Access list for corporate VoIP vlan in
access-list 105 permit udp any any eq bootps
access-list 105 deny   ip any 192.168.0.0 0.0.0.255
access-list 105 permit ip 172.17.xxx.192 0.0.0.63 any
access-list 105 deny   ip any any
access-list 106 permit ip 172.17.xxx.0 0.0.0.255 any
access-list 106 permit ip host 172.17.200.xxx any
dialer-list 1 protocol ip permit
!
!
!
!

!
control-plane
!
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
bridge 40 protocol ieee
bridge 40 route ip

 
Thanks and regards
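As an added check that is not part of the original post: the posted 887 config clamps TCP MSS to 1452 against a PPPoE MTU of 1492 on Dialer0 and then sends VPN traffic through `esp-aes 256 esp-sha-hmac`, so the script below (written for this page, not the poster's code) computes the ESP tunnel-mode overhead of that transform set and the largest MSS whose full-size segments still fit the 1492-byte link without fragmentation. The 16-byte AES-CBC IV and 12-byte HMAC-SHA1-96 ICV are the standard ESP sizes; whether NAT-T (UDP/4500) is negotiated with the Palo Alto peer is unknown and is left as a parameter.

```python
# Added example: does the MSS clamp in the posted 887 config leave room for ESP?
# Transform set from the page: esp-aes 256 (AES-CBC, 16-byte IV) + esp-sha-hmac
# (HMAC-SHA1-96, 12-byte ICV), IPv4 tunnel mode over a PPPoE link with MTU 1492.

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8          # SPI (4) + sequence number (4)
AES_CBC_IV = 16          # explicit IV, also the block size padding aligns to
ESP_TRAILER = 2          # pad length (1) + next header (1)
SHA1_96_ICV = 12
NAT_T_UDP = 8            # UDP header added only when NAT traversal is negotiated


def esp_tunnel_size(inner_len: int, nat_t: bool = False) -> int:
    """Wire size of an inner IPv4 packet of inner_len bytes after ESP tunnel-mode
    encapsulation with AES-CBC + HMAC-SHA1-96. Padding rounds inner + trailer
    up to the 16-byte AES block size."""
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % AES_CBC_IV
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_SPI_SEQ + AES_CBC_IV
            + inner_len + pad + ESP_TRAILER + SHA1_96_ICV)


def fits(mss: int, link_mtu: int, nat_t: bool = False) -> bool:
    """True if a full segment for this MSS crosses the tunnel unfragmented."""
    return esp_tunnel_size(mss + IPV4_HDR + TCP_HDR, nat_t) <= link_mtu


def max_mss_for(link_mtu: int, nat_t: bool = False) -> int:
    """Largest TCP MSS whose full-size segment still fits link_mtu after ESP.
    Starts from the plain-link maximum (MTU - IP - TCP) and walks down."""
    mss = link_mtu - IPV4_HDR - TCP_HDR
    while not fits(mss, link_mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    # Values taken from the posted 887 config: mtu 1492, ip tcp adjust-mss 1452.
    link_mtu, configured_mss = 1492, 1452
    for mss in (configured_mss, max_mss_for(link_mtu)):
        size = esp_tunnel_size(mss + IPV4_HDR + TCP_HDR)
        print(f"MSS {mss}: ESP packet {size} bytes, fits in {link_mtu}? "
              f"{fits(mss, link_mtu)}")
```

With MSS 1452 a full segment becomes a 1560-byte ESP packet, so it must be fragmented to cross the 1492-byte PPPoE link, while 1382 is the largest MSS that avoids this for the posted transform set; the same arithmetic with `nat_t=True` shows how much NAT-T changes the answer.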
