Hello,
I have a problem passing traffic to one of the remote sites. Yesterday I replaced the main router with an ISR4321 and configured ZBFW and all the GRE+IPsec tunnels. I added those to the Inside zone and everything is fine with them. The problem is with the policy-based tunnel: there is no interface, so I have nowhere to assign a zone. The issue is that from the LAN side of the ISR4321 everything is OK, ICMP to the other side goes through and comes back. But from the other side, ping only reaches the ISR4321, and there is a problem with the other hosts. So the remote site only sees the gateway on the other side of the tunnel.
ZBFW and IPSEC VPN
Re: ZBFW and IPSEC VPN
Hi,
can you show a piece of the config with the interfaces, zones, GRE and IPsec?
Re: ZBFW and IPSEC VPN
Code:
class-map type inspect match-all all-private
 match access-group 90
class-map type inspect match-all private-ftp
 match protocol ftp
 match access-group 90
class-map type inspect match-all private-ssh
 match protocol ssh
 match access-group 90
class-map type inspect match-any ipsec-class
 match access-group name IPSECtraffic
class-map type inspect match-all private-http
 match protocol http
 match protocol https
 match access-group 90
class-map type inspect match-any netbios
 match protocol msrpc
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
class-map type inspect match-all private-netbios
 match class-map netbios
 match access-group 90
!
policy-map type inspect priv-pub-pmap
 class type inspect private-http
  inspect
 class type inspect private-ftp
  inspect
 class type inspect private-ssh
  inspect
 class type inspect private-netbios
  inspect
 class type inspect all-private
  inspect
 class type inspect ipsec-class
  pass
 class class-default
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
!
crypto logging session
!
!
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key IPSecPSK address 123.456.789.013 no-xauth
crypto isakmp key IPSecPSK address 123.456.789.012 no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set transformset-01 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map DynMap 10
 set transform-set TransformSet
crypto dynamic-map DynMap 15
 set transform-set myset
 reverse-route
!
!
crypto map nolan03 client authentication list userauthen
crypto map nolan03 isakmp authorization list groupauthor
crypto map nolan03 client configuration address respond
crypto map nolan03 170 ipsec-isakmp
 set peer 123.123.123.013
 set peer 123.123.123.012
 set transform-set transformset-01
 match address 109
crypto map nolan03 65535 ipsec-isakmp dynamic DynMap
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0/0/0
 description Link to LAN
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip flow monitor LAN input
 ip flow monitor LAN output
 ip access-group ToInternet in
 zone-member security private
 ip route-cache policy
 ip policy route-map serwer
 load-interval 30
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/1.99
 description *** VLAN 99 WAN ***
 encapsulation dot1Q 99
 ip address 123.123.123.014 255.255.255.224 secondary
 ip address 123.123.123.015 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nbar protocol-discovery
 ip flow monitor Flowmon1 input
 ip flow monitor Flowmon input
 ip flow monitor Flowmon1 output
 ip flow monitor Flowmon output
 ip access-group FromInternet in
 zone-member security public
 ip tcp adjust-mss 1400
 ip policy route-map serwer
 crypto map nolan03
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 10.0.11.0 0.0.0.255
 network 10.0.12.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
 network 172.16.1.4 0.0.0.3
 redistribute static route-map RedStatic
 passive-interface GigabitEthernet0/0/1
 passive-interface GigabitEthernet0/0/1.99
!
ip nat inside source list natACL interface GigabitEthernet0/0/1.99 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 123.123.123.016
ip ssh logging events
!
!
!
ip access-list extended FromInternet
 permit ip any any
ip access-list extended IPSEC
 permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended IPSECtraffic
 permit esp any any
 permit udp any any eq isakmp
 permit ahp any any
 permit udp any any eq non500-isakmp
 permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended ToInternet
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.103.0 0.0.0.255 any
 permit ip 10.0.11.0 0.0.0.255 any
 permit ip 10.0.12.0 0.0.0.255 any
 permit ip 10.0.13.0 0.0.0.255 any
 permit ip 192.168.150.0 0.0.0.255 any
 deny ip any any
ip access-list extended natACL
 deny ip 192.168.103.0 0.0.0.255 192.168.97.0 0.0.0.255
 deny ip 192.168.103.0 0.0.0.255 192.168.99.0 0.0.0.255
 deny ip 192.168.103.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.103.0 0.0.0.255 any
 permit ip 10.0.13.0 0.0.0.255 any
 deny ip 10.0.12.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.0.12.0 0.0.0.255 172.0.0.0 0.240.255.255
 deny ip 10.0.12.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.0.12.0 0.0.0.255 any
 permit ip 10.0.11.0 0.0.0.255 any
 deny ip 10.250.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny ip 10.250.0.0 0.0.255.255 172.0.0.0 0.240.255.255
 deny ip 10.250.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 10.250.0.0 0.0.255.255 any
 permit ip 10.0.2.0 0.0.0.255 any
 permit ip 192.168.70.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny ip 192.168.70.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.255.255
 deny ip 10.0.0.0 0.0.0.255 host 172.168.1.1
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip 10.0.201.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.0.201.0 0.0.0.255 172.0.0.0 0.240.255.255
 deny ip 10.0.201.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.0.201.0 0.0.0.255 any
 permit ip 192.168.70.0 0.0.0.255 any
!
access-list 109 permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.0.255
!
!
route-map nonat permit 10
 match ip address nonat
!
Re: ZBFW and IPSEC VPN
Hi,
then also show the PBR, because it isn't in the config here (serwer: is it needed on both interfaces?).
As for ZBFW, add:
Code:
 class class-default
  drop log
then you will see in the logs what is being dropped by ZBFW. It seems to me you should also add traffic from zone public to self, something like:
Code:
policy-map type inspect OutsideToRouter
 class type inspect ipsec-class
  pass
 class class-default
  drop
zone-pair security OutsideToRouter source public destination self
 service-policy type inspect OutsideToRouter
but I'm not sure, it's been a long time since I played with this.
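Editor's added example (not from either poster in this thread): what the posted ZBFW config implies for the symptom in the opening post, and the direction of policy it is missing. The names VPN-LAN, vpn-to-lan and pub-priv are assumptions; the prefixes are the encryption domain from access-list 109 in the posted config.

With a crypto-map tunnel there is no tunnel interface, so ZBFW processes the decrypted packets as if they had arrived on GigabitEthernet0/0/1.99, i.e. from zone public. The only zone-pair in the posted config is private -> public. Sessions opened from 10.0.0.0/24 are therefore inspected and their replies are let back in, which is why ping from the LAN side works. Anything initiated from 192.168.150.0/24 toward the LAN hits a public -> private direction that has no zone-pair at all and is dropped, while packets addressed to the router itself are unaffected because no zone-pair involves the self zone. Two details worth knowing while fixing this: `pass` is stateless, so the pass on ipsec-class in priv-pub-pmap creates no session state and does not cover the reverse direction; and a `class class-default` with no action, as in the posted priv-pub-pmap, drops silently.

```ios
! Editor's example, not from the thread. VPN-LAN, vpn-to-lan and pub-priv are
! assumed names; 192.168.150.0/24 and 10.0.0.0/24 come from access-list 109.
!
! 1. Only the encryption domain, remote -> LAN. ESP and ISAKMP are not listed
!    here: they terminate on the router (self zone), not in zone private.
ip access-list extended VPN-LAN
 permit ip 192.168.150.0 0.0.0.255 10.0.0.0 0.0.0.255
!
class-map type inspect match-all vpn-to-lan
 match access-group name VPN-LAN
!
! 2. inspect (stateful) rather than pass, so replies to sessions opened from
!    the remote site return without needing a matching rule in priv-pub.
!    drop log on class-default shows exactly what is still being dropped.
policy-map type inspect pub-priv-pmap
 class type inspect vpn-to-lan
  inspect
 class class-default
  drop log
!
! 3. The missing direction: decrypted packets enter from zone public.
zone-pair security pub-priv source public destination private
 service-policy type inspect pub-priv-pmap
!
! 4. Same logging on the existing direction (its class-default has no action
!    in the posted config, which drops without a log message).
policy-map type inspect priv-pub-pmap
 class class-default
  drop log
```

To verify, ping a LAN host from the remote site and check `show policy-map type inspect zone-pair pub-priv sessions` for the ICMP session, `show crypto ipsec sa` for incrementing decaps counters on the 192.168.150.0/24 <-> 10.0.0.0/24 SA, and `show logging | include FW-6-DROP` for anything still being dropped. One caveat on the public -> self zone-pair suggested in the reply above: as soon as any zone-pair involving self exists, the default allow for router-destined traffic is gone for that direction, so with only ipsec-class passed and class-default dropped, everything else from the WAN side to the router (SSH to the WAN address, for instance) is dropped too.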