URL: https://www.opennet.ru/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 1821

Original message
"No access to the corporate network when connecting over PPTP VPN"

Posted by Kudrin, 16-Sep-15 09:14
Good day, colleagues. Help me sort out a problem: there is no access to the corporate network when connecting over PPTP VPN; if I turn the firewall off, access appears. Here is the configuration.


Current configuration : 12032 bytes
!
! Last configuration change at 08:52:08 MSK Tue Sep 15 2015 by kudrin
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname spb-bt-gw1
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-3.M3.bin
boot-end-marker
!
!
logging buffered 8128
enable secret 5 $1$t1xS$qOd7VntGCprZ5OjTYpZNr1
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 4 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip flow-cache timeout active 1
no ip bootp server
ip domain name cryogas.ru
ip ips config location flash:/ips retries 1
ip ips notify SDEE
ip ips name IOS-IPS
!
ip ips signature-category
  category all
   retired true
  category ios_ips advanced
   retired false
!
ip sdee subscriptions 2
ip cef
ip cef load-sharing algorithm include-ports source destination
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
!
!
cts logging verbose
!
!
license udi pid CISCO2921/K9 sn FCZ190560U0
license boot module c2900 technology-package securityk9
!
!
file verify auto
username admin privilege 15 secret 5 $1$LYcl$zt.ESrApSt1kVuD4HW2Dm/
username Tihomirov privilege 15 password 7 06331C245E1F5B4A51
username kudrin privilege 15 password 7 123E171E10090936737E
!
redundancy
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
!
!
!
!
track 10 ip sla 1 reachability
!
track 20 ip sla 2 reachability
!
track 30 ip sla 3 reachability
!
track 100 list boolean or
object 10
object 20
object 30
delay down 10 up 5
!
track 110 ip sla 11 reachability
!
track 120 ip sla 12 reachability
!
track 130 ip sla 13 reachability
!
track 200 list boolean or
object 110
object 120
object 130
delay down 10 up 5
!
ip ssh version 2
!
class-map type inspect match-any cm_http_dns_smtp
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ftp
match protocol smtp
match protocol pop3
match access-group name TO_INTERNET
match protocol pptp
class-map match-all TOR
match protocol bittorrent
class-map type inspect match-any PPTP_traf
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any cm_to_lan
match access-group name TO_LAN
match protocol pptp
!
policy-map QOS
class TOR
  drop
policy-map type inspect pptp-in
class type inspect PPTP_traf
  inspect
class class-default
  drop log
policy-map type inspect in-out
class type inspect cm_http_dns_smtp
  inspect
class class-default
  drop log
policy-map type inspect out-in
class type inspect cm_to_lan
  inspect
class class-default
  drop log
!
zone security outside
description Big and Scary internet
zone security inside
description Shy and modest intranet
zone security PPTP
description Very small client VPN access
zone-pair security inside-outside source inside destination outside
service-policy type inspect in-out
zone-pair security outside-inside source outside destination inside
service-policy type inspect out-in
zone-pair security PPTP-inside source PPTP destination inside
service-policy type inspect pptp-in
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ===LAN===
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ===ISP1===
ip address 85.17.12.202 255.255.255.252
ip nat outside
ip ips IOS-IPS in
ip virtual-reassembly in
zone-member security outside
ip policy route-map PBR_SLA
duplex auto
speed auto
!
interface GigabitEthernet0/2
description ===ISP2===
ip address 212.34.25.31 255.255.255.252
ip nat outside
ip ips IOS-IPS in
ip virtual-reassembly in
ip policy route-map PBR_SLA
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
zone-member security PPTP
peer default ip address pool VPN
ppp encrypt mppe auto
ppp authentication pap chap ms-chap ms-chap-v2
!
ip local policy route-map PBR_SLA
ip local pool VPN 192.168.1.123 192.168.1.124
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 192.168.1.14 21 85.17.12.202 21 extendable
ip nat inside source static tcp 192.168.1.14 22 85.17.12.202 22 extendable
ip nat inside source static tcp 192.168.1.15 25 85.17.12.202 25 extendable
ip nat inside source static tcp 192.168.1.15 110 85.17.12.202 110 extendable
ip nat inside source static tcp 192.168.1.15 389 85.17.12.202 389 extendable
ip nat inside source static tcp 192.168.1.21 3389 85.17.12.202 3389 extendable
ip nat inside source static tcp 192.168.1.13 3389 85.17.12.202 3390 extendable
ip nat inside source static tcp 192.168.1.16 3389 85.17.12.202 3391 extendable
ip nat inside source static tcp 192.168.1.53 3389 85.17.12.202 3392 extendable
ip nat inside source static tcp 192.168.1.213 3389 85.17.12.202 3393 extendable
ip nat inside source static tcp 192.168.1.16 8080 85.17.12.202 8080 extendable
ip nat inside source static udp 192.168.1.16 8080 85.17.12.202 8080 extendable
ip route 0.0.0.0 0.0.0.0 85.17.12.201 track 100
ip route 0.0.0.0 0.0.0.0 212.34.25.30 20 track 200
!
ip access-list standard LAN
permit 10.9.8.0 0.0.7.255
deny   any
!
ip access-list extended SLA1_ACL
permit icmp host 85.17.12.202 host 8.8.8.8
permit icmp host 85.17.12.202 host 8.8.4.4
permit icmp host 85.17.12.202 host 4.4.4.4
ip access-list extended SLA2_ACL
permit icmp host 192.168.1.11 host 8.8.8.8
permit icmp host 192.168.1.11 host 8.8.4.4
permit icmp host 192.168.1.11 host 4.4.4.4
ip access-list extended TO_INTERNET
permit tcp any eq 1723 any
permit tcp host 10.9.8.53 any eq 8444
permit tcp any any eq 1723
permit ip host 192.168.1.10 any
permit ip any host 192.168.1.10
permit tcp any host 85.114.14.41 eq 1024
permit tcp any host 195.131.157.101 eq 1024
permit tcp any any range 3389 3392
permit tcp any range 3389 3392 any
permit tcp any any eq 8080
permit udp any any eq 8080
permit tcp any eq 8080 any
permit udp any eq 8080 any
permit tcp any any eq 443
permit udp any any eq 443
permit tcp any eq 443 any
permit udp any eq 443 any
permit tcp any any eq 465
permit udp any any eq 465
permit tcp any eq 465 any
permit udp any eq 465 any
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq ftp
permit tcp any eq ftp any
permit tcp any any eq ftp-data
permit tcp any eq ftp-data any
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any eq domain any
permit udp any eq domain any
permit tcp any any eq pop3
permit tcp any eq pop3 any
permit tcp any any eq smtp
permit tcp any eq smtp any
permit udp any any eq ntp
permit udp any eq ntp any
permit tcp any any eq 6036
permit udp any any eq 6036
permit tcp any eq 6036 any
permit udp any eq 6036 any
permit udp any any eq netbios-dgm
permit udp any any eq netbios-ns
permit udp any eq netbios-dgm any
permit udp any eq netbios-ns any
deny   ip any any
ip access-list extended TO_LAN
permit tcp any eq 1723 any
permit gre any any
permit tcp any any eq 1723
permit ip host 192.168.1.10 any
permit ip any host 192.168.1.10
permit tcp host 85.114.14.41 any eq 1024
permit tcp host 85.114.14.41 eq 1024 any
permit tcp host 195.131.157.101 any eq 1024
permit tcp host 195.131.157.101 eq 1024 any
permit tcp any any range 3389 3392
permit tcp any range 3389 3392 any
permit tcp any any eq 8080
permit udp any any eq 8080
permit tcp any eq 8080 any
permit udp any eq 8080 any
permit tcp any any eq 443
permit udp any any eq 443
permit tcp any eq 443 any
permit udp any eq 443 any
permit tcp any any eq 465
permit udp any any eq 465
permit tcp any eq 465 any
permit udp any eq 465 any
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq ftp
permit tcp any eq ftp any
permit tcp any any eq ftp-data
permit tcp any eq ftp-data any
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any eq domain any
permit udp any eq domain any
permit tcp any any eq pop3
permit tcp any eq pop3 any
permit tcp any any eq smtp
permit tcp any eq smtp any
permit udp any any eq ntp
permit udp any eq ntp any
permit tcp any any eq 6036
permit udp any any eq 6036
permit tcp any eq 6036 any
permit udp any eq 6036 any
permit udp any any eq netbios-dgm
permit udp any any eq netbios-ns
permit udp any eq netbios-dgm any
permit udp any eq netbios-ns any
permit icmp any any echo
permit icmp any any unreachable
permit icmp any any time-exceeded
deny   ip any any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
threshold 1000
timeout 1500
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.4.4 source-interface GigabitEthernet0/1
threshold 1000
timeout 1500
frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 4.4.4.4 source-interface GigabitEthernet0/1
threshold 1000
timeout 1500
frequency 3
ip sla 11
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
threshold 1000
timeout 1500
frequency 3
ip sla schedule 11 life forever start-time now
ip sla 12
icmp-echo 8.8.4.4 source-interface GigabitEthernet0/2
threshold 1000
timeout 1500
frequency 3
ip sla schedule 12 life forever start-time now
ip sla 13
icmp-echo 4.4.4.4 source-interface GigabitEthernet0/2
threshold 1000
timeout 1500
frequency 3
ip sla schedule 13 life forever start-time now
logging host 192.168.1.213 transport tcp port 514
!
route-map ISP_1 permit 10
match ip address LAN
match interface GigabitEthernet0/1
!
route-map ISP_2 permit 20
match ip address LAN
match interface GigabitEthernet0/2
!
route-map PBR_SLA permit 10
match ip address SLA1_ACL
set ip next-hop 85.17.12.201
!
route-map PBR_SLA permit 20
match ip address SLA2_ACL
set ip next-hop 212.34.25.30
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
exec-timeout 0 0
no activation-character
no editing
transport output none
escape-character NONE
stopbits 1
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class LAN in
exec-timeout 60 0
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
event manager applet ISP_1_UP
event track 100 state up
action 001 cli command "enable"
action 002 cli command "clear ip nat trans *"
action 003 syslog msg "ISP 1 IS UP"
event manager applet ISP_1_DOWN
event track 100 state down
action 001 cli command "enable"
action 002 cli command "clear ip nat trans *"
action 003 syslog msg "ISP 1 IS DOWN"
event manager applet ISP_2_UP
event track 200 state up
action 001 cli command "enable"
action 002 cli command "clear ip nat trans *"
action 003 syslog msg "ISP 2 IS UP"
event manager applet ISP_2_DOWN
event track 200 state down
action 001 cli command "enable"
action 002 cli command "clear ip nat trans *"
action 003 syslog msg "ISP 2 IS DOWN"
!
end



Messages in this discussion
"No access to the corporate network when connecting over PPTP VPN"
Posted by crash, 17-Sep-15 04:44
Have you tried configuring the firewall properly?

"No access to the corporate network when connecting over PPTP VPN"
Posted by Kudrin, 17-Sep-15 14:44
> Have you tried configuring the firewall properly?

I tried; I can't get it right.


"No access to the corporate network when connecting over PPTP VPN"
Posted by Kudrin, 24-Sep-15 08:57
Figured out the answer myself: GRE traffic just has to be made a separate class, and in the policy the inspection type for it set to pass. Access to the local network is working.
>> Have you tried configuring the firewall properly?
> I tried; I can't get it right.

class-map type inspect match-any all_traf_to_internet
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ftp
match protocol smtp
match protocol pop3
match protocol netbios-dgm
match protocol netbios-ns
match access-group name TO_INTERNET
class-map type inspect match-any all_traf_to_lan
match protocol ldap
match protocol pop3
match protocol smtp
match protocol ftp
match protocol icmp
match access-group name TO_LAN
class-map type inspect match-all gre
match access-group name GRE
!
policy-map type inspect all_traf_to_internet_policy
class type inspect gre
  pass
class type inspect all_traf_to_internet
  inspect
class class-default
  drop
policy-map type inspect all_traf_to_lan_policy
class type inspect gre
  pass
class type inspect all_traf_to_lan
  inspect
class class-default
  drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
service-policy type inspect all_traf_to_internet_policy
zone-pair security outside-inside source outside destination inside
service-policy type inspect all_traf_to_lan_policy
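The working configuration above makes the point that PPTP needs two things through a zone-based firewall: the TCP/1723 control session, which inspect handles, and the GRE data tunnel, which the fix handles with pass in a dedicated class on both zone pairs. Below is an added example (not from this thread and not Cisco's code): a hypothetical, deliberately simplified Python parser for the class-map, access-list, policy-map and zone-pair stanzas that answers, per zone pair, which action GRE hits and whether GRE is passed in both directions. Both sample configs are constructed from the thread's before and after snippets; the GRE access list, which the post references but does not show, is assumed to be permit gre any any, and the before sample uses the inside/outside pairs shown in the fix rather than the original PPTP zone.

```python
# Audit how a Cisco IOS zone-based firewall (ZBF) config treats GRE on each zone pair.
# Added example (not from the thread): a hypothetical, simplified parser; samples are constructed.
import re
TOP = ("class-map", "policy-map", "zone", "ip ", "interface", "route-map")

def parse_zbf(text):
    cfg = {"cm": {}, "acl": {}, "pm": {}, "zp": {}}
    kind = name = cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(TOP):  # any top-level stanza ends the previous one
            kind = name = cls = None
        if m := re.match(r"class-map type inspect (match-any|match-all) (\S+)", line):
            kind, name = "cm", m[2]
            cfg["cm"][name] = {"mode": m[1], "proto": set(), "acl": set()}
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            kind, name = "acl", m[1]
            cfg["acl"][name] = set()  # protocol keywords of its permit entries
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            kind, name = "pm", m[1]
            cfg["pm"][name] = {}  # dict order == IOS first-match order
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            kind, name = "zp", m[1]
            cfg["zp"][name] = {"src": m[2], "dst": m[3], "policy": None}
        elif kind == "cm" and (m := re.match(r"match protocol (\S+)", line)):
            cfg["cm"][name]["proto"].add(m[1])
        elif kind == "cm" and (m := re.match(r"match access-group name (\S+)", line)):
            cfg["cm"][name]["acl"].add(m[1])
        elif kind == "acl" and (m := re.match(r"permit (\S+)", line)):
            cfg["acl"][name].add(m[1])
        elif kind == "pm" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            cls = m[1]
        elif kind == "pm" and cls and line.split()[:1] in (["inspect"], ["pass"], ["drop"]):
            cfg["pm"][name][cls] = line.split()[0]  # 'drop log' -> 'drop'
        elif kind == "zp" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cfg["zp"][name]["policy"] = m[1]
    return cfg

def class_matches_gre(cfg, cname):
    """Can class-map cname match GRE? Only ACL 'permit gre' entries count; match-all also
    needs every referenced ACL to permit it and no 'match protocol' line (simplified)."""
    cm = cfg["cm"].get(cname, {"mode": "match-any", "proto": set(), "acl": set()})
    hits = ["gre" in cfg["acl"].get(a, set()) for a in cm["acl"]]
    if cm["mode"] == "match-any":
        return any(hits)
    return bool(hits) and all(hits) and not cm["proto"]

def gre_action(cfg, src, dst):
    """First-matching ZBF action for GRE on zone pair src->dst: 'pass', 'inspect' or 'drop'
    (explicit or implicit class-default); 'no-zone-pair' if that pair is not configured."""
    for zp in cfg["zp"].values():
        if (zp["src"], zp["dst"]) == (src, dst):
            for cname, action in cfg["pm"].get(zp["policy"], {}).items():
                if cname == "class-default" or class_matches_gre(cfg, cname):
                    return action
            return "drop"
    return "no-zone-pair"

def pptp_tunnel_ok(cfg, client_zone, lan_zone):
    """PPTP data rides in GRE and 'pass' keeps no session state: require 'pass' both ways."""
    return gre_action(cfg, client_zone, lan_zone) == "pass" == gre_action(cfg, lan_zone, client_zone)

# Constructed sample: the original layout, GRE reachable only through the TO_LAN ACL under inspect.
BEFORE = """ip access-list extended TO_LAN
 permit gre any any
class-map type inspect match-any cm_to_lan
 match access-group name TO_LAN
policy-map type inspect in-out
 class class-default
  drop log
policy-map type inspect out-in
 class type inspect cm_to_lan
  inspect
zone-pair security inside-outside source inside destination outside
 service-policy type inspect in-out
zone-pair security outside-inside source outside destination inside
 service-policy type inspect out-in
"""
# Constructed sample: the fix, with the GRE access list assumed to be 'permit gre any any'.
AFTER = """ip access-list extended GRE
 permit gre any any
class-map type inspect match-any all_traf_to_lan
 match protocol ldap
class-map type inspect match-all gre
 match access-group name GRE
policy-map type inspect all_traf_to_internet_policy
 class type inspect gre
  pass
policy-map type inspect all_traf_to_lan_policy
 class type inspect gre
  pass
 class type inspect all_traf_to_lan
  inspect
zone-pair security inside-outside source inside destination outside
 service-policy type inspect all_traf_to_internet_policy
zone-pair security outside-inside source outside destination inside
 service-policy type inspect all_traf_to_lan_policy
"""

if __name__ == "__main__":
    print({k: pptp_tunnel_ok(parse_zbf(v), "outside", "inside") for k, v in (("before", BEFORE), ("after", AFTER))})
```

Run as a script it prints {'before': False, 'after': True}: in the original layout GRE from outside reaches only an inspect class, and from inside to outside no class matches it at all, so the data channel falls to class-default drop. Because pass creates no session entry, the check insists on pass on both zone pairs, which is exactly what the working configuration does; a policy that passes GRE in one direction only would still fail the check.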