The OpenNET Project / Index page

Original message
"Cisco, VPN and an external client"
Posted by cobold, 06-Feb-07 10:22
yes, the server is behind NAT, on the internal network
its IP is 192.168.55.29
external requests from the VPN client arrive at the IP whose last octet is 45 [X.X.X.45 in the config]

the cisco config is as follows

-----------------------------------------
interface Ethernet0/0
ip address 192.168.54.3 255.255.254.0
no ip directed-broadcast
ip nat inside
ip route-cache flow
no ip mroute-cache
ntp broadcast
!
interface Serial0/0
no ip address
no ip directed-broadcast
encapsulation frame-relay
ip route-cache flow
no ip mroute-cache
no fair-queue
cdp enable
!
interface Serial0/0.1 point-to-point
ip address 192.168.89.22 255.255.255.252
no ip directed-broadcast
frame-relay interface-dlci 16  
  class NET1
!
interface Serial0/0.2 point-to-point
ip address 192.168.89.42 255.255.255.252
ip access-group 112 in
ip access-group 111 out
no ip directed-broadcast
ip nat outside
frame-relay interface-dlci 32  
  class INTERNET
!
interface Serial0/0.3 point-to-point
ip address 192.168.89.54 255.255.255.252
no ip directed-broadcast
frame-relay interface-dlci 64  
  class NET2
!
interface Ethernet0/1
ip address 192.168.1.4 255.255.254.0
ip access-group 101 in
no ip directed-broadcast
ip nat inside
ip route-cache flow
no ip mroute-cache
!
ip nat pool NGP_POOL X.X.X.45 X.X.X.46 netmask 255.255.255.248
ip nat inside source list 101 pool POOL overload
ip nat inside source static tcp 192.168.55.29 1723 X.X.X.45 1723 extendable
ip nat inside source static 192.168.1.3 X.X.X.42
ip nat inside source static 192.168.54.6 X.X.X.43
ip nat inside source static 192.168.54.111 X.X.X.44
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.89.41
ip route 172.31.0.0 255.255.0.0 192.168.89.21
ip route 192.168.0.0 255.255.0.0 192.168.54.1
ip route 192.168.56.0 255.255.255.0 192.168.89.21
ip route 192.168.89.48 255.255.255.252 192.168.89.53
ip route 192.168.201.0 255.255.255.0 192.168.89.53
no ip http server
!
!
map-class frame-relay NET1
frame-relay adaptive-shaping becn
frame-relay cir 65540
frame-relay bc 16380
frame-relay be 0
frame-relay mincir 65540
frame-relay fair-queue
!
map-class frame-relay INTERNET
frame-relay adaptive-shaping becn
frame-relay cir 524300
frame-relay bc 16380
frame-relay be 0
frame-relay mincir 524300
frame-relay fair-queue
!
map-class frame-relay NET2
frame-relay adaptive-shaping becn
frame-relay cir 65540
frame-relay bc 16380
frame-relay be 0
frame-relay mincir 65540
frame-relay fair-queue
logging facility local1
logging 192.168.1.3
access-list 101 permit tcp host 192.168.1.3 any eq domain
access-list 101 permit tcp host 192.168.1.3 any eq ftp
access-list 101 permit tcp host 192.168.1.3 any eq ftp-data
access-list 101 permit tcp host 192.168.1.3 any eq www
access-list 101 permit tcp host 192.168.1.3 any eq smtp
access-list 101 permit tcp host 192.168.1.3 eq smtp any
access-list 101 permit tcp host 192.168.1.3 any eq 5999
access-list 101 permit udp host 192.168.1.3 any eq domain
access-list 101 permit udp host 192.168.1.3 eq domain 192.168.0.0 0.0.255.255
access-list 101 permit udp host 192.168.1.3 host 192.168.1.4 eq snmp
access-list 101 permit tcp host 192.168.54.6 any eq ftp
access-list 101 permit tcp host 192.168.54.6 any eq ftp-data
access-list 101 permit tcp host 192.168.54.6 any eq www
access-list 101 permit tcp host 192.168.54.6 any eq 443
access-list 101 permit tcp host 192.168.54.6 any eq 873
access-list 101 permit tcp host 192.168.54.6 any eq 3900
access-list 101 permit tcp host 192.168.54.6 any eq 5190
access-list 101 permit tcp host 192.168.54.6 any eq 5222
access-list 101 permit tcp host 192.168.54.6 any eq 5223
access-list 101 permit tcp host 192.168.54.6 any eq 7778
access-list 101 permit tcp host 192.168.54.6 any eq 8080
access-list 101 permit tcp host 192.168.54.6 any eq 8081
access-list 101 permit tcp host 192.168.54.111 any
access-list 101 permit udp host 192.168.54.111 any
access-list 101 permit icmp host 192.168.54.111 any
access-list 101 permit tcp host 192.168.55.29 eq 1723 any
access-list 101 permit gre host 192.168.55.29 any
access-list 101 permit tcp 192.168.54.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 101 permit udp 192.168.54.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 101 permit icmp 192.168.54.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 101 deny   tcp 192.168.0.0 0.0.255.255 any log
access-list 101 deny   udp 192.168.0.0 0.0.255.255 any log
access-list 101 deny   icmp 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip any any log
access-list 111 remark
access-list 111 permit tcp X.X.X.40 0.0.0.7 any
access-list 111 permit udp X.X.X.40 0.0.0.7 any
access-list 111 permit icmp X.X.X.40 0.0.0.7 any
access-list 111 deny   ip any any log
access-list 112 remark
access-list 112 permit tcp any X.X.X.40 0.0.0.7 established
access-list 112 permit udp any eq ntp X.X.X.40 0.0.0.7 eq ntp
access-list 112 permit tcp any host X.X.X.42 eq smtp
access-list 112 permit tcp any eq ftp-data host X.X.X.42
access-list 112 permit udp any eq domain host X.X.X.42
access-list 112 permit tcp any eq ftp-data host X.X.X.43
access-list 112 permit tcp any eq ftp host X.X.X.43
access-list 112 permit icmp any host X.X.X.43
access-list 112 permit tcp any host X.X.X.44
access-list 112 permit udp any host X.X.X.44
access-list 112 permit icmp any host X.X.X.44
access-list 112 permit tcp any host X.X.X.45 eq 1723
access-list 112 permit gre any host X.X.X.45
access-list 112 deny   tcp any X.X.X.40 0.0.0.7 log
access-list 112 deny   udp any X.X.X.40 0.0.0.7 log
access-list 112 deny   icmp any X.X.X.40 0.0.0.7 log
access-list 112 deny   ip any any log
------------------------------------------
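An added check for the PPTP pass-through pieces of the config above (example code written for this page; it is not cobold's, OpenNET's or Cisco's). PPTP needs two things through NAT: the TCP/1723 control connection and GRE (IP protocol 47), which has no port numbers. The script parses the numbered-ACL and `ip nat inside source static` syntax used in the post and, for the server published on X.X.X.45, tests that the ACL applied inbound on the `ip nat outside` interface (112 here) permits TCP/1723 and GRE, that a static translation exists for each, and that the pool named in `ip nat inside source list ... pool` is actually defined (the post defines `NGP_POOL` but references `POOL`). The config excerpt is constructed from the post's lines with the X.X.X placeholder replaced by the documentation prefix 203.0.113 so address arithmetic works; the client address 198.51.100.10 and the `FIXED_CONFIG` variant are assumptions. The one rule that is not visible in the post is the checker's `nat_gre` test: on IOS a port static such as `ip nat inside source static tcp ... 1723 ... 1723` translates only that TCP port, so inbound GRE to the global address needs a full static entry.

```python
"""PPTP (TCP/1723 + GRE) pass-through checker for a Cisco IOS NAT/ACL excerpt. Hypothetical tool for this page."""
from ipaddress import ip_address
import re

# Constructed excerpt modelled on the post; X.X.X.* is replaced with the documentation prefix 203.0.113.0/24.
POSTED_CONFIG = """\
ip nat pool NGP_POOL 203.0.113.45 203.0.113.46 netmask 255.255.255.248
ip nat inside source list 101 pool POOL overload
ip nat inside source static tcp 192.168.55.29 1723 203.0.113.45 1723 extendable
ip nat inside source static 192.168.1.3 203.0.113.42
access-list 112 permit tcp any 203.0.113.40 0.0.0.7 established
access-list 112 permit tcp any host 203.0.113.45 eq 1723
access-list 112 permit gre any host 203.0.113.45
access-list 112 deny   ip any any log
"""

# Hypothetical corrected variant: full (all-protocol) static for the PPTP server, its global
# address taken out of the overload pool, and the pool name made consistent.
FIXED_CONFIG = (POSTED_CONFIG
    .replace("static tcp 192.168.55.29 1723 203.0.113.45 1723 extendable",
             "static 192.168.55.29 203.0.113.45")
    .replace("NGP_POOL 203.0.113.45 203.0.113.46", "NGP_POOL 203.0.113.46 203.0.113.46")
    .replace("pool POOL overload", "pool NGP_POOL overload"))

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i] -> ((net, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ip_address(t[i + 1])), 0), i + 2
    return (int(ip_address(t[i])), int(ip_address(t[i + 1]))), i + 2

def _port(t, i):
    """Parse an optional numeric 'eq PORT' at t[i] -> (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_acls(config):
    """ACL number -> ordered (action, proto, src, sport, dst, dport, established) entries."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)", line)
        if not m:
            continue  # remarks and non-ACL lines
        num, action, proto, rest = m.groups()
        t = rest.split()
        src, i = _addr(t, 0)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport, "established" in t[i:]))
    return acls

def acl_permits(aces, proto, src_ip, dst_ip, dport=None):
    """First match wins, implicit deny. Models the first packet of a new flow from an ephemeral
    source port, so 'established' entries and entries with a source port never match it."""
    def hit(ip, spec):  # wildcard bits are "don't care"
        return ((ip ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    s, d = int(ip_address(src_ip)), int(ip_address(dst_ip))
    for action, p, src, sport, dst, dp, established in aces:
        if p not in (proto, "ip") or established or sport is not None:
            continue
        if hit(s, src) and hit(d, dst) and dp in (None, dport):
            return action == "permit"
    return False

def parse_static_nat(config):
    """Static entries as (proto or None, inside, inside_port, global, global_port)."""
    out = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"]:
            if t[5] in ("tcp", "udp"):   # port static: one protocol, one port
                out.append((t[5], t[6], int(t[7]), t[8], int(t[9])))
            else:                        # full static: every IP protocol, GRE included
                out.append((None, t[5], None, t[6], None))
    return out

def nat_covers(entries, proto, global_ip, port=None):
    """A port static carries only its own protocol/port; GRE has no port, so it needs a full static."""
    return any(g == global_ip and (p is None or (p == proto and gp == port))
               for p, _inside, _iport, g, gp in entries)

def pool_names_consistent(config):
    """Every 'ip nat inside source list ... pool NAME' must name a defined pool."""
    pools = set(re.findall(r"^ip nat pool (\S+)", config, re.M))
    used = set(re.findall(r"^ip nat inside source list \S+ pool (\S+)", config, re.M))
    return used <= pools

def check_pptp(config, acl_number, global_ip, client_ip="198.51.100.10"):
    """Named checks (True = passes) for a PPTP server on global_ip; acl_number is the inbound ACL on the outside interface."""
    aces = parse_acls(config).get(acl_number, [])
    nat = parse_static_nat(config)
    return {
        "acl_tcp_1723": acl_permits(aces, "tcp", client_ip, global_ip, 1723),
        "acl_gre": acl_permits(aces, "gre", client_ip, global_ip),
        "nat_tcp_1723": nat_covers(nat, "tcp", global_ip, 1723),
        "nat_gre": nat_covers(nat, "gre", global_ip),
        "pool_names": pool_names_consistent(config)}
```

`check_pptp(POSTED_CONFIG, "112", "203.0.113.45")` passes the two ACL checks and the TCP/1723 translation but fails `nat_gre` and `pool_names`; the same call on `FIXED_CONFIG` passes everything. The checker only models what is visible in the post (numbered ACLs, static NAT, the pool reference); it knows nothing about the IOS release, any PPTP ALG, or which interface the server's traffic actually enters on, so treat a pass as "the config is not obviously missing a piece" rather than proof that the tunnel will come up.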