The tunnel comes up, but the return traffic lands on the external interface...
Network:
192.168.0.0 (cisco)
===
100.100.100.100
INTERNET
200.200.200.200
===
192.168.3.0 (zyxel)
The problem is in the Cisco: with the same config, if a ZyXEL is installed and configured in place of the Cisco, the problem goes away.
Packets from the Cisco to the ZyXEL (and the replies to them) go through fine, but packets from the ZyXEL to the Cisco arrive on Dialer1 and pass through the wan-in ACL. Why is that?
Config:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoTest
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging rate-limit 10000
enable secret 5 xxxxxxxxxxxxxx
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip domain name cisco.easystep.local
!
no ip bootp server
ip cef
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin icmp timeout 15
ip inspect name apache http timeout 3600
ip audit po max-events 100
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
username root secret 5 xxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 12345678 address 200.200.200.200
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-sha-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 10.250.19.120
set transform-set cm-transformset-1
match address 100
!
!
!
interface Ethernet0
no ip address
no ip unreachables
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 192.168.0.21 255.255.255.0
ip access-group lan-in in
no ip redirects
no ip proxy-arp
ip nat inside
ip inspect ethernetin in
ip tcp adjust-mss 1452
no ip mroute-cache
speed auto
!
interface Dialer1
ip address negotiated
ip access-group wan-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username mcc5874 password 0 uy8eichaiY
crypto map cm-cryptomap
!
ip nat inside source list 175 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended lan-in
permit ip 192.168.0.0 0.0.0.255 any log
permit udp 192.168.0.0 0.0.0.255 any log
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 7.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
permit udp any any eq isakmp
permit esp any any
logging trap debugging
logging facility local1
logging 192.168.0.150
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 20 permit 192.168.3.0
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
session-timeout 5
exec-timeout 7 0
login local
transport input ssh
!
end
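To see what the wan-in ACL does to a decrypted tunnel packet once it is re-evaluated on Dialer1, here is a small ACL simulator added by the editor (not part of the original post): it walks the wan-in entries from the config above top-down with IOS wildcard-mask semantics, and the sample packet addresses are constructed.

```python
import ipaddress

# The wan-in ACL exactly as posted in the config above.
WAN_IN = """
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 7.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
permit udp any any eq isakmp
permit esp any any
"""
PORT_NAMES = {"isakmp": 500}  # IOS port keyword -> number (only the one this ACL uses)

def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        host = int(ipaddress.ip_address(tokens[1]))
        return (lambda ip: ip == host), tokens[2:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    # A wildcard bit of 1 means "don't care": compare only the bits where the wildcard is 0.
    return (lambda ip: (ip & ~wild) == (base & ~wild)), tokens[2:]

def parse_ace(line):
    """Split 'deny|permit PROTO SRC DST [eq PORT] [log]' into (action, proto, src, dst, port)."""
    tokens = line.split()
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return tokens[0], tokens[1], src, dst, port

def evaluate(acl_text, src, dst, proto, dport=None):
    """Walk the ACL top-down as IOS does: first match wins, implicit deny at the end."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for line in acl_text.strip().splitlines():
        action, aproto, asrc, adst, aport = parse_ace(line)
        if aproto not in ("ip", proto) or not (asrc(s) and adst(d)):
            continue
        if aport is not None and aport != dport:
            continue
        return action, line
    return "deny", "implicit deny"

# Constructed sample: a decrypted packet from the ZyXEL LAN to the Cisco LAN, as seen on Dialer1.
print(evaluate(WAN_IN, "192.168.3.10", "192.168.0.50", "ip"))
```

The decrypted 192.168.3.x to 192.168.0.x packet matches the very first entry, `deny ip 192.168.0.0 0.0.255.255 any log`, because that wildcard covers all of 192.168.0.0/16, including the ZyXEL's 192.168.3.0/24; the encrypted ESP and ISAKMP packets between the two public addresses are permitted by the last two entries.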