Good afternoon... Please help me sort out a VPN. There is a PIX 515 and a Cisco 871 router;
the PIX acts as the server, the 871 as the client.
The tunnel between them comes up, but the users behind the 871 router do not get addresses from the pool and accordingly cannot see the LAN behind the PIX. What am I doing wrong? PIX config:
PIX Version 7.2(2)
!
hostname pixfirewall
domain-name rian.ru
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 213.243.84.94 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.105.14 255.255.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name rian.ru
access-list inside_nat0_outbound extended permit ip any 10.10.100.0 255.255.255.128
access-list OUT extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.100.1-10.10.100.100 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group OUT in interface outside
route outside 0.0.0.0 0.0.0.0 213.243.84.81 1
route inside 0.0.0.0 0.0.0.0 192.168.18.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpngroup internal
group-policy vpngroup attributes
dns-server value 192.168.18.16 195.230.73.2
vpn-tunnel-protocol IPSec
default-domain value msk.rian
nem enable
address-pools value vpnpool
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username admin password OnI.5d6bvV.5pHvC encrypted privilege 15
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
address-pool vpnpool
default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dadde72b1428fa604c845ee8119bb91c
------
sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 213.243.122.114
Type : user Role : responder
Rekey : no State : AM_ACTIVE
sh ipsec sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 213.243.84.94
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 213.243.122.114, username: vpngroup
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.243.84.94, remote crypto endpt.: 213.243.122.114
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 29CE92D1
inbound esp sas:
spi: 0x0D361FCF (221650895)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 803, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 27770
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x29CE92D1 (701403857)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 803, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 27770
IV size: 8 bytes
replay detection support: Y
871 config:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$5gBV$gohuH8fSPV4sV8IzQ7LCA0
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 192.168.18.16
ip name-server 195.230.73.2
!
!
crypto pki trustpoint TP-self-signed-3748893683
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3748893683
revocation-check none
rsakeypair TP-self-signed-3748893683
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-3748893683
certificate self-signed 01
quit
crypto pki certificate chain tti
username admin privilege 15 secret 5 $1$NcnI$ggHwiPFhu687eIzyh1Fsc0
!
!
!
!
!
!
!
crypto ipsec client ezvpn vpn
connect auto
group vpngroup key vpnkey
mode network-extension
peer 213.243.84.94
xauth userid mode interactive
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address 213.243.122.114 255.255.255.252
ip access-group 101 in
no ip unreachables
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto ipsec client ezvpn vpn
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 out
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
crypto ipsec client ezvpn vpn inside
!
ip default-gateway 213.243.84.94
ip classless
ip route 0.0.0.0 0.0.0.0 213.243.122.113
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map vpn interface FastEthernet4 overload
!
logging trap debugging
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
route-map vpn permit 1
match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
213.243.84.94 213.243.122.114 QM_IDLE 1010 0 ACTIVE
sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: FastEthernet4-head-0, local addr 213.243.122.114
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 213.243.84.94 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 213.243.122.114, remote crypto endpt.: 213.243.84.94
path mtu 1500, ip mtu 1500
current outbound spi: 0xD361FCF(221650895)
inbound esp sas:
spi: 0x29CE92D1(701403857)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 13, flow_id: C87X_MBRD:13, crypto map: FastEthernet4-head-0
sa timing: remaining key lifetime (k/sec): (4581402/27859)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD361FCF(221650895)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 14, flow_id: C87X_MBRD:14, crypto map: FastEthernet4-head-0
sa timing: remaining key lifetime (k/sec): (4581402/27859)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
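An added diagnostic script (my own Python, not part of the poster's configs): in network-extension mode the hosts behind the 871 keep their own 10.10.10.0/24 addresses (the address pool is handed out to the hardware client only in client mode), which is why the PIX phase-2 SA above lists that subnet as the remote identity; the script checks whether that negotiated identity is covered by the headend's nat 0 exemption ACL, which matters wherever the headend translates inside traffic, and whether the SA has actually carried any packets. The sample lines are copied from the PIX config and "sh ipsec sa" output on this page; the ACL parser assumes only the "any" and "network mask" address forms.

```python
import ipaddress
import re
# Constructed sample: the nat 0 ACL and "sh ipsec sa" lines from the PIX above.
PIX_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 10.10.100.0 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
"""
PIX_IPSEC_SA = """
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def _take_net(tokens):
    """Consume one ACL address spec: 'any' or 'A.B.C.D MASK' (assumed forms)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def nat0_exempt_networks(config, acl="inside_nat0_outbound"):
    """Destination networks that the nat (inside) 0 ACL exempts from NAT."""
    prefix, nets = f"access-list {acl} extended permit ip ", []
    for line in config.splitlines():
        if line.startswith(prefix):
            tokens = line[len(prefix):].split()
            _take_net(tokens)                 # source side, not needed here
            nets.append(_take_net(tokens))    # destination = remote client side
    return nets

def remote_idents(sa_text):
    """Client-side proxy identities negotiated in phase 2 (remote ident lines)."""
    pat = r"remote ident .*?\(([\d.]+)/([\d.]+)/\d+/\d+\)"
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(pat, sa_text)]

def packet_counters(sa_text):
    """(encaps, decaps) for the SA; both zero means nothing enters the tunnel."""
    return tuple(int(re.search(rf"#pkts {k}: (\d+)", sa_text).group(1))
                 for k in ("encaps", "decaps"))

def check_nem_sa(config, sa_text):
    """Findings for a network-extension-mode SA seen on the PIX/ASA headend."""
    findings, exempt = [], nat0_exempt_networks(config)
    for net in remote_idents(sa_text):
        if not any(net.subnet_of(e) for e in exempt):
            findings.append(f"{net} is not covered by the nat 0 exemption ACL")
    if packet_counters(sa_text) == (0, 0):
        findings.append("SA is up but has carried no packets in either direction")
    return findings
```

Run against the page's own output it reports both conditions: the 10.10.10.0/24 identity is absent from the exemption ACL, and neither side has put a packet into the tunnel, so the next place to look is what routes traffic into the tunnel on each side rather than the IKE negotiation itself.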