Good afternoon! I'm asking for advice; I've been racking my brains over this for the third day now, so far with no result.
The gist of the problem: a standard situation, I need to connect a remote site to the office.
I have two Cisco 871s: one is a regular one, the other is the ADSL model. A GRE tunnel protected by IPsec is up.
Everything pings, telnet works and Radmin sessions hold as well, BUT only if the connection is initiated from the remote site's side; if I do the same thing from the office, the session hangs dead as soon as packets are expected to be received on the remote site's side.
Exactly the same scheme works perfectly for me elsewhere, but there it is built on two routers (without ADSL); it seems to me that the bridge between the atm0 and BVI interfaces somehow has an effect, maybe that's where the problem lies? Please take a look at the configs:
Office:
-------------------------------------
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname home
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name host.local
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxx address 212.100.xxx.42
!
!
crypto ipsec transform-set MYTS esp-des esp-md5-hmac
!
crypto ipsec profile IPSECLINK
 set transform-set MYTS
!
!
!
!
interface Tunnel0
 ip address 172.30.1.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 212.100.xxx.42
 tunnel protection ipsec profile IPSECLINK
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description Uplink
 ip address 62.100.xxx.150 255.255.255.252
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description inside
 ip address 192.168.120.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 62.100.xxx.149
ip route 192.168.100.0 255.255.255.0 172.30.1.2
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 9 interface FastEthernet4 overload
!
access-list 9 permit 192.168.120.0 0.0.0.255
access-list 23 permit 192.168.120.18
access-list 23 permit 192.168.100.3
access-list 23 permit 212.100.xxx.42
access-list 23 permit 213.120.xxx.2
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 permit ip any any
access-list 103 permit tcp host 212.100.xxx.42 host 62.140.251.150 eq 22
access-list 103 permit tcp host 212.100.xxx.41 host 62.140.251.150 eq 22
access-list 103 permit tcp host 213.120.xxx.2 host 62.140.251.150 eq 22
access-list 103 deny tcp any host 62.100.xxx.150 eq 22
access-list 103 permit ip any any
no cdp run
!
control-plane
!
banner login
h0me.
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport preferred none
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end
Remote site:
-------------------------------------------------
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname farm
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxxx address 62.100.xxx.150
!
!
crypto ipsec transform-set MYTS esp-des esp-md5-hmac
!
crypto ipsec profile IPSECLINK
 set transform-set MYTS
!
!
bridge irb
!
!
!
interface Tunnel0
 ip address 172.30.1.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1460
 ip tcp adjust-mss 1420
 no ip mroute-cache
 tunnel source BVI1
 tunnel destination 62.100.xxx.150
 tunnel protection ipsec profile IPSECLINK
!
interface ATM0
 description DSL
 no ip address
 no atm ilmi-keepalive
 pvc 0/33
  encapsulation aal5snap
 !
 dsl operating-mode auto
 bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description inside
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description Uplink
 ip address 212.100.xxx.42 255.255.255.248
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 212.100.xxx.41
ip route 192.168.120.0 255.255.255.0 172.30.1.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface BVI1 overload
!
logging trap debugging
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 11 permit 213.120.xxx.2
access-list 11 permit 62.100.xxx.150
access-list 11 permit 192.168.120.0 0.0.0.255
access-list 11 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
access-list 103 permit tcp host 213.120.xxx.2 host 212.100.xxx.42 eq 22
access-list 103 permit tcp host 62.100.xxx.150 host 212.100.xxx.42 eq 22
access-list 103 deny tcp any host 212.100.xxx.42 eq 22
access-list 103 permit ip any any
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login
fArm.
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 11 in
 privilege level 15
 login local
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
_____________________________________________________________
sh ip ro - office:
-----------------------------
Gateway of last resort is 62.100.xxx.149 to network 0.0.0.0

C    192.168.120.0/24 is directly connected, Vlan1
     172.30.0.0/30 is subnetted, 1 subnets
C       172.30.1.0 is directly connected, Tunnel0
     62.0.0.0/30 is subnetted, 1 subnets
C       62.100.xxx.148 is directly connected, FastEthernet4
S    192.168.100.0/24 [1/0] via 172.30.1.2
S*   0.0.0.0/0 [1/0] via 62.100.xxx.149
sh ip ro - remote site:
-----------------------------
Gateway of last resort is 212.100.xxx.41 to network 0.0.0.0

S    192.168.120.0/24 [1/0] via 172.30.1.1
     172.30.0.0/30 is subnetted, 1 subnets
C       172.30.1.0 is directly connected, Tunnel0
     212.100.xxx.0/29 is subnetted, 1 subnets
C       212.100.xxx.40 is directly connected, BVI1
C    192.168.100.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 212.100.xxx.41
sh ip int brie - office:
------------------------------------------
home#sh ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              62.100.xxx.150  YES NVRAM  up                    up
Vlan1                      192.168.120.1   YES NVRAM  up                    up
Tunnel0                    172.30.1.1      YES NVRAM  up                    up
NVI0                       unassigned      YES unset  up                    up
sh ip int brie - remote site:
------------------------------------------
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
ATM0                       unassigned      YES NVRAM  up                    up
Vlan1                      192.168.100.1   YES NVRAM  up                    up
Tunnel0                    172.30.1.2      YES NVRAM  up                    up
BVI1                       212.100.xxx.42  YES NVRAM  up                    up
NVI0                       unassigned      NO  unset  up                    up
___________________________________________________________________________________
Thanks to everyone who responds and finds the time to look at the configs.
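Both posted tunnels set ip mtu 1460 and ip tcp adjust-mss 1420 over a transform-set of esp-des esp-md5-hmac, with an ISAKMP policy that states only hash md5 and pre-shared keys. The script below is an added example, not part of the original post or of the poster's routers: it parses a constructed excerpt of the office config, flags what a security review would flag (single DES, MD5, the IOS defaults that apply when an ISAKMP policy leaves encryption and DH group unstated, telnet accepted on the vty lines), and computes the on-the-wire size of a maximum-size tunnel packet after GRE and ESP encapsulation so one can see whether it fits a 1500-byte outer MTU. The size model assumes IOS defaults (GRE without key, sequence or checksum; ESP in tunnel mode unless the transform-set carries mode transport; CBC ciphers with a block-sized IV; 96-bit truncated HMAC). It is a check on the posted values, not a claim about the cause of the hang.

```python
"""Review a GRE-over-IPsec IOS config: weak crypto parameters and ESP packet size.
Added example, not the poster's code. SAMPLE_CONFIG is a constructed excerpt of the
posted office config; size assumptions are listed in the lead-in above."""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set MYTS esp-des esp-md5-hmac
crypto ipsec profile IPSECLINK
 set transform-set MYTS
interface Tunnel0
 ip mtu 1460
 ip tcp adjust-mss 1420
 tunnel protection ipsec profile IPSECLINK
line vty 0 4
 transport input telnet ssh
"""

IP_HDR, GRE_HDR, ESP_HDR, ESP_TRAILER = 20, 4, 8, 2  # GRE header without key/seq/checksum
CIPHER_IV = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16, "esp-aes-192": 16, "esp-aes-256": 16}
AUTH_ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}  # 96-bit truncated HMAC
WEAK = {"esp-des": "single DES, 56-bit key", "esp-3des": "3DES, deprecated", "esp-md5-hmac": "HMAC-MD5"}
# ISAKMP values worth a remark; "des" and group "1" are what IOS applies when the policy is silent
ISAKMP_WEAK = {"encryption": ("des", "encryption des, 56-bit (IOS default)"), "hash": ("md5", "hash md5"),
               "group": ("1", "DH group 1, 768-bit (IOS default)")}


def esp_size(clear_ip_len, cipher, auth, mode="tunnel"):
    """Wire size of an ESP packet protecting a cleartext IP packet of clear_ip_len bytes.
    Tunnel mode encrypts the whole packet behind a new outer IP header; transport keeps the header."""
    protected = clear_ip_len if mode == "tunnel" else clear_ip_len - IP_HDR
    iv = CIPHER_IV[cipher]
    pad = (-(protected + ESP_TRAILER)) % iv  # CBC: payload + trailer must fill whole blocks
    return IP_HDR + ESP_HDR + iv + protected + pad + ESP_TRAILER + AUTH_ICV[auth]


def parse_config(text):
    """Pull ISAKMP policies, transform-sets, IPsec profiles, tunnels and vty transports out of IOS text."""
    cfg = {"isakmp": {}, "transform_sets": {}, "profiles": {}, "tunnels": {}, "vty_input": []}
    block = None  # (kind, dict) for the indented section currently being read
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if not line.startswith(" "):
            block = None
            if m := re.match(r"crypto isakmp policy (\d+)", line):
                block = ("isakmp", cfg["isakmp"].setdefault(m[1], {"encryption": "des", "hash": "sha", "group": "1"}))
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                block = ("ts", cfg["transform_sets"].setdefault(m[1], {"algs": m[2].split(), "mode": "tunnel"}))
            elif m := re.match(r"crypto ipsec profile (\S+)", line):
                block = ("profile", cfg["profiles"].setdefault(m[1], {}))
            elif m := re.match(r"interface (Tunnel\d+)", line):
                block = ("tunnel", cfg["tunnels"].setdefault(m[1], {}))
            elif line.startswith("line vty"):
                block = ("vty", cfg)
            continue
        if block is None:
            continue
        kind, cur = block
        if kind == "isakmp":
            cur[words[0]] = words[1]  # e.g. "hash md5" overrides the default
        elif kind == "ts" and words[0] == "mode":
            cur["mode"] = words[1]
        elif kind == "profile" and words[:2] == ["set", "transform-set"]:
            cur["transform_set"] = words[2]
        elif kind == "tunnel" and words[:2] == ["ip", "mtu"]:
            cur["ip_mtu"] = int(words[2])
        elif kind == "tunnel" and words[:3] == ["tunnel", "protection", "ipsec"]:
            cur["profile"] = words[4]
        elif kind == "vty" and words[:2] == ["transport", "input"]:
            cur["vty_input"] = words[2:]
    return cfg


def review(cfg, outer_mtu=1500):
    """Return (findings, sizes): review remarks and the largest ESP packet each tunnel emits."""
    findings, sizes = [], {}
    for num, pol in cfg["isakmp"].items():
        findings += [f"isakmp policy {num}: {txt}" for k, (bad, txt) in ISAKMP_WEAK.items() if pol[k] == bad]
    for name, ts in cfg["transform_sets"].items():
        findings += [f"transform-set {name}: {a} ({WEAK[a]})" for a in ts["algs"] if a in WEAK]
    if "telnet" in cfg["vty_input"]:
        findings.append("line vty: telnet accepted (cleartext management)")
    for name, tun in cfg["tunnels"].items():
        if "ip_mtu" not in tun or "profile" not in tun:
            continue
        ts = cfg["transform_sets"][cfg["profiles"][tun["profile"]]["transform_set"]]
        cipher = next(a for a in ts["algs"] if a in CIPHER_IV)
        auth = next(a for a in ts["algs"] if a in AUTH_ICV)
        gre_pkt = IP_HDR + GRE_HDR + tun["ip_mtu"]  # largest GRE packet this tunnel will emit
        sizes[name] = esp_size(gre_pkt, cipher, auth, ts["mode"])
        if sizes[name] > outer_mtu:
            findings.append(f"{name}: ip mtu {tun['ip_mtu']} gives a {sizes[name]}-byte ESP packet, "
                            f"above the {outer_mtu}-byte outer MTU, so outer packets get fragmented")
    return findings, sizes
```

Calling review(parse_config(SAMPLE_CONFIG)) returns seven findings for the sample; the size check reports that a 1460-byte inner packet becomes a 1536-byte ESP packet in tunnel mode (1520 with mode transport), both above 1500. Feed the function a full show running-config to review a real router; any transform-set algorithm outside CIPHER_IV/AUTH_ICV needs to be added to those tables first.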