I'll be brief: there is a setup connecting two routers across the hostile internet over a supposedly encrypted IPSec channel.
I took the example from Cisco.com; it matches my situation.
So here's the thing.
Suppose that on Router A, on interface E0/1, I apply an ACL (to filter unwanted traffic): ip access-group 188 in
The ACL itself is:
access-list 188 permit ip host 95.95.95.2 host 99.99.99.2
access-list 188 permit tcp any eq www any
That is, in theory I've permitted ipsec and esp between the Ciscos, plus a little bit of web.
I thought the encrypted traffic would be permitted by the first line of ACL 188 and then pass on into the network.
But I was very surprised to see that the private networks still couldn't see each other, and everything only started working once I added the following line to list 188:
access-list 188 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
So it turns out that the encrypted traffic arrives, is permitted by the first line of list 188, gets decrypted, and is then checked against list 188 again?
Or am I missing something?
Example configurations: http://www.cisco.com/warp/public/707/overload_private.shtml#tools
Router A
Current configuration:
!
version 12.0
hostname rp-3640-2b
!
ip subnet-zero
ip domain-name junk.com
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 95.95.95.2
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 95.95.95.2
set transform-set rtpset
!--- Include the private network to private network traffic
!--- in the encryption process.
match address 115
!
interface Ethernet0/0
ip address 10.50.50.50 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Ethernet0/1
ip address 99.99.99.2 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map rtp
!
interface Ethernet0/2
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet0/3
no ip address
no ip directed-broadcast
shutdown
!
!--- Except the private network traffic from the NAT process.
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.1
no ip http server
!
!--- Except the private network traffic from the NAT process.
access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 110 permit ip 10.50.50.0 0.0.0.255 any
!--- Include the private network to private network traffic
!--- in the encryption process.
access-list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
!--- Except the private network traffic from the NAT process.
route-map nonat permit 10
match ip address 110
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
Router B
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rp-3640-6a
!
enable secret 5 $1$S/yK$RE603ZNv8N71GDYDbdMWd0
enable password ww
!
ip subnet-zero
!
ip audit notify log
ip audit PO max-events 100
isdn switch-type basic-5ess
isdn voice-call-failure 0
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 99.99.99.2
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 99.99.99.2
set transform-set rtpset
!--- Include the private network to private network traffic
!--- in the encryption process.
match address 115
!
interface BRI1/0
no ip address
no ip directed-broadcast
shutdown
isdn switch-type basic-5ess
!
interface Ethernet3/0
ip address 95.95.95.2 255.255.255.0
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map rtp
!
interface Ethernet3/1
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/2
ip address 10.103.1.75 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Ethernet3/3
no ip address
no ip directed-broadcast
shutdown
!
!--- Except the private network traffic from the NAT process.
ip nat inside source route-map nonat interface Ethernet3/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 95.95.95.1
ip route 171.68.120.0 255.255.255.0 10.103.1.1
no ip http server
!
!--- Except the private network traffic from the NAT process.
access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
access-list 110 permit ip 10.103.1.0 0.0.0.255 any
!--- Include the private network to private network traffic
!--- in the encryption process.
access-list 115 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!--- Except the private network traffic from the NAT process.
route-map nonat permit 10
match ip address 110
!
tftp-server flash:c3640-io3s56i-mz.120-7.T
!
line con 0
transport input none
line 65 72
line aux 0
line vty 0 4
password WW
login
!
end
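As an added illustration (not part of the original post or of the Cisco example), here is a small Python model of IOS numbered-ACL evaluation that reproduces what the post observes: with a classic crypto map the inbound interface ACL is applied to the ESP envelope and again to the decrypted packet, so ACL 188 as first written drops the private-to-private traffic and the added third line permits it. The addresses are the page's; the sample packets, the `www` port mapping and the double-check assumption are constructed.

```python
import ipaddress

def _addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard), rest."""
    if t[0] == "any": return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host": return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1]), t[2:]

def _port(t):
    """Consume an optional 'eq PORT' (name or number); return port or None, rest."""
    return (int({"www": 80}.get(t[1], t[1])), t[2:]) if t[:1] == ["eq"] else (None, t)

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    out = []
    for line in lines:
        t = line.split()
        action, proto, t = t[2], t[3], t[4:]
        src, t = _addr(t); sport, t = _port(t)
        dst, t = _addr(t); dport, t = _port(t)
        out.append((action == "permit", proto, src, sport, dst, dport))
    return out

def _in(addr, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a | w) == (b | w)

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for permit, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", pkt["proto"])
                and _in(pkt["src"], src) and _in(pkt["dst"], dst)
                and sport in (None, pkt.get("sport"))
                and dport in (None, pkt.get("dport"))):
            return permit
    return False

def inbound_check(acl, outer, inner):
    """Assumed classic crypto-map behaviour: inbound ACL on the ESP envelope, then again on the decrypted packet."""
    return evaluate(acl, outer) and evaluate(acl, inner)

LINES_188 = [  # constructed from the post: ACL 188 as first written, then the line that fixed it
    "access-list 188 permit ip host 95.95.95.2 host 99.99.99.2",
    "access-list 188 permit tcp any eq www any",
    "access-list 188 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255",
]
ORIGINAL_188, FIXED_188 = parse_acl(LINES_188[:2]), parse_acl(LINES_188)
ESP_PKT = {"proto": "esp", "src": "95.95.95.2", "dst": "99.99.99.2"}  # constructed envelope from Router B
INNER_PKT = {"proto": "tcp", "src": "10.103.1.75", "dst": "10.50.50.50", "sport": 40000, "dport": 445}
```

With the original two lines, `inbound_check` returns False because the decrypted packet matches no entry and hits the implicit deny; with the third line it returns True.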