Решил все сбросить и переделать
Все работает до подключения Easy VPN: как только VPN подключается, вторая подсеть отваливается.
Подскажи, в чем может быть проблема.
Описание всего, что сделал. Вот так работает:
Код:
Building configuration...
Current configuration : 7800 bytes
!
! Last configuration change at 17:54:18 UTC Mon May 13 2013 by admin
! Global services and logging for the router (IOS 15.1).
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! Type 7 obfuscation is off, so anything configured with the `password` keyword is
! stored and displayed in clear text. The username lines are masked in this post, so
! whether they use `password` or a hashed `secret` is not visible here.
no service password-encryption
!
hostname cisco-2811
!
boot-start-marker
boot-end-marker
!
!
! Local log buffer of 51200 bytes, severity warnings and above. No remote syslog
! host appears in this listing, so the buffer is the only log copy shown.
logging buffered 51200 warnings
!
! AAA is disabled: authentication relies on the local user database through
! `login local` on the console and VTY lines.
no aaa new-model
!
!
dot11 syslog
! IP source routing is enabled. Hardening baselines normally turn it off with
! `no ip source-route`, because sender-chosen paths can steer packets around filters.
ip source-route
!
!
ip cef
!
!
!
! CBAC inspection rule DEFAULT100, one entry per inspected protocol. It is attached
! outbound on FastEthernet0/1 (`ip inspect DEFAULT100 out`).
! NOTE(review): inspection only opens return paths through an inbound ACL. No
! `ip access-group ... in` is shown on FastEthernet0/1, so this rule by itself does not
! block unsolicited traffic addressed to the router's outside address.
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
! Resolvers used by the router itself (first address masked by the author).
ip name-server 91.210.XXX.XXX
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
! Self-signed trustpoint generated by IOS. The listing also enables `ip http secure-server`;
! presumably this certificate backs it - confirm. Clients cannot validate the certificate
! against a CA, so its fingerprint has to be pinned or checked out of band.
crypto pki trustpoint TP-self-signed-423590207
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423590207
! Nothing to check revocation against for a self-signed certificate.
revocation-check none
rsakeypair TP-self-signed-423590207
!
!
! DER body of the certificate as hex. Decoding the fields visible below gives:
! signature algorithm sha1WithRSAEncryption (OID bytes 2A864886 F70D0101 05), a 1024-bit
! RSA modulus (02818100 ...) with exponent 65537, and validity 130512165449Z to
! 200101000000Z. Both the key size and SHA-1 are below current baselines; regenerating
! the key pair with a larger modulus is the usual remedy.
crypto pki certificate chain TP-self-signed-423590207
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323335 39303230 37301E17 0D313330 35313231 36353434
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3432 33353930
32303730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B3EE357F FB510CF1 1D7FF3F1 FE067DE7 A6704F9A A397C406 E464AD9F 397DD629
3649C003 90071657 9675F37F DEADC8DA 8BA53F6F 457CD4DC 64AFF8C3 C61A8B68
7A210659 EE9BFC21 855F3C08 A254EF9C F6245D24 16BD0C5D FE7AF2F9 38FCDE2C
BACE933B 045E883B 9B75B03F 6723E5BB C30392ED F9E9F68E 813427B4 A483CCAF
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014FA 2A546D2E 452ED49D 74F086E0 54368FF6 D01D2330 1D060355
1D0E0416 0414FA2A 546D2E45 2ED49D74 F086E054 368FF6D0 1D23300D 06092A86
4886F70D 01010505 00038181 000F149F 9ED9ACAB A6985552 12E4190A 468C11B9
F9B2303A 81F9EBAA 90FFF413 812D45CF 6BE042BB 87738D12 0A4B1FC1 911759E3
8169D7DF DEE3695C 5822005B F848629E E900892C 7CCF2392 A769C860 B1B03990
F03FF26B 78CEE11C 500837A7 17F34643 2F9BB9E2 E6222658 EB5575A9 1DAC6F11
6F27D735 39E361E4 DB79BA88 81
quit
!
!
license udi pid CISCO2811 sn FCZ122172S7
username ******
username *****
username ****
!
redundancy
!
!
!
!
!
!
!
!
!
! Inside (LAN) interface. It carries two subnets on one segment: 10.3.14.0/24 as the
! primary address and 192.168.139.0/24 as a secondary address.
! NOTE(review): both subnets share this one interface and ACL 100 ends with
! `permit ip any any`, so nothing in this listing stops 192.168.139.0/24 hosts from
! reaching 10.3.14.0/24. If the second subnet is meant for Internet-only users, it
! needs its own interface or VLAN subinterface with an inbound ACL denying the LAN.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 192.168.139.1 255.255.255.0 secondary
ip address 10.3.14.1 255.255.255.0
! Inbound filter on LAN traffic; its management rules name only host 10.3.14.1.
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
! Outside (Internet) interface; address masked by the author.
! No inbound `ip access-group` is configured here, only outbound CBAC inspection, so
! traffic addressed to the router itself from the Internet is limited only by the
! per-service controls (VTY access-class, HTTP access-class).
interface FastEthernet0/1
description $ETH-LAN$
ip address 91.210.XXX.XXX 255.255.255.252
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
! Web management: plain HTTP and HTTPS are both enabled, authenticated against local users.
! Plain HTTP sends those credentials unencrypted; `no ip http server` leaves HTTPS only.
ip http server
! NOTE(review): ACL 1 is referenced here but not defined anywhere in this listing
! (the standard ACL that is defined is 23). A referenced-but-undefined access list
! generally filters nothing - confirm with `show access-lists`, and point this at the
! intended list so the web UI is not reachable from every interface.
ip http access-class 1
ip http authentication local
ip http secure-server
! Sessions idle out after 60 s but may live up to 86400 s (24 h).
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! PAT (overload) of inside sources matched by `nat-inet` onto the FastEthernet0/1 address.
ip nat inside source list nat-inet interface FastEthernet0/1 overload
! Default route to the provider gateway (masked).
ip route 0.0.0.0 0.0.0.0 91.210.XXX.XXX
!
! Sources eligible for NAT: both subnets configured on FastEthernet0/0.
ip access-list extended nat-inet
permit ip 192.168.139.0 0.0.0.255 any
permit ip 10.3.14.0 0.0.0.255 any
!
! ACL 23: standard list of two admin hosts. Nothing in this listing references it
! (HTTP uses access-class 1, the VTY lines use 101 and 102).
access-list 23 permit 10.3.14.8
access-list 23 remark SDM_ACL Category=16
access-list 23 permit 10.3.14.31
! ACL 100: applied inbound on FastEthernet0/0. Permits SSH (22), HTTP (www), HTTPS (443)
! and rsh (cmd, TCP 514) to 10.3.14.1 from two admin hosts and 10.10.10.0/29, then denies
! those services plus telnet and SNMP to 10.3.14.1 for everyone else.
! NOTE(review): every management rule names only host 10.3.14.1. The router also owns
! 192.168.139.1 and the outside address; connections to those addresses fall through to
! the final `permit ip any any` and are not restricted by this list.
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq 22
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq 22
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq www
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq www
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq 443
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq 443
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq cmd
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq cmd
! Telnet to 10.3.14.1 has no matching permit above, so it is denied for all LAN sources.
access-list 100 deny tcp any host 10.3.14.1 eq telnet
access-list 100 deny tcp any host 10.3.14.1 eq 22
access-list 100 deny tcp any host 10.3.14.1 eq www
access-list 100 deny tcp any host 10.3.14.1 eq 443
access-list 100 deny tcp any host 10.3.14.1 eq cmd
access-list 100 deny udp any host 10.3.14.1 eq snmp
! Everything else entering the LAN interface is allowed, including traffic between the
! two subnets on FastEthernet0/0.
access-list 100 permit ip any any
! ACL 101 / 102: source filters used as `access-class` on VTY 0-4 and VTY 5-15.
access-list 101 permit ip host 10.3.14.31 any
access-list 101 permit ip host 10.3.14.8 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 102 permit ip host 10.3.14.31 any
access-list 102 permit ip host 10.3.14.8 any
!
!
!
!
!
control-plane
!
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CCC
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
!
! Terminal lines. Console and VTY logins use the local user database.
line con 0
login local
! No settings are shown for the auxiliary port.
line aux 0
! VTY 0-4: sources limited by ACL 101 (two admin hosts and 10.10.10.0/29).
line vty 0 4
access-class 101 in
! Every successful login lands directly in privileged EXEC (level 15).
privilege level 15
login local
! Telnet is accepted alongside SSH and carries credentials in clear text;
! `transport input ssh` restricts the lines to SSH.
transport input telnet ssh
! VTY 5-15: sources limited by ACL 102 (the two admin hosts only).
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Но стоит добавить Easy VPN, как пинги из дополнительной подсети (192.168.139.0/24) пропадают, но в основной (10.3.14.0/24) все работает.
Код:
Building configuration...
Current configuration : 7903 bytes
!
! Last configuration change at 17:54:18 UTC Mon May 13 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco-2811
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip name-server 91.210.XXX.XXX
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-423590207
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423590207
revocation-check none
rsakeypair TP-self-signed-423590207
!
!
crypto pki certificate chain TP-self-signed-423590207
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323335 39303230 37301E17 0D313330 35313231 36353434
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3432 33353930
32303730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B3EE357F FB510CF1 1D7FF3F1 FE067DE7 A6704F9A A397C406 E464AD9F 397DD629
3649C003 90071657 9675F37F DEADC8DA 8BA53F6F 457CD4DC 64AFF8C3 C61A8B68
7A210659 EE9BFC21 855F3C08 A254EF9C F6245D24 16BD0C5D FE7AF2F9 38FCDE2C
BACE933B 045E883B 9B75B03F 6723E5BB C30392ED F9E9F68E 813427B4 A483CCAF
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014FA 2A546D2E 452ED49D 74F086E0 54368FF6 D01D2330 1D060355
1D0E0416 0414FA2A 546D2E45 2ED49D74 F086E054 368FF6D0 1D23300D 06092A86
4886F70D 01010505 00038181 000F149F 9ED9ACAB A6985552 12E4190A 468C11B9
F9B2303A 81F9EBAA 90FFF413 812D45CF 6BE042BB 87738D12 0A4B1FC1 911759E3
8169D7DF DEE3695C 5822005B F848629E E900892C 7CCF2392 A769C860 B1B03990
F03FF26B 78CEE11C 500837A7 17F34643 2F9BB9E2 E6222658 EB5575A9 1DAC6F11
6F27D735 39E361E4 DB79BA88 81
quit
!
!
license udi pid CISCO2811 sn FCZ122172S7
username ******
username *****
username ****
!
redundancy
!
!
!
!
!
!
!
!
! Easy VPN Remote (client) profile; this is the only block added relative to the
! working configuration, together with its two interface bindings.
! NOTE(review): the symptom affects only the secondary subnet 192.168.139.0/24 on the
! inside interface. Whether Easy VPN Remote includes a secondary address in the networks
! it protects is not visible here; with the tunnel up, compare `show crypto ipsec client ezvpn`
! and `show crypto ipsec sa`. If the head-end pushes no split-tunnel list, all inside
! traffic is sent into the tunnel instead of to the Internet NAT.
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
! Tunnel is brought up automatically, without an operator action.
connect auto
! Group pre-shared key stored in type 6 (encrypted) form; value masked by the author.
group *** key 6 *****
! Network extension plus: the inside network is presented to the head-end un-NATed.
mode network-plus
! Two head-end peers (masked).
peer 89.XXX.XXX.34
peer 89.XXX.XXX.35
! XAUTH credentials are saved on the router (`mode local`), so anyone who can read or
! copy this configuration also holds the VPN login; restrict config access accordingly.
username **** password 6 *****
xauth userid mode local
!
!
!
!
!
!
! Inside (LAN) interface with primary 10.3.14.0/24 and secondary 192.168.139.0/24.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 192.168.139.1 255.255.255.0 secondary
ip address 10.3.14.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
! Marks the whole interface, and so both subnets on it, as the Easy VPN inside network.
! NOTE(review): a subnet meant for Internet-only users should not sit behind an interface
! bound as `inside`; a separate interface or subinterface without this binding keeps it
! out of the tunnel and lets an ACL separate it from 10.3.14.0/24.
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
! Outside (Internet) interface; still no inbound `ip access-group` in this listing.
interface FastEthernet0/1
description $ETH-LAN$
ip address 91.210.XXX.XXX 255.255.255.252
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
! Outside binding of the Easy VPN profile; removing this line is what the author uses
! to drop the tunnel.
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! Static PAT rule, unchanged from the working configuration: both inside subnets are
! translated to the FastEthernet0/1 address.
! NOTE(review): presumably Easy VPN Remote changes how inside traffic is handled once
! the tunnel is up - confirm. `show ip nat translations` for 192.168.139.x sources with
! the tunnel connected shows whether this rule is still being applied to them.
ip nat inside source list nat-inet interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 91.210.XXX.XXX
!
ip access-list extended nat-inet
permit ip 192.168.139.0 0.0.0.255 any
permit ip 10.3.14.0 0.0.0.255 any
!
! ACL 23: standard list of two admin hosts; not referenced elsewhere in this listing.
access-list 23 permit 10.3.14.8
access-list 23 remark SDM_ACL Category=16
access-list 23 permit 10.3.14.31
! ACL 100: inbound on FastEthernet0/0. Management services on 10.3.14.1 are permitted
! for two admin hosts and 10.10.10.0/29 and denied for everyone else.
! NOTE(review): 10.10.10.0/29 is not a subnet configured on this router; presumably a
! remote management range - confirm. As an inbound LAN ACL this list only sees packets
! arriving on FastEthernet0/0.
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq 22
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq 22
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq www
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq www
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq 443
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq 443
access-list 100 permit tcp host 10.3.14.31 host 10.3.14.1 eq cmd
access-list 100 permit tcp host 10.3.14.8 host 10.3.14.1 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.7 host 10.3.14.1 eq cmd
access-list 100 deny tcp any host 10.3.14.1 eq telnet
access-list 100 deny tcp any host 10.3.14.1 eq 22
access-list 100 deny tcp any host 10.3.14.1 eq www
access-list 100 deny tcp any host 10.3.14.1 eq 443
access-list 100 deny tcp any host 10.3.14.1 eq cmd
access-list 100 deny udp any host 10.3.14.1 eq snmp
! The final permit lets 192.168.139.0/24 reach 10.3.14.0/24 and, with the tunnel up,
! whatever the VPN makes reachable. An Internet-only subnet needs explicit denies for
! internal destinations ahead of this line.
access-list 100 permit ip any any
! ACL 101 / 102: VTY source filters (lines 0-4 and 5-15).
access-list 101 permit ip host 10.3.14.31 any
access-list 101 permit ip host 10.3.14.8 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 102 permit ip host 10.3.14.31 any
access-list 102 permit ip host 10.3.14.8 any
!
!
!
!
!
control-plane
!
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CCC
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Отключаю VPN:
просто удаляю привязку к выходному интерфейсу.
Код:
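! Detach the Easy VPN profile from the outside interface; this tears the tunnel down.
conf t
! Interface configuration mode has to be entered with the `interface` keyword.
interface FastEthernet0/1
! The negation keyword is `no` (the post had `non`).
no crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1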
VPN отваливается, вторая подсеть начинает работать.
Вставляю эту строку обратно — VPN поднимается, вторая подсеть отпадает от интернета.
Никогда не думал, что столько времени заберет задача "Организовать некоторым людям доступ в Интернет, но без доступа к нашей локалке".