не получается правильно настроить VPN

@barmalei · Регистрация: 29.07.2011

Author24 — интернет-сервис помощи студентам

Доброе утро!
Ребят у меня есть мост впн п2п оборудование cisco 876 и cisco 887. Со стороны 876 айпи статический, а с 887 динамический. Вроде бы все нормально работает с обеих сторон вижу локальные сети и подключаюсь к серверу, только есть не большая пробрела с достуром в DVR через вебброузер. Пигую вроде все ок а страница не открывается.. фаейвол вроде бы отключен.. посмотрите пожалуйста что не так я настроил.. а то уже замучался

спасибо

cisco 876

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Aheloou
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $XXXXXXXXXX
!
no aaa new-model
clock timezone ATHENS 2
clock summer-time ATHENS recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint TP-self-signed-10461806
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-10461806
revocation-check none
rsakeypair TP-self-signed-10461806
!
!
crypto pki certificate chain TP-self-signed-10461806
certificate self-signed 01
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 195.170.2.1
ip name-server 195.170.0.2
no ipv6 cef
ntp logging
ntp master
ntp server 155.207.1.8
!
multilink bundle-name authenticated
!
!
!
username XXXXXXX privilege 15 secret 5 XXXXXXXX
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address 83.235.XX.XX
crypto isakmp key XXXXXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 102
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to83.235.XX.XX
set peer 83.235.XX.XX
set transform-set ESP-3DES-SHA1
match address 103
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 100
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface Vlan1
no ip address
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan100
ip address 192.168.2.1 255.255.255.0
ip access-group ETHERNET_IN in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXX@XXX.XX password 7 XXXXXXXX
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.2.9 192.168.2.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 192.168.2.100 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.2.100 9000 interface Dialer0 9000
ip nat inside source static tcp 192.168.2.100 9001 interface Dialer0 9001
ip nat inside source static tcp 192.168.2.127 2020 interface Dialer0 8088
ip nat inside source static tcp 192.168.2.100 8888 interface Dialer0 8888
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended ETHERNET_IN
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark What to proccess for NAT
access-list 100 remark CCP_ACL Category=16
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 101 remark What to proccess for IPSec
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 199 remark What to process for Telnet
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 deny ip any any
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
transport input all
transport output all
!
scheduler max-task-time 5000
end

cisco 887

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Myrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 XXXXXXXX
!
no aaa new-model
memory-size iomem 10
clock timezone ATHENS 2
clock summer-time ATHENS recurring last Sun Mar 3:00 last Sun Oct 4:00
!
crypto pki trustpoint TP-self-signed-1294242805
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1294242805
revocation-check none
rsakeypair TP-self-signed-1294242805
!
!
crypto pki certificate chain TP-self-signed-1294242805
certificate self-signed 01
quit
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.1.61 192.168.1.254
!
ip dhcp pool ccp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 195.170.0.1 195.170.2.2
!
!
ip cef
ip domain name mydomain.com
ip name-server 195.170.0.1
ip name-server 195.170.2.2
no ipv6 cef
!
!
!
!
username XXXXXXX privilege 15 secret 5 XXXXXXXXXX
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXX address 79.129.XX.XX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to79.129.XX.XX
set peer 79.129.XX.XX
set transform-set ESP-3DES-SHA1
match address 102
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXX@XXX.XX password 0 XXXXXX
no cdp enable
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CAuthorized Access Only!^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 155.207.1.8 prefer source Dialer0
end

@barmalei 3 / 3 / 0 Регистрация: 29.07.2011 Сообщений: 13
		1
	не получается правильно настроить VPN 08.10.2011, 07:32. Показов 1845. Ответов 0 Метки нет (Все метки) Доброе утро! Ребят у меня есть мост впн п2п оборудование cisco 876 и cisco 887. Со стороны 876 айпи статический, а с 887 динамический. Вроде бы все нормально работает с обеих сторон вижу локальные сети и подключаюсь к серверу, только есть не большая пробрела с достуром в DVR через вебброузер. Пигую вроде все ок а страница не открывается.. фаейвол вроде бы отключен.. посмотрите пожалуйста что не так я настроил.. а то уже замучался спасибо cisco 876 version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname Aheloou ! boot-start-marker boot-end-marker ! logging message-counter syslog no logging buffered enable secret 5 $XXXXXXXXXX ! no aaa new-model clock timezone ATHENS 2 clock summer-time ATHENS recurring last Sun Mar 3:00 last Sun Oct 4:00 ! crypto pki trustpoint TP-self-signed-10461806 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-10461806 revocation-check none rsakeypair TP-self-signed-10461806 ! ! crypto pki certificate chain TP-self-signed-10461806 certificate self-signed 01 quit dot11 syslog ip source-route ! ! ! ! ip cef ip name-server 195.170.2.1 ip name-server 195.170.0.2 no ipv6 cef ntp logging ntp master ntp server 155.207.1.8 ! multilink bundle-name authenticated ! ! ! username XXXXXXX privilege 15 secret 5 XXXXXXXX ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key XXXXXXXXX address 83.235.XX.XX crypto isakmp key XXXXXXXX address 0.0.0.0 0.0.0.0 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac ! crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA match address 102 ! ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to83.235.XX.XX set peer 83.235.XX.XX set transform-set ESP-3DES-SHA1 match address 103 crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! archive log config hidekeys ! ! ip tcp synwait-time 10 ! ! ! interface BRI0 no ip address encapsulation hdlc shutdown ! interface ATM0 no ip address no atm ilmi-keepalive ! interface ATM0.1 point-to-point pvc 8/35 pppoe-client dial-pool-number 1 ! ! interface FastEthernet0 switchport access vlan 100 spanning-tree portfast ! interface FastEthernet1 spanning-tree portfast ! interface FastEthernet2 spanning-tree portfast ! interface FastEthernet3 spanning-tree portfast ! interface Vlan1 no ip address no ip redirects no ip proxy-arp ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 ! interface Vlan100 ip address 192.168.2.1 255.255.255.0 ip access-group ETHERNET_IN in ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 ! interface Dialer0 mtu 1492 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication pap callin ppp pap sent-username XXX@XXX.XX password 7 XXXXXXXX crypto map SDM_CMAP_1 ! ip local pool SDM_POOL_1 192.168.2.9 192.168.2.20 ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 Dialer0 ip http server ip http authentication local ip http secure-server ! ! ip nat inside source static tcp 192.168.2.100 8080 interface Dialer0 8080 ip nat inside source static tcp 192.168.2.100 9000 interface Dialer0 9000 ip nat inside source static tcp 192.168.2.100 9001 interface Dialer0 9001 ip nat inside source static tcp 192.168.2.127 2020 interface Dialer0 8088 ip nat inside source static tcp 192.168.2.100 8888 interface Dialer0 8888 ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload ! ip access-list extended ETHERNET_IN deny ip host 255.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any permit ip any any ! access-list 1 permit 192.168.2.0 0.0.0.255 access-list 100 remark What to proccess for NAT access-list 100 remark CCP_ACL Category=16 access-list 100 remark IPSec Rule access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 100 permit ip 192.168.2.0 0.0.0.255 any access-list 100 deny ip any any log access-list 101 remark What to proccess for IPSec access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 102 remark CCP_ACL Category=4 access-list 102 remark IPSec Rule access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 103 remark CCP_ACL Category=4 access-list 103 remark IPSec Rule access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 199 remark What to process for Telnet access-list 199 permit ip 192.168.2.0 0.0.0.255 any access-list 199 deny ip any any dialer-list 1 protocol ip permit ! ! ! ! route-map SDM_RMAP_1 permit 1 match ip address 100 ! ! control-plane ! ! line con 0 login local no modem enable line aux 0 line vty 0 4 login local transport input all transport output all ! scheduler max-task-time 5000 end cisco 887 version 15.0 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Myrouter ! boot-start-marker boot-end-marker ! logging buffered 51200 enable secret 5 XXXXXXXX ! no aaa new-model memory-size iomem 10 clock timezone ATHENS 2 clock summer-time ATHENS recurring last Sun Mar 3:00 last Sun Oct 4:00 ! crypto pki trustpoint TP-self-signed-1294242805 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1294242805 revocation-check none rsakeypair TP-self-signed-1294242805 ! ! crypto pki certificate chain TP-self-signed-1294242805 certificate self-signed 01 quit ip source-route ! ! ip dhcp excluded-address 192.168.1.1 192.168.1.50 ip dhcp excluded-address 192.168.1.61 192.168.1.254 ! ip dhcp pool ccp-pool import all network 192.168.1.0 255.255.255.0 default-router 192.168.1.254 dns-server 195.170.0.1 195.170.2.2 ! ! ip cef ip domain name mydomain.com ip name-server 195.170.0.1 ip name-server 195.170.2.2 no ipv6 cef ! ! ! ! username XXXXXXX privilege 15 secret 5 XXXXXXXXXX ! ! ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key XXXXXXXX address 79.129.XX.XX ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to79.129.XX.XX set peer 79.129.XX.XX set transform-set ESP-3DES-SHA1 match address 102 ! ! ! ! ! interface BRI0 no ip address encapsulation hdlc shutdown isdn termination multidrop ! interface ATM0 no ip address no atm ilmi-keepalive ! interface ATM0.1 point-to-point pvc 8/35 encapsulation aal5mux ppp dialer dialer pool-member 1 ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface wlan-ap0 description Service module interface to manage the embedded AP ip unnumbered Vlan1 arp timeout 0 ! interface Wlan-GigabitEthernet0 description Internal switch interface connecting to the embedded AP ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ ip address 192.168.1.254 255.255.255.0 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 ! interface Dialer0 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication pap callin ppp pap sent-username XXX@XXX.XX password 0 XXXXXX no cdp enable crypto map SDM_CMAP_1 ! ip forward-protocol nd ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload ip route 0.0.0.0 0.0.0.0 Dialer0 ! logging trap debugging access-list 1 remark INSIDE_IF=Vlan1 access-list 1 remark CCP_ACL Category=2 access-list 1 permit 192.168.1.0 0.0.0.255 access-list 23 remark CCP_ACL Category=16 access-list 23 permit 192.168.1.0 0.0.0.255 access-list 100 remark CCP_ACL Category=4 access-list 100 remark IPSec Rule access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 101 remark CCP_ACL Category=2 access-list 101 remark IPSec Rule access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 101 permit ip 192.168.1.0 0.0.0.255 any access-list 102 remark CCP_ACL Category=4 access-list 102 remark IPSec Rule access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dialer-list 1 protocol ip permit no cdp run ! ! ! ! route-map SDM_RMAP_1 permit 1 match ip address 101 ! ! control-plane ! banner login ^CAuthorized Access Only!^C ! line con 0 login local no modem enable line aux 0 line 2 no activation-character no exec transport preferred none transport input all line vty 0 4 privilege level 15 login local transport input telnet ssh transport output telnet ssh ! scheduler max-task-time 5000 ntp update-calendar ntp server 155.207.1.8 prefer source Dialer0 end 0

	08.10.2011, 07:32

Опции темы