Cisco VPN through NAT

LakY

Cisco VPN through NAT
« on: 06. 04. 2011, 11:47:16 »
Hi,

I have a question about the correct VPN setup. Could someone take a look at my configuration and tell me what I have wrong...
The problem is that when I log in to the VPN and get an IP from the range 192.168.5.11 - 20,
I should presumably belong to the VLAN 192.168.5.0 and therefore be able to reach the server 192.168.5.2, but I only get as far as the router 192.168.5.1.
Actually, I found out that if I try to reach the server (..5.2) over ssh, for example, the traffic towards the server gets through, but on the way back it gets lost somewhere.
If I try the VPN directly without NAT (which is on the ADSL modem), everything works as it should. But if the tunnel goes through the modem (NAT), I get into the VPN, but not to the server.

simplified diagram

INTERNET ---- | ADSL modem | 10.0.0.1 ------------ 10.0.0.250 | Cisco ROUTER | 192.168.5.1 ---------- 192.168.5.2 | server |

On the ADSL modem the following ports are forwarded to 10.0.0.250
80,443,10111 (application)
500,4500,10000 (VPN)

On the Cisco router
application NAT with forwarding to IP 10.0.5.5 (this works, no problem there)

Thanks in advance for any advice and comments

Code:

!
! Last configuration change at 11:43:54 CET Thu Mar 10 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname routerSW1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
aaa session-id common
!
!
clock timezone CET 1
!
!
ip source-route
!
!
ip cef
ip name-server 10.0.0.1
ip name-server 10.0.0.1
no ipv6 cef
!
!
spanning-tree portfast bpduguard
username admin privilege 15 secret 5 $1$DFVSD!SDV0!RVWR:Dvc$YOPA/
crypto ctcp port 10000
!
!
ip ssh time-out 60
ip ssh version 2
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key heslo
dns 10.0.0.1
domain domena.cz
pool IP_RANGE_1
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-AES-SHA
reverse-route
!
!
crypto map VPN_servis client authentication list default
crypto map VPN_servis isakmp authorization list default
crypto map VPN_servis client configuration address respond
crypto map VPN_servis 1 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0
switchport access vlan 3
!
!
interface FastEthernet1
switchport access vlan 3
!
!
interface FastEthernet2
switchport access vlan 4
!
!
interface FastEthernet3
switchport access vlan 8
!
!
interface FastEthernet4
switchport access vlan 4
!
!
interface FastEthernet5
switchport access vlan 4
!
!
interface FastEthernet6
switchport access vlan 4
!
!
interface FastEthernet7
switchport access vlan 4
!
!
interface FastEthernet8
description $ETH-LAN$
ip address 10.0.0.250 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_servis
!
!
interface GigabitEthernet0
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
no ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
interface Vlan3
ip address 10.0.5.1 255.255.255.0
ip access-group vlan10in in
ip nat inside
ip virtual-reassembly
!
!
interface Vlan4
ip address 172.22.22.1 255.255.255.0
!
!
interface Vlan8
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip local pool IP_RANGE_1 192.168.5.11 192.168.5.20
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 10 interface FastEthernet8 overload
ip nat inside source static tcp 10.0.5.5 80 interface FastEthernet8 80
ip nat inside source static tcp 10.0.5.5 10444 interface FastEthernet8 10111
ip nat inside source static tcp 10.0.5.5 443 interface FastEthernet8 443
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
ip access-list extended vlan10in
permit icmp any any echo
permit icmp any any echo-reply
permit udp 10.0.5.0 0.0.0.255 any eq domain
permit tcp 10.0.5.0 0.0.0.255 eq 443 any
permit tcp 10.0.5.0 0.0.0.255 any eq 443
permit tcp 10.0.5.0 0.0.0.255 eq www any
permit tcp 10.0.5.0 0.0.0.255 any eq www
permit tcp 10.0.5.0 0.0.0.255 eq 10111 any
permit tcp 10.0.5.0 0.0.0.255 any eq 10111
permit tcp 10.0.5.0 0.0.0.255 any eq smtp
!
access-list 10 permit 10.0.5.0 0.0.0.255
access-list 120 permit ip 192.168.5.0 0.0.0.255 any
access-list 120 permit ip 172.22.22.0 0.0.0.255 any
access-list 120 permit ip 172.25.0.0 0.0.255.255 any
no cdp run

!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 120 in
transport input ssh
line vty 5 15
access-class 120 in
transport input ssh
!
scheduler max-task-time 5000
end
« Last edit: 06. 04. 2011, 11:57:27 by Petr Krčmář »
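Added example, not code from the poster or from Cisco: a small Python script that reads the addressing, NAT and address-pool lines of an IOS running-config like the one above and reports, for each `ip local pool`, which interface subnets contain the pool, which of those interfaces are `ip nat inside`, and whether the pool addresses would be matched by the standard ACL named in `ip nat inside source list ... overload`. The excerpt embedded in it is copied from the posted config (only the lines the checks need); the parser handles only the command forms that appear there (`ip address`, `ip nat inside|outside`, `ip local pool`, standard numbered ACLs with `any`, `host` or `address wildcard`). It collects facts from the config, it does not diagnose the fault.

```python
import ipaddress
import re

# Constructed excerpt: the addressing, NAT and pool lines copied from the
# running-config posted in the thread (interface sub-commands are unindented,
# exactly as they appear in the post).
CONFIG = """\
interface FastEthernet8
ip address 10.0.0.250 255.255.255.0
ip nat outside
crypto map VPN_servis
!
interface Vlan3
ip address 10.0.5.1 255.255.255.0
ip nat inside
!
interface Vlan4
ip address 172.22.22.1 255.255.255.0
!
interface Vlan8
ip address 192.168.5.1 255.255.255.0
ip nat inside
!
ip local pool IP_RANGE_1 192.168.5.11 192.168.5.20
ip nat inside source list 10 interface FastEthernet8 overload
access-list 10 permit 10.0.5.0 0.0.0.255
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    IOS wildcard masks are inverted netmasks (0 bits must match),
    so the netmask is the bitwise complement of the wildcard.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_interfaces(config: str) -> dict:
    """Map interface name -> {'network': IPv4Network or None, 'nat': str or None}.

    A block starts at 'interface X' and ends at the next '!' line, so the
    parser does not rely on indentation (the posted config has none).
    """
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"network": None, "nat": None}
        elif line == "!":
            current = None
        elif current is None:
            continue
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            ifaces[current]["network"] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        elif line in ("ip nat inside", "ip nat outside"):
            ifaces[current]["nat"] = line.split()[-1]
    return ifaces


def parse_pools(config: str) -> dict:
    """Map 'ip local pool' name -> (first address, last address)."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                            ipaddress.IPv4Address(m.group(3)))
    return pools


def parse_nat_source_acl(config: str):
    """Return the ACL id used by 'ip nat inside source list ...', or None."""
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    return m.group(1) if m else None


def parse_standard_acl(config: str, acl_id: str) -> list:
    """Collect the networks permitted by a standard numbered ACL."""
    nets = []
    pat = re.compile(rf"^access-list {re.escape(acl_id)} permit (\S+)(?: (\S+))?", re.M)
    for m in pat.finditer(config):
        first, second = m.group(1), m.group(2)
        if first == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif first == "host":
            nets.append(ipaddress.IPv4Network(f"{second}/32"))
        else:
            nets.append(wildcard_to_network(first, second or "0.0.0.0"))
    return nets


def analyse(config: str) -> dict:
    """Per VPN pool: containing interface subnets, which are NAT-inside,
    and whether the overload NAT ACL would match the pool addresses."""
    ifaces = parse_interfaces(config)
    nat_nets = parse_standard_acl(config, parse_nat_source_acl(config) or "")
    report = {}
    for name, (lo, hi) in parse_pools(config).items():
        on_iface = [n for n, i in ifaces.items()
                    if i["network"] and lo in i["network"] and hi in i["network"]]
        report[name] = {
            "pool": f"{lo}-{hi}",
            "overlapping_interfaces": on_iface,
            "nat_inside_interfaces": [n for n in on_iface if ifaces[n]["nat"] == "inside"],
            "in_nat_acl": any(lo in n and hi in n for n in nat_nets),
        }
    return report


if __name__ == "__main__":
    for name, result in analyse(CONFIG).items():
        print(name, result)
```

Run against the excerpt, it reports that IP_RANGE_1 (192.168.5.11-20) lies inside the 192.168.5.0/24 subnet of Vlan8, that Vlan8 is an `ip nat inside` interface, and that access-list 10 (which permits only 10.0.5.0/24) does not cover the pool addresses. Those are the addressing and NAT facts a reviewer wants in one place before answering the routing question raised in the reply that follows.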


smoofy

Re: Cisco VPN through NAT
« Reply #1 on: 14. 04. 2011, 16:33:31 »
What does the IP 10.0.5.5 belong to? Are you connecting from somewhere outside (the Internet)? How do you know it works without the ADSL modem? What about the routing tables? Do you have the networks routed correctly?