Page 1 of 1
[ 10 posts ]

halt
Registered: 09 Mar 2018, 16:19   Posts: 47
Good day. Gurus, tell me what's wrong? I know this will probably be solved with a route-map, but I'm curious why my scheme doesn't work. General description: Internet from Beeline, NAT to the external network. PPTP client into the 10.0.1.0 network. From the router the 10.x network pings; from Vlan 1 clients it doesn't. Task: make the 10.0.1.0 network reachable from Vlan 1 clients. Cisco 891, Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2). I started a ping into the 10.x network from clients 192.168.1.x and noticed that the packets don't land in access list Komarov. Instead, the deny counter in OutInternet "30 deny ip any any" grows.

show ip access-lists
Code:
Extended IP access list Komarov
    10 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255 (420 matches)
Extended IP access list OutInternet
    10 deny ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 any (3656 matches)
    30 deny ip any any (8279 matches)
show ip nat translations
Code:
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.0.1.209:1      192.168.1.19:1     10.0.1.1:1         10.0.1.1:1
show ip interface brief
Code:
Interface                  IP-Address      OK? Method Status                Protocol
Async1                     unassigned      YES unset  down                  down
Dialer0                    10.0.1.209      YES IPCP   up                    up
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  up                    up
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES unset  down                  down
FastEthernet5              unassigned      YES unset  down                  down
FastEthernet6              unassigned      YES unset  up                    up
FastEthernet7              unassigned      YES unset  up                    up
FastEthernet8              unassigned      YES NVRAM  administratively down down
GigabitEthernet0           unassigned      YES NVRAM  administratively down down
NVI0                       unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-PPP1               95.33.120.85    YES IPCP   up                    up
Vlan1                      192.168.1.1     YES NVRAM  up                    up
Vlan10                     10.64.31.12     YES DHCP   up                    up
Code:
service internal
!
hostname halt
!
boot-start-marker
boot-end-marker
!
enable secret password
!
no aaa new-model
!
ip cef
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool MYDHCP
 network 192.168.1.0 255.255.255.0
 dns-server 85.21.192.3
 default-router 192.168.1.1
!
ip domain name beeline.ru
ip name-server 213.234.192.8
ip name-server 85.21.192.3
ip multicast-routing
ip inspect WAAS flush-timeout 10
ip ddns update method DynDNS
 HTTP
  add http://email@email.ru:password@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 2 0
!
no ipv6 cef
l2tp-class beeline-l2tp-class
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip 11.11.11.11   (replaced)
!
redundancy
 notification-timer 60000
!
pseudowire-class beeline-pseudowire-class
 encapsulation l2tpv2
 protocol l2tpv2 beeline-l2tp-class
 ip local interface Vlan10
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 description TV
 switchport access vlan 10
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 description Wi-Fi
 no ip address
!
interface FastEthernet7
 description WAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip ddns update hostname hostname.ddns.net
 ip ddns update DynDNS
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 ntp disable
 ppp chap hostname user
 ppp chap password 0 password
 no cdp enable
 pseudowire 78.107.38.7 10 pw-class beeline-pseudowire-class
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan10
 ip address dhcp
 ip pim dense-mode
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer0
 mtu 1450
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 123
 dialer vpdn
 dialer-group 1
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname user
 ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list Komarov interface Dialer0 overload
ip nat inside source list OutInternet interface Virtual-PPP1 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 10.0.1.0 255.255.255.0 Dialer0
ip route 78.107.38.7 255.255.255.255 dhcp
!
ip access-list extended Komarov
 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended OutInternet
 deny   ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
!
dialer-list 1 protocol ip permit
!
control-plane
!
mgcp profile default
!
line con 0
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end

09 Mar 2018, 16:32

crash
Registered: 10 Oct 2012, 09:51   Posts: 2679
Should there be an address from the 10.0.1.0 network on your router?

09 Mar 2018, 18:28

halt
Registered: 09 Mar 2018, 16:19   Posts: 47
Yes, there is one.
Code:
Dialer0 is up (spoofing), line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 10.0.1.209/32
  MTU 1450 bytes, BW 56 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 04:50:39
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     350 packets input, 36702 bytes
     1951 packets output, 89956 bytes

09 Mar 2018, 19:05

crash
Registered: 10 Oct 2012, 09:51   Posts: 2679
And which interface is physically connected to the provider? Isn't an address assigned on it?

10 Mar 2018, 04:04

halt
Registered: 09 Mar 2018, 16:19   Posts: 47
Physically the network is connected to Fe 7; on Gi 0 I couldn't get Beeline's multicast configured, so for now I did it this way.
Code:
interface FastEthernet7
 description WAN
 switchport access vlan 10
 no ip address

Code:
interface Vlan10
 ip address dhcp
 ip pim dense-mode

On int vlan 10 an address is assigned:
Code:
Vlan10                     10.64.32.12     YES DHCP   up                    up

Then I bring up interface Virtual-PPP1, config above.
Code:
Virtual-PPP1               91.32.120.255   YES IPCP   up                    up

11 Mar 2018, 07:33

halt
Registered: 09 Mar 2018, 16:19   Posts: 47
I'm back to this topic again; I updated the IOS, it didn't help.

18 Oct 2019, 08:35

Silent_D
Registered: 07 Sep 2014, 02:54   Posts: 548   From: Msk
halt wrote:
    I'm back to this topic again; I updated the IOS, it didn't help.

That's not a bug, it's a feature.
Code:
ip nat inside source list Komarov interface Dialer0 overload
ip nat inside source list OutInternet interface Virtual-PPP1 overload

In this construct the ACL only affects the creation of the NAT translation. Once it has been created, the router starts NATting everything, looking only at the source IP. For this to work permanently, per packet, you need the route-map construct. The ACLs stay the same.

halt wrote:
    I know this will probably be solved with a route-map, ...

"You knew, you knew!!!" This used to be called Policy NAT, but nowadays nothing comprehensive comes up when you google those words. The marketing people probably renamed it to something trendier. But read these:
https://community.cisco.com/t5/routing/ ... d-p/407153
Route Map Approach: https://www.cisco.com/c/en/us/support/d ... temap.html
_________________ Knowledge is Power

24 Oct 2019, 02:51
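As an added illustration of the ACL side of this (example code, not from the thread and not Cisco's): the Komarov and OutInternet ACLs from the first post, replayed packet by packet with Cisco wildcard-mask semantics, first match wins, implicit deny at the end. The packet list is constructed: the 192.168.1.19 -> 10.0.1.1 ICMP flow from the translation table quoted above, the same flow after its source has been rewritten to the Dialer0 address 10.0.1.209, and a DNS packet from the LAN towards the provider resolver. Which line's counter increments depends only on the addresses the packet carries at the moment the ACL is consulted.

```python
"""Replay packets against Cisco extended ACLs (first match wins, implicit deny).

Added example, not from the thread. The ACL text is copied from the first post;
the packet list is constructed for illustration.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    seq: int
    action: str   # 'permit' | 'deny'
    proto: str    # 'ip' matches every protocol, otherwise exact ('icmp', 'tcp', ...)
    src: str      # 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (address + wildcard)
    dst: str
    matches: int = 0


def _take_addr(tokens: list[str], i: int) -> tuple[str, int]:
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2   # 'host X' or 'net wildcard'


def parse_acl(lines: list[str]) -> list[AclEntry]:
    """Parse lines like '10 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255'."""
    entries = []
    for line in lines:
        t = line.split()
        src, i = _take_addr(t, 3)
        dst, _ = _take_addr(t, i)
        entries.append(AclEntry(int(t[0]), t[1], t[2], src, dst))
    return entries


def addr_matches(spec: str, addr: str) -> bool:
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    fixed = 0xFFFFFFFF ^ wild            # wildcard bit 1 = don't care, so invert it
    return (int(ipaddress.IPv4Address(addr)) & fixed) == (net & fixed)


def evaluate(acl: list[AclEntry], proto: str, src: str, dst: str) -> tuple[str, int | None]:
    """First matching line decides and gets its counter bumped; no match -> implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if addr_matches(e.src, src) and addr_matches(e.dst, dst):
            e.matches += 1
            return e.action, e.seq
    return "deny", None


# ACL text as shown by 'show ip access-lists' in the first post (counters dropped).
ACLS = {
    "Komarov": ["10 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255"],
    "OutInternet": [
        "10 deny ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255",
        "20 permit ip 192.168.1.0 0.0.0.255 any",
        "30 deny ip any any",
    ],
}

# Constructed packets: (proto, src, dst).
PACKETS = [
    ("icmp", "192.168.1.19", "10.0.1.1"),    # LAN host pinging the PPTP side
    ("icmp", "10.0.1.209", "10.0.1.1"),      # same flow after source NAT to the Dialer0 address
    ("udp", "192.168.1.19", "85.21.192.3"),  # LAN host to the provider DNS resolver
]


def replay() -> dict[str, list[tuple[str, int | None]]]:
    """Evaluate every constructed packet against every ACL; (action, seq) per packet."""
    results = {}
    for name, lines in ACLS.items():
        acl = parse_acl(lines)
        results[name] = [evaluate(acl, *pkt) for pkt in PACKETS]
    return results


if __name__ == "__main__":
    for name, verdicts in replay().items():
        for pkt, (action, seq) in zip(PACKETS, verdicts):
            print(f"{name:12} {pkt[1]:>14} -> {pkt[2]:<14} {action} (line {seq or 'implicit'})")
```

The Komarov ACL only ever sees the untranslated LAN packet; the already-translated 10.0.1.209 packet falls through to the implicit deny there and to line 30 in OutInternet. Swap in your own ACL text and packet tuples to check any other pairing before touching the router.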

halt
Registered: 09 Mar 2018, 16:19   Posts: 47
Moved over to route-map. From the router, pings into the dialer 0 network work; if I ping from the home network (vlan1), no, and I don't see the icmp packets in tcpdump on the remote side. Packet dump:
Code:
########################################### From cisco ###########################################
*Nov 11 05:20:58.323: IP: s=10.0.1.211 (local), d=10.0.1.1, len 100, local feature
*Nov 11 05:20:58.327:     ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:20:58.327: FIBipv4-packet-proc: route packet from (local) src 10.0.1.211 dst 10.0.1.1
*Nov 11 05:20:58.327: FIBfwd-proc: Default:10.0.1.0/24 process level forwarding
*Nov 11 05:20:58.327: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)
*Nov 11 05:20:58.327: FIBfwd-proc: try path 0 (of 1) v4-con-Dialer0 first short ext 0(-1)
*Nov 11 05:20:58.327: FIBfwd-proc: v4-con-Dialer0 valid
*Nov 11 05:20:58.327: FIBfwd-proc: Dialer0 no nh type 2 - deag
*Nov 11 05:20:58.327: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer0 nh none deag 1 chg_if 0 via fib 0 path type connected prefix
*Nov 11 05:20:58.327: FIBfwd-proc: packet routed to Dialer0 p2p(0)
*Nov 11 05:20:58.327: FIBipv4-packet-proc: packet routing succeeded
*Nov 11 05:20:58.327: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer0 nh none uhp 1 deag 0 ttlexp 0
*Nov 11 05:20:58.327: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if Dialer0 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
*Nov 11 05:20:58.327: IP: s=10.0.1.211 (local), d=10.0.1.1 (Dialer0), len 100, sending
*Nov 11 05:20:58.327:     ICMP type=8, code=0
*Nov 11 05:20:58.327: IP: s=10.0.1.211 (local), d=10.0.1.1 (Dialer0), len 100, output feature
*Nov 11 05:20:58.327:     ICMP type=8, code=0, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:20:58.327: IP: s=10.0.1.211 (local), d=10.0.1.1 (Dialer0), len 100, output feature
*Nov 11 05:20:58.327:     ICMP type=8, code=0, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:20:58.327: IP: s=10.0.1.211 (local), d=10.0.1.1 (Dialer0), len 100, output feature
*Nov 11 05:20:58.327:     ICMP type=8, code=0, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:20:58.327: IP: s=10.0.1.211 (local), d=10.0.1.1 (Dialer0), len 100, output feature
*Nov 11 05:20:58.327:     ICMP type=8, code=0, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:20:58.327: IP: s=10.0.1.211 (local), d=10.0.1.1 (Dialer0), len 100, output feature
*Nov 11 05:20:58.327:     ICMP type=8, code=0, Dialer idle reset(102), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
################################################# from PC #################################################
*Nov 11 05:24:24.299: IP: s=192.168.1.20 (Vlan1), d=10.0.1.1, len 60, input feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Common Flow Table(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=192.168.1.20 (Vlan1), d=10.0.1.1, len 60, input feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=192.168.1.20 (Vlan1), d=10.0.1.1, len 60, input feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=192.168.1.20 (Vlan1), d=10.0.1.1, len 60, input feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=192.168.1.20 (Vlan1), d=10.0.1.1, len 60, input feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, MFIB NAT(104), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=192.168.1.20 (Vlan1), d=10.0.1.1, len 60, input feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: FIBipv4-packet-proc: route packet from Vlan1 src 192.168.1.20 dst 10.0.1.1
*Nov 11 05:24:24.299: FIBfwd-proc: Default:10.0.1.0/24 process level forwarding
*Nov 11 05:24:24.299: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)
*Nov 11 05:24:24.299: FIBfwd-proc: try path 0 (of 1) v4-con-Dialer0 first short ext 0(-1)
*Nov 11 05:24:24.299: FIBfwd-proc: v4-con-Dialer0 valid
*Nov 11 05:24:24.299: FIBfwd-proc: Dialer0 no nh type 2 - deag
*Nov 11 05:24:24.299: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer0 nh none deag 1 chg_if 0 via fib 0 path type connected prefix
*Nov 11 05:24:24.299: FIBfwd-proc: packet routed to Dialer0 p2p(0)
*Nov 11 05:24:24.299: FIBipv4-packet-proc: packet routing succeeded
*Nov 11 05:24:24.299: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer0 nh none uhp 1 deag 0 ttlexp 0
*Nov 11 05:24:24.299: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if Dialer0 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
*Nov 11 05:24:24.299: IP: s=10.0.1.211 (Vlan1), d=10.0.1.1 (Dialer0), len 60, output feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Post-routing NAT Outside(26), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=10.0.1.211 (Vlan1), d=10.0.1.1 (Dialer0), len 60, output feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Common Flow Table(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=10.0.1.211 (Vlan1), d=10.0.1.1 (Dialer0), len 60, output feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Stateful Inspection(30), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=10.0.1.211 (Vlan1), d=10.0.1.1 (Dialer0), len 60, output feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, NAT ALG proxy(63), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=10.0.1.211 (Vlan1), d=10.0.1.1 (Dialer0), len 60, output feature
*Nov 11 05:24:24.299:     ICMP type=8, code=0, Dialer idle reset(102), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 11 05:24:24.299: IP: s=10.0.1.211 (Vlan1), d=10.0.1.1 (Dialer0), g=10.0.1.1, len 60, forward
*Nov 11 05:24:24.299:     ICMP type=8, code=0
Config
Code:
Building configuration...

Current configuration : 6813 bytes
!
! Last configuration change at 05:20:44 UTC Mon Nov 11 2019 by halt
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname halt
!
boot-start-marker
boot system flash:c890-universalk9-mz.158-3.M2.bin
boot-end-marker
!
no logging rate-limit
enable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool MYDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 213.234.192.8 85.21.192.3
!
ip domain name beeline.ru
ip name-server 213.234.192.8
ip name-server 85.21.192.3
ip multicast-routing
ip inspect WAAS flush-timeout 10
ip inspect name INSPECT ftp
ip inspect name INSPECT h323
ip inspect name INSPECT icmp
ip inspect name INSPECT netshow
ip inspect name INSPECT rcmd
ip inspect name INSPECT realaudio
ip inspect name INSPECT rtsp
ip inspect name INSPECT streamworks
ip inspect name INSPECT tftp
ip inspect name INSPECT udp
ip inspect name INSPECT pptp
ip inspect name INSPECT dns
ip inspect name INSPECT tcp
ip ddns update method DynDNS
 HTTP
  add http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX@dynupdate.no-ip.com/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!
ip cef
no ipv6 cef
l2tp-class beeline-l2tp-class
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip 46.146.247.7
!
cts logging verbose
license udi pid CISCO891-K9 sn XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username halt privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
 notification-timer 60000
!
pseudowire-class beeline-pseudowire-class
 encapsulation l2tpv2
 protocol l2tpv2 beeline-l2tp-class
 ip local interface Vlan10
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
interface Tunnel1
 ip address 172.16.1.3 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ip nhrp map 172.16.1.1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ip nhrp network-id 1
 ip nhrp nhs 172.16.1.1
 load-interval 30
 shutdown
 keepalive 5 10
 tunnel source Virtual-PPP1
 tunnel mode gre multipoint
 tunnel protection ipsec profile protect-gre
!
interface FastEthernet0
 description TV
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 description Link2-PC
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 description WiFi-ASUS
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 description Synology
 no ip address
!
interface FastEthernet7
 description WAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip ddns update hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ip ddns update DynDNS
 ip address negotiated
 ip mtu 1460
 ip nat outside
 no ip virtual-reassembly in
 ip tcp adjust-mss 1400
 no cdp enable
 no peer neighbor-route
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 pseudowire 89.179.75.139 10 encapsulation l2tpv2 pw-class beeline-pseudowire-class
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip igmp helper-address 10.189.84.121
 ip igmp join-group 224.0.1.40
 ip igmp mroute-proxy Vlan10
!
interface Vlan10
 ip address dhcp
 ip pim dense-mode
!
interface Vlan100
 ip address 192.168.0.10 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer0
 ip address 10.0.1.211 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 123
 dialer vpdn
 dialer-group 1
 no cdp enable
 no peer neighbor-route
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.1.100 22 interface Virtual-PPP1 45002
ip nat inside source static tcp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static udp 192.168.1.100 5060 interface Virtual-PPP1 5060
ip nat inside source static tcp 192.168.1.2 21 interface Virtual-PPP1 45003
ip nat inside source static tcp 192.168.1.20 3389 interface Virtual-PPP1 45001
ip nat inside source route-map NAT_TO_Dialler interface Dialer0 overload
ip nat inside source route-map NAT_TO_ISP interface Virtual-PPP1 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 192.168.88.0 255.255.255.0 172.16.1.1
ip route 89.179.75.139 255.255.255.255 dhcp
ip route 89.179.75.138 255.255.255.255 dhcp
ip route 85.21.31.39 255.255.255.255 dhcp
ip route 78.107.196.21 255.255.255.255 dhcp
ip route 78.107.196.10 255.255.255.255 dhcp
ip route 78.107.196.14 255.255.255.255 dhcp
ip route 85.21.0.1 255.255.255.255 dhcp
!
ip access-list standard Internet-In
 deny   192.168.1.0 0.0.0.255
 permit any
!
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit icmp any any
 permit tcp any any eq 22 telnet
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended TO_Dialler
 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended TO_ISP
 deny   icmp 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
route-map NAT_TO_ISP permit 10
 match ip address TO_ISP
 match interface Virtual-PPP1
!
route-map NAT_TO_Dialler permit 10
 match ip address TO_Dialler
 match interface Dialer0
!
access-list 100 permit icmp any host 10.0.1.1
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input ssh
!
end

11 Nov 2019, 10:37

Silent_D
Registered: 07 Sep 2014, 02:54   Posts: 548   From: Msk
What bothers me is the presence of a static entry for that address:
Code:
ip nat inside source static tcp 192.168.1.20 3389 interface Virtual-PPP1 45001

I see that it's PAT, but it happens that, besides the TCP translation, an IP translation also gets created. Look carefully at show ip nat transl.
Try putting any other IP from the same network on the PC.
_________________ Knowledge is Power

11 Nov 2019, 15:55
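One way to do the check Silent_D is asking for, as added example code (not from the thread and not Cisco's): parse the columns of `show ip nat translations` and flag any inside host that has a protocol-less full-IP entry sitting next to its port-level ones, since a full-IP entry applies to every flow from that host rather than to one port. The table in the block is constructed: the column layout is the one IOS prints (the `---` form for a simple entry is IOS's own), the addresses are taken from the thread, and the rows themselves are invented for the example.

```python
"""Parse 'show ip nat translations' and flag hosts whose port-level entries sit
beside a protocol-less full-IP entry.

Added example, not from the thread. SAMPLE_NAT_TABLE is constructed: the column
layout is the IOS one, the addresses come from the thread, the rows are invented.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional

SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 95.33.120.85:45001 192.168.1.20:3389  ---                ---
icmp 10.0.1.209:1      192.168.1.19:1     10.0.1.1:1         10.0.1.1:1
--- 95.33.120.85       192.168.1.20       ---                ---
"""


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]        # 'tcp' / 'udp' / 'icmp', or None when IOS prints '---'
    inside_global: str
    inside_local: str
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def inside_local_host(self) -> str:
        return self.inside_local.split(":")[0]      # strip the :port, if any

    @property
    def is_full_ip(self) -> bool:
        """A simple entry: no protocol and no port, so it covers every flow of the host."""
        return self.proto is None and ":" not in self.inside_local


def _opt(token: str) -> Optional[str]:
    return None if token == "---" else token


def parse_nat_translations(text: str) -> list[Translation]:
    """Keep only 5-column data rows; the header, blanks and unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Pro":
            continue
        proto, ig, il, ol, og = cols
        entries.append(Translation(_opt(proto), ig, il, _opt(ol), _opt(og)))
    return entries


def shadowed_hosts(entries: Iterable[Translation]) -> dict[str, list[Translation]]:
    """Inside hosts that have both a full-IP entry and at least one per-port entry."""
    by_host: dict[str, list[Translation]] = {}
    for t in entries:
        by_host.setdefault(t.inside_local_host, []).append(t)
    return {
        host: ts for host, ts in by_host.items()
        if any(t.is_full_ip for t in ts) and any(not t.is_full_ip for t in ts)
    }


if __name__ == "__main__":
    table = parse_nat_translations(SAMPLE_NAT_TABLE)
    for host, ts in shadowed_hosts(table).items():
        print(f"{host}: full-IP translation present alongside {len(ts) - 1} port-level entry(ies)")
        for t in ts:
            print(f"   {t.proto or '---':5} {t.inside_global:22} {t.inside_local}")
```

Feed it the real `show ip nat translations` output instead of the sample; a host that comes up flagged is the one to retest from a different address, as suggested above, or to clear with `clear ip nat translation` before pinging again.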

halt
Registered: 09 Mar 2018, 16:19   Posts: 47
It turns out I was capturing packets on the PPTP server wrong(?): if you use the command tcpdump -ni any proto gre, the packets are visible on the server.
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:33:50.629486 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 12, ack 11, length 1451: compressed PPP data
16:33:50.632583 IP 10.0.1.205 > 2.94.181.72: GREv1, call 52401, seq 12, ack 12, length 1451: compressed PPP data
16:33:55.622284 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 13, ack 11, length 1451: compressed PPP data
16:33:55.624805 IP 10.0.1.205 > 2.94.181.72: GREv1, call 52401, seq 13, ack 13, length 1451: compressed PPP data
16:33:56.359392 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 14, ack 11, length 32: LCP, Echo-Request (0x09), id 1, length 14
16:34:00.615904 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 15, ack 11, length 1451: compressed PPP data
16:34:05.623691 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 16, ack 11, length 1451: compressed PPP data
16:34:06.376450 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 17, ack 11, length 32: LCP, Echo-Request (0x09), id 2, length 14
16:34:10.615388 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 18, ack 11, length 1451: compressed PPP data
16:34:15.623034 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 19, ack 11, length 1451: compressed PPP data
16:34:16.391627 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 20, ack 11, length 32: LCP, Echo-Request (0x09), id 3, length 14
16:34:20.614724 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 21, ack 11, length 1451: compressed PPP data
16:34:25.623259 IP 2.94.181.72 > 10.0.1.205: GREv1, call 21504, seq 22, ack 11, length 1451: compressed PPP data

12 Nov 2019, 08:01