I described the problem on the Cisco community forum and on stackoverflow, and I've spent quite a lot of time on it myself, but there is no solution... So I'd be grateful for any discussion that brings me even a little closer to one.
There is a Cisco CSR1000V router:
1. AnyConnect users connect to it (10.251.100.0/24);
2. It has its own LAN behind it (10.251.0.0/24);
3. It holds an IPsec tunnel to a remote LAN (10.120.0.0/16).
Diagram attached.
What works:
Hosts on LAN 10.251.0.0/24 reach hosts on the remote LAN 10.120.0.0/16 through IPsec.
AnyConnect clients 10.251.100.0/24 can reach LAN 10.251.0.0/24.
What doesn't work and needs to work:
AnyConnect clients 10.251.100.0/24 cannot reach the remote LAN 10.120.0.0/16.
Config below. I've trimmed it a little and replaced the IPs.
Code:
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname r0
!
boot-start-marker
boot-end-marker
!
!
logging buffered 262144
enable password 7 [...hash...]
!
aaa new-model
!
!
aaa authentication login sslvpn local
aaa authorization network sslvpn local
!
!
!
!
!
aaa session-id common
clock timezone MSK 3 0
!
!
!
!
!
!
!
no ip domain lookup
ip domain name host.ru
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki trustpoint anyconnectvpn
 enrollment selfsigned
 subject-name CN=vpn.host.ru
 revocation-check none
 rsakeypair anyconnect
!
!
crypto pki certificate chain anyconnectvpn
 certificate self-signed 01
  30820340 30820228 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  [...skip...]
  9F249E29 B0751377 4908FC4C 7EA6E2EC 8EC0E650 93E3E831 B52BB531 D4E56161 1BB70DBE
  quit
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn [...skip...]
license accept end user agreement
license boot level ax
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
!
object-group network lan_10.251.0.0-16
 10.251.0.0 255.255.0.0
!
!
!
!
username root privilege 15 password 7 [...hash...]
!
redundancy
!
!
!
!
!
!
!
crypto ssl proposal sslvpn-proposal
 protection rsa-aes256-sha1
!
crypto ssl authorization policy sslvpn-auth-policy
 include-local-lan
 pool SSL_Client
 dns 8.8.8.8
 def-domain host.ru
 route set access-list sslvpn-tunnel
!
crypto ssl policy sslvpn-policy
 ssl proposal sslvpn-proposal
 pki trustpoint anyconnectvpn sign
 ip address local 1.2.3.2 port 443
!
crypto ssl profile sslvpn-profile
 match policy sslvpn-policy
 aaa authentication user-pass list sslvpn
 aaa authorization group user-pass list sslvpn sslvpn-auth-policy
 authentication remote user-pass
 max-users 20
!
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-macos-4.6.02074-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.6.02074-webdeploy-k9.pkg sequence 2
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 36600
!
crypto isakmp key [...key...] address 1.7.1.243
!
!
crypto ipsec transform-set ESP-AES-256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode transport
!
!
!
crypto map WAN_map local-address Loopback1
crypto map WAN_map 10 ipsec-isakmp
 set peer 1.7.1.243
 set security-association lifetime seconds 10800
 set transform-set ESP-AES-128-SHA
 set pfs group2
 match address l2l-acl
!
!
!
!
!
!
!
!
interface Loopback1
 description IPSec
 ip address 1.2.3.1 255.255.255.255
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
!
interface Loopback2
 ip address 1.2.3.2 255.255.255.255
!
interface GigabitEthernet1
 description LAN
 ip address 10.251.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 negotiation auto
 no mop enabled
 no mop sysid
 ip virtual-reassembly
!
interface GigabitEthernet2
 description WAN
 ip address 1.5.58.58 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip access-group WAN in
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map WAN_map
 ip virtual-reassembly
!
interface GigabitEthernet3
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
!
!
virtual-service csr_mgmt
!
ip local pool SSL_Client 10.251.100.2 10.251.100.254
ip nat pool default_nat 1.2.3.5 1.2.3.5 netmask 255.255.255.0
ip nat inside source list NAT pool default_nat overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 1.5.58.57
!
!
!
!
ip access-list standard sslvpn-tunnel
 permit 10.251.0.0 0.0.255.255
 permit 10.120.0.0 0.0.255.255
!
ip access-list extended NAT
 deny ip 10.251.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny ip 10.251.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 10.251.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip object-group lan_10.251.0.0-16 any
ip access-list extended WAN
 permit tcp any host 1.2.3.100 eq www 443
 permit ip any host 1.5.58.58
 permit ip any host 1.2.3.5
 permit ip any host 1.2.3.1
 permit tcp any host 1.2.3.2 eq www 443
 deny ip any any
ip access-list extended l2l-acl
 permit ip 10.251.0.0 0.0.255.255 10.120.0.0 0.0.255.255
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
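A first check worth doing on a problem like this is to confirm how the three ACLs that decide the AnyConnect path (the split-tunnel route list, the NAT exemption list and the crypto-map match ACL) classify a LAN-host flow versus an AnyConnect-client flow to the remote LAN. The script below is an added example, not part of the post, and not a Cisco tool: it re-creates the posted ACL entries by hand (the object-group in the NAT ACL is expanded to 10.251.0.0/0.0.255.255) and evaluates them with Cisco wildcard-mask semantics. The standard ACL sslvpn-tunnel is modelled as a destination-prefix list with any source, which is an assumption about how `route set access-list` uses it.

```python
import ipaddress

# Each entry is (action, (src address, src wildcard), (dst address, dst wildcard)),
# transcribed from the posted config. "any" is 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

# ip access-list extended l2l-acl  (match address of crypto map WAN_map)
L2L_ACL = [
    ("permit", ("10.251.0.0", "0.0.255.255"), ("10.120.0.0", "0.0.255.255")),
]

# ip access-list extended NAT  (object-group lan_10.251.0.0-16 expanded by hand)
NAT_ACL = [
    ("deny", ("10.251.0.0", "0.0.255.255"), ("10.0.0.0", "0.255.255.255")),
    ("deny", ("10.251.0.0", "0.0.255.255"), ("192.168.0.0", "0.0.255.255")),
    ("deny", ("10.251.0.0", "0.0.255.255"), ("172.16.0.0", "0.15.255.255")),
    ("permit", ("10.251.0.0", "0.0.255.255"), ANY),
]

# ip access-list standard sslvpn-tunnel  (split-tunnel routes pushed to AnyConnect).
# Assumption for this example: used as a list of destination prefixes, any source.
SPLIT_TUNNEL_ACL = [
    ("permit", ANY, ("10.251.0.0", "0.0.255.255")),
    ("permit", ANY, ("10.120.0.0", "0.0.255.255")),
]


def wildcard_match(ip, address, wildcard):
    """Cisco wildcard-mask test: every bit that is 0 in the wildcard must be equal."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(address)) & care)


def evaluate_acl(acl, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, (sa, swc), (da, dwc) in acl:
        if wildcard_match(src, sa, swc) and wildcard_match(dst, da, dwc):
            return action
    return "deny"


def trace_flow(src, dst):
    """Report how each of the three ACLs classifies a src -> dst packet."""
    nat_result = evaluate_acl(NAT_ACL, src, dst)
    return {
        "split_tunnel": evaluate_acl(SPLIT_TUNNEL_ACL, src, dst),
        # 'permit' in a NAT source list means the flow IS translated; 'deny' exempts it
        "nat": "translated" if nat_result == "permit" else "exempt",
        "crypto": evaluate_acl(L2L_ACL, src, dst),
    }


if __name__ == "__main__":
    # Constructed sample flows: a LAN host, an AnyConnect client, and a client going to the Internet
    for src, dst in [("10.251.0.10", "10.120.1.1"),
                     ("10.251.100.5", "10.120.1.1"),
                     ("10.251.100.5", "8.8.8.8")]:
        print(f"{src} -> {dst}: {trace_flow(src, dst)}")
```

With the posted entries, a LAN host and an AnyConnect client going to 10.120.0.0/16 are classified identically (routed into the tunnel, exempt from NAT, matched by the crypto ACL), so the local ACL addressing alone does not separate the working case from the failing one; that points the investigation at what this check cannot see, such as whether the remote peer's crypto ACL mirrors the 10.251.0.0/16 source or which interface the client traffic is actually forwarded out of.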