Traffic from R1 to R4 through 2 nodes does not pass.

Registered: 17 Sep 2014, 04:53
Posts: 4
Hello. Could you please help with the following question:
There are 3 1812 routers.
R1 10.100.0.0/24 Sort of the central one
R2 Transit, sort of an emulation of the Internet
R3 10.17.0.0/24

R4 192.168.100.0/24 - a third-party company's server

VPN IPSec VTI R1-R3
VPN GRE-IPSec R1-R4

Traffic does not pass from R3 to R4
How can this be fixed? Here are the configs of R1 and R3 (I don't think R2 is relevant, and R4 is not ours):


R1:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco-01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
memory-size iomem 25
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.100.0.1 10.100.0.99
ip dhcp excluded-address 10.100.0.150 10.100.0.254
!
ip dhcp pool dhcp
import all
network 10.100.0.0 255.255.255.0
default-router 10.100.0.254
dns-server 10.100.0.254
domain-name ice.local
lease infinite
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 109.126.0.67
ip name-server 109.126.1.67
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXXXXXXXXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXX address 201.0.0.1
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address 195.68.137.170
!
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
!
crypto ipsec profile P1
set transform-set AES128-SHA
!
!
crypto map MAP1 10 ipsec-isakmp
set peer 195.68.137.170
set transform-set SET1
match address 101
!
archive
log config
hidekeys
!
!
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
interface Tunnel0
ip address 192.168.200.1 255.255.255.0
tunnel source 200.0.0.1
tunnel destination 201.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface Tunnel1
description TO_MEDOVY
bandwidth 5000
ip address 172.31.11.78 255.255.255.252
ip flow ingress
load-interval 30
tunnel source FastEthernet1
tunnel destination 195.68.189.130
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 200.0.0.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1
description WAN
mac-address 0017.5a35.1234
ip address dhcp
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
crypto map MAP1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 10.100.0.254 255.255.255.0
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
load-interval 30
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 10.17.0.0 255.255.255.0 Tunnel0
ip route 192.168.100.0 255.255.255.0 Tunnel1
ip route 201.0.0.0 255.255.255.252 FastEthernet0
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list FIREWALL interface FastEthernet1 overload
!
ip access-list extended FIREWALL
permit ip 10.100.0.0 0.0.0.255 any
permit ip 10.17.0.0 0.0.0.255 any
!
access-list 1 permit 10.17.0.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 101 permit gre host 37.8.156.226 host 195.68.189.130
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
end



R3:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco-17
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$heB6$tp2NHzzw8hVYnw5ICLZ/w.
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.17.0.1 10.17.0.99
ip dhcp excluded-address 10.17.0.150 10.17.0.254
!
ip dhcp pool dhcp
import all
network 10.17.0.0 255.255.255.0
default-router 10.17.0.254
dns-server 10.17.0.254
domain-name ice.local
lease infinite
!
!
ip cef
ip domain name ice.local
ip name-server 8.8.8.8
ip name-server 10.100.0.254
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 $1$SIMV$rceFUJK5WZRhetPRV6vVV.
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key Cisco@ffAdm address 200.0.0.1
!
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile P1
set transform-set AES128-SHA
!
!
archive
log config
hidekeys
!
!
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
interface Tunnel0
ip address 192.168.200.2 255.255.255.0
tunnel source 201.0.0.1
tunnel destination 200.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 201.0.0.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet1
ip address 192.168.15.176 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 10.17.0.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
load-interval 330
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip route 10.100.0.0 255.255.255.0 Tunnel0
ip route 192.168.100.0 255.255.255.0 192.168.200.1
ip route 192.168.200.0 255.255.255.0 Tunnel0
ip route 200.0.0.0 255.255.255.252 FastEthernet0
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list R-INT interface FastEthernet1 overload
!
ip access-list extended R-INT
permit ip 10.17.0.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
end


17 Sep 2014, 05:05
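An added example, not part of the original post: a longest-prefix-match trace over the static and connected routes in the two configs above, following a packet from the R3 LAN towards the R4 network and a reply from R1 back to the R3 LAN. The host addresses 192.168.100.10 and 10.17.0.100 are constructed, and the tunnel-to-peer mapping is an assumption taken from the tunnel source/destination lines and the poster's topology list.

```python
import ipaddress

# Connected and static routes copied from the R1 and R3 configs in the post.
# Each entry is (prefix, exit interface or next-hop IP).
ROUTES = {
    "R1": [("10.100.0.0/24", "Vlan1"), ("192.168.200.0/24", "Tunnel0"),
           ("172.31.11.76/30", "Tunnel1"), ("200.0.0.0/30", "FastEthernet0"),
           ("10.17.0.0/24", "Tunnel0"), ("192.168.100.0/24", "Tunnel1"),
           ("201.0.0.0/30", "FastEthernet0"), ("0.0.0.0/0", "FastEthernet1")],
    "R3": [("10.17.0.0/24", "Vlan1"), ("192.168.200.0/24", "Tunnel0"),
           ("201.0.0.0/30", "FastEthernet0"), ("192.168.15.0/24", "FastEthernet1"),
           ("10.100.0.0/24", "Tunnel0"), ("192.168.100.0/24", "192.168.200.1"),
           ("200.0.0.0/30", "FastEthernet0"), ("0.0.0.0/0", "192.168.15.1")],
}
# Assumed mapping: which router sits at the far end of each tunnel.
PEER = {("R1", "Tunnel0"): "R3", ("R3", "Tunnel0"): "R1", ("R1", "Tunnel1"): "R4"}

def lookup(router, dst):
    """Longest-prefix match; a next-hop IP is resolved recursively to an interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), via) for p, via in ROUTES[router]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, via = max(matches, key=lambda m: m[0].prefixlen)
    try:
        ipaddress.ip_address(via)
    except ValueError:
        return via                      # already an interface name
    return lookup(router, via)          # resolve the next-hop address

def trace(start, dst, max_hops=8):
    """Follow dst hop by hop until it leaves the routers whose tables we have."""
    path, router = [], start
    for _ in range(max_hops):
        if router not in ROUTES:
            path.append(f"{router}:routing table not on the page")
            break
        iface = lookup(router, dst)
        path.append(f"{router}:{iface}")
        router = PEER.get((router, iface))
        if router is None:              # delivered locally or left via a WAN port
            break
    return path

if __name__ == "__main__":
    print("R3 LAN -> R4 net:", trace("R3", "192.168.100.10"))
    print("R1 -> R3 LAN    :", trace("R1", "10.17.0.100"))
```

The trace covers route lookups only; NAT, the crypto map ACL and R4's own table, which is not posted, are outside what it checks.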