Traffic from R1 to R4 through 2 hops does not pass.
ekspil
Registered: 17 Sep 2014, 04:53 Posts: 4
Hello. Could you please help with the following question: There are 3 routers, model 1812.
R1 10.100.0.0/24 - sort of the central one
R2 - transit, sort of an emulation of the Internet
R3 10.17.0.0/24
R4 192.168.100.0/24 - a third-party company's server
VPN IPSec VTI R1-R3
VPN GRE-IPSec R1-R4
Traffic does not pass from R3 to R4. How can this be fixed? Here are the configs of R1 and R3 (I think there is no point in showing R2, and R4 is not ours):
R1:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco-01
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
memory-size iomem 25
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.100.0.1 10.100.0.99
ip dhcp excluded-address 10.100.0.150 10.100.0.254
!
ip dhcp pool dhcp
 import all
 network 10.100.0.0 255.255.255.0
 default-router 10.100.0.254
 dns-server 10.100.0.254
 domain-name ice.local
 lease infinite
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 109.126.0.67
ip name-server 109.126.1.67
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username XXXXXXXXXXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXX address 201.0.0.1
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address 195.68.137.170
!
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
!
crypto ipsec profile P1
 set transform-set AES128-SHA
!
!
crypto map MAP1 10 ipsec-isakmp
 set peer 195.68.137.170
 set transform-set SET1
 match address 101
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
interface Tunnel0
 ip address 192.168.200.1 255.255.255.0
 tunnel source 200.0.0.1
 tunnel destination 201.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
interface Tunnel1
 description TO_MEDOVY
 bandwidth 5000
 ip address 172.31.11.78 255.255.255.252
 ip flow ingress
 load-interval 30
 tunnel source FastEthernet1
 tunnel destination 195.68.189.130
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 ip address 200.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1
 description WAN
 mac-address 0017.5a35.1234
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map MAP1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 10.100.0.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
 load-interval 30
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 10.17.0.0 255.255.255.0 Tunnel0
ip route 192.168.100.0 255.255.255.0 Tunnel1
ip route 201.0.0.0 255.255.255.252 FastEthernet0
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list FIREWALL interface FastEthernet1 overload
!
ip access-list extended FIREWALL
 permit ip 10.100.0.0 0.0.0.255 any
 permit ip 10.17.0.0 0.0.0.255 any
!
access-list 1 permit 10.17.0.0 0.0.0.255
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 101 permit gre host 37.8.156.226 host 195.68.189.130
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
end
R3:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco-17
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$heB6$tp2NHzzw8hVYnw5ICLZ/w.
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.17.0.1 10.17.0.99
ip dhcp excluded-address 10.17.0.150 10.17.0.254
!
ip dhcp pool dhcp
 import all
 network 10.17.0.0 255.255.255.0
 default-router 10.17.0.254
 dns-server 10.17.0.254
 domain-name ice.local
 lease infinite
!
!
ip cef
ip domain name ice.local
ip name-server 8.8.8.8
ip name-server 10.100.0.254
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 $1$SIMV$rceFUJK5WZRhetPRV6vVV.
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key Cisco@ffAdm address 200.0.0.1
!
!
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile P1
 set transform-set AES128-SHA
!
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 90
ip ssh authentication-retries 5
ip ssh version 2
!
!
!
interface Tunnel0
 ip address 192.168.200.2 255.255.255.0
 tunnel source 201.0.0.1
 tunnel destination 200.0.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 ip address 201.0.0.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 192.168.15.176 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 10.17.0.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 load-interval 330
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip route 10.100.0.0 255.255.255.0 Tunnel0
ip route 192.168.100.0 255.255.255.0 192.168.200.1
ip route 192.168.200.0 255.255.255.0 Tunnel0
ip route 200.0.0.0 255.255.255.252 FastEthernet0
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list R-INT interface FastEthernet1 overload
!
ip access-list extended R-INT
 permit ip 10.17.0.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
end
17 Sep 2014, 05:05