Customer has 2 DSL lines on a single Cisco 2800 router
GE0/0 : DMZ // ISA Server
GE0/1 : inside LAN network (172.20.1.x/24)
DSL 1 : Access to Internet // incoming mail // incoming VPN clients
This part works.
DSL 2: Used for SITE to SITE VPN only, to the remote office Cisco 877 router (remote LAN 10.20.1.x/). For accessing the resources at the head office, 172.20.1.x.
The IPsec site-to-site VPN tunnel is connected; the routing, of course, goes wrong. Is there a way to send the packets for network 10.20.1.x to the correct Dialer interface?
code:
rtr-2801#wr t
Building configuration...
Current configuration : 11680 bytes
!
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-2801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 5
logging buffered 8192 debugging
logging console informational
enable secret [REMOVED]
!
username administrator privilege 15 [removed]
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
no network-clock-participate aim 0
no network-clock-participate aim 1
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication login RADIUS group radius
aaa authentication login LOCAL local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network GROUPLIST local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name new-2801.nl
ip name-server 172.20.1.7
ip name-server 172.20.1.6
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips notify SDEE
ip ips po max-events 100
no ftp-server write-enable
!
voice-card 0
no dspfarm
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key [REMOVED] address 82.eee.fff.49
!
crypto isakmp client configuration group vpnclient
key [REMOVED]
dns 172.20.1.7 172.20.1.6
domain new-2801.nl
pool vpnclient
acl 106
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpnusers 1
description Client to Site VPN Users
set transform-set ESP-3DES-SHA
!
!
crypto map CM-LAN2LAN 65001 ipsec-isakmp
description Tunnel to 82.eee.fff.49
set peer 82.eee.fff.49
set transform-set ESP-3DES-SHA
match address 109
!
crypto map CM-VPNCLIENT client authentication list RADIUS
crypto map CM-VPNCLIENT isakmp authorization list GROUPLIST
crypto map CM-VPNCLIENT client configuration address respond
crypto map CM-VPNCLIENT 65000 ipsec-isakmp dynamic vpnusers
!
!
!
!
interface GigabitEthernet0/0
description DMZ
ip address 10.21.23.222 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description Local-LAN
ip address 172.20.1.222 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
!
interface ATM0/0/0.1 point-to-point
description 1e DSL
pvc 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
!
interface ATM0/1/0.1 point-to-point
description 2e DSL
pvc 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex B
dsl linerate AUTO
!
interface Dialer0
description 1 DSL
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username [REMOVED] password [REMOVED]
crypto map CM-VPNCLIENT
!
interface Dialer1
description 2e DSL
ip address negotiated
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 2
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username [REMOVED] password [REMOVED]
crypto map CM-LAN2LAN
!
ip local pool vpnclient 10.10.222.1 10.10.222.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.20.1.0 255.255.255.0 Dialer1
ip route 82.eee.fff.49 255.255.255.255 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source route-map RMAP_ODE3 interface Dialer1 overload
ip nat inside source static tcp 172.20.1.222 22 interface Dialer0 22
!
logging 172.20.1.3
access-list 1 remark INSIDE_IF=GigabitEthernet0/1
access-list 1 permit 172.20.1.0 0.0.0.255
access-list 1 permit 10.21.23.0 0.0.0.255
access-list 3 remark Traffic not to check for intrusion detection
access-list 3 deny 10.20.222.0 0.0.0.255
access-list 3 permit any
access-list 100 remark Inbound on GE 0/1
access-list 100 remark NTP (123) 145.7.191.18
access-list 100 permit udp host 145.7.191.18 eq ntp host 172.20.1.222 eq ntp
access-list 100 permit ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255
access-list 100 remark To ODE3
access-list 100 permit ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 100 remark Intranetserver to Outside
access-list 100 permit ip host 172.20.1.3 any
access-list 100 remark Dataserver to Outside
access-list 100 permit ip host 172.20.1.6 any
access-list 100 remark Mailserver to Outside
access-list 100 permit ip host 172.20.1.7 any
access-list 100 remark WS-Beheer to Outside
access-list 100 permit ip host 172.20.1.10 any
access-list 100 remark Laptop Service Engineer to Outside
access-list 100 permit ip host 172.20.1.199 any
access-list 100 remark Cisco 2801 tbv NTP update
access-list 100 permit ip host 172.20.1.253 any
access-list 100 deny ip any any
access-list 101 remark Inbound rule on Dialer 0
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit ip 10.10.222.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 101 remark ssh from service engineer
access-list 101 permit ip host 82.iii.jj.22 any
access-list 101 remark Inbound mail (172.20.1.7)
access-list 101 permit tcp any host 80.aaa.bbb.221 eq smtp
access-list 101 remark Timeserver NTP (123) ntp1.kpn.com
access-list 101 permit udp host 145.7.191.18 eq ntp any eq ntp
access-list 101 deny ip 10.21.23.0 0.0.0.255 any
access-list 101 deny ip 172.20.1.0 0.0.0.255 any
access-list 101 permit tcp any any eq 1723
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark Inbound on GE 0/0
access-list 102 remark ISA server from DMZ to Outside
access-list 102 permit ip host 10.21.23.1 any
access-list 102 deny ip any any log
access-list 103 remark Dialer 1
access-list 103 permit udp host 82.eee.fff.49 any eq non500-isakmp
access-list 103 permit udp host 82.eee.fff.49 any eq isakmp
access-list 103 permit esp host 82.eee.fff.49 any
access-list 103 permit ahp host 82.eee.fff.49 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit ip 10.20.1.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255 log
access-list 105 permit ip 10.21.23.0 0.0.0.255 any
access-list 105 permit ip 172.20.1.0 0.0.0.255 any
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 172.20.1.0 0.0.0.255 any
access-list 109 remark Traffic to NAT ODE3
access-list 109 permit ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 110 remark IPSec Rule ODE3
access-list 110 permit ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
route-map RMAP_ODE3 permit 1
match ip address 110
!
radius-server host 172.20.1.7 auth-port 1645 acct-port 1646 key [REMOVED]
!
control-plane
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 0 0
login authentication LOCAL
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
login authentication LOCAL
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179467
ntp master
ntp update-calendar
ntp server 145.7.191.18 source Dialer0
!
end
rtr-2801# sh crypto isakmp sa
dst src state conn-id slot
80.aaa.bbb.217 193.ggg.hhh.58 QM_IDLE 45 0
195.cc.dd.217 82.eee.fff.49 QM_IDLE 44 0
rtr-2801#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
80.0.0.0/32 is subnetted, 1 subnets
C 80.aaa.bbb.217 is directly connected, Dialer0
172.20.0.0/24 is subnetted, 1 subnets
C 172.20.1.0 is directly connected, GigabitEthernet0/1
82.0.0.0/32 is subnetted, 1 subnets
S 82.eee.fff.49 is directly connected, Dialer1
10.0.0.0/24 is subnetted, 2 subnets
C 10.21.23.0 is directly connected, GigabitEthernet0/0
S 10.20.1.0 is directly connected, Dialer1
194.109.5.0/32 is subnetted, 1 subnets
C 194.109.5.245 is directly connected, Dialer0
195.cc.dd.0/32 is subnetted, 1 subnets
C 195.cc.dd.217 is directly connected, Dialer1
62.0.0.0/32 is subnetted, 1 subnets
C 62.12.4.48 is directly connected, Dialer1
S* 0.0.0.0/0 is directly connected, Dialer0
rtr-2801#
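What a practitioner would change here, as an added example that is not part of the original post or the poster's running config. The routing itself is already right: the static routes send 10.20.1.0/24 and the peer 82.eee.fff.49 out of Dialer1, the routing table shows both, and `sh crypto isakmp sa` shows the ISAKMP SA to that peer in QM_IDLE. What breaks the flow is the NAT statement `ip nat inside source route-map RMAP_ODE3 interface Dialer1 overload`: on the inside-to-outside path IOS applies NAT before the crypto map, so the 172.20.1.x sources are translated to Dialer1's negotiated address and no longer match crypto ACL 109 (172.20.1.0/24 to 10.20.1.0/24). The packets then leave Dialer1 unencrypted with a private destination and the ISP discards them. The fix is to keep VPN traffic out of NAT entirely and to bind the remaining PAT rule to its egress interface with a route-map, which is Cisco's documented way of doing NAT towards two ISPs. The route-map name RMAP_DIALER0 is my own; the 877 is assumed to carry the mirror-image crypto ACL (10.20.1.0/24 to 172.20.1.0/24) and a route for 172.20.1.0/24 towards the tunnel.

```cisco
! Added example, not the poster's configuration. Names RMAP_DIALER0 are assumed.
!
! 1. Remove the NAT rule that translates the site-to-site traffic. After PAT the
!    source is no longer 172.20.1.x, so crypto ACL 109 on Dialer1 never matches
!    and nothing is encrypted. ACL 110 and the route-map exist only for that rule.
no ip nat inside source route-map RMAP_ODE3 interface Dialer1 overload
no route-map RMAP_ODE3
no access-list 110
!
! 2. Exempt both VPN flows from the Dialer0 PAT rule as well. The existing ACL 105
!    already exempts the client pool 10.10.222.0/24; add the remote LAN 10.20.1.0/24.
!    (The log keyword on the original deny line is dropped here.)
no access-list 105
access-list 105 remark Traffic to NAT via Dialer0 (VPN traffic exempt)
access-list 105 deny   ip 172.20.1.0 0.0.0.255 10.10.222.0 0.0.0.255
access-list 105 deny   ip 172.20.1.0 0.0.0.255 10.20.1.0 0.0.0.255
access-list 105 permit ip 10.21.23.0 0.0.0.255 any
access-list 105 permit ip 172.20.1.0 0.0.0.255 any
!
! 3. Select the Internet PAT rule by egress interface, not only by ACL match, so
!    traffic routed out of Dialer1 is never translated to Dialer0's address.
route-map RMAP_DIALER0 permit 10
 match ip address 105
 match interface Dialer0
!
no ip nat inside source list 105 interface Dialer0 overload
ip nat inside source route-map RMAP_DIALER0 interface Dialer0 overload
!
! 4. Unchanged: the static routes that already steer the remote LAN and the peer
!    out of the second DSL line (shown here for completeness, do not re-enter).
!   ip route 10.20.1.0 255.255.255.0 Dialer1
!   ip route 82.eee.fff.49 255.255.255.255 Dialer1
```

After applying this, run `clear ip nat translation *` so stale PAT entries for 10.20.1.x do not linger, then ping a remote host from a LAN machine (or `ping 10.20.1.1 source 172.20.1.222` on the router itself, whose source also falls inside ACL 109). `show crypto ipsec sa peer 82.eee.fff.49` should now show an IPsec SA with `pkts encaps` and `pkts decaps` both incrementing; if only encaps grows, the 877 side is not sending back, which points to its crypto ACL or return route. `show ip nat translations | include 10.20.1` should stay empty. Two smaller things visible in the posted config are worth cleaning up at the same time: the remarks on ACL 109 ("Traffic to NAT ODE3") and ACL 110 ("IPSec Rule ODE3") are swapped relative to how the ACLs are used, and `crypto isakmp policy 1` sets only `authentication pre-share`, so it falls back to the IOS defaults of DES and Diffie-Hellman group 1; if the 877 is allowed to negotiate that policy the tunnel key exchange is far weaker than the 3DES/group 2 policy 2 suggests, so either remove policy 1 or give it explicit `encr` and `group` settings. The vty lines also still accept `telnet` alongside `ssh` with `exec-timeout 0 0`; restricting `transport input` to ssh and setting an idle timeout costs nothing and removes a cleartext path to the privileged user.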