About the VPN configuration on a Cisco 2821, anyone who knows this please take a look
The network is: 2821 router --- 3560 switch. The 2821 needs to set up a VPN connection to the management company's server, but right now it can't ping through. I'm pasting my configuration below; please have a look and suggest something.
cisco2821#show run
Building configuration...
Current configuration : 1914 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco2821
!
boot-start-marker
boot-end-marker
!
enable password cisco5510
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
username XXXXXX password 0 XXXXXXXX
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key * address 220.231.188.44
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set my-set esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 220.231.188.44
set transform-set my-set
match address vpn
reverse-route
!
archive
log config
hidekeys
!
!
!
class-map match-all inspection_default
!
!
!
!
!
interface GigabitEthernet0/0
ip address 116.6.*.* 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map cisco
!
interface GigabitEthernet0/1
ip address 10.112.2.1 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 116.6.21.129
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
ip access-list extended vpn
permit ip 10.112.0.0 0.0.255.255 172.17.208.0 0.0.0.255
!
access-list 101 permit ip 10.112.0.0 0.0.255.255 any
access-list 101 permit ip 10.112.0.0 0.0.255.255 172.17.208.0 0.0.0.255
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
control-plane
!
line con 0
login local
line aux 0
line vty 0 4
exec-timeout 3 0
privilege level 15
password cisco5510
login local
transport input telnet ssh
line vty 5 15
access-class 1 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
qq360870025 posted on 2012-4-19 10:19:
Since you are doing NAT and the VPN on the same device, you need to deny the VPN's interesting traffic in the NAT ACL so that it triggers the crypto map on the interface and goes through the VPN; otherwise it just gets NAT-translated. Best to use debug crypto isakmp to troubleshoot: if it gets past IKE phase 1, then check whether the phase 2 policy matches.
35954514 posted on 2012-4-19 10:30:
Thanks for the reply. Does this setup look right to you?
access-list 101 deny ip 10.112.0.0 0.0.255.255 172.17.208.0 0.0.0.255
access-list 101 permit ip 10.112.0.0 0.0.255.255 any
ip access-list extended vpn
permit ip 10.112.0.0 0.0.255.255 172.17.208.0 0.0.0.255
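To make the NAT-versus-crypto-map ordering concrete, here is an added example (not from the thread) that simulates first-match evaluation of the 2821's access lists, comparing the original NAT ACL with the corrected one; the outside address is a constructed placeholder, since the thread masks it.

```python
import ipaddress

OUTSIDE_IP = "192.0.2.1"  # constructed stand-in for the masked 116.6.*.* outside address

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'NET WILDCARD'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def acl_lookup(acl_lines, src, dst):
    """First-match evaluation of 'permit|deny ip SRC DST' entries, implicit deny at the end."""
    for line in acl_lines:
        tokens = line.split()
        (sn, sw), i = parse_addr(tokens, 2)
        (dn, dw), _ = parse_addr(tokens, i)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return tokens[0]
    return "deny"

# The NAT ACL from the original 2821 config and the corrected one from the thread
NAT_ACL_ORIGINAL = [
    "permit ip 10.112.0.0 0.0.255.255 any",
    "permit ip 10.112.0.0 0.0.255.255 172.17.208.0 0.0.0.255",
]
NAT_ACL_FIXED = [
    "deny ip 10.112.0.0 0.0.255.255 172.17.208.0 0.0.0.255",
    "permit ip 10.112.0.0 0.0.255.255 any",
]
CRYPTO_ACL = ["permit ip 10.112.0.0 0.0.255.255 172.17.208.0 0.0.0.255"]

def disposition(nat_acl, src, dst):
    """Inside-to-outside on IOS, NAT runs before the crypto map check: a packet the NAT ACL
    permits gets the outside address as source, fails the crypto ACL and leaves in the clear."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP
    return "vpn" if acl_lookup(CRYPTO_ACL, src, dst) == "permit" else "clear"

for name, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
    print(name, disposition(acl, "10.112.2.10", "172.17.208.5"))
```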
qq360870025 posted on 2012-4-19 10:35:
Yes. When both are on the same device, this is required for the VPN to work.
35954514 posted on 2012-4-19 10:44:
Thank you very much.
qq360870025 posted on 2012-4-19 10:46:
Sorted.
35954514 posted on 2012-4-19 10:50:
One more question for you.
Previously the network was an ASA 5510 firewall ---- connected to the switch, with NAT, VPN and the gateway all done on the 5510, and it ran more or less fine.
Now it's the 2821 connected to the switch. Yesterday the VPN wasn't working, so I swapped the router back for the firewall, but surprisingly the VPN doesn't work there either... Exactly the same configuration; it used to work, so how come it doesn't now?

Indeed, no shortage of experts here. Heh, the brother above must have studied CCIE Security.
qq360870025 posted on 2012-4-19 11:15:
Post the configuration so we can take a look.

35954514 posted on 2012-4-19 11:26:
ciscoasa# show run
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
enable password oRmx3R1CItyN8X6z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 116.6.*.* 255.255.255.128
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.112.2.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
access-list 111 extended permit ip 10.112.0.0 255.255.0.0 any
access-list no-nat extended permit ip 10.112.0.0 255.255.0.0 172.17.208.0 255.255.255.0
access-list vpn extended permit ip 10.112.0.0 255.255.0.0 172.17.208.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 access-list 111
route outside 0.0.0.0 0.0.0.0 116.6.21.129 1
route inside 192.168.0.0 255.255.255.0 10.112.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ffIRPGpDSOJh9YLq encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set my-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map smap 20 match address vpn
crypto map smap 20 set peer 220.231.188.44
crypto map smap 20 set transform-set my-set
crypto map smap 20 set security-association lifetime seconds 28800
crypto map smap 20 set security-association lifetime kilobytes 4608000
crypto map smap 20 set reverse-route
crypto map smap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
tunnel-group 220.231.188.44 type ipsec-l2l
tunnel-group 220.231.188.44 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.112.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 50
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:2eb5270886167459f18ad09a241c0062
: end
qq360870025 posted on 2012-4-19 12:04:
Is crypto isakmp enable turned on?
35954514 posted on 2012-4-19 12:33:
It's on.
qq360870025 posted on 2012-4-19 14:16:
It's on? By default isn't there a 65535 sequence number that follows it? Your config doesn't have that.
nat (inside) 1 access-list 111
Here you can put an address directly after this instead of a list.
35954514 replied:
Thanks for the reply, I'll give it another try.