IPsec VPN: the client can connect, but cannot access the server side.
Last edited by goflylong on 2010-12-31 11:58.
I recently set up an IPsec VPN and ran into a problem: the client obtains an IP from the address pool and can reach the public Internet, but it just cannot access the internal network on the server side. Where is this most likely going wrong? Any pointers appreciated. My configuration follows:
aaa new-model
!
!
! Method lists: "ezvpn-authentication" for XAUTH user login, "ezvpn-authorization" for group (mode-config) authorization
aaa authentication login default local
aaa authentication login ezvpn-authentication local
aaa authorization exec default local
aaa authorization network ezvpn-authorization local
!
no ip domain lookup
!
! Local accounts used for XAUTH; "password 0" stores them in clear text in the config
username long privilege 15 password 0 long
username cisco password 0 cisco
!
!
!
! IKE phase 1: 3DES, SHA-1 (default hash), DH group 2, pre-shared key
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! EzVPN group: group pre-shared key, mode-config address pool, split-tunnel ACL
crypto isakmp client configuration group myezvpn
key myezvpn
pool ezvpn-pool
acl 101
!
!
! Phase 2 transform set; the dynamic map accepts any remote-access peer that negotiates it
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
!
crypto dynamic-map ezvpn-dynamic-map 1
set transform-set ccsp
!
!
! Crypto map "cisco": XAUTH list, group authorization list, mode-config address push on request,
! and entry 1 pointing at the dynamic map
crypto map cisco client authentication list ezvpn-authentication
crypto map cisco isakmp authorization list ezvpn-authorization
crypto map cisco client configuration address respond
crypto map cisco 1 ipsec-isakmp dynamic ezvpn-dynamic-map
!
! LAN interface (192.168.1.0/24), NAT inside
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
! WAN interface: NAT outside, crypto map applied here (IPsec is bound to the physical interface)
interface Serial1/1
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
crypto map cisco
!
! Address pool handed to clients by mode-config
ip local pool ezvpn-pool 192.168.100.1 192.168.100.100
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
ip http server
no ip http secure-server
ip nat pool cisco 172.16.1.1 172.16.1.1 netmask 255.255.255.0
! PAT behind the WAN address; ACL 100 exempts LAN -> VPN pool traffic from NAT before permitting the rest
ip nat inside source list 100 pool cisco overload
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
! Split-tunnel ACL 101: the protected network (192.168.1.0/24) pushed to clients as a route
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
OP, to help us answer your question, please post the topology.

林原静羽 wrote on 2010-12-31 10:15: OP, to help us answer your question, please post the topology.
Haha, seconding the post above.

Where did the OP who asked the question go? -- judging by the photo, is it ZL?

Experts, please come in quickly, otherwise this technical question won't get an answer until next year! -woniu7-

Last edited by Jeff. on 2010-12-31 19:11.
Check the IP address and the routes your client received... most likely it is a routing problem.
Look in your client software for the "route details" view and see which routes it received.
Reply to post #7 by Jeff.:
Jeff, I remember that when I checked, the client's route details did contain a route to destination 192.168.1.0, and the server side also had an injected static route to 192.168.100.0, so it is not very likely to be a problem there. Afterwards I did it again with SDM and the test worked. But in that configuration file a virtual template is defined and the static map is applied to that template rather than to the WAN interface. Strange? Is the server-side configuration approach not workable?

Reply to post #8 by goflylong:
Send me your configuration.

Reply to post #9 by Jeff.:
SDM configuration:
R1#show running-config
aaa new-model
!
!
! SDM/CCP-generated method lists: XAUTH login and group authorization
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
no ip domain lookup
!
!
! Local XAUTH account, again with a clear-text (type 0) password
username longlong privilege 15 password 0 longlong
!
!
! Same phase 1 parameters as the first config; the group additionally pushes a netmask to clients
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group test
key test
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
! ISAKMP profile: matches group "test", binds XAUTH / authorization / mode-config,
! and hands sessions to Virtual-Template1 (DVTI) instead of a crypto map
crypto isakmp profile ciscocp-ike-profile-1
match identity group test
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
! IPsec profile consumed by "tunnel protection" on the virtual template
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
! WAN interface: NAT outside, but no crypto map; IPsec is attached through Virtual-Template1 instead
interface FastEthernet0/0
ip address 100.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.121.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
! DVTI: every client session gets a Virtual-Access interface cloned from this template;
! "tunnel protection" replaces the crypto map. The template carries no "ip nat outside",
! so LAN traffic routed to clients through it is not translated.
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
! Client pool; 123.1.1.0/24 is routable public address space, not RFC 1918 addressing
ip local pool SDM_POOL_1 123.1.1.1 123.1.1.100
ip route 0.0.0.0 0.0.0.0 100.1.1.2
!
!
ip http server
ip http secure-server
! PAT on Fa0/0. ACL 10 has no deny for LAN -> pool traffic: with the DVTI that traffic exits the
! virtual-access interface, which is not NAT outside, so no exemption is needed
ip nat inside source list 10 interface FastEthernet0/0 overload
!
access-list 10 permit 10.10.121.0 0.0.0.255
! Split-tunnel ACL 101: protected network pushed to clients
access-list 101 permit ip 10.10.121.0 0.0.0.255 any
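The two server configs in this thread are the same EzVPN service attached in two ways: a crypto map on the WAN interface in the first post, and a DVTI (virtual template) in the SDM-generated one. The Python below is an added example, not code from the thread or from Cisco, that parses the lines of both that decide whether LAN-to-client traffic gets through, and then evaluates that flow the way the router would: does the split-tunnel ACL push the LAN to the client, and, when a crypto map is used, would the NAT source ACL rewrite LAN-to-pool packets before they are encrypted (with a DVTI the flow leaves through the virtual-access interface, which is not NAT outside, so no exemption is required unless the template itself is). The function names, the trimmed config strings and the test flow (an arbitrary LAN host to the first pool address) are assumptions of this example; the parser understands only the IOS syntax that appears in the thread.

```python
# Added example: EzVPN server config lint (see lead-in); parser covers only this thread's IOS syntax
import ipaddress

def acl_net(w, i):
    """'any' or 'ADDR WILDCARD' at token i -> (network, index of next token)."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(w[i + 1])))
    return ipaddress.ip_network(f"{w[i]}/{mask}", strict=False), i + 2

def parse(text):
    cfg = {"ifaces": {}, "acls": {}, "pools": {}, "nat_acl": None, "split_acl": None, "pool": None}
    iface = group = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":                     # '!' closes interface and group blocks
            iface = group = None
        elif w[0] == "interface":
            iface = w[1]
            cfg["ifaces"][iface] = {"net": None, "nat": None, "map": None, "vti": False}
        elif iface:                                  # interface sub-commands we care about
            e = cfg["ifaces"][iface]
            if w[:2] == ["ip", "address"]:
                e["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            elif w[:2] in (["ip", "nat"], ["crypto", "map"]):
                e[w[1]] = w[2]                       # e["nat"] = inside/outside, e["map"] = name
            elif w[:3] == ["tunnel", "protection", "ipsec"]:
                e["vti"] = True
        elif w[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            group = w[5]
        elif group and w[0] in ("pool", "acl"):      # mode-config pool / split-tunnel ACL
            cfg["pool" if w[0] == "pool" else "split_acl"] = w[1]
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pools"][w[3]] = (ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5]))
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = w[5]
        elif w[0] == "access-list":                  # extended (protocol ip) or standard
            src, i = acl_net(w, 4 if w[3] == "ip" else 3)
            dst = acl_net(w, i)[0] if w[3] == "ip" else None
            cfg["acls"].setdefault(w[1], []).append((w[2], src, dst))
    return cfg

def acl_permits(rules, src, dst):
    """First match wins; every IOS ACL ends with an implicit deny."""
    hit = next((a for a, s, d in rules if src in s and (d is None or dst in d)), "deny")
    return hit == "permit"

def lint(text):
    cfg, out = parse(text), []
    lan_net = next(e["net"] for e in cfg["ifaces"].values() if e["nat"] == "inside" and e["net"])
    lan_host, client = lan_net[2], cfg["pools"][cfg["pool"]][0]   # any LAN host vs first pool address
    if not acl_permits(cfg["acls"].get(cfg["split_acl"], []), lan_host, client):
        out.append(f"split-tunnel ACL {cfg['split_acl']} does not cover LAN {lan_net}")
    via_map = [n for n, e in cfg["ifaces"].items() if e["nat"] == "outside" and e["map"]]
    via_vti = [n for n, e in cfg["ifaces"].items() if e["vti"]]
    if via_map and acl_permits(cfg["acls"].get(cfg["nat_acl"], []), lan_host, client):
        # crypto map on the NAT-outside interface: NAT runs before encryption, so LAN->pool must be denied first
        out.append(f"NAT ACL {cfg['nat_acl']} translates {lan_net}->{client} before encryption")
    elif via_vti and any(cfg["ifaces"][n]["nat"] == "outside" for n in via_vti):
        # DVTI traffic exits the virtual-access interface; it is only NATed if the template is nat outside
        out.append("virtual-template is 'ip nat outside'; exempt LAN->pool from NAT")
    return out

# Trimmed copy of the thread's first config (crypto map on the WAN interface)
CONFIG_CRYPTO_MAP = """\
crypto isakmp client configuration group myezvpn
pool ezvpn-pool
acl 101
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface Serial1/1
ip nat outside
crypto map cisco
!
ip local pool ezvpn-pool 192.168.100.1 192.168.100.100
ip nat inside source list 100 pool cisco overload
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
# Trimmed copy of the SDM-generated config (DVTI; no crypto map on the WAN interface)
CONFIG_DVTI = """\
crypto isakmp client configuration group test
pool SDM_POOL_1
acl 101
interface FastEthernet0/0
ip nat outside
interface FastEthernet0/1
ip address 10.10.121.1 255.255.255.0
ip nat inside
interface Virtual-Template1 type tunnel
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 123.1.1.1 123.1.1.100
ip nat inside source list 10 interface FastEthernet0/0 overload
access-list 10 permit 10.10.121.0 0.0.0.255
access-list 101 permit ip 10.10.121.0 0.0.0.255 any
"""
```

Run `lint(CONFIG_CRYPTO_MAP)` and `lint(CONFIG_DVTI)`: both return no findings, which agrees with the OP's observation that routes existed on both sides and with the SDM config needing no NAT exemption. Deleting the `deny` line from ACL 100 in the first config makes the lint report that NAT would rewrite the LAN-to-pool flow before encryption, which is the classic cause of "clients connect but cannot reach the LAN" on a crypto-map server.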