After the VPN, only three computers can ping 8.8.8.8

networking vpn internet acl
2022-02-25 19:22:22

We took over a client with a very old 2811 whose config file is a mess. We built a new IPsec tunnel for them. The tunnel works fine, but now only three computers can ping 8.8.8.8; the rest report "destination host unreachable". I tried writing an ACL that allows one of the affected computers to reach 8.8.8.8, but I still get nothing, and debugging shows nothing either.

Building configuration...

Current configuration : 10307 bytes
!
version 12.4
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot system flash xxxxxxx
boot-end-marker
!
logging buffered 16384 informational
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
!
!
ip cef
ip inspect max-incomplete high 2000
ip inspect max-incomplete low 1200
ip inspect one-minute high 2000
ip inspect one-minute low 1200
ip inspect name MLPPP_1 tcp
ip inspect name MLPPP_1 udp
ip inspect name MLPPP_1 cuseeme
ip inspect name MLPPP_1 ftp
ip inspect name MLPPP_1 h323
ip inspect name MLPPP_1 rcmd
ip inspect name MLPPP_1 realaudio
ip inspect name MLPPP_1 streamworks
ip inspect name MLPPP_1 vdolive
ip inspect name MLPPP_1 sqlnet
ip inspect name MLPPP_1 tftp
ip inspect name MLPPP_1 esmtp max-data 102400000
ip inspect name MLPPP_1 dns
ip inspect name MLPPP_1 ddns-v3
ip inspect name MLPPP_1 fragment maximum 256 timeout 1
ip inspect name MLPPP_1 https
ip inspect name MLPPP_1 imap
ip inspect name MLPPP_1 imap3
ip inspect name MLPPP_1 isakmp
ip inspect name MLPPP_1 l2tp
ip inspect name MLPPP_1 ldap
ip inspect name MLPPP_1 ldap-admin
ip inspect name MLPPP_1 pop3
ip inspect name MLPPP_1 pptp
ip inspect name MLPPP_1 ssh
ip inspect name MLPPP_1 syslog
ip inspect name MLPPP_1 telnet
ip inspect name MLPPP_1 time
ip inspect name MLPPP_1 timed
ip inspect name MLPPP_1 ms-sql
ip inspect name MLPPP_1 ms-sql-m
ip inspect name MLPPP_1 msexch-routing alert on
ip inspect name MLPPP_1 rpc program-number 100003
ip inspect name MLPPP_1 rpc program-number 100005
ip inspect name MLPPP_1 rpc program-number 100021
ip inspect name MLPPP_1 rpc program-number 100024
!
!
ip domain name xxxxxxx
!
!
!
crypto pki trustpoint TP-self-signed-2276015229
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2276015229
 revocation-check none
 rsakeypair TP-self-signed-2276015229
!
!
login  stuff xxxxxxxxxx
!
!
class-map match-any BUSINESS-WRED
 match access-group name WRED_LIST
class-map match-all VPN
 match access-group name QOS_VPN
class-map match-all FLASH
 match access-group name QOS_FLASH
 match protocol syslog
 match protocol ntp
 match protocol telnet
 match protocol ssh
class-map match-any SCAVENGER
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
class-map match-any BUSINESS-WFQ
 match access-group name WFQ_LIST
!
!
policy-map NESTED-VPN
 class BUSINESS-WFQ
  shape average 196000
 class BUSINESS-WRED
  bandwidth percent 56
  random-detect dscp-based
  shape average 392000
 class class-default
  fair-queue
policy-map QUEUE-EGRESS
 class FLASH
  priority percent 28
 class VPN
  shape average percent 56
  service-policy NESTED-VPN
 class SCAVENGER
  shape average percent 1
  police cir percent 5
    conform-action transmit 
    exceed-action drop 
 class class-default
  bandwidth percent 16
  random-detect dscp-based
!
! 
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxxx address xxxxx "sitebresponder"
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 4
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toxxxxxx
 set peer xxxxxxx "sitebresponder"
 set transform-set test 
 match address 100
!
!
!
interface Loopback0
 description Nail down NAT
 ip address "weirdwanaddress" 255.255.255.248
!
interface Multilink1
 description ACC Business 3Mb DIA 2xT1
 ip address "wan address" 255.255.255.252
 ip access-group INGRESS in
 ip inspect MLPPP_1 out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1320
 load-interval 30
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description Markline PA LAN
 ip address 172.16.16.1 255.255.255.0 secondary
 ip address 192.168.56.1 255.255.248.0
 ip helper-address 192.168.48.14 "these arent even needed"
 ip helper-address 192.168.48.9  "old stuff SMH"
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description DMZ With ISA Server
 ip address "another weird wan" 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1200
 load-interval 30
 duplex auto
 speed auto
!
interface Serial0/0/0
 description xxxxx
 no ip address
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 service-module t1 timeslots 1-24
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0
 description xxxxx
 no ip address
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 service-module t1 timeslots 1-24
 ppp multilink
 ppp multilink group 1
!
router ospf 100
 log-adjacency-changes
 redistribute connected
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel101
 network 192.168.0.0 0.0.255.255 area 0
!
ip route 0.0.0.0 0.0.0.0 "wan interface"
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MLPA-POOL1 "more werid wan" "another weird wan" netmask 255.255.255.248
ip nat inside source list TOINTERNET pool MLPA-POOL1 overload
!
ip access-list extended INGRESS
 permit ip "wan" 0.0.31.255 any
 permit gre "wan" 0.0.31.255 any
 permit esp "wan" 0.0.31.255 any
 permit ip 192.168.48.0 "siteb" 0.0.7.255 192.168.56.0 "site a" 0.0.7.255
 permit udp host "sitebwan" host "siteawan" eq non500-isakmp
 permit udp host "sitebwan" host "siteawan" eq isakmp
 permit esp host "sitebwan" host "siteawan"
 permit ahp host "sitebwan" host "siteawan"
 permit tcp any any eq 22
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit udp any host "siteawan" eq isakmp
 permit gre any host "siteawan"
 permit esp any host "siteawan"
 permit udp any host "siteawan" eq non500-isakmp
 permit udp any eq isakmp host "siteawan"
 permit ip 192.168.24.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended QOS_FLASH
 remark -- SNMP,Telnet, SSH and Net Mgmt
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq echo
 permit udp any eq echo any
 permit udp any any eq snmp
 permit udp any eq snmp any
 remark -- Ntop Box
 permit ip any host 192.168.48.20
ip access-list extended QOS_VPN
 remark -- DMVPN Traffic
 deny   ip any host 192.168.48.20
 permit ip 192.168.56.0 0.0.7.255 192.168.48.0 0.0.7.255
ip access-list extended TOINTERNET
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.56.0 0.0.7.255 any
ip access-list extended WFQ_LIST
 remark -- Terminal Service,share point, AD and SQl
 permit ip any host 192.168.48.8
 permit ip any host 192.168.48.9
ip access-list extended WRED_LIST
 remark -- CAD Printing
 permit ip any host 192.168.48.11
 permit ip any host 192.168.48.14
 remark -- Anti Virus,file and print server
 permit ip any host 192.168.48.21
 remark -- WSUS
 permit ip any host 192.168.48.9
 remark -- POP3 and SMTP
 permit tcp any any eq smtp
 permit tcp any eq smtp any
 permit tcp any any eq pop3
 permit tcp any eq pop3 any
ip access-list extended remote-manage
 permit tcp any host  eq 2222
 permit tcp any host  eq 2222
 permit tcp any host  eq 22
 permit tcp any host  eq 22
 permit tcp any host "bunch of weird wans" eq 22
!
logging trap debugging
logging facility local2
logging 192.168.48.20
access-list 108 permit ip host 192.168.56.11 192.168.64.0 0.0.0.255
access-list 108 permit ip any 192.168.64.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.56.0 0.0.7.255 192.168.48.0 0.0.7.255
snmp-server community xxxxxxx RO
!
!
control-plane
!
!
banner login ^C
Authorized Users Only !!!
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

192.168.56.0 is the site that initiates. It is also the site where only three PCs can ping 8.8.8.8. They all have the same gateway and can ping the gateway.

192.168.48.0 is site B, the responder.

Look for the places where I sanitized the config: "xxxx".

ACL or NAT problem?
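To reason about the question at the end of the post (ACL or NAT?), it helps to run candidate source/destination pairs through the two ACLs the router applies to outbound traffic, in the order IOS applies them for inside-to-outside packets: the NAT list (TOINTERNET) first, then the crypto ACL (access-list 100) against the possibly translated source. The following script is an added example, not code from the original post; it transcribes those two ACLs from the posted config, models only the address part of each ACE (port qualifiers are ignored), and uses the documentation address 203.0.113.1 as a constructed stand-in for the redacted MLPA-POOL1 pool address. The sample hosts are constructed too; the script does not diagnose the poster's fault, it only shows how each pair is classified by the rules as written.

```python
"""
Match source/destination pairs against IOS-style extended ACLs (wildcard
masks, 'host', 'any') with first-match semantics and the implicit
'deny ip any any', then combine the NAT list and the crypto ACL in the
order IOS applies them to inside-to-outside traffic (NAT before crypto).
ACL contents are transcribed from the posted configuration; the NAT pool
address and the sample hosts are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", "icmp", ...
    src: str      # network address
    src_wc: str   # wildcard mask (bits set = don't care)
    dst: str
    dst_wc: str


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as
         permit ip 192.168.56.0 0.0.7.255 any
         deny   ip host 192.168.56.11 192.168.0.0 0.0.255.255
    Only the address fields are modelled; port operators are not."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    rest = tokens[2:]

    def take():
        if rest[0] == "any":
            rest.pop(0)
            return "0.0.0.0", "255.255.255.255"
        if rest[0] == "host":
            rest.pop(0)
            return rest.pop(0), "0.0.0.0"
        return rest.pop(0), rest.pop(0)

    src, src_wc = take()
    dst, dst_wc = take()
    return Ace(action, proto, src, src_wc, dst, dst_wc)


def in_range(ip: str, addr: str, wildcard: str) -> bool:
    """IOS wildcard match: every bit that is 0 in the wildcard must agree."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def lookup(acl, src: str, dst: str, proto: str = "ip") -> str:
    """First matching ACE wins; no match means the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if in_range(src, ace.src, ace.src_wc) and in_range(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# Transcribed from the posted config.
TOINTERNET = [
    parse_ace("deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255"),
    parse_ace("permit ip 192.168.56.0 0.0.7.255 any"),
]
CRYPTO_100 = [
    parse_ace("permit ip 192.168.56.0 0.0.7.255 192.168.48.0 0.0.7.255"),
]

# Constructed stand-in for the redacted MLPA-POOL1 address (TEST-NET-3).
NAT_POOL_SAMPLE = "203.0.113.1"


def classify(src: str, dst: str) -> str:
    """Outcome for an inside host's packet leaving the router:
         'ipsec'        - crypto ACL matched, packet goes into the tunnel
         'nat'          - translated by 'ip nat inside source list TOINTERNET'
         'untranslated' - neither list matched; leaves with its private source"""
    translated = lookup(TOINTERNET, src, dst) == "permit"
    outer_src = NAT_POOL_SAMPLE if translated else src
    if lookup(CRYPTO_100, outer_src, dst) == "permit":
        return "ipsec"
    return "nat" if translated else "untranslated"


if __name__ == "__main__":
    # Constructed sample hosts on the two subnets configured on FastEthernet0/0.
    for src, dst in [("192.168.56.11", "8.8.8.8"),
                     ("192.168.56.11", "192.168.48.9"),
                     ("192.168.56.11", "192.168.64.5"),
                     ("172.16.16.50", "8.8.8.8")]:
        print(f"{src:>14} -> {dst:<14} {classify(src, dst)}")
```

Running it shows that a 192.168.56.0/21 host bound for 8.8.8.8 is translated, the same host bound for 192.168.48.0/21 is encrypted, and a host on the secondary 172.16.16.0/24 subnet (or any 192.168.x destination outside the crypto ACL, such as 192.168.64.0/24 from access-list 108) matches neither list and is forwarded with its original source address. Whether that corresponds to the affected PCs is something only `show ip nat translations` and `show crypto ipsec sa` on the router can confirm.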

0 answers