EZVPN access to the public Internet through the tunnel doesn't work - hairpinning!

network-engineering cisco vpn nat cisco-ios
2021-07-25 18:45:20

I have a task where I need to be able to use EZVPN with split tunnelling, but still be able to reach an external server from the corporate network, because the external server only accepts connections from the corporate public IP address.

So I included not only the corporate Class C in the interesting traffic, but also the external server's IP address.

So far so good: traffic for the corporate network and for the external server's IP address both go through the tunnel.

Now the problem: I am trying to send the traffic for the external server's public IP from the corporate network out to the public Internet, but it just gets dropped and does not go back out to the Internet on the same interface.

I followed this procedure, but it didn't help, because the route-map counters do not increase when I try to reach the external router.

Solution using a Route Map to set the Next Hop to a Loopback

To test the procedure I removed the split tunnel so that everything goes down the tunnel, which lets me test against any website. I can reach servers on the corporate network, but sadly it won't let me reach any site on the Internet.

It is a Cisco 870 router; here is the configuration.

Any help would be appreciated. Out of desperation I have put the ip policy statement on both the ATM and the Dialer interfaces, but I suspect it should only be on the Dialer.

Router#sh run
Building configuration...

Current configuration : 4617 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 *************************
enable password *************************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.111
!
ip dhcp pool myDhcp
   network 192.168.1.0 255.255.255.0
   dns-server 139.130.4.4 
   default-router 192.168.1.1 
!
!
ip cef
ip inspect name myfw http
ip inspect name myfw https
ip inspect name myfw pop3
ip inspect name myfw esmtp
ip inspect name myfw imap
ip inspect name myfw ssh
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw icmp
ip inspect name myfw h323
ip inspect name myfw udp
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw vdolive
ip inspect name myfw streamworks
ip inspect name myfw rcmd
ip inspect name myfw isakmp
ip inspect name myfw tcp
ip name-server 139.130.4.4
!
!
!
!
username ************************* privilege 15 password 0 *************************
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HomeFull
 key *************************
 dns 8.8.8.8 8.8.8.4
 pool SDM_POOL_1
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group HomeFull
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 1740
 set transform-set ESP-3DES-SHA 
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000 
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback10
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description TimsInternet
 ip flow ingress
 ip policy route-map VPN-Client
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template3 type tunnel
 ip unnumbered Dialer3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect myfw in
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1372
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer0
 no ip address
!
interface Dialer3
 ip address negotiated
 ip access-group blockall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 ip policy route-map VPN-Client
 no ip mroute-cache
 dialer pool 3
 dialer-group 1
 no cdp enable
 ppp chap hostname *************************@direct.telstra.net
 ppp chap password 0 *************************
!
ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 101 interface Dialer3 overload
!
ip access-list extended VPN-OUT
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended blockall
 remark CCP_ACL Category=17
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit tcp any any eq 10000
 deny   ip any any
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
route-map VPN-Client permit 10
 match ip address VPN-OUT
 set ip next-hop 10.0.0.2
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password cisco
!
scheduler max-task-time 5000
end

Router#exit
Connection closed by foreign host.
1 Answer

Use this configuration:

interface Virtual-Template3 type tunnel
 ip unnumbered Dialer3
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
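As an added example (not the asker's or the answerer's configuration), here is the answer's change applied to the posted 870 config together with the reason the route-map/loopback workaround never fired. Decrypted EZVPN traffic enters the router on the Virtual-Access interface cloned from Virtual-Template3, not on Dialer3; Dialer3 only ever sees the encrypted ESP packets from the client's public address, so a route map applied there never matches 10.0.0.x and its counters stay at zero. ACL 101 already permits 10.0.0.0/24, but `ip nat inside source` only translates packets that cross from an `ip nat inside` interface to an `ip nat outside` one, and the virtual template was marked as neither. Interface names, ACL names and the 10.0.0.0/24 pool are taken from the posted config; 203.0.113.10 is a placeholder for the external server, whose real address the question does not give; the `ip inspect` line is my own addition inferred from the `blockall` ACL on Dialer3 and is not part of the answer.

```ios
! Added example, not the original poster's or the answerer's config.
! 203.0.113.10 is a placeholder for the external server (assumption).
!
! 1. Mark the DVTI as a NAT inside interface so client -> Internet traffic
!    is translated to the Dialer3 address by the existing
!    "ip nat inside source list 101 interface Dialer3 overload".
!    CBAC inspection is added here because "blockall" on Dialer3 ends in
!    "deny ip any any"; without an inspect rule on the interface the
!    client sessions arrive on, the replies from the Internet are dropped
!    at Dialer3. (Inferred from the posted ACL; check that your IOS
!    release accepts ip inspect on a virtual template.)
interface Virtual-Template3 type tunnel
 ip unnumbered Dialer3
 ip nat inside
 ip virtual-reassembly in
 ip inspect myfw in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
! 2. With the VTI marked inside, the loopback next-hop trick is no longer
!    needed; remove the policy routing from both interfaces it was tried on.
interface ATM0.1 point-to-point
 no ip policy route-map VPN-Client
interface Dialer3
 no ip policy route-map VPN-Client
!
! 3. Split tunnelling: push only the corporate LAN and the external server
!    to the client instead of sending everything down the tunnel. In an
!    EZVPN split-tunnel ACL the source is the network behind the server.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 203.0.113.10 any
crypto isakmp client configuration group HomeFull
 acl SPLIT-TUNNEL
!
! 4. Verification after a client connects and opens a session to the server:
!    show ip nat translations   - inside local 10.0.0.x, inside global = Dialer3 address
!    show ip inspect sessions   - the client's session tracked by CBAC
!    show crypto ipsec sa       - "pkts decaps" increasing on the Virtual-Access interface
```

Two caveats a practitioner would want alongside this. First, with the VTI marked inside, the `blockall` ACL on Dialer3 never applies to decrypted client traffic, so any filtering between VPN clients and the LAN or the Internet has to be done on the virtual template or on Vlan1, not on Dialer3. Second, the posted policies (`encr 3des`, `group 2`, `esp-3des esp-sha-hmac`) are long deprecated; the fix above does not change them, but the tunnel that now carries Internet traffic should be moved to AES and a modern DH group when the platform allows it.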