Настройка Cisco 2800 как L2TP Client-а
Рабочий крнфиг:
service internal ! Обязятельная скрытая команда
ip cef
ip multicast-routing
!
vpdn-group L2TP-STRONGVPN
request-dialin
protocol l2tp
pool-member 1
initiate-to ip 207.204.224.21
no l2tp tunnel authentication
request-dialin
protocol l2tp
pool-member 1
initiate-to ip 207.204.224.21
no l2tp tunnel authentication
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key _Password_ address 207.204.224.21
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto map STRONGVPN 10 ipsec-isakmp
set peer 207.204.224.21
set transform-set ESP-AES256-SHA
match address L2TP_SA_DIALER1
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key _Password_ address 207.204.224.21
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto map STRONGVPN 10 ipsec-isakmp
set peer 207.204.224.21
set transform-set ESP-AES256-SHA
match address L2TP_SA_DIALER1
!
interface FastEthernet0/0
description -= Local network =-
ip address 172.16.44.44 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip address 172.16.44.44 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description -= Outside Interface =-
ip address 77.91.xxx.yyy 255.255.255.240
ip access-group INPUT_ACL in
ip flow ingress
ip flow egress
description -= Outside Interface =-
ip address 77.91.xxx.yyy 255.255.255.240
ip access-group INPUT_ACL in
ip flow ingress
ip flow egress
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map STRONGVPN
!
duplex auto
speed auto
no cdp enable
crypto map STRONGVPN
!
interface Dialer1
description -= VPN (StrongVPN) L2TP client =-
ip address negotiated
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no cdp enable
ppp chap hostname _USERNAME_
ppp chap password _Password_
description -= VPN (StrongVPN) L2TP client =-
ip address negotiated
ip mtu 1492
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no cdp enable
ppp chap hostname _USERNAME_
ppp chap password _Password_
!
ip route 0.0.0.0 0.0.0.0 Dialer1 ! Весь трафик заворачиваем в тунель
ip route 172.16.44.0 255.255.255.0 FastEthernet0/0
ip route 207.204.224.21 255.255.255.255 77.91.xxx.xxx !на шлюз провайдерв
!
ip route 172.16.44.0 255.255.255.0 FastEthernet0/0
ip route 207.204.224.21 255.255.255.255 77.91.xxx.xxx !на шлюз провайдерв
!
ip flow-top-talkers
top 50
sort-by bytes
cache-timeout 30000
match protocol udp
!
top 50
sort-by bytes
cache-timeout 30000
match protocol udp
!
ip nat translation timeout 30
!НАТ-им в адрес интерфейса Dialer1
ip nat inside source route-map map_IPSEC interface Dialer1 overload
!
ip nat inside source route-map map_IPSEC interface Dialer1 overload
!
ip access-list extended INPUT_ACL
permit ip host 207.204.224.21 host 77.91.xxx.yyy ! Разрешаем трафик между нашим интерфейсом и VPN сервером. Остально е запрещаем.
deny ip any any log
permit ip host 207.204.224.21 host 77.91.xxx.yyy ! Разрешаем трафик между нашим интерфейсом и VPN сервером. Остально е запрещаем.
deny ip any any log
!
ip access-list extended L2TP_SA_DIALER1
permit udp host 77.91.xxx.yyy eq 1701 host 207.204.224.21 eq 1701
remark -= Razreshaem L2TP =-
permit udp host 77.91.xxx.yyy eq 1701 host 207.204.224.21 eq 1701
remark -= Razreshaem L2TP =-
!
ip access-list extended VPN_IPSEC
permit ip host 172.16.44.1 any
permit ip host 172.16.44.44 any
remark -= Vybyraem Local IP adresa korotye NAT-im =-
!
permit ip host 172.16.44.1 any
permit ip host 172.16.44.44 any
remark -= Vybyraem Local IP adresa korotye NAT-im =-
!
dialer-list 1 protocol ip permit
!
route-map map_IPSEC permit 10
match ip address VPN_IPSEC
match interface Dialer1
!
match ip address VPN_IPSEC
match interface Dialer1
!
При таком конфиге весь трафик направляется в тунель.
Локальный трафик с адресов описанных в ip access-list extended VPN_IPSEC натится натится в адрес interface Dialer1 overload (получаем PAT).
Комментариев нет:
Отправить комментарий