При такой конфигурации и нас наблюдается проблема с исходящим VPN подключением на порт 1723/tcp.
Подскажи что необходимо добавить для решения этой проблемы.
- This is the running config of the router
----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpn
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$gk7j$C0BtFqKG3Hg0NY89GG8kj.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone Tbilisi 4
clock summer-time Tbilisi date Mar 30 2003 1:00 Oct 26 2003 1:00
clock calendar-valid
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.100.1 192.168.100.99
ip dhcp excluded-address 192.168.100.111 192.168.100.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.10.0 255.255.255.0
dns-server 217.14.192.170 217.14.192.173
default-router 192.168.10.1
!
ip dhcp pool sdm-pool100
import all
network 192.168.100.0 255.255.255.0
dns-server 217.14.192.170 217.14.192.173
default-router 192.168.100.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name mydomen
ip name-server 217.14.192.170
ip name-server 217.14.192.173
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-406614270
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-406614270
revocation-check none
rsakeypair TP-self-signed-406614270
!
!
crypto pki certificate chain TP-self-signed-406614270
certificate self-signed 01
30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303636 31343237 30301E17 0D313230 33303630 35353531
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3430 36363134
32373030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B0617105 89DD5059 7A78C16F C8054252 DB024927 51FCED3B B64DCC40 775A1C6A
CD7D1387 43BD2609 A6E0B715 4E39C305 90735E40 7C13F44A E0F97B16 587E2AFD
5065AC11 337B2DE8 C8EDF60B 2F844754 86235492 314C6A6D 30025279 3735D8A0
750432B9 CBA687BD 3A57BCFA 649F92D0 7C9BAC8C 78F3F81B 36C4B301 95E335CD
02030100 01A36C30 6A300F06 03551D13 0101FF04 05300301 01FF3017 0603551D
11041030 0E820C76 706E2E66 76676775 2E727530 1F060355 1D230418 30168014
290E48BA E14421BC 4651A8E6 C9688E0D D4D41F7B 301D0603 551D0E04 16041429
0E48BAE1 4421BC46 51A8E6C9 688E0DD4 D41F7B30 0D06092A 864886F7 0D010104
05000381 8100AB4A 29B6A69E E5F09C99 A912C483 B6CB7816 00409B9C 775AE900
FDB667B5 B67251CA E6CB7F70 A2A0B2DA 225DBD7C 45EB7059 A7FA72F9 AD619734
ADE821B3 2A9C33C3 A6D63083 BC056769 9388DB90 4C5A39F9 44BBE927 952A5CA6
8309B0CD 3FA34345 CB315479 6B865005 578759D4 EFD367C3 318A592E E97619CE
E917E75C 2400
quit
username user privilege 15 secret 5 $1$k07y$DoEW1ymI0jU8DQW6rvU.y.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key passwords
dns 192.168.0.3 192.168.0.1
wins 192.168.0.3 192.168.0.1
domain mydomen
pool SDM_POOL_1
acl 102
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address xxx.xx.xxx.117 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
switchport access vlan 3
!
interface FastEthernet9
switchport access vlan 2
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.0.4 255.255.255.0
!
interface Vlan3
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool SDM_POOL_1 192.168.0.230 192.168.0.240
ip route 0.0.0.0 0.0.0.0 xxx.xx.xxx.118
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.10.145 80 interface FastEthernet0 80
!
no logging trap
access-list 1 remark -=NTP Servers=-
access-list 1 permit 91.198.10.20
access-list 1 permit 62.149.2.1
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny any
access-list 2 remark -=NTP Clients=-
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 217.14.193.116 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host xxx.xx.xxx.117 eq non500-isakmp
access-list 101 permit udp any host xxx.xx.xxx.117 eq isakmp
access-list 101 permit esp any host xxx.xx.xxx.117
access-list 101 permit ahp any host xxx.xx.xxx.117
access-list 101 permit udp host 217.14.192.173 eq domain host xxx.xx.xxx.117
access-list 101 permit udp host 217.14.192.170 eq domain host xxx.xx.xxx.117
access-list 101 permit tcp any host xxx.xx.xxx.117 eq www
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host xxx.xx.xxx.117 echo-reply
access-list 101 permit icmp any host xxx.xx.xxx.117 time-exceeded
access-list 101 permit icmp any host xxx.xx.xxx.117 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
control-plane
!
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp access-group peer 1
ntp access-group serve 2
ntp master 3
ntp update-calendar
ntp server 62.149.2.1 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
