CiscoVPN Client (VPNPool 192.168.1.*) – fe0/1_CiscoRouter_fe0/0.1 - Catalyst – BackBoneServer(172.16.172.*)
The certificate request from the VPN server on the 2801 and the client connection both go fine. The client gets a 192.168.1.* address and can ping another user who is also connected via VPNClient, for example on a catalyst port; that all works. But the clients cannot reach the server (172.16.172.*), which is also connected to the catalyst. What did I misconfigure, and where?
On the catalyst, fe0/1 is configured as a trunk carrying vlan100 and is connected to fe0/0 of the c2801, and several ports are configured as switchport mode access, switchport access vlan100.
Here is the router config:
hostname c2801
!
aaa new-model
!
!
aaa authentication login vpnauth local
aaa authorization network vpngroup local
!
aaa session-id common
!
resource policy
!
clock timezone MSK 4
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip dhcp use vrf connected
!
ip domain name domain.ru
ip host c2801.domain.ru 172.16.172.1
ip name-server 172.16.172.1
no ip ips deny-action ips-interface
!
!
crypto pki server c2801ca
! type 7 is a reversible encoding, not a hash: anyone holding this config can recover the archive password
database archive pem password 7 082245544541
issuer-name OU=domain, CN=c2801, C=ru
!
crypto pki trustpoint c2801ca
revocation-check crl
rsakeypair c2801ca
!
crypto pki trustpoint c2801rsa
enrollment url http://172.16.172.1:80
serial-number none
fqdn c2801.domain.ru
ip-address none
password
subject-name OU=domain, CN=c2801, C=ru
revocation-check crl
rsakeypair c2801rsa
auto-enroll
!
!
crypto pki certificate chain c2801ca
certificate ca 01
30820237 308201A0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
7C8E283F 58C046CC 67B3D85E 0CB8EE10 F0702DB0 0E404C19 60E3C36F B52168A9
5726422A 65677EB1 4487BB5B 308C292D 8DF2202B 91376CFD F7AE72
quit
crypto pki certificate chain c2801rsa
certificate 02
30820244 308201AD A0030201 02020102 300D0609 2A864886 F70D0101 04050030
09B210AA 95564D4D 7D3F466A F4C7402C C778D6FC 7A8B9795 AEFDD51B F30B1A1E
A7882081 DD708DAB
quit
certificate ca 01
30820237 308201A0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
7C8E283F 58C046CC 67B3D85E 0CB8EE10 F0702DB0 0E404C19 60E3C36F B52168A9
5726422A 65677EB1 4487BB5B 308C292D 8DF2202B 91376CFD F7AE72
quit
! local user also used by XAUTH through the vpnauth login list
username qwerty privilege 7 secret 5 $1$uQtR$OKrW6HtimJ/
!
crypto isakmp policy 3
encr aes 256
group 2
crypto isakmp identity dn
crypto isakmp keepalive 120 periodic
no crypto isakmp ccm
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group domain
pool vpnpool
! acl 100 is pushed to every client as its split-tunnel list: the source field of each permit entry
! is a network behind this router that the client is told to send through the tunnel
acl 100
pfs
crypto isakmp profile vpnprof
match identity group domain
client authentication list vpnauth
isakmp authorization list vpngroup
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto ipsec profile myipsec
set transform-set myset
set isakmp-profile vpnprof
!
!
crypto dynamic-map dynmap 1
set transform-set myset
! RRI: inject a route on this router for each connected client's assigned address
reverse-route
!
!
crypto map mymap client authentication list vpnauth
crypto map mymap isakmp authorization list vpngroup
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/0.1
description VPN_Inside
encapsulation dot1Q 100
ip address 172.16.172.1 255.255.255.0
ip virtual-reassembly
no snmp trap link-status
no cdp enable
! legacy crypto map attached on the VLAN 100 side; vpnprof above also binds sessions to Virtual-Template1
crypto map mymap
!
interface FastEthernet0/1
description VPN_Outside
ip address 10.10.10.1 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/3/0
no ip address
shutdown
clockrate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile myipsec
!
ip local pool vpnpool 192.168.1.1 192.168.1.100
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.10
!
!
ip http server
ip http authentication local
ip http secure-server
!
! split-tunnel list referenced by "acl 100" in the client group; as written its only source network is the client pool itself
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
control-plane
!
!
end
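Added example, not part of the original post. The split-tunnel list is the item in this config that matches the symptom: `acl 100` is pushed to every Easy VPN client, and IOS reads the source field of each permit entry as a network behind the server that the client should route through the tunnel. As posted, the only such network is the pool itself, 192.168.1.0/24, so client-to-client traffic is encrypted while packets for 172.16.172.0/24 leave the client's physical interface in the clear and never reach the router. The block below shows the ACL as posted beside a corrected one, the full-tunnel alternative, and the return-path check on the server side. The `remark` text, the verification commands and the assumption that the server's gateway is 172.16.172.1 are mine, not taken from the post; the config mixes a legacy crypto map on FastEthernet0/0.1 with an isakmp profile bound to Virtual-Template1, and the split-tunnel list is pushed the same way whichever of the two terminates the session.

```cisco
! Added example (not from the original post): split-tunnel ACL for the
! Easy VPN group "domain", referenced by "acl 100" in
! "crypto isakmp client configuration group domain".
!
! IOS builds the client's secured routes from the SOURCE field of each
! permit entry: that field must list the networks behind the VPN server.
!
! --- As posted: only the pool itself is "behind" the server ---
! access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! Effect: the client installs a secured route for 192.168.1.0/24 only,
! so pings between two VPN clients succeed, while traffic for
! 172.16.172.0/24 bypasses the tunnel and is sent via the client's LAN.
!
! --- Corrected: list the server VLAN behind the router ---
no access-list 100
access-list 100 remark split-tunnel: networks clients reach via the tunnel
access-list 100 permit ip 172.16.172.0 0.0.0.255 any
!
! --- Alternative: full tunnel (no split-tunnel list at all) ---
! Removing "acl 100" makes the client send all traffic through the
! tunnel, which also keeps it off the client's local network.
! crypto isakmp client configuration group domain
!  no acl 100
!
! --- Return path (assumption, not visible in the post) ---
! "reverse-route" in dynmap only adds a route for each client address on
! this router. The server at 172.16.172.x must itself send replies for
! 192.168.1.0/24 to 172.16.172.1: either that address is its default
! gateway, or it carries a static route for 192.168.1.0/24 via it.
!
! --- Verification after a client reconnects ---
! show crypto session detail      ! IKE SA plus IPsec SA per client
! show ip route 192.168.1.1       ! per-client route installed by RRI/DVTI
! show access-lists 100           ! confirm the corrected source network
! On the client, Statistics > Route Details must now list
! 172.16.172.0/24 as a secured route.
```

Clients only receive the new list when they reconnect, so clear the existing sessions (or ask the users to reconnect) after changing the ACL.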