Topic: VPN+NAT setup on a Cisco 851-K9 / 850 series
Greetings!
I have a Cisco 851-K9 with a local server behind it. The goal is to connect from the Internet over VPN to the Cisco and then on to the server via Remote Desktop.
I have it roughly half set up. NAT works and the VPN works, but only in a cut-down form, so to speak. Encryption is not supported, since the Windows client drops with a warning about this.
What's more, the Windows client from the inside (on the server itself) can connect and does connect to the Cisco. But from the outside it gets as far as the username and password check and then drops with a timeout, error 619:
A connection to remote host could not be established, so the port used for this connection was closed.
The config follows.
Current configuration : 5261 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname moin
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging console critical
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network rtr-remote local
!
!
aaa session-id common
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-566857557
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-566857557
revocation-check none
rsakeypair TP-self-signed-566857557
!
!
crypto pki certificate chain TP-self-signed-566857557
certificate self-signed 01
<-- CUT -->
quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
!
ip dhcp pool DHCPPOOL
import all
network 192.168.1.0 255.255.255.0
dns-server 193.33.96.23
domain-name moin.rucable.net
default-router 192.168.1.1
lease 2
!
!
no ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name rucable.net
ip name-server 193.33.96.23
!
vpdn enable
vpdn source-ip 193.33.96.xxx
!
vpdn-group 1
! Default PPTP VPDN group
description Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel receive-window 128
!
!
!
username MainCisco privilege 15 secret 5 DDDDDDDDDDDDDD
username vpn password 0 test
username vpn aaa attribute list vpn
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 480
crypto isakmp key Mainkey address 193.33.96.xxx
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
! Incomplete
description VPN Tunnel
set peer 193.33.96.xxx
set ip access-group 1 in
set transform-set ESP-3DES-SHA
match address 100
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address 193.33.96.xxx 255.255.254.0
ip access-group Internet-inbound-ACL in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map static-map
!
interface Virtual-Template1
ip unnumbered Vlan1
no ip redirects
ip mtu 1492
ip virtual-reassembly
peer default ip address dhcp-pool DHCPPOOL
ppp authentication ms-chap ms-chap-v2
ppp chap hostname vpn
ppp chap password 0 test
ppp timeout authentication 255
crypto map static-map
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip default-gateway 193.33.96.1
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 193.33.96.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 0.0.0.255
ip nat inside source list 1 interface Virtual-Template1 overload
ip nat inside source list acl1 pool pool1
!
ip access-list extended Internet-inbound-ACL
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any
permit udp any any
ip access-list extended vpnstatic
permit gre 192.168.1.0 0.0.0.255 any
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
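Two things stand out in the posted config that a reader comparing against it will want to see done differently. First, `interface Virtual-Template1` has no `ppp encrypt mppe` line, and the PPTP server can only offer MPPE encryption to a Windows client when that command is present and authentication is MS-CHAP or MS-CHAP-v2. Second, the NAT overload is bound to `Virtual-Template1` rather than to the WAN interface `FastEthernet4`, and `Internet-inbound-ACL` permits all TCP and UDP from anywhere, which also leaves `ip http server` and the Telnet transport on the vty lines reachable from the Internet. The following is an added example, not the poster's configuration and not Cisco documentation: the PPTP-relevant part of an IOS 12.4 configuration with MPPE required, NAT overload on the WAN interface, and an inbound filter that opens only what PPTP needs. The address pool, the user name and password, the ACL and inspection names, and the use of `ip inspect` (which assumes an image with the firewall feature set, as the `ip auth-proxy` lines in the post suggest) are assumptions; the WAN address is left masked as in the post.

```cisco
! Added example (not the original poster's config): minimal PPTP dial-in with MPPE
! on IOS 12.4. Names, pool range and credentials below are assumed for illustration.
aaa new-model
aaa authentication ppp default local
!
! Dial-in user (assumed credentials). MS-CHAP/MS-CHAP-v2 is mandatory for MPPE,
! because the MPPE session keys are derived from the MS-CHAP exchange.
username vpnuser password 0 ChangeMe
!
! Addresses handed to PPTP clients: a small range inside the LAN subnet (assumed),
! so a connected client reaches the RDP server directly, without any NAT or port forward.
ip local pool PPTP-POOL 192.168.1.200 192.168.1.210
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Vlan1
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 peer default ip address pool PPTP-POOL
 ! Offer 40/128-bit MPPE and refuse clients that will not encrypt
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
! Stateful inspection of outbound sessions opens the return path through the inbound ACL
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface FastEthernet4
 ip address 193.33.96.xxx 255.255.254.0
 ip access-group Internet-inbound-ACL in
 ip inspect FW out
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! NAT overload is bound to the outside interface, not to the virtual template
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
!
! Inbound WAN filter: PPTP control channel (TCP/1723) and its GRE data channel only,
! plus the ICMP needed for path-MTU discovery and traceroute replies. Management
! (HTTP, SSH) is deliberately not opened from the Internet.
ip access-list extended Internet-inbound-ACL
 permit tcp any host 193.33.96.xxx eq 1723
 permit gre any host 193.33.96.xxx
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
```

To see whether the client gets past authentication into CCP (where MPPE is negotiated), run `debug ppp negotiation` and `debug vpdn event` during a connection attempt; `show vpdn` and `show ppp mppe virtual-access 1` show the established tunnel and the negotiated key length afterwards. Note that an external client must be able to send and receive GRE (IP protocol 47) to the WAN address; a home NAT router without PPTP passthrough or an ISP that drops GRE produces exactly the symptom of authentication succeeding and the connection then timing out, while a client on the LAN is unaffected. Also keep in mind that PPTP with MS-CHAP-v2 and MPPE (RC4) is considered broken: the MS-CHAP-v2 handshake can be recovered offline from a capture, so this setup protects an RDP session from casual eavesdropping, not from a determined attacker.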