Easy VPN server configuration on a Cisco 1712 router

Poster: だん
Forum debut: 2008/07/06
Posts: 3
Posted: 2009-03-17 00:01
I would appreciate some help with this.
I configured an Easy VPN server on a Cisco 1712 router (IOS 12.3), and remote PCs can now connect to it with the Cisco VPN Client.
However, the remote PC cannot reach the internal LAN behind the VPN server.

リモートPC ---- Cisco1712(VPNサーバ) ---- Internal LAN(VLAN1:192.168.10.0/24)

- Fa1 on the Cisco 1712 is assigned to VLAN1 (192.168.10.1) as an access port.
- After the remote PC connects to the VPN and is assigned a 10.1.1.X address, it can ping 192.168.10.1 but cannot ping 192.168.10.10.
- After the VPN is up, the remote PC has a route for 192.168.10.0/24 and the router has a static route to 10.1.1.X.

What do I need to do so that the remote VPN PC can access the internal LAN (192.168.10.X)?
The config is below.
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$1Lqd$1a1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone JST 9
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
ip domain name XXX.ocn.ne.jp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
no ip ips deny-action ips-interface
ip ssh time-out 60
ip ssh authentication-retries 2
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-3893421634
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3893421634
revocation-check none
rsakeypair TP-self-signed-3893421634
!
!
crypto pki certificate chain TP-self-signed-3893421634
certificate self-signed 01
30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
(certificate body omitted, it is long)

quit
username test password 7 122D1713211B
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key XXX
pool VPN_POOL_1
acl 120
save-password
netmask 255.255.255.0
crypto isakmp profile VPNPROFILE
match identity group vpn
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
local-address Loopback0
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map DYNMAP_1 1
set transform-set ESP-3DES-MD5
set isakmp-profile VPNPROFILE
reverse-route
!
!
crypto map CMAP_1 1 ipsec-isakmp dynamic DYNMAP_1
!
!
!
interface Loopback0
ip address 1.1.1.2 255.255.255.248
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
switchport access vlan 30
no ip address
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip inspect SDM_LOW in
ip virtual-reassembly
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip inspect SDM_LOW in
ip virtual-reassembly
ip tcp adjust-mss 1414
shutdown
!
interface Vlan30
description $FW_DMZ$
ip address 192.168.100.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip inspect dmzinspect out
ip virtual-reassembly
!
interface Dialer1
description $FW_OUTSIDE$
ip unnumbered Loopback0
ip access-group 103 in
ip mtu 1454
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1414
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXX.ocn.ne.jp
ppp chap password 7 XXX
crypto map CMAP_1
!
ip local pool VPN_POOL_1 10.1.1.1 10.1.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
logging trap debugging
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit tcp 192.168.20.0 0.0.0.255 any eq www
access-list 100 permit tcp 192.168.20.0 0.0.0.255 any eq domain
access-list 100 permit udp 192.168.20.0 0.0.0.255 any eq domain
access-list 100 deny ip 192.168.100.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip any any log
access-list 102 permit tcp host 192.168.100.10 192.168.20.0 0.0.0.255 eq www
access-list 102 deny ip any any log
access-list 103 deny ip 192.168.20.0 0.0.0.255 any
access-list 103 deny ip 192.168.100.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp host 5.5.5.5 eq ntp any eq ntp
access-list 103 permit tcp any host 1.1.1.1 eq www
access-list 103 permit tcp any host 1.1.1.1 eq domain
access-list 103 permit udp any host 1.1.1.1 eq domain
access-list 103 permit tcp any host 1.1.1.1 eq 1978
access-list 103 permit udp any host 1.1.1.1 eq 1978
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 105 permit icmp any any
access-list 105 deny ip 192.168.10.0 0.0.0.255 10.50.1.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community XXX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps syslog
snmp-server enable traps pppoe
no cdp run
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
no exec
line vty 0 4
access-class 110 in
transport input ssh
!
ntp clock-period 17179866
ntp server XXX
end

Thanks in advance.

[ Message edited by: だん on 2009-03-17 00:03 ]
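One thing worth checking against the posted config, as an added example that is not part of the original post: access-list 105 is shaped like a NAT access list (it exempts 192.168.10.0/24 to 10.50.1.0/24, which looks like an older VPN pool), but the posted config shows no `ip nat inside source` line, so the NAT rule in the fragment below is an assumption. If such a rule exists, the symptom fits it exactly: on IOS, inside-to-outside traffic is NATed before it is encrypted, and a reply from 192.168.10.10 to 10.1.1.x matches either the leading `permit icmp any any` or `permit ip 192.168.10.0 0.0.0.255 any`, so it leaves with the Dialer1 address as source and never matches the client's IPsec SA. Replies from 192.168.10.1 itself are router-originated and are not translated, which is why that ping works. The fragment shows the suspected rule, ACL 105 rebuilt with the current pool (10.1.1.0/24) exempted ahead of every permit, and the show commands that confirm whether translation is happening.

```cisco
! --- Assumed (not in the posted config): the NAT rule that ACL 105 serves ---
ip nat inside source list 105 interface Dialer1 overload
!
! --- As posted: the deny for the VPN pool is too late and names the wrong pool ---
! Line 1 translates every ICMP packet from the LAN, including echo replies to 10.1.1.x,
! before the deny on line 2 is ever evaluated; line 2 exempts 10.50.1.0/24, not the
! pool VPN_POOL_1 (10.1.1.1-10.1.1.254) that clients actually receive.
access-list 105 permit icmp any any
access-list 105 deny   ip 192.168.10.0 0.0.0.255 10.50.1.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
!
! --- Fix: NAT exemption for the VPN pool must precede every permit ---
! ACL 105 is renumbered-free here: remove and re-add it in the order shown.
no access-list 105
access-list 105 deny   ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 10.50.1.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
!
! --- Existing translations are not re-evaluated; drop them after changing the ACL ---
clear ip nat translation *
!
! --- Verification, run while a client at 10.1.1.x pings 192.168.10.10 ---
! The RRI route from "reverse-route" in DYNMAP_1 must point out Dialer1:
show ip route 10.1.1.1
! Both "pkts encaps" and "pkts decaps" must increase; decaps only means the
! reply never came back through the tunnel:
show crypto ipsec sa
! Must return nothing; any entry here means LAN-to-pool traffic is still being NATed:
show ip nat translations | include 10.1.1.
! Confirms whether the echo reply from 192.168.10.10 actually reached the router:
debug ip icmp
undebug all
```

If `show ip nat translations` stays empty after the fix and `show crypto ipsec sa` still shows decaps without encaps, the return packet is being lost before the router: confirm that 192.168.10.10 uses 192.168.10.1 as its default gateway (a 10.1.1.x source is off-subnet, so the host cannot answer via ARP alone) and that its host firewall allows ICMP echo from 10.1.1.0/24 rather than only from its own subnet. The `ip inspect SDM_LOW in` on Vlan1 inspects LAN-originated sessions and does not block unsolicited VPN-to-LAN traffic, since Vlan1 carries no inbound access-group.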