cisco841MJ - Cannot communicate from LAN to WAN

This question is in progress
November 19th, 2015

Apologies for such a basic question, but I would appreciate your help.

A PC connected to a LAN port and a PC connected to the WAN port cannot communicate with each other.

I would like to allow communication from the LAN port to the WAN port. What could be the cause?

The setup is as follows.

LAN-side PC: 192.168.10.100/24, GW: 192.168.10.254
Cisco_LAN (VLAN10): 192.168.10.254/24
Cisco_WAN: 172.20.33.10
WAN-side PC: 172.20.33.100/16

What I have tried:

1. Ping from the LAN-side PC to the WAN-side PC
 → failed
2. Ping from the router to the WAN-side PC
 → succeeded

Based on these results I tried adding a static route from the LAN side to the WAN side, but the problem was not resolved.

Are there any other possible causes besides the points above?

Here is the config.

sh run
Building configuration...


Current configuration : 10215 bytes
!
! Last configuration change at 10:13:32 UTC Thu Nov 19 2015
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authorization network local-group-author-list local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-4120595476
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4120595476
revocation-check none
rsakeypair TP-self-signed-4120595476
!
!
crypto pki certificate chain TP-self-signed-4120595476
certificate self-signed 01
quit
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
multilink bundle-name authenticated
!
license udi pid C841M-4X-JAIS/K9 sn FGL1935219D
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network lan-vpn_dst_net
any
!
object-group network lan-vpn_src_net
any
!
object-group service lan-vpn_svc
ip
!
object-group network lan-wan_dst_net
any
!
object-group network lan-wan_src_net
any
!
object-group service lan-wan_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.10.0 255.255.255.0
!
object-group network vpn-lan_dst_net
any
!
object-group network vpn-lan_src_net
any
!
object-group service vpn-lan_svc
ip
!
object-group network vpn_remote_subnets
192.168.20.0 255.255.255.0
!
username cisco privilege 15 secret 5 $1$eUrC$4yoyGW8ogJAmI9brbhAPV1
!
redundancy
!
crypto ikev2 authorization policy authpolicy1
route set interface GigabitEthernet0/0
route set interface Vlan10
!
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 5 2
!
crypto ikev2 policy default
match fvrf any
proposal default
!
crypto ikev2 keyring key
peer SITE-KEY
address 172.20.33.20
identity address 172.20.33.20
pre-shared-key 8chi9lin
!
!
!
crypto ikev2 profile prof
match identity remote address 172.20.33.20 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local key
aaa authorization group psk list local-group-author-list authpolicy1
!
crypto ikev2 dpd 10 2 periodic
!
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-all lan-vpn
match access-group name lan-vpn_acl
class-map type inspect match-all vpn-lan
match access-group name vpn-lan_acl
class-map type inspect match-all lan-wan
match access-group name lan-wan_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect lan-wan
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect LAN-VPN-POLICY
class type inspect lan-vpn
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect VPN-LAN-POLICY
class type inspect vpn-lan
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security LAN-VPN source LAN destination VPN
service-policy type inspect LAN-VPN-POLICY
zone-pair security VPN-LAN source VPN destination LAN
service-policy type inspect VPN-LAN-POLICY
!
crypto keyring isakmp-keyring
pre-shared-key address 172.20.33.20 key 8chi9lin
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp identity dn
crypto isakmp keepalive 10 periodic
crypto isakmp profile isakmp-profile
keyring isakmp-keyring
self-identity address
match identity address 172.20.33.20 255.255.255.255
!
!
crypto ipsec transform-set trans esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set test_trans esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile ipsec-profile
set transform-set trans
set isakmp-profile isakmp-profile
!
crypto ipsec profile test_profile
set transform-set test_trans
set ikev2-profile prof
!
!
!
!
!
!
interface Tunnel0
ip address 172.20.33.10 255.255.0.0
zone-member security VPN
tunnel source GigabitEthernet0/4
tunnel mode ipsec ipv4
tunnel destination 172.20.33.20
tunnel protection ipsec profile test_profile
!
interface GigabitEthernet0/0
switchport access vlan 10
no ip address
zone-member security LAN
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface GigabitEthernet0/3
no ip address
!
interface GigabitEthernet0/4
description PrimaryWANDesc_
ip address 172.20.33.10 255.255.0.0
zone-member security WAN
duplex auto
speed auto
!
interface GigabitEthernet0/5
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
description $ETH_LAN$
ip address 10.10.10.1 255.255.255.128
no ip redirects
ip tcp adjust-mss 1452
!
interface Vlan10
ip address 192.168.10.254 255.255.255.0
no ip redirects
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
zone-member security LAN
load-interval 30
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface GigabitEthernet0/4 overload
ip route 0.0.0.0 0.0.0.0 172.20.0.1
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
ip access-list extended INTRANET-WHITELIST
permit ip any 192.168.20.0 0.0.0.255
ip access-list extended lan-vpn_acl
permit object-group lan-vpn_svc object-group lan-vpn_src_net object-group lan-vpn_dst_net
ip access-list extended lan-wan_acl
permit object-group lan-wan_svc object-group lan-wan_src_net object-group lan-wan_dst_net
ip access-list extended nat-list
deny ip object-group local_lan_subnets object-group vpn_remote_subnets
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended vpn-lan_acl
permit object-group vpn-lan_svc object-group vpn-lan_src_net object-group vpn-lan_dst_net
!
!
!
access-list 23 permit 10.10.10.0 0.0.0.127
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

yourname#
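As an added troubleshooting aid, not part of the original post: a small Python checker that parses a `show run` excerpt and reports, for the LAN to WAN path, which security zone each interface belongs to, whether a zone-pair with an inspect policy exists in that direction, and whether any interface is marked `ip nat inside` or `ip nat outside` (in the posted config none is, so the `ip nat inside source list` statement applies to no interface). The excerpt is constructed from the posted config, and `parse_sections`, `interface_facts` and `zone_pair_policy` are names chosen here.

```python
import re

# Constructed excerpt of the posted running-config, indented the way 'show run' prints it.
SAMPLE_CONFIG = """\
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
interface GigabitEthernet0/4
 ip address 172.20.33.10 255.255.0.0
 zone-member security WAN
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 zone-member security LAN
ip nat inside source list nat-list interface GigabitEthernet0/4 overload
"""

def parse_sections(text):
    """Group indented child lines under their top-level command; skip '!' and blank lines."""
    sections, head = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            head = raw.strip()
            sections.setdefault(head, [])
        elif head is not None:
            sections[head].append(raw.strip())
    return sections

def interface_facts(sections):
    """Per interface: security zone (None = unzoned) and NAT side (None = NAT rule never applies)."""
    facts = {}
    for head, body in sections.items():
        if not head.startswith("interface "):
            continue
        info = {"zone": None, "nat": None}
        for line in body:
            m = re.match(r"(?:zone-member security|ip nat) (\S+)$", line)
            if m:
                info["zone" if line.startswith("zone") else "nat"] = m.group(1)
        facts[head.split(" ", 1)[1]] = info
    return facts

def zone_pair_policy(sections, src, dst):
    """Inspect policy bound to the src->dst zone-pair; None means no pair or no policy, i.e. drop."""
    for head, body in sections.items():
        m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", head)
        if m and m.groups() == (src, dst):
            return next((l.split()[-1] for l in body if l.startswith("service-policy type inspect ")), None)
    return None
```

In a zone-based firewall, traffic between a zoned interface and an unzoned one, or across a zone-pair with no inspect policy, is dropped, so an empty result from either function points at the firewall rather than at routing.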

snakashima0625 2015/11/19 - 16:36

I have resolved this myself.

When I tested again a day later, connectivity was confirmed.

However, I do not understand why it was resolved, so if there are any precedents for the phenomenon that occurred here, I would like to hear about them.
