New Member

ASA 5505: one IP, many PPTP/GRE

Greetings.

Task.

I need to set up, through an ASA 5505, multiple PPTP/GRE connections from a single IP address to the customer's servers.

my config

ASA Version 8.4(1)
!
hostname ASA
domain-name infsys.ru
enable password fWqbPfJsij encrypted
passwd ююю encrypted
names
dns-guard
!
interface Vlan4
description --- DeMilitary Zone
nameif DMZ
security-level 50
ip address 10.3.2.251 255.255.255.0
!
interface Vlan11
description --- Internet
nameif WAN
security-level 0
ip address х.х.х.х 255.255.255.240
!
interface Vlan21
description --- Local network
nameif LAN
security-level 100
ip address 10.4.2.67 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 11
!
interface Ethernet0/3
switchport access vlan 11
!
interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 4
!
interface Ethernet0/6
switchport access vlan 21
!
interface Ethernet0/7
switchport access vlan 21
!
boot system disk0:/asa844-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
dns domain-lookup DMZ
dns domain-lookup WAN
dns domain-lookup LAN
dns server-group DefaultDNS
name-server х.х.х.х
name-server х.х.х.х
name-server 8.8.4.4
domain-name infsys.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN_ISS
subnet 10.4.2.0 255.255.255.0
object network NET_DMZ_01
host 10.10.10.10
object network NET_GRE
host 10.4.2.93
object network NET_WAN
host х.х.х.х
object network NET_DMZ_80
host 10.10.10.10
object network NET_WAN_80
host 89.175.170.74
object network NET_GRE_SMB
host 10.4.2.199
object network NET_GRE_ADM
host 10.4.2.202
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service TCP_DMZ_01 tcp
description --- Ports listening by SRV_01 on WAN
port-object eq 3389
object-group-search access-control
access-list ACL_LAN_IN extended permit icmp any any
access-list ACL_LAN_IN extended permit ip any any
access-list ACL_LAN_IN extended permit object-group TCPUDP any any
access-list ACL_WAN_IN extended permit icmp any any
access-list ACL_WAN_IN extended permit ip any any
access-list ACL_WAN_IN extended permit object-group TCPUDP any any
access-list ACL_WAN_IN extended permit gre any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit object-group TCPUDP any any
pager lines 24
logging enable
logging console informational
logging monitor informational
logging trap emergencies
logging asdm debugging
logging class vpdn asdm debugging
mtu DMZ 1500
mtu WAN 1500
mtu LAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo DMZ
icmp permit any echo-reply DMZ
icmp permit any unreachable DMZ
icmp permit any echo WAN
icmp permit any echo-reply WAN
icmp permit any unreachable WAN
icmp permit any WAN
icmp permit any echo LAN
icmp permit any echo-reply LAN
icmp permit any unreachable LAN
asdm image disk0:/asdm-649.bin
asdm history enable
arp timeout 14400
nat (LAN,WAN) source static NET_GRE_SMB interface dns
!
object network LAN_ISS
nat (LAN,WAN) static interface dns
object network NET_GRE_SMB
nat (any,WAN) static interface dns
object network NET_GRE_ADM
nat (any,WAN) static interface dns
access-group DMZ_access_in in interface DMZ
access-group ACL_WAN_IN in interface WAN
access-group ACL_LAN_IN in interface LAN per-user-override
route WAN 0.0.0.0 0.0.0.0 х.х.х.х1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.4.2.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection timewait
service resetinbound interface DMZ
service resetinbound interface WAN
service resetinbound interface LAN
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ASA5505
crl configure
no crypto isakmp nat-traversal
telnet timeout 5
ssh ххх.ххх.х.хх 255.255.255.255 WAN
ssh 10.4.2.0 255.255.255.0 LAN
ssh timeout 45
console timeout 0
management-access LAN
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter enable
dynamic-filter enable interface DMZ
dynamic-filter enable interface WAN
dynamic-filter enable interface LAN
ntp server 93.180.6.3 source WAN prefer
ntp server 85.21.78.8 source WAN
webvpn
username fedorov password 2о9zc encrypted
username admin password дзsoT6HHRslbuoh3 encrypted privilege 15
!
class-map global-class
match precedence 0  1  6  7
class-map inspection_default
match default-inspection-traffic
class-map global-class1
match dscp 47
!
!
policy-map global_policy
class inspection_default
  inspect pptp
  inspect icmp
  inspect ftp
  inspect icmp error
!
service-policy global_policy global
prompt hostname
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:7962f288e6f878aca5fb847388b8ca0f
: end


3 replies

ASA 5505: one IP, many PPTP/GRE

The ASA does not support GRE and PPTP tunnels.

New Member

ASA 5505: one IP, many PPTP/GRE

You misunderstood me a little: I need to pass PPTP/GRE VPN through the ASA; all that is required of it is to pass traffic from users on the local network to a single IP address on the Internet.

Cisco Employee

ASA 5505: one IP, many PPTP/GRE

It should work, I think:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

but not in 8.4.1:

CSCts54522 Inspect PPTP does not change CALL-id for inbound Set-Link-Info Packet

Try 8.4.3; if it does not work, collect a syslog and a sniffer trace with the capture command simultaneously on the inside and outside interfaces.
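As an added illustration (not Cisco's code and not from anyone in this thread) of why PAT of several PPTP clients behind one address hinges on the Call-ID rewriting that the bug above breaks: PPTP data rides in enhanced GRE (RFC 2637), whose 16-bit Call ID is the only thing that tells one session from another between the same two IP addresses, so a PAT device must rewrite Call IDs the way it rewrites TCP ports. The client addresses and Call IDs below are constructed sample values; the class is a simplified model, not the ASA's `inspect pptp` implementation.

```python
import struct

GRE_PROTO_PPP = 0x880B  # enhanced GRE carrying PPP, RFC 2637

def build_gre(call_id, seq, payload=b""):
    """Enhanced GRE header with K and S set (the usual PPTP data-packet shape)."""
    # byte 0: K=0x20 | S=0x10; byte 1: version 1 (enhanced GRE)
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(payload), call_id, seq) + payload

def parse_gre(pkt):
    """Return (call_id, seq, payload); reject anything that is not enhanced GRE v1."""
    flags, flags2, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (flags2 & 0x07) != 1:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq = 8, None
    if flags & 0x10:        # S bit: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags2 & 0x80:       # A bit: acknowledgment number present
        off += 4
    return call_id, seq, pkt[off:off + plen]

def set_gre_call_id(pkt, new_id):
    """Rewrite the 16-bit Call ID at header offset 6; nothing else changes."""
    return pkt[:6] + struct.pack("!H", new_id) + pkt[8:]

class PptpCallIdPat:
    """Model of the Call-ID translation a PAT device must add for PPTP.

    GRE packets from the server carry the *client's* Call ID, so two LAN clients
    behind one public IP that picked the same Call ID are indistinguishable unless
    the device rewrote the Call ID they announced on the TCP/1723 control channel
    and maps it back on inbound GRE.  CSCts54522 is one inbound control message
    (Set-Link-Info) where that rewrite was missed.
    """
    def __init__(self, first_public_id=0x8000):
        self.next_id = first_public_id
        self.to_public = {}   # (client_ip, client_call_id) -> public_call_id
        self.to_client = {}   # public_call_id -> (client_ip, client_call_id)

    def register_outgoing_call(self, client_ip, client_call_id):
        """Seen on the client's Outgoing-Call-Request; returns the Call ID the server must see."""
        key = (client_ip, client_call_id)
        if key not in self.to_public:
            self.to_public[key] = self.next_id
            self.to_client[self.next_id] = key
            self.next_id += 1
        return self.to_public[key]

    def inbound_gre(self, pkt):
        """Translate a server->client GRE packet: pick the LAN client, restore its Call ID."""
        call_id, _, _ = parse_gre(pkt)
        if call_id not in self.to_client:
            raise LookupError("no PPTP call maps to public Call ID %d" % call_id)
        client_ip, client_call_id = self.to_client[call_id]
        return client_ip, set_gre_call_id(pkt, client_call_id)
```

Without the mapping, an inbound GRE packet addressed to the shared public IP with Call ID 7 could belong to either client; that ambiguity is exactly what breaks when the control-channel rewrite is skipped.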
