Добрый день
Не работает NAT думаю дело в access листах. Куда копать ?

Сеть
====================       =======================          =====================
| Локальная сеть                |       |    Cisco                                       |          |        Corbina Telecom       |
|                                           | <->|      fe0/0 10.0.205.1                    |<--> |         vpn-85.21.151.186      |
| 10.0.205.0 / 24                  |       |     fe0/1 - dhcp corbina              |         |      router-10.198.32.1         |
|                                           |       |     virpp - vpn                             |         |                                             |
====================       =======================        =====================
        |
        |
-------------------
|  WiFI точка   |
|                        |
|  10.0.205.3     |
-------------------
        |
        |
-------------------
|  Клиент         |
|                        |
|  10.0.205.42   |
-------------------
На циске все поднимается отлично.

Translating "google.com"...domain server (213.234.192.8) [OK]
Type escape sequence to abort.
Tracing the route to google.com (64.233.167.99)
  1 vpn30-l0.msk.corbina.net (85.21.0.30) 4 msec 4 msec 4 msec
  2 k9-bb-giga1-22.msk.corbina.net (85.21.151.185) 4 msec 4 msec 4 msec
  3 ko-bb-teng12-1.msk.corbina.net (195.14.54.124) 28 msec 24 msec 24 msec
  4 tc-bb-po1.sto.corbina.net (195.14.54.102) 24 msec 24 msec 24 msec
  5 bankrost-lgw.Moscow.gldn.net (195.239.10.57) 24 msec 24 msec 24 msec
  6 cat01.Frankfurt.gldn.net (194.186.80.233) 52 msec 104 msec 56 msec
  7 de-cix10.net.google.com (80.81.192.108) 52 msec 52 msec 52 msec
  8 209.85.255.172 56 msec
    209.85.255.170 52 msec 52 msec
  9 72.14.232.105 60 msec 60 msec
    72.14.233.104 60 msec
10 72.14.236.220 136 msec 184 msec 132 msec
11 209.85.248.216 132 msec 132 msec 132 msec
12 216.239.46.224 148 msec 156 msec 156 msec
13 72.14.238.90 144 msec 148 msec
    72.14.238.89 152 msec
14 72.14.232.70 172 msec
    64.233.175.42 148 msec
    64.233.175.26 156 msec
15 google.com (64.233.167.99) 160 msec 160 msec
    72.14.232.70 164 msec
А вот на самом клиенте в сети c 10.0.205.42:
Трассировка маршрута к 64.233.167.99 с максимальным числом прыжков 30
  1     1 ms     1 ms     1 ms  10.0.205.1
  2     *        *        *     Превышен интервал ожидания для запроса.
  3     *        *        *     Превышен интервал ожидания для запроса.
  4     *        *        *     Превышен интервал ожидания для запроса.

Дебаг лог:
395945: *Jun 25 06:27:43.949 PCTime: NAT: expiring 89.179.241.## (10.0.205.3) udp 1900 (1900)
395946: *Jun 25 06:27:43.949 PCTime: NAT: expiring 89.179.241.## (10.0.205.3) udp 1900 (1900)
395947: *Jun 25 06:27:43.949 PCTime: NAT: expiring 89.179.241.## (10.0.205.3) udp 1900 (1900)
395948: *Jun 25 06:27:43.949 PCTime: NAT: expiring 89.179.241.## (10.0.205.3) udp 1900 (1900)
395949: *Jun 25 06:27:43.949 PCTime: NAT: expiring 89.179.241.## (10.0.205.3) udp 1900 (1900)
395950: *Jun 25 06:27:47.737 PCTime: NAT*: s=85.21.151.186, d=10.198.38.##->10.0.205.1 [52409]
395951: *Jun 25 06:27:48.737 PCTime: NAT: s=10.0.205.1->10.198.38.###, d=85.21.151.186 [42526]
395952: *Jun 25 06:27:48.737 PCTime: NAT*: s=85.21.151.186, d=10.198.38.##->10.0.205.1 [59680]
395953: *Jun 25 06:27:54.700 PCTime: NAT: expiring 89.179.241.## (10.0.205.42) tcp 27766 (27766)
395954: *Jun 25 06:27:57.756 PCTime: NAT*: s=85.21.151.186, d=10.198.38.##->10.0.205.1 [58413]
395955: *Jun 25 06:27:58.976 PCTime: NAT: s=10.0.205.1->10.198.38.##, d=85.21.151.186 [42539]
395956: *Jun 25 06:27:58.976 PCTime: NAT*: s=85.21.151.186, d=10.198.38.##->10.0.205.1 [1652]
Сама конфигурация:
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gate
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console warnings
enable secret 5 ########
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication ppp default local
aaa authorization exec local_author local
aaa authorization network default none
!
aaa session-id common
clock timezone PCTime 3
ip cef
!
!
!
!
no ip bootp server
ip domain name corbina.net
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
l2tp-class corbina
!
!
!
crypto pki trustpoint TP-self-signed-2601463677
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2601463677
revocation-check none
rsakeypair TP-self-signed-2601463677
!
!
crypto pki certificate chain TP-self-signed-2601463677
certificate self-signed 01 nvram:IOS-Self-Sig#3737.cer
username username privilege 15 secret 5 #########/
!
!
pseudowire-class class1
encapsulation l2tpv2
protocol l2tpv2 corbina
ip local interface FastEthernet0/0
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
ip address 10.0.205.1 255.255.255.0
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip pim sparse-dense-mode
ip nat outside
ip virtual-reassembly max-reassemblies 512
duplex auto
speed auto
!
interface Virtual-PPP1
ip address negotiated
ip nat outside
ip virtual-reassembly
no cdp enable
ppp authentication chap callin
ppp chap hostname <login for vpn>
ppp chap password 7 <pass for vpn>
pseudowire 85.21.151.186 10 pw-class class1
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 10.0.0.0 255.0.0.0 10.198.32.1
ip route 10.198.0.0 255.255.0.0 10.198.32.1
ip route 85.21.151.186 255.255.255.255 10.198.32.1
ip route 195.14.50.0 255.255.255.0 10.198.32.1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source list 101 interface Virtual-PPP1 overload
!
logging trap debugging
!
access-list 100 permit ip host 10.0.205.1 any
access-list 100 permit ip any host 10.0.205.1
access-list 101 permit ip 10.0.205.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet
!
scheduler allocate 4000 1000
ntp clock-period 17178234
ntp update-calendar
ntp server 194.149.67.130 source FastEthernet0/1 prefer
end

Ответить | Сообщить модератору