Добрый день. Есть роутер Cisco 881W, раздающий интернет по Wi-Fi. Дальше трафик идёт через NAT в другую сеть и потом в интернет.
Клиенты Wi-Fi не могут поднять VPN-соединение (PPTP) ни к какому серверу через NAT. Вот настройки роутера:
!
! Last configuration change at 14:10:27 PCTime Thu Aug 11 2011
!
! Review notes are the "!" lines below; IOS discards them on load, so they
! change nothing in the running configuration.
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation is off: the "enable password" and the vty "password"
! lines below are stored and displayed in clear text.
no service password-encryption
!
hostname cisco-wifi
!
boot-start-marker
boot-end-marker
!
no logging buffered
! Type-5 (MD5) secret. With both lines present IOS uses the secret, so the
! clear-text "enable password" is redundant -- drop it. Both the hash and the
! clear-text password are visible in this post; rotate them.
enable secret 5 $1$sicv$ImN7XErqdg6UOXP3O5vO..
enable password vfrhjljv
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 3
! Source-routed packets are accepted; "no ip source-route" is the usual hardening.
ip source-route
!
!
ip dhcp excluded-address 10.10.1.1 10.10.1.9
!
ip dhcp pool xxxxxx
import all
network 10.10.1.0 255.255.255.0
! Clients resolve through the router itself ("ip dns server" below), which
! forwards to the name-servers configured under "ip name-server".
dns-server 10.10.1.1
domain-name xxxx.ru
default-router 10.10.1.1
!
!
ip cef
ip domain list xxxx
ip domain timeout 5
ip domain name xxxx
ip name-server 192.168.0.5
ip name-server 192.168.0.248
no ipv6 cef
!
!
!
!
license udi pid CISCO881W-GN-E-K9 sn FCZ14499061
!
!
username xxxxxx secret 5 $1$PToj$JdY4SwhjL7qax//m0LLpB/
!
!
! Clear-text FTP credentials; they show in the config and are now public --
! rotate them if the account is real.
ip ftp username cisco
ip ftp password cisco123
!
!
!
!
interface FastEthernet0
shutdown
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 192.168.3.240 255.255.240.0
! ACL 101 filters only traffic leaving toward the 192.168.x side; there is
! no inbound ACL on this interface, so GRE replies from the VPN server are
! not being dropped by an ACL here.
ip access-group 101 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
! Borrows Vlan1's address and is NAT inside like Vlan1.
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
! Plain-HTTP management is on and HTTPS is off; together with the Telnet
! access on the vty lines below, all remote management is unencrypted.
ip http server
no ip http secure-server
!
ip dns server
! PAT on a single address. GRE (IP protocol 47) carries no ports, so PPTP
! data packets can only be mapped back to the right client by the PPTP/GRE
! ALG keyed on the Call ID. The capture below shows the TCP 1723 control
! channel translated fine but ten outbound GRE LCP Conf-Requests with no GRE
! reply, which is consistent with either the server's GRE not reaching this
! router or the router not mapping it back. Check "show ip nat translations"
! for a gre entry next to the tcp 1723 one while a client connects, and use
! "debug ip nat" (or a capture on the 192.168 side) if it is missing.
ip nat inside source list 20 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.248
!
access-list 20 remark INSIDE_IF=Vlan1
access-list 20 remark CCP_ACL Category=2
access-list 20 permit 10.10.1.0 0.0.0.255
access-list 101 remark block if no need
access-list 101 remark CCP_ACL Category=1
! GRE is permitted ahead of the deny below, so PPTP data toward 192.168.0.5
! passes this ACL in the outbound direction.
access-list 101 permit gre any any
! As pasted this line carries a second address after "host"; IOS takes one
! address there, so verify what the running config really holds (the
! 192.168.2.220 host is already covered two lines down).
access-list 101 permit ip any host 192.168.2.220 192.168.2.240
! Covers the TCP 1723 control channel to the VPN server as well, which the
! capture confirms.
access-list 101 permit ip any host 192.168.0.5
access-list 101 permit ip any host 192.168.2.220
access-list 101 permit ip any host 192.168.1.194
! Wi-Fi clients are blocked from the rest of 192.168.0.0/22; only the hosts
! permitted above are reachable, and everything outside that range is
! allowed by the final permit.
access-list 101 deny ip any 192.168.0.0 0.0.3.255
access-list 101 permit ip any any
!
!
!
!
! "public" is the well-known default community; any host that can reach the
! router can read its MIBs. Use a non-default string and bind it to an ACL
! ("snmp-server community <string> RO <acl>"), or remove it if unused.
snmp-server community public RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
! "transport input all" admits Telnet, and "login" uses the clear-text line
! password above; prefer "transport input ssh" with "login local" against
! the local username defined earlier.
password xxxxxx
login
transport input all
!
end
Конфиг Wi-Fi-модуля (встроенной точки доступа):
!
! Review notes are the "!" lines below; the AP discards them on load.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 $1$mc8C$W2TtUWgTIgt9PZEj01lRf/
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid xxx
vlan 1
! Open authentication and no encryption configured: this is an open network,
! so anyone in radio range joins 10.10.1.0/24 directly and reaches the NAT
! and the hosts ACL 101 on the router permits. Consider WPA2
! ("authentication key-management wpa version 2" here plus
! "encryption mode ciphers aes-ccm" on the radio).
authentication open
guest-mode
infrastructure-ssid
!
dot11 network-map
!
!
! Privilege-15 local account used by "login local" on the lines below.
username xxxx privilege 15 secret 5 $1$h5Ox$459GyVsnKr.DZRA66Ee8M0
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid xxx
!
antenna gain 0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
! The AP's own management address is obtained by DHCP (presumably from the
! router's 10.10.1.0/24 pool over the bridged VLAN 1 link -- confirm).
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
!
! Plain-HTTP management on the AP as well (no HTTPS).
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
! Default first-boot notice. A privilege-15 local user is defined above and
! no "username cisco" line is visible in this config, so the banner can be
! cleared with "no banner login" once that is confirmed on the device.
banner login C
% Password change notice.
-----------------------------------------------------------------------
Default username/password setup on AP is cisco/cisco with privilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
-----------------------------------------------------------------------
!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
!
cns dhcp
end
И tcpdump с компьютера, поднимающего PPTP-соединение с VPN-сервером 192.168.0.5:
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [S], seq 2436291553, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 857316678 ecr 0,sackOK,eol], length 0
IP 192.168.0.5.1723 > 10.10.1.14.50434: Flags [S.], seq 3464966955, ack 2436291554, win 16384, options [mss 1460,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [.], ack 1, win 65535, options [nop,nop,TS val 857316681 ecr 0], length 0
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [P.], seq 1:157, ack 1, win 65535, options [nop,nop,TS val 857316681 ecr 0], length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR()
IP 192.168.0.5.1723 > 10.10.1.14.50434: Flags [P.], seq 1:157, ack 157, win 65379, options [nop,nop,TS val 100697246 ecr 857316681], length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(3790) HOSTNAME() VENDOR(Microsoft)
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [.], ack 157, win 65535, options [nop,nop,TS val 857316682 ecr 100697246], length 0
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [P.], seq 157:325, ack 157, win 65535, options [nop,nop,TS val 857316682 ecr 100697246], length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(699) CALL_SER_NUM(0) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
IP 192.168.0.5.1723 > 10.10.1.14.50434: Flags [P.], seq 157:189, ack 325, win 65211, options [nop,nop,TS val 100697246 ecr 857316682], length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(5780) PEER_CALL_ID(699) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(13277755) RECV_WIN(16384) PROC_DELAY(0) PHY_CHAN_ID(0)
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [.], ack 189, win 65535, options [nop,nop,TS val 857316684 ecr 100697246], length 0
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [P.], seq 325:349, ack 189, win 65535, options [nop,nop,TS val 857316684 ecr 100697246], length 24: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(5780) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 1, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [P.], seq 325:349, ack 189, win 65535, options [nop,nop,TS val 857317012 ecr 100697246], length 24: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(5780) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
IP 192.168.0.5.1723 > 10.10.1.14.50434: Flags [.], ack 349, win 65187, options [nop,nop,TS val 100697249 ecr 857316684], length 0
IP 192.168.0.5.1723 > 10.10.1.14.50434: Flags [.], ack 349, win 65187, options [nop,nop,TS val 100697249 ecr 857316684], length 0
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 2, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 3, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 4, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 5, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 6, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 7, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [.], ack 189, win 65535, length 0
IP 192.168.0.5.1723 > 10.10.1.14.50434: Flags [.], ack 349, win 65187, options [nop,nop,TS val 100697451 ecr 857316684], length 0
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 8, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 9, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14 > 192.168.0.5: GREv1, call 5780, seq 10, ack 0, length 40: LCP, Conf-Request (0x01), id 1, length 22
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [F.], seq 349, ack 189, win 65535, options [nop,nop,TS val 857346577 ecr 100697451], length 0
IP 192.168.0.5.1723 > 10.10.1.14.50434: Flags [F.], seq 189, ack 350, win 65187, options [nop,nop,TS val 100697545 ecr 857346577], length 0
IP 10.10.1.14.50434 > 192.168.0.5.1723: Flags [.], ack 190, win 65535, options [nop,nop,TS val 857346582 ecr 100697545], length 0
По сути, можно даже сделать так, чтобы он мог соединяться только с ним, но ни с ним, ни с другими VPN-серверами соединиться не получается.
Заранее всем благодарен за помощь.