Добрый день всем! Ситуация: есть два девайса — 2911 (центральный офис, белый IP)
и 881 (филиал, серый IP).
между ними поднят туннель Easy VPN server/remote,
локалки друг друга видят, тут всё нормально.
инет в обоих офисах есть, каждый от своего провайдера.
Как сделать, чтобы филиал получал инет не через своего провайдера, а через 2911 (из центрального офиса)?
Подскажите, куда копать?
881
! Branch router (881): global service settings, hostname, logging, clock.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): password obfuscation is disabled, so every key/password in this
! config (e.g. the ezvpn group key further down) is stored and displayed in clear text.
no service password-encryption
!
hostname Cisco881W_ATP1
!
boot-start-marker
boot-end-marker
!
!
! Keep a 51200-byte local log buffer at level warnings and above.
logging buffered 51200 warnings
!
! AAA is off: line logins use the local user database only (see "login local" on the lines).
no aaa new-model
memory-size iomem 10
clock timezone Riga 2 0
! NOTE(review): this is a one-off "date" rule pinned to 2003, not a "recurring" rule,
! so it presumably no longer applies in later years — verify the intended DST handling.
clock summer-time Riga date Mar 30 2003 3:00 Oct 26 2003 4:00
!
! Self-signed trustpoint used by the HTTPS management server ("ip http secure-server" below).
crypto pki trustpoint TP-self-signed-1580746166
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1580746166
! No revocation check is possible for a self-signed certificate anyway.
revocation-check none
rsakeypair TP-self-signed-1580746166
!
!
! DER-encoded self-signed certificate (only the public certificate appears in the listing).
crypto pki certificate chain TP-self-signed-1580746166
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353830 37343631 3636301E 170D3132 31323134 31363436
30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35383037
34363136 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DB06 0D4AE154 26BC30C2 6F23DCCA 90309871 59F5C44C 00127DE8 28D8B378
AA2BB35C 736D0E00 27B84288 F799ED1E 1E50DA4A F8685889 36E46086 7A4D6E97
97DA4705 4FD23D15 31D2F786 CB32C8BE D35BB753 DB876566 F8022D0E 9C574F71
75D85481 DC58F10A 72FF32A7 0F3419ED C7D3C06D CAA00410 DCE83548 E71BB186
FA970203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14691D9F CD9DD617 C52FD16E DCBCCBF5 EC34D373 FA301D06
03551D0E 04160414 691D9FCD 9DD617C5 2FD16EDC BCCBF5EC 34D373FA 300D0609
2A864886 F70D0101 05050003 818100BF 55D35B2C CDDFB7AC 9E04822A 9E419831
068EB235 21211FA5 E047C3B4 E9A0DCBA 119614E9 24CC7E98 A2365F2B 35E97347
99ED7236 338EBB62 903AA091 247EE034 8E3BFED6 1EC5B6F4 9D5D66C3 D21C5490
203D3CC9 9F5088EC 82C90D3F 285125D9 F18FEB6D 953B332F F8EA2A51 5ADFA8A0
2FEA2F3A 3EBC4818 AB699552 0F3FEF
quit
! Lock-out thresholds for auth-proxy / ip admission web logins.
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
! Reserve 10.5.3.1-.20 of the branch LAN for static assignments (Vlan1 itself is 10.5.3.1).
ip dhcp excluded-address 10.5.3.1 10.5.3.20
!
! DHCP scope for the branch LAN behind Vlan1.
ip dhcp pool ccp-pool
import all
network 10.5.3.0 255.255.255.0
! NOTE(review): default-router 10.5.1.1 is the head-office LAN gateway (Gi0/2 on the
! 2911), not an address inside this pool's 10.5.3.0/24 (Vlan1 is 10.5.3.1). Clients
! given that gateway cannot reach it on-link — verify this is intended.
default-router 10.5.1.1
! DNS/WINS are the head-office servers on 10.5.1.0/24, reachable through the tunnel
! because the server's split-tunnel ACL 103 includes 10.5.1.0/24.
dns-server 10.5.1.2 10.5.1.7
netbios-name-server 10.5.1.2 10.5.1.7
domain-name pzcu-mts.com.ua
! Lease: 0 days 2 hours.
lease 0 2
!
!
no ip domain lookup
ip domain name pzcu-mts.com.ua
ip cef
no ipv6 cef
!
!
! Device identity for licensing.
license udi pid CISCO881W-GN-E-K9 sn FCZ1623C1NM
!
!
!
!
!
!
!
no ip ftp passive
!
! IKE dead-peer detection: keepalive every 20 s, retry interval 4 s when unanswered.
crypto isakmp keepalive 20 4
!
!
!
!
!
!
! Easy VPN remote (client) profile toward the 2911, which is the Easy VPN server.
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
! Bring the tunnel up automatically rather than waiting for interesting traffic.
connect auto
! Group name must match the "crypto isakmp client configuration group MTS-ATP1" on the
! server. The key is redacted here; with "no service password-encryption" it is stored in clear text.
group MTS-ATP1 key XXXXXXXXXX
! network-extension-plus: the branch LAN keeps its real 10.5.3.0/24 addressing behind the
! tunnel and the router additionally requests a pool address (SDM_POOL_2 on the 2911).
mode network-plus
! Public address of the 2911 (redacted).
peer 77.120.XXX.XXX
! Tunnel terminates on Virtual-Template1 (defined under the interfaces).
virtual-interface 1
! NOTE(review): XAUTH is set to interactive here, but the server's IKE profile for group
! MTS-ATP1 has no "client authentication list", so the tunnel is presumably authenticated
! by the shared group key alone — confirm that is the intent.
xauth userid mode interactive
!
!
!
!
!
!
! Switch ports Fa0-Fa3 belong to Vlan1 (branch LAN); no L3 configuration on them.
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
! WAN uplink to the local ISP. The address is RFC 1918, so this side sits behind
! provider NAT — consistent with the "grey IP" described in the question.
interface FastEthernet4
description $ETH-WAN$
ip address 10.0.1.200 255.255.255.0
! Outside side of the local PAT ("ip nat inside source list 1 interface FastEthernet4").
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
! Easy VPN client outside interface: the tunnel to the 2911 is built from here.
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!
! Template for the Easy VPN virtual-access interface ("virtual-interface 1" in the profile).
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
! Management interface toward the embedded access point; borrows Vlan1's address.
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
! Branch LAN gateway, 10.5.3.0/24.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.5.3.1 255.255.255.0
! Inside side of the local PAT toward FastEthernet4.
ip nat inside
ip virtual-reassembly in
! MSS clamp — presumably to leave room for IPsec overhead on the tunnel path.
ip tcp adjust-mss 1452
! Marks this LAN as the Easy VPN "inside" network (network-plus mode).
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
! Only consulted when IP routing is disabled; with routing on, the static route below is what matters.
ip default-gateway 10.0.1.1
ip forward-protocol nd
! NOTE(review): clear-text HTTP and HTTPS management are both enabled, and access-class 23
! permits any source, so the management UI is reachable from the WAN side too — restrict
! ACL 23 to management hosts and consider "no ip http server" (HTTPS only).
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Local internet breakout: PAT the branch LAN (list 1) onto the WAN address.
! Together with the default route below this is why branch internet traffic currently
! leaves via the local ISP instead of the tunnel.
ip nat inside source list 1 interface FastEthernet4 overload
! Static default via the local ISP with AD 2 — presumably so that a default route installed
! by the Easy VPN client (AD 1) would win if the server stopped pushing a split-tunnel ACL.
! Today the server pushes ACL 103 (10.5.x destinations only), so this route carries all internet traffic.
ip route 0.0.0.0 0.0.0.0 10.0.1.1 2
!
! ACL 1: sources eligible for local PAT (branch LAN).
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.5.3.0 0.0.0.255
! ACL 23: management access list — permits any source (used by ip http access-class and the vty lines).
access-list 23 remark CCP_ACL Category=17
access-list 23 permit any
no cdp run
!
!
!
! Console: local username/password login.
! NOTE(review): no "username" lines appear in this listing, so "login local" presumably
! relies on entries omitted from the paste — confirm they exist, or the lines will reject logins.
line con 0
login local
line aux 0
! Presumably the embedded AP's console line: pass-through only, no exec.
line 2
no activation-character
no exec
transport preferred none
transport input all
! NOTE(review): remote management is open to any source (ACL 23 permits any) and accepts
! clear-text telnet alongside ssh — restrict the access-class and prefer "transport input ssh".
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end
2911
! Head-office router (2911): global services, hostname, boot image, enable secret.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation of passwords in the config (e.g. the OSPF key on Tunnel0).
! It is reversible, so the listing itself must still be treated as sensitive.
service password-encryption
!
hostname MTS-DC
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
! NOTE(review): no local log buffer and no syslog destination in this listing —
! events are not retained anywhere; consider buffered logging and/or a collector.
no logging buffered
! NOTE(review): the type-5 enable secret hash is published in this post;
! rotate the secret, since the hash is now public.
enable secret 5 $1$mPWG$BAi9HJytIMxP49hIBSHQO.
!
! AAA: logins and VPN XAUTH go to the RADIUS server on the LAN (10.5.1.2), with local fallback.
aaa new-model
!
!
! NOTE(review): the "radius-server host 10.5.1.2 key ..." definition is not in this
! listing — presumably omitted from the paste.
aaa group server radius MTS-RADIUS
server 10.5.1.2 auth-port 1812 acct-port 1813
!
! Same server, separate group used for VPN XAUTH.
aaa group server radius sdm-vpn-server-group-1
server 10.5.1.2 auth-port 1812 acct-port 1813
!
! Console/vty logins: RADIUS first; the local database is used only if RADIUS does not respond.
aaa authentication login default group MTS-RADIUS local
! XAUTH list for the MTS-VPN remote-access group (referenced by ciscocp-ike-profile-1).
aaa authentication login ciscocp_vpn_xauth_ml_1 passwd-expiry group sdm-vpn-server-group-1
! Group policy (pool, split-tunnel ACL, DNS, ...) is taken from the local configuration.
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
! NOTE(review): IP source routing is enabled; it is rarely needed and is usually
! disabled on an internet-facing router ("no ip source-route").
ip source-route
ip cef
!
!
!
! Head-office LAN DHCP scope (10.5.1.0/24 behind GigabitEthernet0/2).
ip dhcp excluded-address 10.5.1.1 10.5.1.20
!
ip dhcp pool MTS-DC
import all
network 10.5.1.0 255.255.255.0
domain-name pzcu-mts.com.ua
dns-server 10.5.1.2 10.5.1.7
default-router 10.5.1.1
netbios-name-server 10.5.1.2 10.5.1.7
!
!
no ip domain lookup
ip domain name pzcu-mts.com.ua
! Upstream resolvers (ISP, redacted) used by "ip dns server" further down.
ip name-server 77.120.XXX.XXX
ip name-server 82.144.XXX.XXX
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki token default removal timeout 0
!
! Self-signed trustpoint for the HTTPS management server.
crypto pki trustpoint TP-self-signed-492885932
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-492885932
revocation-check none
!
!
! DER-encoded self-signed certificate (only the public certificate appears in the listing).
crypto pki certificate chain TP-self-signed-492885932
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34393238 38353933 32301E17 0D313231 32313430 37303433
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3439 32383835
39333230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C5C4F6BD 8B757435 E226EB8E A47BC239 1F97AD10 75AEF5EC B7E076A5 4F40E091
6A971DB4 ED9ACD7F E01BB3C6 0A13E2FD 90A61528 69100146 BEAFA4BF 5E61FDB4
B1EA5280 06A9D72E C44809E0 512B7B7A 90517E37 1BEF3C4D 873F69EC 12389290
317E28AB CE16FE08 5754B63F 525C2B1F DE02E512 1F51F998 C7F9AA87 2E7CC211
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014AB 94305893 1E3F18FD 707AF261 C0C442C5 96AC5E30 1D060355
1D0E0416 0414AB94 3058931E 3F18FD70 7AF261C0 C442C596 AC5E300D 06092A86
4886F70D 01010405 00038181 004C841A EF2DDA1D B3DB1D57 4DE7A9F3 26473A73
652D4A04 68584178 865D00DC 5378166D FA4B1BC3 553E0191 51E86FDB E55967E3
1D9ED96C CAC0480B 0522213D CE040707 4462A3DF 6336BAA3 E7466652 0F990E2D
F86B4B16 5DAAB3F4 ACA1E6F0 49FF92E8 D3C18413 DCFA10BE 20912820 022111C5
DC386618 196CE4CA 0D1E193C 3B
quit
voice-card 0
!
!
!
!
!
!
!
! Device identity for licensing; securityk9 provides the IPsec/IKE features used below.
license udi pid CISCO2911/K9 sn FCZ1546717Q
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
!
!
no ip ftp passive
!
!
! IKE phase-1 policies, evaluated in priority order (1 before 10).
! NOTE(review): policy 1 uses 3DES and DH group 2, both considered legacy; prefer AES and a
! stronger DH group wherever the peers support it, and remove policy 1 once they all do.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
! Pre-shared key for the site-to-site peer (GRE over IPsec, crypto map map1 seq 10).
crypto isakmp key XXXXX address 46.182.XXX.XXX
! NOTE(review): wildcard pre-shared key — presumably for the dynamic crypto map entry. Any
! address may attempt IKE with it and it is the only thing authenticating such peers, so
! keep it strong and rotate it if an unredacted copy of this listing was ever shared.
crypto isakmp key ZZZZZ address 0.0.0.0 0.0.0.0
! IKE dead-peer detection: keepalive every 20 s, retry interval 3 s.
crypto isakmp keepalive 20 3
!
! Easy VPN group for remote-access users: addresses from SDM_POOL_1 (10.5.2.x), split tunnel via ACL 101.
crypto isakmp client configuration group MTS-VPN
key QQQQQQ
dns 10.5.1.2 10.5.1.7
wins 10.5.1.2 10.5.1.7
domain pzcu-mts.com.ua
pool SDM_POOL_1
! Split-tunnel list: only 10.5.0.0-10.5.3.0/24 destinations are sent through the tunnel.
acl 101
netmask 255.255.255.0
!
! Easy VPN group for the 881 branch router (name matches the 881's ezvpn profile "group MTS-ATP1").
crypto isakmp client configuration group MTS-ATP1
key WWWWWW
dns 10.5.1.2 10.5.1.7
wins 10.5.1.2 10.5.1.7
domain pzcu-mts.com.ua
! NOTE(review): SDM_POOL_2 is 10.5.3.1-10.5.3.254, which overlaps the 881's own LAN
! (Vlan1 10.5.3.0/24) — verify the pool address handed to the 881 cannot collide with a LAN host.
pool SDM_POOL_2
! Split-tunnel list pushed to the 881 (10.5.0/1/2.0 only). This is what keeps the branch's
! internet traffic on its local ISP: only these destinations go through the tunnel. Sending
! all branch traffic via the hub would mean pushing no split-tunnel ACL (or a permit-any one)
! here, plus hub-side PAT for 10.5.3.0/24 (NAT_USERS already lists it, but Virtual-Template2
! is not "ip nat inside").
acl 103
netmask 255.255.255.0
! IKE profile for remote-access users: XAUTH against RADIUS, then local group policy.
crypto isakmp profile ciscocp-ike-profile-1
match identity group MTS-VPN
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
! IKE profile for the 881 branch.
! NOTE(review): no "client authentication list" here, so the branch is authenticated by the
! MTS-ATP1 group key only (no XAUTH) — confirm that is intended; the 881 side is configured
! for interactive XAUTH.
crypto isakmp profile ciscocp-ike-profile-2
match identity group MTS-ATP1
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
! Phase-2 transform sets. trans1 is AES-256 (site-to-site); MTS-VPN and MTS-Tunnel use 3DES (legacy).
crypto ipsec transform-set trans1 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto ipsec transform-set MTS-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set MTS-Tunnel esp-3des esp-sha-hmac
!
! IPsec profile applied to Virtual-Template1 (remote-access users).
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set MTS-VPN
set isakmp-profile ciscocp-ike-profile-1
!
! IPsec profile applied to Virtual-Template2 (the 881 branch).
crypto ipsec profile CiscoCP_Profile2
set transform-set MTS-Tunnel
set isakmp-profile ciscocp-ike-profile-2
!
!
! Dynamic map for a peer with unknown address: protects 10.5.0/1.0 <-> 192.168.1.0/24 (ACL 102).
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set MTS-Tunnel
match address 102
!
!
! Static site-to-site entry: encrypts the GRE tunnel (Tunnel0) to 46.182.XXX.XXX (ACL 100).
crypto map map1 10 ipsec-isakmp
set peer 46.182.XXX.XXX
set transform-set trans1
match address 100
! Catch-all dynamic entry; peers here presumably authenticate with the wildcard PSK above.
crypto map map1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
! GRE tunnel to the 46.182 site (encrypted by crypto map map1 on Gi0/0); OSPF runs over it.
interface Tunnel0
ip address 172.16.0.2 255.255.255.252
! NOTE(review): a 1500-byte tunnel MTU leaves no room for GRE+ESP overhead if the WAN link is
! also 1500 bytes; this relies on path-mtu-discovery below — verify large packets are not dropped.
ip mtu 1500
! OSPF neighbor authentication; the key is type-7 obfuscated only (reversible).
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 05030A0A231D1C4839
tunnel source GigabitEthernet0/0
tunnel destination 46.182.XXX.XXX
tunnel path-mtu-discovery
!
! Public WAN interface (redacted /26): IPsec termination (crypto map) and NAT outside.
interface GigabitEthernet0/0
description WAN$ETH-WAN$
ip address 77.120.XXX.XXX 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
! Site-to-site map, dynamic map and the Easy VPN profiles all terminate here.
crypto map map1
!
! Unused.
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! Head-office LAN, 10.5.1.0/24.
interface GigabitEthernet0/2
description LAN$ETH-LAN$
ip address 10.5.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
! Virtual-access template for remote-access users (ciscocp-ike-profile-1 / CiscoCP_Profile1).
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
! NAT inside here lets VPN-originated traffic be PAT'ed by SDM_RMAP_1 (when NAT_USERS matches it).
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
! Virtual-access template for the 881 branch (ciscocp-ike-profile-2 / CiscoCP_Profile2).
! NOTE(review): unlike Virtual-Template1 there is no "ip nat inside" here, so traffic arriving
! from the branch tunnel is never PAT'ed to the internet even though NAT_USERS permits
! 10.5.3.0/24 — it would be required for hub-side internet access for the branch.
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
!
! OSPF area 1 with the 46.182 site over Tunnel0.
! NOTE(review): the 10.5.1.0/24 network statement also enables OSPF on the LAN interface (Gi0/2)
! with no passive-interface and no authentication there — add "passive-interface GigabitEthernet0/2"
! unless a LAN-side neighbor is expected.
router ospf 1
network 10.5.1.0 0.0.0.255 area 1
network 172.16.0.0 0.0.0.3 area 1
!
! Address pools handed out by the Easy VPN groups (MTS-VPN -> SDM_POOL_1, MTS-ATP1 -> SDM_POOL_2).
ip local pool SDM_POOL_1 10.5.2.1 10.5.2.254
! NOTE(review): overlaps the 881's LAN 10.5.3.0/24 — see the MTS-ATP1 group configuration.
ip local pool SDM_POOL_2 10.5.3.1 10.5.3.254
ip forward-protocol nd
!
! NOTE(review): HTTP and HTTPS management with no "ip http access-class", so the UI also
! answers on the public Gi0/0 address — restrict it to management hosts and prefer HTTPS only.
ip http server
ip http authentication local
ip http secure-server
!
! NOTE(review): the router acts as a DNS server/forwarder (to the ISP name-servers above) with no
! access restriction visible in this listing, so it will also answer queries arriving on the public
! interface — an open-resolver exposure; limit it to LAN/VPN sources.
ip dns server
! PAT to the WAN address for sources matched by route-map SDM_RMAP_1 (ACL NAT_USERS).
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
! Default route to the ISP next hop (redacted).
ip route 0.0.0.0 0.0.0.0 77.120.EEE.EEE
!
! Sources that get PAT'ed to the internet (referenced by route-map SDM_RMAP_1).
ip access-list extended NAT_USERS
remark CCP_ACL Category=16
! Exempt traffic toward the IPsec-protected 192.168.1.0/24 site (mirrors ACL 102).
remark IPSec Rule
deny ip 10.5.0.0 0.0.0.255 192.168.1.0 0.0.0.255
remark IPSec Rule
deny ip 10.5.1.0 0.0.0.255 192.168.1.0 0.0.0.255
! Exempt the GRE tunnel itself (mirrors ACL 100).
deny gre host 77.120.XXX.XXX host 46.182.XXX.XXX
permit ip 10.5.1.0 0.0.0.255 any
! Branch LAN is already NAT-eligible; this only takes effect once the interface the branch
! traffic enters on (Virtual-Template2) is "ip nat inside".
permit ip 10.5.3.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/2
logging esm config
! ACL 100: interesting traffic for crypto map map1 seq 10 (the GRE tunnel to 46.182.XXX.XXX).
access-list 100 permit gre host 77.120.XXX.XXX host 46.182.XXX.XXX
! ACL 101: split-tunnel list pushed to group MTS-VPN.
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 10.5.0.0 0.0.0.255 any
access-list 101 permit ip 10.5.1.0 0.0.0.255 any
access-list 101 permit ip 10.5.2.0 0.0.0.255 any
access-list 101 permit ip 10.5.3.0 0.0.0.255 any
! ACL 102: interesting traffic for dynamic map SDM_DYNMAP_1 (192.168.1.0/24 site).
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.5.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.5.0.0 0.0.0.255 192.168.1.0 0.0.0.255
! ACL 103: split-tunnel list pushed to the 881 (group MTS-ATP1) — no internet destinations.
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.5.0.0 0.0.0.255 any
access-list 103 permit ip 10.5.1.0 0.0.0.255 any
access-list 103 permit ip 10.5.2.0 0.0.0.255 any
!
!
!
!
! NAT route-map: only NAT_USERS sources are translated.
route-map SDM_RMAP_1 permit 1
match ip address NAT_USERS
!
!
!
! Control-plane section is empty: no CoPP service-policy is applied to the router itself.
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
! H.323 gatekeeper disabled.
gatekeeper
shutdown
!
!
!
! Console and aux use the default AAA login list (RADIUS, then local).
line con 0
line aux 0
! NOTE(review): the vty lines have no access-class, never time out ("exec-timeout 0 0"), land
! directly in privilege 15, and accept clear-text telnet alongside ssh — add an access-class for
! management sources, a finite exec-timeout, and "transport input ssh".
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
rotary 3
transport input telnet ssh
transport output telnet ssh
! Same settings on the remaining vty lines.
line vty 5 1114
exec-timeout 0 0
privilege level 15
logging synchronous
rotary 3
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
end