Good day! A simple Zyxel 334 router was purchased for a branch office; it can only establish an IPSec tunnel to a single IP address.
I tried to configure the Cisco for such a tunnel and ran into this: according to the logs on both the Zyxel and the Cisco the tunnel comes up, but pings to the required hop do not go through. Maybe a peer-to-site tunnel needs different settings?
Local network: 192.168.0/24
Remote network: 192.168.3/24; the host the tunnel must reach is 192.168.3.99
sh ru
!
! Last configuration change at 22:42:14 UTC Tue Aug 14 2007 by root
! NVRAM config last updated at 22:51:23 UTC Mon Aug 6 2007 by root
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoOffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxx
!
username root secret 5 xxxxx
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login admins local
aaa session-id common
ip subnet-zero
!
!
ip domain name cisco.e.local
ip host corp.e.ru 192.168.0.82
ip name-server xxx
!
ip cef
ip inspect name lan-out tcp timeout 3600
ip inspect name lan-out udp timeout 15
ip inspect name lan-out ftp timeout 3600
ip inspect name lan-out smtp timeout 3600
ip inspect name lan-out icmp timeout 15
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key ltI04uBQ4o address aaa.aaa.aaa.aaa
crypto isakmp keepalive 380 10
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-sha-hmac
!
!
crypto map cm-goldentelecom local-address Ethernet1/0
crypto map cm-goldentelecom 4 ipsec-isakmp
set peer aaa.aaa.aaa.aaa
set transform-set cm-transformset-1
match address vpn_storage_main
!
!
interface FastEthernet0/0
description LAN
ip address 192.168.0.21 255.255.255.0
ip nat inside
ip flow ingress
ip inspect lan-out in
speed auto
no cdp enable
!
interface Ethernet1/0
description Goldentelecom
ip address bbb.bbb.bbb.bbb 255.255.255.252
ip access-group wan-in in
ip nat outside
full-duplex
fair-queue
no cdp enable
crypto map cm-goldentelecom
!
ip nat inside source list NAT_TO_ISP_GOLDEN interface Ethernet1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ccc.ccc.ccc.ccc
no ip http server
no ip http secure-server
!
ip dns server
!
!
ip access-list extended NAT_TO_ISP_GOLDEN
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 212.12.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 any
deny ip any any log
ip access-list extended vpn_storage_main
permit ip 192.168.0.0 0.0.0.255 host 192.168.3.99
ip access-list extended wan-in
permit icmp any any
permit esp any any
permit udp any any eq isakmp
deny ip any any log
logging trap debugging
logging facility local1
logging 192.168.0.151
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
session-timeout 15
exec-timeout 0 0
login authentication admins
transport input ssh
!
end
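When a tunnel negotiates but traffic does not flow, the usual suspects are the policy ACLs rather than the ISAKMP or IPsec settings. As an added example (not part of the original post), the script below loads the three ACLs from the configuration above into a small IOS-style evaluator and answers whether a LAN host's traffic to 192.168.3.99 is selected by the crypto map, whether it is exempted from NAT, and whether the wan-in ACL would pass the decrypted return traffic on IOS releases that apply the inbound interface ACL to decrypted packets as well. The LAN address 192.168.0.50 and the public address 198.51.100.7 are assumed sample values.

```python
import ipaddress

# ACLs copied from the poster's "sh ru" output above (used here as test input).
NAT_TO_ISP_GOLDEN = """
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 212.12.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.0.255 any
deny ip any any log
"""
VPN_STORAGE_MAIN = "permit ip 192.168.0.0 0.0.0.255 host 192.168.3.99"
WAN_IN = """
permit icmp any any
permit esp any any
permit udp any any eq isakmp
deny ip any any log
"""

def _addr(tok):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, tok = _addr(tok[2:])
        dst, tok = _addr(tok)
        dport = tok[1] if tok[:1] == ["eq"] else None  # only "eq <port>" is modelled
        rules.append((action, proto, src, dst, dport))
    return rules

def lookup(acl, proto, src, dst, dport=None):
    """First matching entry wins, as on IOS; the implicit deny closes the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in parse_acl(acl):
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

def tunnel_checks(lan_host, remote_host):
    """The three questions behind 'tunnel is up but pings fail'."""
    return {
        "interesting": lookup(VPN_STORAGE_MAIN, "ip", lan_host, remote_host) == "permit",
        "nat_exempt": lookup(NAT_TO_ISP_GOLDEN, "ip", lan_host, remote_host) == "deny",
        # what the inbound ACL says about decrypted return traffic, per protocol
        "return_icmp": lookup(WAN_IN, "icmp", remote_host, lan_host) == "permit",
        "return_tcp": lookup(WAN_IN, "tcp", remote_host, lan_host) == "permit",
    }

if __name__ == "__main__":
    print(tunnel_checks("192.168.0.50", "192.168.3.99"))
```

For this configuration the checks pass for ICMP, so the ACLs explain neither the failed pings nor a NAT problem; note that only ICMP return traffic would clear wan-in on a release that filters decrypted packets.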