Добрый день! Проблема в следующем. Есть PIX 515 в качестве VPN-сервера (Easy VPN Server) и Cisco 871 в качестве клиента (Easy VPN Remote, режим network-extension). Нужно сделать так, чтобы при обращении к корпоративной сети пакеты шли в туннель без NAT, а при обращении к внешним ресурсам — соответственно через NAT во внешний интерфейс.
Делал как в примерах на cisco.com, например по этому: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_con... — не выходит каменный цветок. Вот куски конфигов (ключи и внешние адреса заменены):
Cisco 871 (EzVPN-клиент):
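! --- Cisco 871: Easy VPN Remote (network-extension mode) + PAT to the Internet ---
ip dhcp excluded-address 172.16.160.1
!
ip dhcp pool dhcp-pool
 network 172.16.160.0 255.255.255.0
 default-router 172.16.160.1
 ! NOTE(review): these DNS servers (192.168.18.x) are neither in the PIX split-tunnel
 ! list (only 172.16.28.0/29) nor routable on the Internet, so clients will not be
 ! able to reach them unless they are added to Split_Tunnel_List_160 — confirm.
 dns-server 192.168.18.34 192.168.18.16 192.168.18.18
 lease 2
!
no ip domain lookup
ip domain name msk.msk
ip name-server 192.168.18.18
ip name-server 192.168.18.34
ip name-server 192.168.18.16
!
crypto ipsec client ezvpn vpn
 connect auto
 ! Group pre-shared key: it is a secret. It has been posted in clear text, so rotate it
 ! on both the 871 and the PIX tunnel-group.
 group vpnadmingroup key ccdadminkey
 ! Must match "nem enable" in the PIX group-policy.
 mode network-extension
 peer yyy.yyy.yyy.94
 ! XAUTH: the PIX side has "isakmp ikev1-user-authentication none", so this
 ! username/password is never requested. If XAUTH is ever enabled, replace
 ! test/test with real credentials first.
 username test password test
 xauth userid mode interactive
!
interface FastEthernet4
 description to ISP
 ip address xx.xxx.xxx.100 255.255.255.224
 ! ACL 101 is "permit ip any any" — the Internet interface is currently unfiltered.
 ip access-group 101 in
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 ! Outside (tunnel) interface of the EzVPN client.
 crypto ipsec client ezvpn vpn
!
interface BVI1
 ip address 172.16.160.1 255.255.255.0
 ! ACL 100 is "permit ip any any": this filter is a no-op.
 ip access-group 100 out
 ip nat inside
 ip virtual-reassembly
 ! Inside interface of the EzVPN client; 172.16.160.0/24 becomes the protected network.
 crypto ipsec client ezvpn vpn inside
!
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.97
!
! NAT policy: translate only traffic that is NOT destined to the corporate network.
! The original ACL 192 was "permit 172.16.160.0/24 -> any", i.e. traffic for
! 172.16.28.0/29 was also PATed to the WAN address. NOTE(review): on IOS the
! inside->outside translation is applied before the IPsec check, so the
! translated packets no longer match the PIX nat0 / split-tunnel ACL
! (172.16.160.0/24 <-> 172.16.28.0/29) — this is the most likely cause of the
! reported failure. Easy VPN Remote may also install its own NAT bypass when the
! tunnel is up; the explicit deny below does not depend on that.
ip nat inside source route-map ezvpn interface FastEthernet4 overload
!
access-list 100 permit ip any any
! TODO(security): "permit ip any any" inbound on the Internet interface provides
! no protection. Restrict it to what the WAN address must accept (udp/500 isakmp,
! udp/4500 nat-t, esp, the ICMP types you need) — but only together with stateful
! inspection (ip inspect / CBAC) for the PAT flows, otherwise Internet return
! traffic will be dropped by the ACL.
access-list 101 permit ip any any
! deny  = do not translate (goes into the tunnel with the real 172.16.160.x source)
! permit = PAT to the FastEthernet4 address (Internet traffic)
access-list 192 deny   ip 172.16.160.0 0.0.0.255 172.16.28.0 0.0.0.7
access-list 192 permit ip 172.16.160.0 0.0.0.255 any
!
route-map ezvpn permit 1
 match ip address 192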
PIX 515 (EzVPN-сервер):
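! --- PIX 515: Easy VPN Server for the 871 (network-extension client) ---
interface Ethernet0
 nameif outside
 security-level 0
 ip address yyy.yyy.yyy.94 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.28.1 255.255.255.248
!
! Inbound from the Internet: every ICMP type from any source is allowed.
! Fine while debugging; afterwards limit it to echo-reply / unreachable /
! time-exceeded (and echo only if the PIX must stay pingable).
access-list outside_access_in extended permit icmp any any
! NAT exemption for corporate LAN <-> remote LAN. These two ACL entries were
! wrapped onto two lines in the post; each must be a single line.
access-list inside_nat0_outbound extended permit ip 172.16.28.0 255.255.255.248 172.16.160.0 255.255.255.0
access-list Split_Tunnel_List_160 remark The corporate network behind the PIX
! Only 172.16.28.0/29 is pushed to the client as a protected network. The DNS
! servers the 871 hands out (192.168.18.x) are not covered here, so the client
! will not send traffic for them through the tunnel — add them if they live
! behind the PIX.
access-list Split_Tunnel_List_160 extended permit ip 172.16.28.0 255.255.255.248 172.16.160.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 yyy.yyy.yyy.81 1
group-policy vpnadmingroup internal
group-policy vpnadmingroup attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List_160
 ! Required for the 871's "mode network-extension"; without it the client is
 ! treated as a client-mode (single address) peer.
 nem enable
! 3DES / SHA-1 / DH group 2 are legacy algorithms. Prefer AES and a larger DH
! group if the IOS image on the 871 supports them; keep both ends in sync.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! NOTE(review): PFS is requested here; confirm the EzVPN Remote on the 871
! negotiates PFS, otherwise phase 2 may fail on the mismatch.
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
! Injects a route for the client's protected network (172.16.160.0/24) when the
! tunnel comes up, so inside hosts can reach the remote LAN.
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Identical to policy 10; redundant and can be removed once everything works.
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group vpnadmingroup type ipsec-ra
tunnel-group vpnadmingroup general-attributes
 default-group-policy vpnadmingroup
tunnel-group vpnadmingroup ipsec-attributes
 ! Must equal the "group vpnadmingroup key ..." on the 871. Rotate it: the key
 ! was published in clear text in this thread.
 pre-shared-key *
 ! XAUTH disabled: the 871 is authenticated by the group PSK alone; its
 ! username/password are never checked. Anyone holding the PSK can bring up
 ! the tunnel, so treat the key accordingly.
 isakmp ikev1-user-authentication none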