Задача перевести внутренний интерфейс с 192.168.5.0 на 192.168.1.0, убрать DHCP и заменить его релеем.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****-c1811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $*************************************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login EZVPN local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network EZVPN local
!
aaa session-id common
!
resource policy
!
clock timezone MSK 3
{надо бы исправить}clock summer-time SUM recurring last Sun Mar 2:00 last Sun Oct 2:00
{надо бы исправить}!
ip cef
!
no ip domain lookup
ip domain name фирма.ru
{это здесь захрена}ip ssh time-out 60
ip ssh logging events
ip ssh version 2
ip inspect name cbac tcp
ip inspect name cbac udp
ip inspect name cbac icmp
ip inspect name cbac http
ip inspect name cbac ftp
ip inspect name cbac pop3
ip inspect name cbac imap
ip inspect name cbac https
ip inspect name cbac isakmp
ip inspect name cbac pptp
ip rcmd rcp-enable
ip rcmd remote-host sdmR3a4fffc1 10.10.10.2 L3a4fffc1 enable
{не понимаю, это для чего}!
crypto pki trustpoint TP-self-signed-4059730182
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4059730182
revocation-check none
rsakeypair TP-self-signed-4059730182
!
crypto pki certificate chain TP-self-signed-4059730182
certificate self-signed 01
{выкушен сертификат} quit
username setup privilege 15 password 7 ************************
username test privilege 0 secret 5 ****************************
{выкушена толпа юзеров}!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local EZVPN
!
crypto isakmp client configuration group EZVPN
key CISCO
pool EZVPN
acl SPLIT_TUNNEL
netmask 255.255.255.0
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 10
set transform-set 3DES_MD5
reverse-route
!
crypto map CMAP client authentication list EZVPN
crypto map CMAP isakmp authorization list EZVPN
crypto map CMAP client configuration address respond
crypto map CMAP 1000 ipsec-isakmp dynamic DYNAMIC
!
interface FastEthernet0
description Link to ISP
ip address 212.1**.140.115 255.255.255.248
ip access-group Outside in
ip nat outside
ip inspect cbac out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map CMAP
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description LAN
ip address 192.168.5.1 255.255.255.0
{сменить адрес интерфейса, ну тут проблем нет} ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip local pool EZVPN 192.168.5.100 192.168.5.149
{убить пул, и создать релей DHCP c VLAN1 вопросы есть но думаю справиться}ip route 0.0.0.0 0.0.0.0 212.1**.140.113
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NATusers interface FastEthernet0 overload
!
ip access-list extended NATusers
deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
{откуда правится эта секция?} permit ip 192.168.5.0 0.0.0.255 any
{откуда правится эта секция?}ip access-list extended Outside
permit icmp any any
permit tcp any host 212.1**.140.115 eq 22
permit udp any host 212.1**.140.115 eq isakmp
permit udp any host 212.1**.140.115 eq non500-isakmp
permit esp any host 212.1**.140.115
ip access-list extended SPLIT_TUNNEL
permit ip 192.168.5.0 0.0.0.255 any
{откуда правится эта секция?}!
no cdp run
!
control-plane
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 40 0
transport input telnet ssh
line vty 5 15
exec-timeout 40 0
transport input telnet ssh
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Updated: 30 January 2013, 08:28:24
ip domain name фирма.ru {это здесь захрена}
Это так и не понял, для чего, писал всё это изначально не я поэтому не знаю и не понимаю.
ip rcmd remote-host sdmR3a4fffc1 10.10.10.2 L3a4fffc1 enable {не понимаю, это для чего}
то же самое
ip local pool EZVPN 192.168.5.100 192.168.5.149{убить пул, и создать релей DHCP c VLAN1 вопросы есть но думаю справиться}
туплю пока, но щас вычитаем. Насколько я понял, достаточно будет убрать DHCP, прибить ненужный более пул и дать для интерфейса VLAN1 ip helper-address.
ip access-list extended NATusers
deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255 {откуда правится эта секция?}
permit ip 192.168.5.0 0.0.0.255 any {откуда правится эта секция?}
ip access-list extended Outside
permit icmp any any
permit tcp any host 212.1**.140.115 eq 22
permit udp any host 212.1**.140.115 eq isakmp
permit udp any host 212.1**.140.115 eq non500-isakmp
permit esp any host 212.1**.140.115
ip access-list extended SPLIT_TUNNEL
permit ip 192.168.5.0 0.0.0.255 any {откуда правится эта секция?}
с этим разобрался.
Подскажите плиз хотя бы по
ip domain name и
ip rcmd remote-host
Updated: 30 January 2013, 09:02:02
По
ip domain name уяснил, что этот параметр требуется для генерации криптоключей, но опять возник вопрос, здесь не понимаю, можно ли менять произвольно в конфиге или придется перегенерить ключи? Меня смущает что использовано <фирма>.ru, не создаст ли это какого гемороя впоследствии.
ip rcmd remote-host
To create an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp, use the ip rcmd remote-host global configuration command. Use the no form of this command to remove an entry for a remote user from the local authentication database.
ip rcmd remote-host local-username {ip-address | host} remote-username [enable [level]]
no ip rcmd remote-host local-username {ip-address | host} remote-username [enable [level]]
Syntax Description
local-username
Name of the user on the local router. You can specify the router host name as the username. This name needs to be communicated to the network administrator or the user on the remote system. To be allowed to remotely execute commands on the router, the remote user must specify this value correctly.
ip-address
IP address of the remote host from which the local router will accept remotely executed commands. Either the IP address or the host name is required.
host
Name of the remote host from which the local router will accept remotely executed commands. Either the host name or the IP address is required.
remote-username
Name of the user on the remote host from which the router will accept remotely executed commands.
enable level
(Optional) Enables the remote user to execute privileged EXEC commands using rsh or to copy files to the router using rcp. The range is 1 to 15. The default is 15. For information on the enable level, refer to the privilege level global configuration command in the Security Command Reference.
Default
There are no entries in the local authentication database.
Command Mode
Global configuration
Usage Guidelines
This command first appeared in Cisco IOS Release 10.3.
A TCP connection to a router is established using an IP address. Using the host name is valid only when you are initiating an rcp or rsh command from a local router. The host name is converted to an IP address using DNS or host-name aliasing.
To allow a remote user to execute rcp or rsh commands on a local router, you must create an entry for the remote user in the local authentication database. You must also enable the router to act as an rsh or rcp server.
To enable the router to act as an rsh server, issue the ip rcmd rsh-enable command. To enable the router to act as an rcp server, issue the ip rcmd rcp-enable command.The router cannot act as a server for either of these protocols unless you explicitly enable the capacity.
A local authentication database, which is similar to a UNIX .rhosts file, is used to enforce security on the router through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of rsh to execute commands in privileged EXEC mode or to permit a remote user of rcp to copy files to the router, specify the enable keyword and level. For information on the enable level, refer to the privilege level global configuration command in the Security Command Reference.
An entry that you configure in the authentication database differs from an entry in a UNIX .rhost file in the following aspect. Because the .rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX .rhosts file does not need to include the local username; the local username is determined from the user account. To provide equivalent support on a router, specify the local username along with the remote host and remote username in each authentication database entry that you configure.
For a remote user to be able to execute commands on the router in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.
A remote client host should be registered with DNS. The Cisco IOS software uses DNS to authenticate the remote host's name and address. Because DNS can return several valid IP addresses for a host name, the Cisco IOS software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid, that is, it does not match any address listed with DNS for the host name, then the software will reject the remote-command execution request.
Note that if no DNS servers are configured for the router, then that device cannot authenticate the host in this manner. In this case, the Cisco IOS software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the no ip domain-lookup command to disable the attempt to gain access to a DNS server by sending a broadcast request.
If DNS services are not available and, therefore, you bypass the DNS security check, the software will accept the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.
Вроде всё черным по белому, но откуда адрес 10.10.10.2
