Auxilium
Newbie

Good day. I have 2 subnets that cannot see each other (10.1.10.0 and 10.1.12.0).

The essence of the problem: on one side the network is 10.1.10.0, on the other 10.1.12.0. They are connected to each other over a VPN channel through the gateway 10.1.10.15. If I add a route to this gateway on a PC, say 10.1.10.5, the second subnet pings (10.1.12.1). The task is to set up a route so that all traffic to 10.1.12.0 goes through the gateway 10.1.10.15.

//------------------
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name xxxxx
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out_acl permit icmp any any
access-list out_acl permit tcp any eq domain any eq domain
access-list out_acl permit tcp any eq smtp any eq smtp
access-list out_acl permit tcp any eq www any eq www
access-list out_acl permit tcp any eq ssh any eq ssh
access-list out_acl permit tcp any interface outside eq smtp
access-list out_acl permit tcp any interface outside eq domain
access-list out_acl permit udp any interface outside eq domain
access-list out_acl permit tcp any interface outside eq www
access-list out_acl permit tcp any interface outside eq ftp
access-list out_acl permit tcp any interface outside eq ftp-data
access-list out_acl permit tcp any interface outside eq 3389
access-list out_acl permit tcp any interface outside eq ssh
access-list out_acl permit tcp any interface outside eq pptp
access-list out_acl permit udp any interface outside eq 1723
access-list in_acl permit ip host 10.1.10.140 any
access-list in_acl permit ip host 10.1.10.225 any
access-list in_acl permit ip host 10.1.10.233 any
access-list in_acl permit ip host 10.1.10.194 any
access-list in_acl permit ip host 10.1.10.124 any
access-list in_acl permit ip host 10.1.10.150 any
access-list in_acl permit ip host 10.1.10.13 any
access-list in_acl permit ip 10.1.10.0 255.255.255.0 198.7.0.0 255.255.255.0
access-list in_acl permit ip any any
access-list in_http remark Block direct http access
access-list in_http permit ip host 10.1.10.227 any
access-list in_http permit ip host 10.1.10.233 any
access-list in_http permit ip host 10.1.10.158 any
access-list in_http permit ip host 10.1.10.13 any
access-list in_http permit ip host 10.1.10.150 any
access-list in_http permit ip host 10.1.10.250 any
access-list in_http permit tcp any host 10.1.10.20 eq domain
access-list in_http permit udp any host 10.1.10.20 eq domain
access-list in_http permit ip host 10.1.10.15 any
access-list in_http permit ip host 10.1.10.16 any
access-list in_http permit ip host 10.1.10.17 any
access-list in_http permit ip host 10.1.10.18 any
access-list in_http permit ip host 10.1.10.19 any
access-list in_http permit ip host 10.1.10.20 any
access-list in_http permit ip host 10.1.10.21 any
access-list in_http permit ip host 10.1.10.22 any
access-list in_http permit ip host 10.1.10.23 any
access-list in_http permit ip host 10.1.10.24 any
access-list in_http permit ip host 10.1.10.25 any
access-list in_http permit ip host 10.1.10.26 any
access-list in_http permit ip host 10.1.10.27 any
access-list in_http permit ip host 10.1.10.28 any
access-list in_http permit ip host 10.1.10.29 any
access-list in_http permit ip host 10.1.10.66 any
access-list in_http permit tcp any host 10.1.10.20 eq www
access-list in_http permit tcp any host 10.1.10.20 eq pptp
access-list in_http permit udp any host 10.1.10.20 eq 1723
access-list in_http deny tcp any any eq www
access-list in_http deny tcp any any eq https
access-list in_http deny tcp any any eq 8080
access-list in_http deny tcp any any eq ftp
access-list in_http deny tcp any any eq telnet
access-list in_http deny tcp any any eq ftp-data
access-list in_http deny udp any any eq 20
access-list in_http deny udp any any eq 21
access-list in_http deny tcp any any eq 82
access-list in_http deny tcp any any eq 107
access-list in_http deny udp any any eq 107
access-list in_http deny tcp any any eq 115
access-list in_http deny udp any any eq 115
access-list in_http deny udp any any eq netbios-ns
access-list in_http deny tcp any any eq 137
access-list in_http deny tcp any any eq 138
access-list in_http deny udp any any eq netbios-dgm
access-list in_http deny tcp any any eq netbios-ssn
access-list in_http deny udp any any eq 139
access-list in_http deny udp any any eq 25
access-list in_http deny tcp any any eq pptp
access-list deb permit ip host 80.71.33.2 any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.11.2 255.255.255.0
ip address inside 10.1.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 192.168.11.2 smtp 10.1.10.13 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.11.2 3389 10.1.10.233 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 192.168.11.2 domain 10.1.10.250 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 192.168.11.2 domain 10.1.10.250 domain netmask 255.255.255.255 0 0
access-group out_acl in interface outside
access-group in_http in interface inside
routing interface inside
route outside 0.0.0.0 0.0.0.0 192.168.11.1 1
route inside 10.1.12.0 255.255.255.0 10.1.10.15 1
route inside 198.7.0.0 255.255.0.0 10.1.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.10.5-10.1.10.200 inside
dhcpd dns *.*.*.* *.*.*.*.*
dhcpd lease 3600
dhcpd ping_timeout 750
: end
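The routing question in the post above, as an added example that is not part of the original post: a small Python script that parses the `ip address` and `route` statements from the pasted PIX config, performs a longest-prefix lookup for a destination, and flags the case where the matching route sends the packet back out the interface it arrived on. For a host such as 10.1.10.5 reaching 10.1.12.1 that is exactly what the posted config produces: the PIX has `route inside 10.1.12.0 255.255.255.0 10.1.10.15`, so a packet that enters on `inside` (because the host's default gateway is the PIX, 10.1.10.1) would have to leave on `inside` again. PIX 6.x does not forward traffic back out the interface it came in on (that capability arrived with the ASA 7.x `same-security-traffic permit intra-interface` command), which is consistent with the observation that a host given the route locally can ping 10.1.12.1 while hosts relying on the PIX as their gateway cannot. The config lines embedded in the script are copied from the post; the probe addresses used in the checks (8.8.8.8, 198.7.1.1) are constructed.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Interface and route statements copied from the PIX config in the post.
PIX_CONFIG = """
ip address outside 192.168.11.2 255.255.255.0
ip address inside 10.1.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.11.1 1
route inside 10.1.12.0 255.255.255.0 10.1.10.15 1
route inside 198.7.0.0 255.255.0.0 10.1.10.2 1
"""


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map interface name -> address/mask from 'ip address <if> <addr> <mask>' lines."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "address"]:
            ifaces[parts[2]] = ipaddress.IPv4Interface(f"{parts[3]}/{parts[4]}")
    return ifaces


def parse_routes(config: str) -> List[Route]:
    """Collect 'route <if> <net> <mask> <gateway> [metric]' statements."""
    routes: List[Route] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            iface, net, mask, gw = parts[1:5]
            metric = int(parts[5]) if len(parts) > 5 else 1
            routes.append(Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                                ipaddress.IPv4Address(gw), metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def ingress_interface(ifaces: Dict[str, ipaddress.IPv4Interface], src: str) -> Optional[str]:
    """Which directly connected interface a packet from `src` arrives on."""
    addr = ipaddress.IPv4Address(src)
    for name, ifaddr in ifaces.items():
        if addr in ifaddr.network:
            return name
    return None


def check_path(config: str, src: str, dst: str) -> dict:
    """Resolve src -> dst through the firewall and flag same-interface (hairpin) forwarding.

    A hairpin result means the firewall would have to send the packet back out the
    interface it arrived on, which a PIX 6.x does not do; the route is therefore
    useless to hosts that rely on the PIX as their default gateway.
    """
    route = lookup(parse_routes(config), dst)
    ingress = ingress_interface(parse_interfaces(config), src)
    if route is None:
        return {"route": None, "ingress": ingress, "egress": None, "hairpin": False}
    return {"route": route, "ingress": ingress, "egress": route.iface,
            "hairpin": ingress is not None and ingress == route.iface}


if __name__ == "__main__":
    for dst in ("10.1.12.1", "8.8.8.8", "198.7.1.1"):  # probe destinations (constructed)
        result = check_path(PIX_CONFIG, "10.1.10.5", dst)
        r = result["route"]
        print(f"10.1.10.5 -> {dst}: via {r.gateway} out {r.iface}, "
              f"in {result['ingress']}, hairpin={result['hairpin']}")
```

Run as-is it reports `hairpin=True` for 10.1.12.1 and 198.7.1.1 (both routes point at a next hop on the `inside` network) and `hairpin=False` for an Internet destination that follows the default route out `outside`. The practical consequence for the question asked is that the route has to live on the hosts themselves, on a router that sits in the path, or be pushed to the hosts by other means; the PIX route alone is not sufficient on this software version.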