[Topology diagram attachment: http://bbs.net130.com/attachment.php?attachmentid=21740&stc=1]
The company uses a Cisco 1721 router to connect to the China Telecom network. On the router, a VPN connection to the US headquarters is configured on address x.x.x.202 with address overloading (PAT); the VPN peer network is 10.20.0.0. A 2950 switch connects to the router's INSIDE port. The company's mail is sent and received over the Internet through the EXCHANGE PROXY at the company headquarters, www.caaextra.net, using the mail client.
The router configuration is as follows:
Building configuration...
Current configuration : 2832 bytes
!
version 12.3
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname kunshan
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
enable secret 5 $1$LG/z$kE4oRDH.vuS/5D07rWPHi/
!
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key AuburnKunshan address x.x.x.4
!
!
crypto ipsec transform-set SET_ONE esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map MAP_ONE 1 ipsec-isakmp
description TUNNEL TO x.x.x.4
set peer x.x.x.4
set transform-set SET_ONE
match address interesting
!
!
!
!
interface Ethernet0
description inside
ip address 10.162.0.1 255.255.240.0
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
ip nat inside
ip inspect DEFAULT100 in
half-duplex
!
interface FastEthernet0
description outside
ip address x.x.x.202 255.255.255.248
ip access-group inbound in
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
ip nat outside
speed auto
crypto map MAP_ONE
!
ip default-gateway 10.162.0.1
ip nat inside source list nat interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.201
no ip http server
no ip http secure-server
!
!
!
ip access-list extended inbound
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit tcp any any eq telnet
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any unreachable
permit icmp any any administratively-prohibited
permit ip 10.20.0.0 0.0.15.255 10.162.0.0 0.0.15.255
deny ip any any log
permit esp host x.xx.4 host x.x.x.202
permit udp host x.x.x.4 host x.x.x.202
ip access-list extended interesting
permit ip 10.162.0.0 0.0.15.255 10.20.0.0 0.0.15.255
ip access-list extended nat
deny ip 10.162.0.0 0.0.15.255 10.20.0.0 0.0.15.255
permit ip 10.162.0.0 0.0.15.255 any
!
banner login ^C
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
line aux 0
line vty 0 4
password 12rt_qw
login
!
!
end
First test: I connected directly to the China Telecom network with IP x.x.x.202 and could not reach x.net; after changing the address to x.x.x.204 I could reach x.net. B and C could both reach me and reach x.net. I ran traceroutes to the US from both the 202 and 204 addresses.
Second test, same setup as the first: something strange appeared. B could not reach me and could not reach x.net either, but C could do both without any problem; B had been working fine before the second test. We ran traceroutes to each other.
Third test: I changed the NAT address used by the internal network for outbound traffic to 204, which still did not solve the problem. The final conclusion was a China Telecom / Internet routing and bandwidth problem.
The above problem has me racking my brains without finding a solution, so I am posting the topology and configuration here in the hope that the experts can offer suggestions. Much obliged; waiting online.
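One check worth running on a configuration like the one quoted above is for shadowed ACL entries: in the `inbound` list, the two `permit ... host x.x.x.4 host x.x.x.202` lines come after `deny ip any any log`, so they can never match, and the first of them is in any case already covered by `permit esp any any`. The script below is an added example, not code from the original post or from Cisco. It parses the three extended ACLs from the post (embedded as a constructed copy, with the masked public addresses replaced by documentation-range placeholders 198.51.100.4 and 198.51.100.202 so they parse) and reports every entry that an earlier entry fully covers. It handles only the syntax used in the post (`any`, `host A`, `A WILDCARD`, a single `eq`/ICMP-type qualifier, trailing `log`), not port ranges or `established`.

```python
"""Find shadowed (unreachable) entries in Cisco IOS extended ACLs.

Added example, not part of the original post. SAMPLE_ACLS is a constructed
copy of the post's ACLs with placeholder public addresses.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the post's three ACLs, public addresses replaced by
# 198.51.100.x placeholders (the post masks them as x.x.x.4 / x.x.x.202).
SAMPLE_ACLS = """\
ip access-list extended inbound
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit tcp any any eq telnet
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 permit ip 10.20.0.0 0.0.15.255 10.162.0.0 0.0.15.255
 deny ip any any log
 permit esp host 198.51.100.4 host 198.51.100.202
 permit udp host 198.51.100.4 host 198.51.100.202
ip access-list extended interesting
 permit ip 10.162.0.0 0.0.15.255 10.20.0.0 0.0.15.255
ip access-list extended nat
 deny ip 10.162.0.0 0.0.15.255 10.20.0.0 0.0.15.255
 permit ip 10.162.0.0 0.0.15.255 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: tuple  # ("eq", "isakmp"), ("echo-reply",) or () for none
    text: str


def _take_addr(tokens, pos):
    """Consume one address spec (any | host A | A WILDCARD); return (net, next_pos)."""
    if tokens[pos] == "any":
        return ANY, pos + 1
    if tokens[pos] == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    # An IOS wildcard mask is exactly the hostmask notation ipaddress accepts.
    return ipaddress.ip_network(f"{tokens[pos]}/{tokens[pos + 1]}", strict=False), pos + 2


def parse_entry(line):
    """Parse one 'permit|deny PROTO SRC DST [qualifier] [log]' line."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, pos = _take_addr(tokens, 2)
    dst, pos = _take_addr(tokens, pos)
    # 'log' only affects logging, never matching, so drop it from the qualifier.
    qual = tuple(t for t in tokens[pos:] if t not in ("log", "log-input"))
    return Entry(action, proto, src, dst, qual, line.strip())


def parse_acls(text):
    """Return {acl_name: [Entry, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            current = line.split()[-1]
            acls[current] = []
        elif current and line and line.split()[0] in ("permit", "deny"):
            acls[current].append(parse_entry(line))
    return acls


def covers(a, b):
    """True if every packet that matches entry b would already have matched a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    qual_ok = a.qualifier == () or a.qualifier == b.qualifier
    return proto_ok and qual_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def find_shadowed(entries):
    """Return [(shadowed_index, shadowing_index)] for entries that can never match."""
    result = []
    for i, later in enumerate(entries):
        for j in range(i):
            if covers(entries[j], later):
                result.append((i, j))
                break
    return result


def analyze(text):
    """Shadowing report for every ACL in the text: {acl_name: [(i, j), ...]}."""
    return {name: find_shadowed(entries) for name, entries in parse_acls(text).items()}


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_ACLS)
    for name, pairs in analyze(SAMPLE_ACLS).items():
        for i, j in pairs:
            print(f"{name}: entry {i + 1} '{acls[name][i].text}' "
                  f"is shadowed by entry {j + 1} '{acls[name][j].text}'")
```

Run against the sample, the report names only the `inbound` list: its 12th entry is already covered by `permit esp any any`, and its 13th is covered by `deny ip any any log`; the `interesting` and `nat` lists have no unreachable entries, so the NAT exemption for the VPN subnet does what the post intends. The check is deliberately conservative: it flags an entry only when a single earlier entry covers it completely, so it never reports a false shadow, but it can miss entries that are covered only by the union of several earlier ones.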
