0010 anonymous@fusianasan 2022/06/13(Mon) 16:14:43.06 ID:???
If there's something you've overlooked, it's that this isn't a VPN question thread. It always ends in an argument over details given after the fact, so paste the whole config.

0011 anonymous@fusianasan 2022/06/13(Mon) 17:24:06.88 ID:???
Recheck PC2's default gateway and firewall settings.

0012 anonymous@fusianasan 2022/06/14(Tue) 01:07:40.97 ID:???
>>9 Here is the config. It's a bit long, but first the ix2106 (static IP) side:

ip ufs-cache max-entries 20000
ip ufs-cache enable
ip route default Tunnel0.0
ip route 192.168.1.0/24 Tunnel1.0
ip dhcp enable
ip access-list web-http-acl permit ip src any dest 192.168.0.254/32
ip access-list web_vpnlist permit ip src any dest any
ipv6 ufs-cache max-entries 10000
ipv6 ufs-cache enable
ipv6 dhcp enable
ipv6 access-list block-list deny ip src any dest any
ipv6 access-list permit-list permit ip src any dest any
ipv6 access-list web-permit-list permit udp src any sport any dest any dport eq 546
ipv6 access-list web-permit-list permit udp src any sport any dest any dport eq 547
ipv6 access-list web-permit-list permit icmp src any dest any
ipv6 access-list web-permit-list permit 4 src any dest any
ipv6 access-list dynamic cache 65535
ipv6 access-list dynamic dflt-list access permit-list
ike nat-traversal
ike proposal web_vpn2ikeprop encryption aes-256 hash sha2-256 group 2048-bit
ike policy web_vpn2ikepolicy peer any key **************** mode aggressive web_vpn2ikeprop
ike remote-id web_vpn2ikepolicy fqdn satellite1
ipsec autokey-proposal web_vpn2secprop esp-aes-256 esp-sha2-256
ipsec dynamic-map web_vpn2secpolicy web_vpnlist web_vpn2secprop ike-binding web_vpn2ikepolicy
ipsec remote-id web_vpn2secpolicy 192.168.1.0/24
proxy-dns ip enable
proxy-dns ip request both
ddns enable

0013 anonymous@fusianasan 2022/06/14(Tue) 01:08:46.71 ID:???
ip dhcp profile lan100
  assignable-range 192.168.1.2 192.168.1.250
  default-gateway 192.168.1.254
  dns-server 192.168.1.254
  lease-time 7200
ip dhcp profile web-dhcp-gigaethernet1.0
  dns-server 192.168.0.254
ipv6 dhcp client-profile dhcpv6-cl
  option-request dns-servers
  ia-pd subscriber GigaEthernet1.0 ::/64 eui-64
ipv6 dhcp server-profile dhcpv6-sv
  dns-server dhcp
ddns profile v6plus-update
  url http://***.******.ne.jp/
  query user=**********&pass=********
  transport ipv6
  source-interface GigaEthernet1.0
  update-interval 10
interface GigaEthernet0.0
  no ip address
  ip napt static GigaEthernet0.0 50
  ip napt static GigaEthernet0.0 udp 500
  ip napt static GigaEthernet0.0 udp 4500
  ipv6 enable
  ipv6 autoselect enable
  ipv6 autoselect ra-delay 0
  ipv6 dhcp client dhcpv6-cl
  ipv6 nd proxy GigaEthernet1.0
  ipv6 filter web-permit-list 51 in
  ipv6 filter block-list 200 in
  ipv6 filter web-permit-list 51 out
  ipv6 filter dflt-list 200 out

0014 anonymous@fusianasan 2022/06/14(Tue) 01:09:37.87 ID:???
  no shutdown
interface GigaEthernet1.0
  ip address 192.168.0.254/24
  ipv6 enable
  ipv6 interface-identifier **:**:**:**:**:**:**:**
  ipv6 dhcp server dhcpv6-sv
  ipv6 nd ra enable
  ipv6 nd ra other-config-flag
  no shutdown
interface Tunnel0.0
  tunnel mode 4-over-6
  tunnel destination xxxx:xxxx:xxxx:xxxx::xx
  tunnel source GigaEthernet1.0
  ip address xxx.xxx.xxx.xxx/32
  ip tcp adjust-mss auto
  ip napt enable
  ip napt static Tunnel0.0 50
  ip napt static Tunnel0.0 udp 500
  ip napt static Tunnel0.0 udp 4500
  no shutdown
interface Tunnel1.0
  description testVPN
  tunnel mode ipsec
  ip unnumbered GigaEthernet1.0
  ip tcp adjust-mss auto
  ipsec policy tunnel web_vpn2secpolicy out
  no shutdown

0015 anonymous@fusianasan 2022/06/14(Tue) 01:11:00.37 ID:???
>>9 Next, the ix2105 (dynamic IP) side:

ip ufs-cache enable
ip route default GigaEthernet0.1
ip route 192.168.0.0/24 Tunnel0.0
ip dhcp enable
ip access-list web-http-acl permit ip src any dest 192.168.1.254/32
ip access-list web_vpnlist permit ip src any dest any
arp auto-refresh
ike nat-traversal
ike proposal web_vpn1ikeprop encryption aes-256 hash sha2-256 group 2048-bit
ike policy web_vpn1ikepolicy peer ***.***.***.*** key **************** mode aggressive web_vpn1ikeprop
ike keepalive web_vpn1ikepolicy 30 6
ike local-id web_vpn1ikepolicy fqdn satellite1
ike suppress-dangling web_vpn1ikepolicy
ipsec autokey-proposal web_vpn1secprop esp-aes-256 esp-sha2-256
ipsec autokey-map web_vpn1secpolicy web_vpnlist peer ***.***.***.*** web_vpn1secprop
ipsec local-id web_vpn1secpolicy 192.168.1.0/24
proxy-dns ip enable
proxy-dns interface GigaEthernet0.1 priority 254
ppp profile web-ppp-gigaethernet0.1
  authentication myname ********@*************.ne.jp
  authentication password ********@*************.ne.jp ********
ip dhcp profile lan100
  assignable-range 192.168.1.2 192.168.1.250
  default-gateway 192.168.1.254
  dns-server 192.168.1.254
  lease-time 7200
interface GigaEthernet0.0
  no ip address
  shutdown

0016 anonymous@fusianasan 2022/06/14(Tue) 01:11:34.03 ID:???
interface GigaEthernet1.0
  description LAN1
  ip address 192.168.1.254/24
  ip dhcp binding lan100
  linkmgr enable
  no shutdown
interface GigaEthernet0.1
  description WAN1
  encapsulation pppoe
  auto-connect
  ppp binding web-ppp-gigaethernet0.1
  ip address ipcp
  ip tcp adjust-mss auto
  ip napt enable
  ip napt hairpinning
  ip napt static GigaEthernet0.1 50
  ip napt static GigaEthernet0.1 udp 500
  ip napt static GigaEthernet0.1 udp 4500
  no shutdown
interface Tunnel0.0
  description testVPN
  tunnel mode ipsec
  ip unnumbered GigaEthernet1.0
  ip tcp adjust-mss auto
  ipsec policy tunnel web_vpn1secpolicy out
  no shutdown

0017 anonymous@fusianasan 2022/06/14(Tue) 01:19:42.83 ID:???
Sorry for the length.
I've been unwell after several all-nighters in a row recently and haven't touched the IX at all, but it looks like I can work on the IX from tomorrow. I'll report back once the configuration is done. Thank you.

0078 anonymous@fusianasan 2022/07/11(Mon) 09:34:48.36 ID:???
>>77
Config changes for site B:

interface GigaEthernet2:1.0
  ip filter b 10 out
  bridge-group 1
  no shutdown
interface BVI5
  bridge-group 1
  no shutdown
interface Tunnel2.0
  bridge-group 1
  no shutdown

To keep the DHCP servers of site A and site B (protocol 67-68) and DHCPv6 (protocol 546-547) separate:

ip access-list dhcp-sec deny udp src any sport range 67 68 dest any dport range 67 68
ip access-list dhcpv6-sec deny udp src any sport range 546 547 dest any dport range 546 547
ip access-list dhcp-pass permit ip src any dest any
interface Tunnel2.0
  ip filter dhcp-sec 1 in
  ip filter dhcpv6-sec 2 in
  ip filter dhcp-pass 100 in
  no shutdown
In the site B config below, it looks like you've adopted a setup that goes out through the site's own PPPoE connection, with an IP access list that lets through only UDP 500 and ESP packets.

ip route default GigaEthernet0.1
ip access-list flt-list1 permit udp src 111.222.333.444/32 sport eq 500 dest any dport eq 500
ip access-list flt-list1 permit 50 src 111.222.333.444/32 dest any
interface GigaEthernet0.1
  encapsulation pppoe
  auto-connect
  ppp binding plala
  ip address ipcp
  ip napt enable
  ip napt static GigaEthernet0.1 udp 500
  ip napt static GigaEthernet0.1 50
  ip filter flt-list1 1 in

0084 anonymous@fusianasan 2022/07/14(Thu) 01:16:23.37 ID:???
>>81 >>83
Continued.

ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 80
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 443
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 25
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 587
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 143
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 993
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 995
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 8080
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 80
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 443
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 25
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 587
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 143
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 993
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 995
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 8080

route-map r-map permit 10
  match ip address access-list etherip-isp1
  set ip next-hop 192.168.101.253

ip route default GigaEthernet0.1
ip route default 192.168.101.253 distance 50

0086 anonymous@fusianasan 2022/07/14(Thu) 01:23:51.62 ID:???
>>81 >>83
ip access-list flt-list1 permit udp src any sport eq 4500 dest any dport eq 4500
ip access-list flt-list1 permit udp src any sport eq 1701 dest any dport eq 1701
interface GigaEthernet0.1
  ip napt static GigaEthernet0.1 udp 4500
  ip napt static GigaEthernet0.1 udp 1701

Sorry, one more question. Is it all right to delete the "ip filter flt-list1 1 in" written in >>83?
Even after adding what is written in >>88:

ip access-list flt-list1 permit udp src any sport eq 4500 dest any dport eq 4500
ip access-list flt-list1 permit udp src any sport eq 1701 dest any dport eq 1701
interface GigaEthernet0.1
  ip napt static GigaEthernet0.1 udp 4500
  ip napt static GigaEthernet0.1 udp 1701

unless I remove "ip filter flt-list1 1 in" from interface GigaEthernet0.1, the devices at site B seem unable to get out to the internet.
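As an added illustration (not code from the thread or from NEC), here is a small Python model of how an inbound IX-style filter list behaves: entries are checked in order, the first match wins, and anything unmatched hits the implicit deny. It uses the flt-list1 from >>83 and the DHCP split filters from >>78; 203.0.113.10 stands in for the masked peer address and 198.51.100.7 for site B's PPPoE address, both constructed placeholders.

```python
import ipaddress

# Added illustration, not NEC IX firmware code: a simplified model of how an
# "ip access-list" applied with "ip filter <list> <priority> in" is evaluated.
# First match wins; an applied chain ends in an implicit deny. The addresses
# below are constructed placeholders for the masked ones in the thread.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

SITE_B_WAN_IN = """
ip access-list flt-list1 permit udp src 203.0.113.10/32 sport eq 500 dest any dport eq 500
ip access-list flt-list1 permit 50 src 203.0.113.10/32 dest any
"""
TUNNEL_DHCP_SPLIT = """
ip access-list dhcp-sec deny udp src any sport range 67 68 dest any dport range 67 68
ip access-list dhcp-pass permit ip src any dest any
"""

def _net(token):
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def _ports(tok, key):
    """Port spec after 'sport'/'dport': 'eq N', 'range A B' or 'any' (absent = any)."""
    if key not in tok or tok[tok.index(key) + 1] == "any":
        return (0, 65535)
    i = tok.index(key)
    lo = int(tok[i + 2])
    return (lo, int(tok[i + 3]) if tok[i + 1] == "range" else lo)

def parse_acls(config_text):
    """Group 'ip access-list <name> permit|deny <proto> src ... dest ...' lines by name."""
    acls = {}
    for line in config_text.strip().splitlines():
        tok = line.split()
        name, action, proto = tok[2], tok[3], tok[4]
        acls.setdefault(name, []).append((
            action == "permit", PROTO[proto] if proto in PROTO else int(proto),
            _net(tok[tok.index("src") + 1]), _ports(tok, "sport"),
            _net(tok[tok.index("dest") + 1]), _ports(tok, "dport")))
    return acls

def allowed(acls, chain, proto, src, sport, dst, dport):
    """Evaluate the lists in 'chain' (filter priority order) against one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, snet, sp, dnet, dp in (e for n in chain for e in acls[n]):
        if (p is None or p == proto) and s in snet and d in dnet \
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]:
            return permit
    return False  # implicit deny: nothing matched
```

Run against flt-list1, IKE and ESP from the peer pass while the reply half of a NAPTed web session from a LAN host is dropped by the implicit deny, which is the symptom described above; the >>88 lines add UDP 4500 and 1701 entries the same way.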
ids ip type all action discard
ids ip type ip-header action detect
ids ip type icmp action detect
ids ip type udp action detect
ids ip type tcp action detect
ids ip type ftp action detect
ids logging-interval 10

0103 anonymous@fusianasan 2022/07/17(Sun) 14:47:19.30 ID:???
>>99 >>102
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport 22 dest any dport eq 50000
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport 22 dest any dport eq 50000

0104 anonymous@fusianasan 2022/07/17(Sun) 16:37:00.59 ID:???
>>100 >>101
If VLANs are configured on the IX router and the L3 switch under it, and DHCP is served from the IX router side, would you set a physical IP address (10.1.1.254/23) on the IX router's GE2.0 interface? Since this is a composite subnet, depending on how it is operated you would end up using the BVI function alongside it, but the approach would be to add tagged-VLAN interfaces as sub-interfaces under the GE2.0 interface's physical IP address and bind a separate DHCP function to each tagged-VLAN interface. Would that be all right?
An example configuration follows.

ip dhcp profile dhcp1
  assignable-range 10.1.0.100 10.1.0.109
  default-gateway 10.1.1.254
  dns-server 10.1.1.254
ip dhcp profile dhcp2
  assignable-range 10.1.11.1 10.1.11.99
  default-gateway 10.1.11.254
  dns-server 10.1.11.254
ip dhcp profile dhcp3
  assignable-range 10.1.13.1 10.1.13.99
  default-gateway 10.1.13.254
  dns-server 10.1.13.254
ip dhcp profile dhcp4
  assignable-range 10.1.21.1 10.1.21.99
  default-gateway 10.1.21.254
  dns-server 94.140.14.14 94.140.15.15
ip dhcp profile dhcp5
  assignable-range 10.1.31.1 10.1.31.99
  default-gateway 10.1.31.254
  dns-server 94.140.14.14 94.140.15.15
interface GigaEthernet2.0
  description LAN1
  ip address 10.1.1.254/23
  no shutdown

0105 anonymous@fusianasan 2022/07/17(Sun) 16:38:34.09 ID:???
>>100 >>104
Continued.

interface GigaEthernet2:1.0
  description VLAN1
  encapsulation dot1q vlan1
  ip address 10.1.11.254/23
  ip proxy-arp
  ip dhcp binding dhcp1
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown
interface GigaEthernet2:2.0
  description VLAN2
  encapsulation dot1q vlan2
  ip address 10.1.21.254/23
  ip dhcp binding dhcp2
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown

0106 anonymous@fusianasan 2022/07/17(Sun) 16:39:26.88 ID:???
>>100 >>105
Continued.

interface GigaEthernet2:3.0
  description VLAN3
  encapsulation dot1q vlan3
  ip address 10.1.13.254/23
  ip dhcp binding dhcp3
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown
interface GigaEthernet2:4.0
  description VLAN4
  encapsulation dot1q vlan 4
  ip address 10.1.21.254/23
  ip dhcp binding dhcp4
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown
interface GigaEthernet2:5.0
  description VLAN5
  encapsulation dot1q vlan 5
  ip address 10.1.31.254/23
  ip dhcp binding dhcp5
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown

0107 anonymous@fusianasan 2022/07/17(Sun) 16:40:33.56 ID:???
>>100 >>106
Continued.

ntp ip enable
ntp server 10.1.1.9 priority 254
ntp master 10
ntp retry 3
ntp interval 3600
ip access-list all-forward permit ip src any dest any

0108 anonymous@fusianasan 2022/07/17(Sun) 16:45:34.45 ID:???
Don't paste such long stuff in here.

0109 anonymous@fusianasan 2022/07/17(Sun) 16:46:35.45 ID:???
>>100 >>107