UncleS
Beginner

ISR 4331: no access to websites

Good day, everyone.

Here is the question: I am configuring an ISR following the configuration of an 800-series Cisco. Two ISPs, and I connect it into the LAN. Pings go through to all hosts on the internet, name resolution works, but websites do not open.

I tried changing the MTU on the WAN interfaces, with the same result. Any attempt to open any website ends in a timeout.

Can you tell me where the mistake crept in?

!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
!
boot-start-marker
boot system flash isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $XXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone BRN 7 0
!
!
ip name-server 8.8.8.8 93.91.172.2

ip domain name local.local
ip dhcp excluded-address 192.168.0.1 192.168.0.119
ip dhcp excluded-address 192.168.0.201 192.168.0.255
!
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
 domain-name local.local
 lease 10
 update arp
!
subscriber templating
multilink bundle-name authenticated
!
password encryption aes
!
license udi pid ISR4331/K9 sn XXXXXXXXX
!
spanning-tree extend system-id
!
redundancy
 mode none
!
no cdp run
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
interface Tunnel1
 description -= BRN-NKZ=-
 ip address 10.255.255.1 255.255.255.252
 tunnel source 109.XX.XX.X
 tunnel destination 158.XX.XX.X
!
!
interface GigabitEthernet0/0/0
 description -= WAN =-
 ip address 93.XX.XX.XX 255.255.255.224 secondary
 ip address 109.XX.XX.XX 255.255.255.192
 ip mtu 1400
 ip nat outside
 ip tcp adjust-mss 1360
 speed 100
 no negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description -= LAN =-
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 description -= WAN 2 =-
 ip address 81.XX.XX.XX 255.255.255.252
 ip mtu 1460
 ip nat outside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip local policy route-map RMAP
ip nat pool ISP1Pool 109.XX.XX.XX 109.XX.XX.X netmask 255.255.255.192
ip nat pool ISP2Pool 81.XX.XX.XX 81.XX.XX.XX netmask 255.255.255.252
ip nat inside source static tcp 192.168.0.110 20 81.XX.XX.XX 20 route-map NAT_STAT_ISP2 extendable
ip nat inside source static tcp 192.168.0.110 21 81.XX.XX.XX 21 route-map NAT_STAT_ISP2 extendable
ip nat inside source static tcp 192.168.0.110 3389 81.XX.XX.XX 3389 route-map NAT_STAT_ISP2 extendable
ip nat inside source static tcp 192.168.0.110 4899 81.XX.XX.XX 4899 route-map NAT_STAT_ISP2 extendable
ip nat inside source static tcp 192.168.0.110 20 109.XX.XX.X 20 route-map NAT_STAT_ISP1 extendable
ip nat inside source static tcp 192.168.0.110 21 109.XX.XX.X 21 route-map NAT_STAT_ISP1 extendable
ip nat inside source static tcp 192.168.0.110 3389 109.XX.XX.X 3389 route-map NAT_STAT_ISP1 extendable
ip nat inside source static tcp 192.168.0.110 4899 109.XX.XX.X 4899 route-map NAT_STAT_ISP1 extendable
ip nat inside source route-map ISP1_NAT pool ISP1Pool overload
ip nat inside source route-map ISP2_NAT pool ISP2Pool overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns server
ip route 0.0.0.0 0.0.0.0 109.XX.XX.XX 10 track 100
ip route 192.168.1.0 255.255.255.0 Tunnel1 track 100
ip route 0.0.0.0 0.0.0.0 81.XX.XX.XX 20 track 200
ip ssh version 2
!
ip access-list extended ACL_NAT
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended ACL_NAT_STAT_ISP1
 permit ip host 255.255.255.255 any
 permit tcp host 192.168.0.110 eq 3389 any
 permit tcp host 192.168.0.110 eq ftp any
 permit tcp host 192.168.0.110 eq ftp-data any
 permit tcp host 192.168.0.110 eq 4899 any
 permit tcp host 192.168.0.100 eq ftp-data any
 permit tcp host 192.168.0.100 eq ftp any
ip access-list extended ACL_NAT_STAT_ISP2
 permit ip host 255.255.255.255 any
 permit tcp host 192.168.0.110 eq 3389 any
 permit tcp host 192.168.0.110 eq 4899 any
 permit tcp host 192.168.0.110 eq ftp any
 permit tcp host 192.168.0.110 eq ftp-data any
ip access-list extended ACL_SLA_ISP1
 permit ip 109.XX.XX.0 0.0.0.255 any
ip access-list extended ACL_SLA_ISP2
 permit ip 81.XX.XX.XX.0 0.0.0.255 any
!
ip sla 100
 icmp-echo 109.XX.XX.1 source-ip 109.XX.XX.X
 frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
 icmp-echo 81.XX.XX.XX source-ip 81.XX.XX.XX
 frequency 5
ip sla schedule 200 life forever start-time now
logging host 192.168.0.7
access-list 22 permit any
!
route-map RMAP permit 10
 match ip address ACL_SLA_ISP1
 set ip next-hop 109.XX.XX.XX
!
route-map RMAP permit 20
 match ip address ACL_SLA_ISP2
 set ip next-hop 81.XX.XX.XX
!
route-map NAT_STAT_ISP2 permit 10
 match ip address ACL_NAT_STAT_ISP2
 match interface GigabitEthernet0/0/2
!
route-map NAT_STAT_ISP1 permit 10
 match ip address ACL_NAT_STAT_ISP1
 match interface GigabitEthernet0/0/0
!
route-map ISP2_NAT deny 50
 match ip address ACL_NAT_STAT_ISP2
!
route-map ISP2_NAT permit 100
 match ip address ACL_NAT
 match interface GigabitEthernet0/0/2
!
route-map ISP1_NAT deny 50
 match ip address ACL_NAT_STAT_ISP1
!
route-map ISP1_NAT permit 100
 match ip address ACL_NAT
 match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 22 in
 logging synchronous
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 20000
!
end

Thanks in advance!
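A static pass over the posted configuration for the things a practitioner would verify before touching the router. This is an added example, not part of the original post and not a Cisco tool: a small Python linter that splits IOS-style config into blocks and reports (a) NAT route-maps whose `match interface` does not name an `ip nat outside` interface, so the translation rule could never be selected; (b) interfaces where `ip mtu` is lowered without an `ip tcp adjust-mss` of at most mtu - 40, the classic pattern behind "ping and DNS work but TCP sessions to websites hang" (the posted config has `ip mtu 1460` on GigabitEthernet0/0/2 with no MSS clamp, while GigabitEthernet0/0/0 is consistent at 1400/1360); and (c) management-plane weaknesses visible in the posted lines: telnet accepted on the vty lines and `access-list 22 permit any` used as the `access-class`. `SAMPLE` is a constructed, trimmed imitation of the posted config with addresses omitted; the function names are my own.

```python
"""Static checks over a dual-ISP Cisco IOS NAT config. Added example, not from
the original post or any Cisco tool; SAMPLE is a constructed, trimmed imitation
of the posted configuration (addresses omitted)."""
import re

SAMPLE = """\
interface GigabitEthernet0/0/0
 ip mtu 1400
 ip nat outside
 ip tcp adjust-mss 1360
interface GigabitEthernet0/0/2
 ip mtu 1460
 ip nat outside
ip nat inside source route-map ISP1_NAT pool ISP1Pool overload
ip nat inside source route-map ISP2_NAT pool ISP2Pool overload
access-list 22 permit any
route-map ISP2_NAT permit 100
 match ip address ACL_NAT
 match interface GigabitEthernet0/0/2
route-map ISP1_NAT permit 100
 match ip address ACL_NAT
 match interface GigabitEthernet0/0/0
line vty 0 4
 access-class 22 in
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
"""


def parse(text):
    """Group an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, header = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            blocks.setdefault(header, []).append(line.strip())
        else:
            header = line.strip()
            blocks.setdefault(header, [])
    return blocks


def check_nat_route_maps(blocks):
    """'match interface' in a NAT route-map must name an 'ip nat outside' interface."""
    outside = {h.split(None, 1)[1] for h, body in blocks.items()
               if h.startswith("interface ") and "ip nat outside" in body}
    findings = []
    for h in blocks:
        m = re.search(r"route-map (\S+)", h)
        if not h.startswith("ip nat inside source") or not m:
            continue
        for rh, body in blocks.items():
            if not rh.startswith(f"route-map {m.group(1)} "):
                continue
            for entry in body:
                if entry.startswith("match interface ") and entry.split()[2] not in outside:
                    findings.append(f"{rh}: {entry.split()[2]} is not 'ip nat outside'")
    return findings


def check_mtu_mss(blocks):
    """A lowered 'ip mtu' needs 'ip tcp adjust-mss' <= mtu - 40 (IPv4 + TCP headers)."""
    findings = []
    for h, body in blocks.items():
        if not h.startswith("interface "):
            continue
        mtu = mss = None
        for entry in body:
            if entry.startswith("ip mtu "):
                mtu = int(entry.split()[2])
            elif entry.startswith("ip tcp adjust-mss "):
                mss = int(entry.split()[3])
        if mtu is not None and mss is None:
            findings.append(f"{h}: ip mtu {mtu} but no ip tcp adjust-mss")
        elif mtu is not None and mss > mtu - 40:
            findings.append(f"{h}: adjust-mss {mss} exceeds mtu - 40 = {mtu - 40}")
    return findings


def check_management(blocks):
    """Flag telnet on vty lines and access-classes that admit any source."""
    permissive = {h.split()[1] for h in blocks
                  if h.startswith("access-list ") and h.split()[2:] == ["permit", "any"]}
    findings = []
    for h, body in blocks.items():
        if not h.startswith("line vty"):
            continue
        classes = [e.split()[1] for e in body if e.startswith("access-class ")]
        if any(e.startswith("transport input") and "telnet" in e.split() for e in body):
            findings.append(f"{h}: telnet accepted for management access")
        if not classes:
            findings.append(f"{h}: no access-class restricts management sources")
        for acl in classes:
            if acl in permissive:
                findings.append(f"{h}: access-class {acl} permits any source")
    return findings


if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print(check_nat_route_maps(cfg) + check_mtu_mss(cfg) + check_management(cfg))
```

Run it with `python3` against a saved `show running-config`; it only checks textual consistency, so an empty NAT finding list does not prove translations are happening at runtime. On the box itself, `show ip nat translations` and `show ip nat statistics` are the next step for confirming whether the dynamic pool rules are ever hit.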

2 Replies
Sergey Lisitsin
Rising star

UncleS,

To start, I would try removing match interface GigabitEthernet0/0/0 from

route-map ISP1_NAT permit 100
 match ip address ACL_NAT
 match interface GigabitEthernet0/0/0

Try it and describe what happened.

Sergey Lisitsin
Rising star

By the way, I forgot to ask: are the pings going from the router or from the clients?