RTXシリーズでのIPSECパススルー
条件:フレッツ光ネクストでPPPOEでインターネットに接続し、LANのPCから外部に対してIPSECを接続する。
インターネットからLANに対してのFilterが必要
ESPはプロトコル番号50番だがお客さんの指定でTCP50も追加
ほか、AHやもろもろも追加
RouterA# show config
# RTX1100 Rev.8.03.24 (Thu Oct 27 11:06:13 2005)
# MAC Address :
# Memory 32Mbytes, 3LAN, 1BRI
# main: RTX1100 ver=e0
login password *
administrator password *
security class 1 on on
console character sjis
console lines 24
console prompt RouterA
ip route default gateway pp 1
ip lan1 address 192.168.100.1/24
pp select 1
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname xxxxx@fip.plala.or.jp xxx-xxx-xxx
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp address xxx.xxx.xxx.x/32
ip pp mtu 1454
ip pp secure filter in 1 2 3 4 5 10 11 12 20 21 22 23 24 25 30 31 32 33 34 35
ip pp secure filter out 20 21 22 23 24 25 50 51 52 99
ip pp nat descriptor 1
pp enable 1
ip filter 1 pass xxx.xxx.xxx.xxx 192.168.100.1 tcp * telnet
ip filter 2 pass * 192.168.100.0/24 udp 500 *
ip filter 3 pass * 192.168.100.0/24 udp 4500 *
ip filter 4 pass * 192.168.100.0/24 udp 51 *
ip filter 5 pass * 192.168.100.0/24 udp 50 *
ip filter 10 reject 10.0.0.0/8 * * * *
ip filter 11 reject 172.16.0.0/12 * * * *
ip filter 12 reject 192.168.0.0/16 * * * *
ip filter 20 reject * * udp,tcp 135 *
ip filter 21 reject * * udp,tcp * 135
ip filter 22 reject * * udp,tcp netbios_ns-netbios_ssn *
ip filter 23 reject * * udp,tcp * netbios_ns-netbios_ssn
ip filter 24 reject * * udp,tcp 445 *
ip filter 25 reject * * udp,tcp * 445
ip filter 30 pass * * icmp * *
ip filter 31 pass * * established * *
ip filter 32 pass * * tcp * ident
ip filter 33 pass * * tcp ftpdata *
ip filter 34 pass * * udp domain *
ip filter 35 pass * * udp * 33434-33500
ip filter 50 reject * 10.0.0.0/8 * * *
ip filter 51 reject * 172.16.0.0/12 * * *
ip filter 52 reject * 192.168.0.0/16 * * *
ip filter 99 pass * * * * *
nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.100.1 udp 500
nat descriptor masquerade static 1 2 192.168.100.1 esp
nat descriptor masquerade static 1 3 192.168.100.1 udp 51
nat descriptor masquerade static 1 4 192.168.100.1 tcp 50
nat descriptor masquerade static 1 5 192.168.100.1 tcp telnet
dhcp service server
dhcp scope 1 192.168.100.10-192.168.100.64/24
dns server xxx.xxx.xxx.1 xxx.xxx.xxx.9
dns server pp 1
dns private address spoof on
schedule at 1 */* 12:00 * ntpdate ntp1.xxx.or.jp
0 件のコメント:
コメントを投稿