Автор Тема: нужна помощь по 1941  (Прочитано 723 раз)

0 Пользователей и 1 Гость просматривают эту тему.

Оффлайн sarkai

  • Newbie
  • *
  • Сообщений: 1
  • Karma: +0/-0
нужна помощь по 1941
« : Мая 27, 2020, 09:56:46 am »
Доброго всем времени суток!
Есть 2 беды с 1941.
1 беда где то есть косяк в кфг 1941 что не выбрасывается домашняя страница https:\\****
2 беда есть у сотрудников проставлен клиент Vpn cisco там стоят обезличенные профиля, все работает цепляются, но нужно не меняя настроек (переустанавливая клиента) заставить их проходить авторизовываться на радиус серваке. Радиус сервак на Windows 16 развернул, работает с anyconnect - но ограничение там по лицензиям (2 только лицензии висит в асе).
TK2#sh runn
Building configuration...

Current configuration : 5870 bytes
!
! Last configuration change at 17:36:26 UTC Tue May 26 2020
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TTK2
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa group server radius NPS
server name S13-DC-AU2
!
aaa authentication login VPN_USERS local
aaa authentication login VPN group NPS
!
aaa attribute list VPN_ADMINS
attribute type user-vpn-group "VPN_ADMINS"
!
aaa attribute list VPN_USERS
attribute type user-vpn-group "VPN_USERS"
!
aaa session-id common

ip domain name moren.vlmrk.corp
ip name-server 10.13.1.10
ip name-server 10.64.1.11
ip name-server 10.64.1.12
ip name-server 10.13.16.6
ip inspect udp idle-time 3600
ip ddns update method sdm_ddns1
DDNS both
!
ip cef
ipv6 spd queue min-threshold 30
ipv6 spd queue max-threshold 31
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint ME_TRUSTPOINT
enrollment selfsigned
serial-number
ip-address 80.237.****.***
subject-name CN=firewallcx-certificate
revocation-check crl
rsakeypair TTK
!
!
crypto pki certificate chain ME_TRUSTPOINT
license udi pid CISCO1941/K9 sn FCZ1931C12N
!
!
username remoteuser secret
username remoteuser aaa attribute list VPN_USERS
username remoteusers secret
username remoteusers aaa attribute list VPN_USERS
username remoteadmin secret
username remoteadmin aaa attribute list VPN_USERS

redundancy

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.6.01103-webdeploy-k9.pkg sequence 1

interface Embedded-Service-Engine0/0
no ip address
shutdown

interface GigabitEthernet0/0
description Lan
ip address 10.13.0.24 255.255.255.128
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
history BPS
no cdp enable
hold-queue 32 in

interface GigabitEthernet0/1
ip address 192.168.9.3 255.255.255.248
ip access-group 101 in
ip access-group webvpn out
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
history BPS
no cdp enable

interface Virtual-Template1
ip unnumbered GigabitEthernet0/1

ip local pool WEBVPN_POOL 10.13.24.1 10.13.24.250
ip default-gateway 192.168.9.1
ip forward-protocol nd

no ip http server
ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.9.1
ip route 10.10.10.128 255.255.255.128 10.13.0.1
ip route 10.12.12.0 255.255.255.0 10.13.0.10
ip route 10.13.0.128 255.255.255.128 10.13.0.1
ip route 10.13.1.0 255.255.255.0 10.13.0.1
ip route 10.13.10.0 255.255.255.0 10.13.0.1
ip route 10.13.11.0 255.255.255.0 10.13.0.1
ip route 10.13.12.0 255.255.255.0 10.13.0.1
ip route 10.13.23.0 255.255.255.0 10.13.0.1
ip route 10.13.24.0 255.255.255.0 10.13.0.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2

ip access-list extended Administrator_ACL
permit ip any any
ip access-list extended NAT_to_world
permit tcp any host 193.110.91.19
permit tcp any host 94.198.55.155
deny tcp any host 94.198.55.91
deny tcp any host 178.20.235.48
deny tcp any host 213.252.177.122
deny tcp any host 188.127.241.30
deny tcp any host 185.12.241.63
deny ip any 192.168.7.0 0.0.0.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
deny ip any 10.13.0.0 0.0.255.255
deny ip any 10.13.15.0 0.0.0.255
deny ip any 10.64.0.0 0.0.255.255
deny ip any 10.13.23.0 0.0.0.255
permit ip 10.13.12.0 0.0.0.255 any
deny ip any any
ip access-list extended User_ACL
permit ip 172.23.40.0 0.0.0.255 10.13.24.0 0.0.0.255
permit ip 10.64.0.0 0.0.255.255 10.13.24.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 10.13.24.0 0.0.0.255
permit ip 10.13.10.0 0.0.0.255 10.13.24.0 0.0.0.255
permit ip 172.24.16.0 0.0.0.255 10.13.24.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.13.24.0 0.0.0.255
permit ip 10.13.203.0 0.0.0.255 10.13.24.0 0.0.0.255
deny ip any any

route-map SDM_RMAP_1 permit 1
match ip address NAT_to_world

radius server NPS
address ipv4 10.13.1.30 auth-port 1645 acct-port 1646
key *******

control-plane
!
!
banner login ^CCCCC

*********************************ATTENTION*********************************

Unapproved access is forbidden. Unapproved access is pursued under the LAW!

***************************************************************************

^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 30 0
privilege level 15
password 7 15350E05162832227967337340
logging synchronous level all
transport input ssh
line vty 5 113
access-class 23 in
privilege level 15
logging synchronous level all
transport input ssh
line vty 114 153
transport input ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway WEBVPN_GATEWAY
ip address 80.237.**.** (внешний белый адрес DMZ зоне проброшенный) port 443
http-redirect port 80
ssl trustpoint ME_TRUSTPOINT
inservice
!
webvpn context WEBVPN_CON
title "*** - ***"
login-message "we work here, not relax"
virtual-template 1
aaa authentication list VPN_USERS
max-users 5
!
ssl authenticate verify all
inservice
!
policy group WEBVPN_POLICY
functions svc-enabled
svc address-pool "WEBVPN_POOL" netmask 255.255.255.0
svc split include 10.13.24.0 255.255.255.0
default-group-policy WEBVPN_POLICY
!
end

TTK2#