I see this line, but there is no access-list 1:
! ip nat inside source list 1 interface FastEthernet1/0 overload
Ich versuche, eine gesicherte IAX2-Verbindung mit IPSec zwischen Routern einzurichten:
Wenn ich jedoch mit Wireshark einen Schnüffelangriff mache, werden alle Anrufinformationen angezeigt.
IPsec ist gut konfiguriert und funktioniert perfekt mit HTTP-Paketen, hat jedoch keine Auswirkungen auf IAX2.
R3-Konfiguration:
! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R3 ! boot-start-marker boot-end-marker ! ! no aaa new-model no ip icmp rate-limit unreachable ! ! ip cef no ip domain lookup ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ip tcp synwait-time 5 ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key cisco@123 address 100.100.100.101 ! ! crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac ! crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp set peer 100.100.100.101 set transform-set MY-SET match address VPN-TRAFFIC ! ! ! ! interface FastEthernet0/0 ip address 192.168.10.1 255.255.255.0 ip nat inside ip virtual-reassembly duplex half ! interface FastEthernet1/0 ip address 100.100.100.100 255.255.255.248 ip nat outside ip virtual-reassembly duplex half crypto map IPSEC-SITE-TO-SITE-VPN ! ip route 0.0.0.0 0.0.0.0 200.200.200.200 ip route 0.0.0.0 0.0.0.0 100.100.100.101 ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface FastEthernet1/0 overload ip nat inside source list 101 interface FastEthernet1/0 overload ip nat inside source static tcp 192.168.10.2 4569 100.100.100.100 4569 extendable ip nat inside source static tcp 192.168.10.2 5060 100.100.100.100 5060 extendable ip nat inside source static tcp 192.168.10.2 5061 100.100.100.100 5061 extendable ! ! ip access-list extended VPN-TRAFFIC permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 access-list 101 permit ip 192.168.10.0 0.0.0.255 any no cdp log mismatch duplex ! ! ! ! control-plane ! ! ! ! ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line vty 0 4 login ! ! end
R4-Konfiguration:
! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R4 ! boot-start-marker boot-end-marker ! ! no aaa new-model no ip icmp rate-limit unreachable ! ! ip cef no ip domain lookup ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ip tcp synwait-time 5 ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key cisco@123 address 100.100.100.100 ! ! crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac ! crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp set peer 100.100.100.100 set transform-set MY-SET match address VPN-TRAFFIC ! ! ! ! interface FastEthernet0/0 ip address 192.168.20.1 255.255.255.0 ip nat inside ip virtual-reassembly duplex half ! interface FastEthernet1/0 ip address 100.100.100.101 255.255.255.248 ip nat outside ip virtual-reassembly duplex half crypto map IPSEC-SITE-TO-SITE-VPN ! ip route 0.0.0.0 0.0.0.0 100.100.100.100 ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface FastEthernet1/0 overload ip nat inside source list 101 interface FastEthernet1/0 overload ip nat inside source static tcp 192.168.20.2 4569 100.100.100.101 4569 extendable ip nat inside source static tcp 192.168.20.2 5060 100.100.100.101 5060 extendable ip nat inside source static tcp 192.168.20.2 5061 100.100.100.101 5061 extendable ! ! ip access-list extended VPN-TRAFFIC permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 permit ip 192.168.20.0 0.0.0.255 any no cdp log mismatch duplex ! ! ! ! control-plane ! ! ! ! ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line vty 0 4 login ! ! end
I see this line, but there is no access-list 1:
! ip nat inside source list 1 interface FastEthernet1/0 overload