Cisco + rfw
I'm doing it exactly as written in the instructions.
username Administrator privilege 8 password 0 123456
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host Administrator 169.254.253.2 netup enable
interface Ethernet 1/0
ip access-group 105 in
ip access-group 106 out
access-list 105 dynamic test1 permit ip any any
access-list 106 dynamic test2 permit ip any any
I run tcpdump -nXli eth0 -s 65000 port 514
Info : Jan 28 17:13:29 UTM5 Logger: New `?Debug : ' stream: log\rfw-debug.log
Notice: Jan 28 17:13:29 RFW Config: SSL is disabled. All data is transmitted to/from utm5_core unencrypted!
Info : Jan 28 17:13:29 StreamConnection: Connection thread started. Peer 127.0.0.1:12758
?Debug : Jan 28 17:13:29 StreamConnection: Connection using TCP socket
?Debug : Jan 28 17:13:29 StreamConnection: System message recived
?Debug : Jan 28 17:13:29 StreamConnection: Challenge response sent
?Debug : Jan 28 17:13:29 StreamConnection: System message recived
Info : Jan 28 17:13:29 StreamConnection: Connection successfully authorized, user id <-1>
?Debug : Jan 28 17:13:29 StreamFirewall: Sending name: 127.0.0.1
Info : Jan 28 17:13:55 UTM5 Logger: New `?Debug : ' stream: log\rfw-debug.log
Notice: Jan 28 17:13:55 RFW Config: SSL is disabled. All data is transmitted to/from utm5_core unencrypted!
Info : Jan 28 17:13:55 StreamConnection: Connection thread started. Peer 127.0.0.1:12758
?Debug : Jan 28 17:13:55 StreamConnection: Connection using TCP socket
?Debug : Jan 28 17:13:55 StreamConnection: System message recived
?Debug : Jan 28 17:13:55 StreamConnection: Challenge response sent
?Debug : Jan 28 17:13:55 StreamConnection: System message recived
Info : Jan 28 17:13:55 StreamConnection: Connection successfully authorized, user id <-1>
?Debug : Jan 28 17:13:55 StreamFirewall: Sending name: 127.0.0.1
ERROR : Jan 28 17:13:55 StreamFirewall: Error occured: Firewall with same name is alive
?Debug : Jan 28 17:13:59 StreamFirewall: Got ping from core. Sending reply...
Info : Jan 28 17:14:00 RFW Config: Terminating firewall: Firewall with same name is alive
-Stats : Jan 28 17:14:00 StreamManager: Stats: Uptime: 00:00:05. Events: 0; Errors: 0
What could the problem be?
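The rfw-debug.log excerpt above shows two things worth catching automatically: the same firewall name (127.0.0.1) is announced to utm5_core twice within half a minute and the core rejects the second registration with "Firewall with same name is alive", and rfw itself notes that its link to utm5_core is unencrypted because SSL is disabled. The following Python is an added example, not part of the original post or of NetUP's code: it parses lines in this log format and flags both conditions. The sample log is constructed from the excerpt above (trimmed to the relevant lines), and the line format the regular expression assumes is inferred from those lines only.

```python
import re

# Constructed sample, modeled on the rfw-debug.log excerpt in the post above
# (trimmed to the lines that matter; not the original file).
SAMPLE_LOG = """\
Notice: Jan 28 17:13:29 RFW Config: SSL is disabled. All data is transmitted to/from utm5_core unencrypted!
Info : Jan 28 17:13:29 StreamConnection: Connection thread started. Peer 127.0.0.1:12758
Info : Jan 28 17:13:29 StreamConnection: Connection successfully authorized, user id <-1>
?Debug : Jan 28 17:13:29 StreamFirewall: Sending name: 127.0.0.1
Notice: Jan 28 17:13:55 RFW Config: SSL is disabled. All data is transmitted to/from utm5_core unencrypted!
Info : Jan 28 17:13:55 StreamConnection: Connection thread started. Peer 127.0.0.1:12758
Info : Jan 28 17:13:55 StreamConnection: Connection successfully authorized, user id <-1>
?Debug : Jan 28 17:13:55 StreamFirewall: Sending name: 127.0.0.1
ERROR : Jan 28 17:13:55 StreamFirewall: Error occured: Firewall with same name is alive
Info : Jan 28 17:14:00 RFW Config: Terminating firewall: Firewall with same name is alive
"""

# Assumed line layout, inferred from the excerpt:
# "<level> : <Mon DD HH:MM:SS> <component>: <message>"
# The level may carry a leading '?' or '-' as in "?Debug" / "-Stats".
LINE_RE = re.compile(
    r"^(?P<level>[-?]?[A-Za-z]+)\s*:\s+"
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<component>[\w ]+?):\s+(?P<msg>.*)$"
)


def parse_rfw_log(text):
    """Parse rfw log lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def ssl_disabled(events):
    """True if rfw reported that its link to utm5_core is unencrypted."""
    return any(e["component"] == "RFW Config" and e["msg"].startswith("SSL is disabled")
               for e in events)


def name_registrations(events):
    """Map each firewall name rfw announced to the core to the timestamps it was sent."""
    regs = {}
    for e in events:
        if e["component"] == "StreamFirewall" and e["msg"].startswith("Sending name: "):
            regs.setdefault(e["msg"][len("Sending name: "):], []).append(e["ts"])
    return regs


def duplicate_names(events):
    """Names announced more than once in one log: a second rfw with the same name,
    or the same rfw restarted before the core dropped the previous session."""
    return {name: ts for name, ts in name_registrations(events).items() if len(ts) > 1}


def same_name_rejections(events):
    """How many times the core refused a registration because that name was still alive."""
    return sum(1 for e in events
               if e["level"] == "ERROR" and "Firewall with same name is alive" in e["msg"])


if __name__ == "__main__":
    ev = parse_rfw_log(SAMPLE_LOG)
    print("SSL disabled:", ssl_disabled(ev))
    print("duplicate names:", duplicate_names(ev))
    print("rejections by core:", same_name_rejections(ev))
```

Run it against a real rfw-debug.log by replacing SAMPLE_LOG with the file contents; a non-empty result from duplicate_names means two rfw processes (or one restarted too quickly) are competing for the same name with the core.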
The problem is on the cisco side: there is no connection. I run rsh 169.254.253.1 -l Administrator sh ver
Connection refused. rsh: cannot establish a connection.
What did I do wrong?
Last edited by KSkostja on Thu Jan 29, 2009 00:41; edited 1 time in total.
The model is a 2610.
Router#debug ip tcp rcmd
RCMD transactions debugging is on
Router#sh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 32 messages logged, xml disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: disabled, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 37 message lines logged
On the cisco I set
Router#terminal monitor
Router#debug ip tcp rcmd
I run rsh 169.254.253.1 -l Admin sh ver
Response:
*Mar 1 15:21:34.682: RCMD: [514 <- 169.254.253.2:1023] recv 1022\0
*Mar 1 15:21:34.875: RCMD: [514 <- 169.254.253.2:1023] recv Admin\0Admin\0sh ver\0
*Mar 1 15:21:34.875: RCMD: [514 <- 169.254.253.2:1023] recv -- Admin 169.254.253.2 Admin not in trusted hosts database
*Mar 1 15:21:34.879: RCMD: [514 -> 169.254.253.2:1023] send <BAD,Permission ! n
cisco config:
username Admin privilege 15 password 0 Admin
ip subnet-zero
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host Admin 169.254.253.2 netup enable
ip rcmd remote-username Admin
access-list 105 dynamic test1 permit ip any any
access-list 105 permit ip host 169.254.253.2 any
access-list 106 dynamic test2 permit ip any any
access-list 106 permit ip any host 169.254.253.2
privilege exec level 8 access-enable
privilege exec level 8 access-template
privilege exec level 8 access-profile
privilege exec level 8 clear access-template
privilege exec level 8 clear
line vty 0 4
transport input telnet
What's wrong?
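The router's debug above shows the raw rcmd request arriving on TCP/514 ("1022\0" followed by "Admin\0Admin\0sh ver\0") and the trusted-host lookup that rejected it ("Admin 169.254.253.2 Admin not in trusted hosts database"). The Python below is an added example, not from the post and not Cisco or NetUP code: it builds and parses that request in the BSD rcmd wire format and models the IOS trusted-hosts database as populated by ip rcmd remote-host local-username host remote-username [enable]. The matching rule in RcmdTrustDb.lookup (the request's client-side user must equal an entry's remote-username, the -l user its local-username, and the source address its host) is this example's reading of the IOS command syntax and should be treated as an assumption; under that rule the "netup" entry from the config posted with the debug does not match the request, while an entry whose remote-username is "Admin" does. rsh has no credential beyond those two usernames and the source address, all sent in the clear, so a trusted-host entry should be as narrow as the setup allows.

```python
from dataclasses import dataclass


def build_rcmd_request(client_user, server_user, command, stderr_port=0):
    """Bytes an rsh client writes after connecting to TCP/514 (BSD rcmd):
    "<stderr port>\\0<user on the client>\\0<user on the server>\\0<command>\\0".
    "rsh HOST -l Admin sh ver" run as Unix user Admin sends "Admin" in both user
    fields, which is what the router's debug shows as "Admin\\0Admin\\0sh ver\\0".
    A stderr port of 0 means the client wants no separate stderr channel."""
    return f"{stderr_port}\0{client_user}\0{server_user}\0{command}\0".encode()


def parse_rcmd_request(data):
    """Split a request into its four fields; anything that is not exactly four
    NUL-terminated strings is rejected."""
    fields = data.split(b"\0")
    if len(fields) != 5 or fields[-1] != b"":
        raise ValueError("malformed rcmd request")
    port, client_user, server_user, command = (f.decode() for f in fields[:4])
    return {"stderr_port": int(port), "client_user": client_user,
            "server_user": server_user, "command": command}


@dataclass(frozen=True)
class TrustEntry:
    local_username: str    # IOS account the command runs as; the rsh "-l" value
    host: str              # client address allowed to use this entry
    remote_username: str   # account on the client host that sends the request
    enable: bool = False   # run with privileged EXEC rights


class RcmdTrustDb:
    """Model of the IOS trusted-hosts database built from
    'ip rcmd remote-host <local-username> <host> <remote-username> [enable]'.
    The all-three-fields-must-match rule below is this example's reading of
    that command, not quoted from Cisco documentation."""

    def __init__(self):
        self.entries = []

    def remote_host(self, local_username, host, remote_username, enable=False):
        self.entries.append(TrustEntry(local_username, host, remote_username, enable))

    def lookup(self, src_ip, req):
        """Return the matching entry, or None (the router's 'not in trusted hosts database')."""
        for e in self.entries:
            if (e.host == src_ip
                    and e.remote_username == req["client_user"]
                    and e.local_username == req["server_user"]):
                return e
        return None


def replay_post():
    """Replay the exchange from the post against two trusted-host entries:
    the 'netup' remote-username from the config posted with the debug, and an
    entry whose remote-username is 'Admin'. Returns (netup_matched, admin_matched)."""
    wire = b"1022\0" + b"Admin\0Admin\0sh ver\0"   # the two recv() chunks in the debug
    req = parse_rcmd_request(wire)
    netup_db = RcmdTrustDb()
    netup_db.remote_host("Admin", "169.254.253.2", "netup", enable=True)
    admin_db = RcmdTrustDb()
    admin_db.remote_host("Admin", "169.254.253.2", "Admin", enable=True)
    return (netup_db.lookup("169.254.253.2", req) is not None,
            admin_db.lookup("169.254.253.2", req) is not None)


if __name__ == "__main__":
    print(replay_post())
```

The same lookup also refuses the request when it comes from any address other than the one in the entry, which is the only thing standing between an rsh-enabled router and anyone who can reach TCP/514 on it.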
Found the cause; I'll post it later at www.winnetup.ru
Apart from all this I found one more problem. I have NAT and VPN up on the cisco. I'm trying to bolt the Firewall on as well.
And it seemed everything worked, but another glitch appeared. Subscribers who have no prepaid traffic work without problems: once they go into the negative, access is cut off. But subscribers who do have prepaid traffic stop working once the prepaid traffic is used up, even though they are not in the negative. Here I'm at a loss so far as to what has become insufficient.
Here's the config as I'm doing it
username Admin privilege 8 password 0 123456
aaa new-model
!
!
aaa authentication password-prompt password:
aaa authentication username-prompt login:
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update newinfo periodic 1
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host Admin 169.254.253.2 Admin enable
ip flow-cache timeout active 1
ip cef
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
interface Loopback0
ip address 192.168.0.1 255.255.255.0
ip route-cache policy
ip route-cache flow
!
interface Loopback1
ip address 192.168.254.254 255.255.255.0
ip route-cache policy
ip route-cache flow
!
interface Ethernet0/0
description WAN
ip address 172.16.159.2 255.255.255.0
ip nat outside
ip route-cache policy
ip route-cache flow
ip policy route-map NETUP_MAP
half-duplex
interface Ethernet1/0
description LAN
ip address 169.254.185.1 255.255.255.0
ip route-cache policy
ip route-cache flow
half-duplex
interface Ethernet1/2
description Radius-Server
ip address 169.254.253.1 255.255.255.0
half-duplex
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
ip route-cache policy
ip route-cache flow
ip access-group 105 in
ip access-group 106 out
ip tcp header-compression
ip mroute-cache
no peer default ip address
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip flow-export version 5
ip flow-export destination 169.254.253.2 9996
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.159.1
ip dns server
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 105 dynamic test1 permit ip any any
access-list 106 dynamic test2 permit ip any any
access-list 108 permit ip any 192.168.2.0 0.0.0.255
access-list 109 permit ip any 169.254.185.0 0.0.0.255
route-map NETUP_MAP permit 10
match ip address 108 109
set interface Loopback0 Ethernet1/0 Virtual-Template1
!
radius-server host 169.254.253.2 auth-port 1812 acct-port 1813
radius-server key 123456
radius-server vsa send accounting
radius-server vsa send authentication
privilege exec level 8 access-enable
privilege exec level 8 access-template
privilege exec level 8 access-profile
privilege exec level 8 clear access-template
privilege exec level 8 clear