Yamaha router commands and configuration examples


DHCP settings

  • Server side
dhcp service server  # make the router act as a DHCP server
dhcp server rfc2131 compliant on  # DHCP clients that hold no resource information
dhcp scope 1 192.168.1.2-192.168.1.191/24
  • Client side
ip lan2 address dhcp

NAT settings (static NAT)

ip lan2 nat descriptor 1000
nat descriptor type 1000 masquerade  # define the NAT translation type
nat descriptor address outer 1000 primary  # define the outer (external) NAT address
nat descriptor masquerade static 1000 1 192.168.1.1 udp 500
nat descriptor masquerade static 1000 2 192.168.1.1 esp
nat descriptor masquerade static 1000 3 192.168.1.1 udp 4500

NAT settings (dynamic NAT)

ip lan2 nat descriptor 1001
nat descriptor type 1001 masquerade
nat descriptor address outer 1001 222.222.222.1

VPN settings (backup route)

Network topology

PC --- (LAN1)RT_1(LAN2) --- (LAN)NVR_Closed(closed network)(WAN)  --- (LAN2)RT_2(LAN1) --- PC
                 (LAN3) --- (LAN)NVR_Net(Internet)(WAN)           --- (LAN3)

Config

RT_1

ip routing process normal
ip route default gateway 111.111.111.1
ip route 22.22.22.0/30 gateway 11.11.11.1
ip route 192.168.2.0/24 gateway tunnel 2 hide gateway tunnel 1 weight 0
ip keepalive 1 icmp-echo 3 3 192.168.2.1
ip lan1 address 192.168.1.1/24
ip lan1 proxyarp on
ip lan2 address 11.11.11.2/30
ip lan2 nat descriptor 1000
ip lan3 address dhcp
ip lan3 secure filter in 200100 200101 200102 200030
ip lan3 secure filter out 200099 dynamic 200080 200081 200082 200083 200085 200099
ip lan3 nat descriptor 1000
tunnel select 1
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike keepalive log 1 on
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.1.1
  ipsec ike local name 1 site1 key-id
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 text yamaha
  ipsec ike remote address 1 222.222.222.2
 ip tunnel tcp mss limit auto
 tunnel enable 1
tunnel select 2
 ipsec tunnel 2
  ipsec sa policy 2 2 esp aes-cbc sha-hmac
  ipsec ike keepalive log 2 on
  ipsec ike keepalive use 2 on
  ipsec ike local address 2 192.168.1.1
  ipsec ike local name 2 site2 key-id
  ipsec ike nat-traversal 2 on
  ipsec ike pre-shared-key 2 text yamaha
  ipsec ike remote address 2 22.22.22.2
 tunnel enable 2
ip filter 200030 pass-log * * icmp * *
ip filter 200099 pass-log * * * * *
ip filter 200100 pass * 192.168.1.1 udp * 500
ip filter 200101 pass * 192.168.1.1 esp
ip filter 200102 pass * 111.111.111.2 udp * 4500
ip filter 500000 restrict * * * * *
ip filter dynamic 200080 * * ftp
ip filter dynamic 200081 * * domain
ip filter dynamic 200082 * * www
ip filter dynamic 200083 * * smtp
ip filter dynamic 200084 * * pop3
ip filter dynamic 200085 * * submission
ip filter dynamic 200098 * * tcp
ip filter dynamic 200099 * * udp
nat descriptor type 1000 masquerade
nat descriptor address outer 1000 primary
nat descriptor masquerade static 1000 1 192.168.1.1 udp 500
nat descriptor masquerade static 1000 2 192.168.1.1 esp
nat descriptor masquerade static 1000 3 192.168.1.1 udp 4500
ipsec auto refresh on
syslog notice on
tftp host any
telnetd host any
dhcp service server
dhcp server rfc2131 compliant on
dhcp scope 1 192.168.1.2-192.168.1.191/24
httpd host any
statistics traffic on

RT_2

ip route default gateway 222.222.222.1
ip route 11.11.11.0/30 gateway 22.22.22.1
ip route 192.168.1.0/24 gateway tunnel 2 hide gateway tunnel 1 weight 0
ip keepalive 1 icmp-echo 3 3 192.168.1.1
ip lan1 address 192.168.2.1/24
ip lan1 proxyarp on
ip lan2 address 22.22.22.2/30
ip lan2 secure filter in 200100 200101 200102 200030
ip lan2 secure filter out 200099 dynamic 200080 200081 200082 200083 200085 200099
ip lan2 nat descriptor 1000
ip lan3 address 222.222.222.2/24
ip lan3 secure filter in 200100 200101 200102 200030
ip lan3 secure filter out 200099 dynamic 200080 200081 200082 200083 200085 200099
ip lan3 nat descriptor 1000
tunnel select 1
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike keepalive log 1 on
  ipsec ike keepalive use 1 on
  ipsec ike local address 1 192.168.2.1
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 text yamaha
  ipsec ike remote address 1 any
  ipsec ike remote name 1 site1 key-id
 ip tunnel tcp mss limit auto
 tunnel enable 1
tunnel select 2
 ipsec tunnel 2
  ipsec sa policy 2 2 esp aes-cbc sha-hmac
  ipsec ike keepalive log 2 on
  ipsec ike keepalive use 2 on
  ipsec ike local address 2 192.168.2.1
  ipsec ike local name 2 site2 key-id
  ipsec ike nat-traversal 2 on
  ipsec ike pre-shared-key 2 text yamaha
  ipsec ike remote address 2 11.11.11.2
  ipsec ike remote name 2 site2 key-id
 tunnel enable 2
ip filter 200030 pass-log * * icmp * *
ip filter 200099 pass * * * * *
ip filter 200100 pass * 192.168.2.1 udp * 500
ip filter 200101 pass * 192.168.2.1 esp
ip filter 200102 pass * 192.168.2.1 udp * 4500
ip filter 500000 restrict * * * * *
ip filter dynamic 200080 * * ftp
ip filter dynamic 200081 * * domain
ip filter dynamic 200082 * * www
ip filter dynamic 200083 * * smtp
ip filter dynamic 200084 * * pop3
ip filter dynamic 200085 * * submission
ip filter dynamic 200098 * * tcp
ip filter dynamic 200099 * * udp
nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor type 1000 masquerade
nat descriptor address outer 1000 primary
nat descriptor masquerade static 1000 1 192.168.2.1 udp 500
nat descriptor masquerade static 1000 2 192.168.2.1 esp
nat descriptor masquerade static 1000 3 192.168.2.1 udp 4500
ipsec auto refresh on
syslog notice on
syslog debug off
telnetd host any
dhcp service server
dhcp server rfc2131 compliant on
dhcp scope 1 192.168.2.2-192.168.2.191/24
httpd host any

NVR_NET(priority low)

ip lan1 address 111.111.111.1/24
ip lan2 address 222.222.222.1/24
telnetd host lan
dhcp service server
dhcp server rfc2131 compliant on
dhcp scope 1 111.111.111.2-111.111.111.254/24

NVR_Closed(priority high)

ip lan1 address 11.11.11.1/30
ip lan2 address 22.22.22.1/30
telnetd host lan
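
A check one could run over the configs above, as an added example that is not part of the original article: a short Python audit that flags management services open to any host, a short pre-shared key, and filters that are defined but never applied to an interface. The sample lines are copied from RT_1; the function name and the 20-character key-length threshold are assumptions (a local policy value), not Yamaha defaults.

```python
import re
MIN_PSK_LEN = 20  # assumption: a local policy threshold, not a Yamaha default

# Constructed sample: filter, PSK and service lines copied from RT_1 above.
RT1 = """\
ip lan3 secure filter in 200100 200101 200102 200030
ip lan3 secure filter out 200099 dynamic 200080 200081 200082 200083 200085 200099
  ipsec ike pre-shared-key 1 text yamaha
ip filter 200030 pass-log * * icmp * *
ip filter 200099 pass-log * * * * *
ip filter 200100 pass * 192.168.1.1 udp * 500
ip filter 200101 pass * 192.168.1.1 esp
ip filter 200102 pass * 111.111.111.2 udp * 4500
ip filter 500000 restrict * * * * *
ip filter dynamic 200080 * * ftp
ip filter dynamic 200081 * * domain
ip filter dynamic 200082 * * www
ip filter dynamic 200083 * * smtp
ip filter dynamic 200084 * * pop3
ip filter dynamic 200085 * * submission
ip filter dynamic 200098 * * tcp
ip filter dynamic 200099 * * udp
tftp host any
telnetd host any
httpd host any
"""

def audit(config):
    findings = []
    defined = {"static": set(), "dynamic": set()}
    applied = {"static": set(), "dynamic": set()}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if m := re.fullmatch(r"(telnetd|tftp|httpd) host any", line):
            findings.append(f"{m[1]}: reachable from any host")
        elif m := re.fullmatch(r"ipsec ike pre-shared-key (\d+) text (\S+)", line):
            if len(m[2]) < MIN_PSK_LEN:
                findings.append(f"tunnel {m[1]}: pre-shared key shorter than {MIN_PSK_LEN}")
        elif m := re.match(r"ip filter (dynamic )?(\d+) ", line):
            defined["dynamic" if m[1] else "static"].add(m[2])
        elif m := re.match(r"ip \S+ secure filter (?:in|out) (.+)", line):
            # numbers before the keyword 'dynamic' are static filters, after it dynamic
            static, _, dyn = m[1].partition("dynamic")
            applied["static"].update(static.split())
            applied["dynamic"].update(dyn.split())
    for kind in ("static", "dynamic"):
        for num in sorted(defined[kind] - applied[kind], key=int):
            findings.append(f"{kind} filter {num}: defined but never applied")
    return findings
```

On the RT_1 lines this reports the three `host any` services, the pre-shared key on tunnel 1, and filters 500000, 200084 and 200098, which no `secure filter` line references.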

If you run into problems such as "ping does not reach only the PC" or "ping reaches PC1->|->PC2":

  • Run ipconfig /renew on the PC (Windows)
  • Connect the PC over either Wi-Fi or the Ethernet cable, not both at once

Static route settings

ip route network gateway gateway1 [parameter] [gateway gateway2 [parameter]...]

hide : An option that is valid only when the output interface is a LAN, WAN, PP or TUNNEL interface; it means the route is valid only while the peer is connected.

