Можете просмотреть конфигурацию. Не пойму, почему не работает маршрутизация до сети 172.31.0.0/16. Если прописать на ПК, то нормально. Может будут и другие замечания или предложения. До этого не работал с такими железками.
Код: Выделить всё
esr-200# show running-config
object-group service ssh
port-range 22
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service ntp
port-range 123
exit
object-group service DNS
description "DNS"
port-range 53
exit
object-group service HTTP
description "HTTP/2"
port-range 80
port-range 443
exit
object-group service MAIL
description "EMAIL"
port-range 25
port-range 465
port-range 110
port-range 995
port-range 143
port-range 993
exit
object-group service SBIS
description "SBIS 2.4"
port-range 7777
exit
object-group service PSBank
description "PromsvyazBank"
port-range 9943
exit
object-group service TRACEROUTE
description "TRACEROUTE"
port-range 33434-33529
exit
object-group service AUSI_WEB
description "TCP web ports for HTTPS AUSI"
port-range 80
port-range 443
exit
object-group service AUSI_DATA
description "TCP web ports for data AUSI"
port-range 8005
exit
object-group service OPEN_VPN
description "TCP web ports for data AUSI"
port-range 48777
exit
object-group network LAN
description "LAN"
ip prefix 10.130.32.0/24
exit
object-group network EXTERNAL_IP
description "External IP address"
ip address-range 62.220.xxx.xxx
ip address-range 213.80.xxx.xxx
exit
object-group network LOCAL_AUSI_SERVER_IP
description "Local IP address WEB-server"
ip address-range 10.130.32.47
exit
object-group network LOCAL_OPEN_VPN_IP
description "Local OpenVPN server"
ip address-range 10.130.32.74
exit
syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default info
username admin
password encrypted ************
exit
boot host auto-config
vlan 2
exit
security zone trusted
exit
security zone untrusted
exit
security zone LAN
description "Localnet"
exit
security zone INET
description "Internet"
exit
wan load-balance target-list google
target 1
ip address 8.8.8.8
enable
exit
exit
bridge 1
vlan 1
security-zone trusted
ip address 192.168.1.1/24
enable
exit
bridge 2
vlan 2
security-zone INET
ip address dhcp
enable
exit
cellular profile 1
APN internet
number *99#
exit
interface gigabitethernet 1/0/1
mode switchport
switchport forbidden default-vlan
switchport access vlan 2
exit
interface gigabitethernet 1/0/2
security-zone INET
ip address 213.80.xxx.xxx/30
wan load-balance nexthop 213.80.xxx.xxx
wan load-balance target-list google
wan load-balance enable
exit
interface gigabitethernet 1/0/3
description "Localnet"
security-zone LAN
ip address 10.130.32.1/24
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface gigabitethernet 1/0/5
mode switchport
exit
interface gigabitethernet 1/0/6
mode switchport
exit
interface gigabitethernet 1/0/7
mode switchport
exit
interface gigabitethernet 1/0/8
mode switchport
exit
cellular modem 1
wan load-balance nexthop tunnel enable
wan load-balance target-list google
wan load-balance enable
device 3-1
security-zone INET
profile 1
enable
exit
tunnel pppoe 1
interface bridge 2
security-zone INET
username epcs********* password ascii-text encrypted ***********
enable
wan load-balance nexthop tunnel enable
wan load-balance target-list google
wan load-balance enable
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted self
rule 10
action permit
match protocol tcp
match destination-port ssh
enable
exit
rule 20
action permit
match protocol icmp
enable
exit
rule 30
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 40
action permit
match protocol udp
match destination-port ntp
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_client
enable
exit
exit
security zone-pair INET self
rule 1
description "ICMP"
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN self
rule 1
description "DHCP"
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
description "ICMP"
action permit
match protocol icmp
enable
exit
exit
security zone-pair LAN INET
rule 1
description "HTTP"
action permit
match protocol tcp
match destination-port HTTP
enable
exit
rule 2
description "HTTP"
action permit
match protocol udp
match destination-port HTTP
enable
exit
rule 3
description "MAIL"
action permit
match protocol tcp
match destination-port MAIL
enable
exit
rule 4
description "DNS"
action permit
match protocol udp
match destination-port DNS
enable
exit
rule 5
description "DNS"
action permit
match protocol udp
match destination-port DNS
enable
exit
rule 6
description "PSBank"
action permit
match protocol udp
match destination-port PSBank
enable
exit
rule 7
description "SBIS 2.4"
action permit
match protocol udp
match destination-port SBIS
enable
exit
rule 8
description "ICMP"
action permit
match protocol icmp
enable
exit
exit
security zone-pair INET LAN
rule 1
action permit
match protocol tcp
match destination-address LOCAL_AUSI_SERVER_IP
match destination-nat
match destination-port AUSI_WEB
enable
exit
rule 2
action permit
match protocol tcp
match destination-address LOCAL_AUSI_SERVER_IP
match destination-nat
match destination-port AUSI_DATA
enable
exit
rule 3
action permit
match protocol udp
match destination-address LOCAL_AUSI_SERVER_IP
match destination-nat
match destination-port AUSI_DATA
enable
exit
rule 4
action permit
match protocol udp
match destination-address LOCAL_OPEN_VPN_IP
match destination-nat
match destination-port OPEN_VPN
enable
exit
exit
security passwords default-expired
nat destination
pool WEB_SERVER_80
ip address 10.130.32.47
ip port 80
exit
pool WEB_SERVER_443
ip address 10.130.32.47
ip port 443
exit
pool WEB_SERVER_8005
ip address 10.130.32.47
ip port 8005
exit
pool OPEN_VPN_SERVER_48777
ip address 10.130.32.74
ip port 48777
exit
ruleset DNAT
from zone INET
rule 1
match protocol tcp
match destination-address EXTERNAL_IP
match destination-port AUSI_WEB
action destination-nat pool WEB_SERVER_443
enable
exit
rule 2
match protocol tcp
match destination-address EXTERNAL_IP
match destination-port AUSI_DATA
action destination-nat pool WEB_SERVER_8005
enable
exit
rule 3
match protocol udp
match destination-address EXTERNAL_IP
match destination-port AUSI_DATA
action destination-nat pool WEB_SERVER_8005
enable
exit
rule 4
match protocol udp
match destination-address EXTERNAL_IP
match destination-port OPEN_VPN
action destination-nat pool OPEN_VPN_SERVER_48777
enable
exit
rule 6
match protocol tcp
match destination-address EXTERNAL_IP
match destination-port AUSI_WEB
action destination-nat pool WEB_SERVER_443
enable
exit
exit
exit
nat source
ruleset factory
to zone untrusted
rule 10
description "replace 'source ip' by outgoing interface ip address"
action source-nat interface
enable
exit
exit
ruleset SNAT
to zone INET
rule 1
description "Access to Internet from LAN"
match source-address LAN
action source-nat interface
enable
exit
exit
exit
ip dhcp-server
ip dhcp-server pool lan-pool
network 192.168.1.0/24
address-range 192.168.1.2-192.168.1.254
default-router 192.168.1.1
exit
ip dhcp-server pool Local
network 10.130.32.0/24
default-lease-time 001:00:00
address-range 10.130.32.125-10.130.32.200
address 10.130.32.75 mac-address 50:e5:49:36:84:ff
default-router 10.130.32.1
dns-server 172.31.42.15,172.31.42.14
exit
ip route 0.0.0.0/0 wan load-balance rule 1
ip route 10.130.11.0/31 10.130.32.99
ip route 10.130.11.14/31 10.130.32.99
ip route 10.130.34.0/27 10.130.32.99
ip route 10.130.35.0/27 10.130.32.99
ip route 10.130.39.0/24 10.130.32.74
ip route 10.130.96.0/31 10.130.32.99
ip route 10.30.22.0/24 10.130.32.99
ip route 10.30.25.0/24 10.130.32.99
ip route 10.77.224.0/24 10.130.32.99
ip route 172.31.0.0/16 10.130.32.99
wan load-balance rule 1
failover
outbound tunnel pppoe 1 20
outbound interface gigabitethernet 1/0/2 2
outbound cellular modem 1
enable
exit
ip ssh server
ntp enable
ntp broadcast-client enable