Конфигурация ESR CLI для устройства Spoke

hostname spoke

 

username admin

  password encrypted $6$qvJ4ibaP9kP34W0F$HyuYroGstHEg8sLYIe5bwcY9.PwpRu5oepCGP/Q05LEyIUVhOl.To4q3/mjLpFYmv4jPB/gdmURF1oTGZliAk0

exit

username cscons

  password encrypted $6$FHGi1zzLNt6vcPJ5$BL5rHycBbnj5gR2RENb21hL1.nHUk0tKJ.POiX7UB.kNdHK18bmDxxRbwuBULyNAPf6guwbjQGqce/xKyhncw/

exit

 

security zone trusted

exit

security zone untrusted

exit

 

object-group service SSH

  port-range 22

exit

object-group service IKE500

  port-range 500

exit

object-group service IKE4500

  port-range 4500

exit

 

object-group network LAN_HUB

  ip prefix 192.168.20.0/24

exit

object-group network LAN_SPOKE

  ip prefix 192.168.1.0/24

exit

 

 

bridge 1

  vlan 1

  security-zone trusted

  ip address 192.168.1.1/24

  enable

exit

 

interface gigabitethernet 1/0/1

  security-zone untrusted

  ip address 172.16.10.2/24

exit

interface gigabitethernet 1/0/2

  shutdown

exit

interface gigabitethernet 1/0/3

  shutdown

exit

interface gigabitethernet 1/0/4

  shutdown

exit

interface gigabitethernet 1/0/5

  switchport

exit

interface gigabitethernet 1/0/6

  switchport

exit

interface gigabitethernet 1/0/7

  switchport

exit

interface gigabitethernet 1/0/8

  switchport

exit

security zone-pair trusted untrusted

  rule 10

    action permit

    match protocol any

    match source-address any

    match destination-address any

    enable

  exit

exit

security zone-pair trusted trusted

  rule 10

    action permit

    match protocol any

    match source-address any

    match destination-address any

    enable

  exit

exit

security zone-pair untrusted trusted

  rule 10

    action permit

    match protocol any

    match source-address any

    match destination-address any

    match ipsec-decrypted

    enable

  exit

exit

security zone-pair trusted self

  rule 10

    action permit

    match protocol tcp

    match source-address any

    match destination-address any

    match source-port any

    match destination-port SSH

    enable

  exit

  rule 20

    action permit

    match protocol icmp

    match source-address any

    match destination-address any

    enable

  exit

exit

security zone-pair untrusted self

  rule 10

    action permit

    match protocol icmp

    match source-address any

    match destination-address any

    enable

  exit

  rule 20

    action permit

    match protocol any

    match source-address any

    match destination-address any

    match ipsec-decrypted

    enable

  exit

  rule 30

    action permit

    match protocol udp

    match source-address any

    match destination-address any

    match source-port any

    match destination-port IKE500

    enable

  exit

  rule 40

    action permit

    match protocol udp

    match source-address any

    match destination-address any

    match source-port any

    match destination-port IKE4500

    enable

  exit

exit

 

nat source

  ruleset SNAT_ON_GI101

    to interface gigabitethernet 1/0/1

    rule 10

      match source-address any

      match destination-address any

      match ike-local

      action source-nat off

      enable

    exit

    rule 20

      match protocol any

      match source-address LAN_SPOKE

      match destination-address LAN_HUB

      action source-nat off

      enable

    exit

    rule 30

      match protocol any

      match source-address any

      match destination-address any

      action source-nat netmap 172.16.10.2/32

      enable

    exit

  exit

exit

 

ip route 0.0.0.0/0 172.16.10.1

 

ip ssh server