Greetings.
I have a problem with the Cisco VPN Client. When I connect over dial-up with the VPN Client 4.0.1 that I installed for the user, it connects without any problem. "Tunnel-splitting" is also active, and on the dial-up connection it works just as I want: packets going to the LAN go through the tunnel, and packets going to the internet go unencrypted.
However, at the user's home, when connecting from behind a router (there is NAT), even though the VPN Client appears "connected" and even gets its local IP from the "IP pool" I defined on the PIX (?!), the user can use the internet but cannot ping the LAN.
Let me write down the steps I have tried so far:
1) In the Cisco VPN Client software I tried the "Enable Transparent Tunneling", "IPsec over UDP (NAT/PAT)" and "Enable Local LAN Access" options and all sorts of combinations of them, without any result.
2) I looked at the router configuration there to see whether outbound traffic is being blocked, but I could not see much. In the access list I added a permit for the IP it will get from the PIX, but it did not help.
3) Interestingly, when connecting with the MS client, the LAN is reachable without any problem, and with an IP taken from the same IP group at that. So it looks as if there is no restriction on the router there either (am I thinking wrong?)
4) When connecting with the Cisco VPN client using tunnel-splitting, is there another "NAT"-related setting that needs to be made on the PIX? (Or something that hasn't occurred to me: could there be another reason why the VPN Client cannot ping the LAN while the MS client can?)
5) Does the router there perhaps need to be given some permission for the VPN?
6) Even though the connection to the PIX is established and an IP is obtained, could a problem have occurred in another phase of the connection? If so, how can I check this?
It got a bit long, but I am really stuck. I have added the PIX's and the remote side's router configs below.
Regards to all,
Bahadır Girtten
------------------------------------------------------------------------------------------------------------------------------
ROUTER:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SBBB
!
enable secret 5 $1$6qbu$1CI0KANSINPXhpf79VAxe/
!
ip subnet-zero
!
ip dhcp pool murat
network 192.168.10.0
default-router 192.168.10.1
dns-server 212.156.4.6
lease infinite
!
!
!
!
interface Ethernet0
ip address 192.168.10.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip nat outside
!
ip nat inside source list 1 interface Ethernet1 overload
ip classless
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255   ! the IP it will get from our network
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 120 0
password 7 *********
login
!
scheduler max-task-time 5000
end
----------------------------------------------------------------------------------------------------------------------------
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security50
enable password 3NMclkdOUiRVjKPH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname thpix
domain-name teknoloji
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 213.74.42.35 mail.th.out
name 10.1.1.4 mail.th.in
name 10.1.1.9 ftp-web-ts
name 10.1.1.8 gold-ts
name 10.1.1.12 Ziya
name 10.1.1.11 Mehmet
name 10.1.1.202 Tansel
name 213.74.42.38 murattestip
name 10.6.0.202 ukhweb
name 10.1.1.157 CRM
name 10.6.0.27 IPS
name 213.161.154.146 Planet
name 10.1.1.137 murattest
name 10.1.1.179 devrim
name 10.1.1.136 gmsdisbank
name 172.16.32.12 disbanklocal
name 172.16.32.0 DISBANK
name 172.16.32.30 dibankalpar
object-group service Mail-Srv tcp
port-object eq pop3
port-object eq www
port-object eq smtp
object-group service ftp-web-ts-Srv tcp
port-object eq ftp
port-object eq ftp-data
port-object range 3389 3389
port-object eq https
port-object eq www
port-object range 8080 8080
port-object range 1433 1433
object-group network Admin
network-object Mehmet 255.255.255.255
network-object Ziya 255.255.255.255
network-object Tansel 255.255.255.255
object-group service http-https tcp
port-object eq www
port-object eq https
object-group service CRM tcp
description CRM
port-object eq www
port-object range 3389 3389
port-object eq https
port-object range 6401 6401
object-group service murtatest tcp
port-object range 8080 8080
object-group service ftp tcp
description disbankgms
port-object eq ftp-data
port-object eq ftp
access-list outside_access_in permit tcp any host mail.th.out object-group Mail-Srv
access-list outside_access_in permit tcp any host 213.74.42.37 object-group ftp-web-ts-Srv
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host murattestip object-group CRM
access-list outside_access_in permit tcp any host 213.74.42.36 eq 3389
access-list outside_access_in permit tcp any host 213.74.42.43 object-group http-https
access-list outside_access_in permit ip host Planet host 213.74.42.45
access-list inside_outbound_nat0_acl permit ip any 10.1.1.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 DISBANK 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.3.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 DISBANK 255.255.255.0
access-list outside_cryptomap_20 permit icmp host gmsdisbank host disbanklocal
access-list outside_cryptomap_20 permit icmp host gmsdisbank host dibankalpar
access-list Cisco_VPN_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.1.3.0 255.255.255.0
pager lines 24
logging on
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 213.74.42.34 255.255.255.240
ip address inside 10.1.1.2 255.255.0.0
ip address intf2 10.10.1.1 255.255.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm drop
ip local pool teknoloji 10.1.1.190-10.1.1.192
ip local pool Teknoloji_Yeni 10.1.3.1-10.1.3.254
pdm location Mehmet 255.255.255.255 inside
pdm location Ziya 255.255.255.255 inside
pdm location mail.th.in 255.255.255.255 inside
pdm location mail.th.out 255.255.255.255 outside
pdm location ftp-web-ts 255.255.255.255 inside
pdm location gold-ts 255.255.255.255 inside
pdm location Tansel 255.255.255.255 inside
pdm location murattestip 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.6.0.0 255.255.255.0 inside
pdm location ukhweb 255.255.255.255 inside
pdm location 10.1.1.121 255.255.255.255 inside
pdm location 10.1.1.128 255.255.255.128 outside
pdm location 10.1.1.118 255.255.255.255 inside
pdm location 10.1.1.118 255.255.255.255 outside
pdm location CRM 255.255.255.255 inside
pdm location IPS 255.255.255.255 inside
pdm location Planet 255.255.255.255 outside
pdm location murattest 255.255.255.255 inside
pdm location 10.1.0.0 255.255.0.0 inside
pdm location devrim 255.255.255.255 outside
pdm location gmsdisbank 255.255.255.255 inside
pdm location disbanklocal 255.255.255.255 outside
pdm location DISBANK 255.255.255.0 outside
pdm location dibankalpar 255.255.255.255 outside
pdm location 10.1.3.0 255.255.255.0 outside
pdm group Admin inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) mail.th.out mail.th.in netmask 255.255.255.255 0 0
static (inside,outside) 213.74.42.37 ftp-web-ts netmask 255.255.255.255 0 0
static (inside,outside) 213.74.42.36 gold-ts netmask 255.255.255.255 0 0
static (inside,outside) murattestip CRM netmask 255.255.255.255 0 0
static (inside,outside) 213.74.42.43 ukhweb netmask 255.255.255.255 0 0
static (inside,outside) 213.74.42.45 IPS netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.74.42.33 1
route inside 10.6.0.0 255.255.255.0 10.1.1.1 1
route inside 192.168.1.0 255.255.255.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 10.1.1.118 timeout 30 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http Mehmet 255.255.255.255 inside
http Ziya 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 213.243.63.129
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 213.243.63.129 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Cisco_VPN address-pool Teknoloji_Yeni
vpngroup Cisco_VPN dns-server 10.1.1.7
vpngroup Cisco_VPN default-domain teknoloji.local
vpngroup Cisco_VPN split-tunnel Cisco_VPN_splitTunnelAcl
vpngroup Cisco_VPN idle-time 1800
vpngroup Cisco_VPN password ********
telnet Mehmet 255.255.255.255 inside
telnet Ziya 255.255.255.255 inside
telnet 10.1.1.121 255.255.255.255 inside
telnet timeout 5
ssh Mehmet 255.255.255.255 inside
ssh Ziya 255.255.255.255 inside
ssh 10.1.1.121 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP client configuration address local teknoloji
vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.1.7 213.74.4.131
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username ttronics password *********
vpdn enable outside
username ttronics password NxE.zqnXeufc60NG encrypted privilege 3
username omer password 2YWQbIURhlsZiSEv encrypted privilege 15
username bahadir password tUyjU1jkmzRjDAXW encrypted privilege 3
username bgirtten password X6p0gNgTORjgLlyO encrypted privilege 15
username suat password iFYviUGOXgYSawtL encrypted privilege 15
username cuneyt password O2p.xbNzv8SbFFt4 encrypted privilege 3
username ersin password 0tFwfHNn4.l.DSBo encrypted privilege 15
username emin password poOfvGRGbu.aXoiy encrypted privilege 15
username mehmet password IqgmOjuZetR2QZy. encrypted privilege 15
username hakan password oMB1ORmpWnV6s/b8 encrypted privilege 15
url-block url-mempool 5000
url-block url-size 4
terminal width 80
Cryptochecksum:5bda006ae5aea871dc48334c971a1adb
: end
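The following script is an added example and is not part of the post, nor a Cisco tool. It addresses question 6 from a defender's side: rather than guessing, it parses the relevant statements from the PIX 6.3 configuration above (the excerpt in the script is copied from that configuration, trimmed to the lines the checks use) and verifies the three things that decide whether a connected remote-access client can actually reach the LAN: that return traffic to the client pool is exempted from NAT by the nat 0 ACL, that the split-tunnel ACL covers the inside network, and that NAT traversal is enabled. The `isakmp nat-traversal <seconds>` command is the real PIX 6.3 statement; that its absence is the cause of this particular user's problem is an assumption, not something the post establishes, but it is the first thing to check when IKE completes and ESP then fails behind a PAT router.

```python
"""Lint a PIX 6.3 remote-access VPN configuration for the usual causes of
"client connects and gets a pool address but cannot reach the LAN".
Added example, not from the mailing-list post; the excerpt below is copied
from the post's PIX configuration and trimmed to the relevant statements."""
import ipaddress

PIX_CONFIG = """\
ip address inside 10.1.1.2 255.255.0.0
ip local pool teknoloji 10.1.1.190-10.1.1.192
ip local pool Teknoloji_Yeni 10.1.3.1-10.1.3.254
access-list inside_outbound_nat0_acl permit ip any 10.1.1.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip any 10.1.3.0 255.255.255.0
access-list Cisco_VPN_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
isakmp enable outside
vpngroup Cisco_VPN address-pool Teknoloji_Yeni
vpngroup Cisco_VPN split-tunnel Cisco_VPN_splitTunnelAcl
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens):
    """Consume 'any' or 'address mask' from the front of a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix(config):
    """Pull out only the statements the VPN reachability checks need."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0_acl": None,
           "nat_t": False, "permit_ipsec": False, "vpngroups": {}}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_t"] = True
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
        elif t[0] == "vpngroup":
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg


def check_vpngroup(cfg, group):
    """Return (severity, message) findings for one vpngroup."""
    findings = []
    g = cfg["vpngroups"][group]
    inside = cfg["inside"]
    first, last = cfg["pools"][g["address-pool"]]

    # 1. Replies from the LAN to pool addresses must bypass NAT (nat 0 ACL destination).
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    if not any(first in dst and last in dst for _, dst in nat0):
        findings.append(("ERROR", f"pool {first}-{last} is not exempted from NAT by {cfg['nat0_acl']}"))

    # 2. The split-tunnel ACL source is what the client sends into the tunnel;
    #    it must cover the inside network or LAN traffic goes out in the clear.
    split = cfg["acls"].get(g.get("split-tunnel", ""), [])
    if not any(inside.subnet_of(src) for src, _ in split):
        findings.append(("ERROR", f"split-tunnel ACL does not include inside network {inside}"))

    # 3. ESP carries no ports, so a client behind PAT needs UDP encapsulation;
    #    on PIX 6.3 that is 'isakmp nat-traversal <seconds>'.  Without it IKE
    #    completes (the client shows connected and gets a pool address) but
    #    the data path may never work.
    if not cfg["nat_t"]:
        findings.append(("WARN", "isakmp nat-traversal is not configured; clients behind "
                                 "NAT/PAT will complete IKE but ESP may not pass"))

    # 4. Decrypted traffic must be allowed past the outside interface ACL.
    if not cfg["permit_ipsec"]:
        findings.append(("WARN", "sysopt connection permit-ipsec is missing"))

    # 5. A pool carved out of the inside subnet works only while the PIX
    #    proxy-ARPs for those addresses on the inside interface; worth knowing.
    if first in inside:
        findings.append(("INFO", f"pool {first}-{last} overlaps inside subnet {inside} "
                                 "(depends on proxy ARP on the inside interface)"))
    return findings


if __name__ == "__main__":
    config = parse_pix(PIX_CONFIG)
    for severity, message in check_vpngroup(config, "Cisco_VPN"):
        print(f"[{severity}] {message}")
```

Run against the excerpt, the script reports no ERROR (the nat 0 exemption and the split-tunnel ACL are both correct for pool Teknoloji_Yeni), one WARN for the missing `isakmp nat-traversal`, and one INFO noting that 10.1.3.0/24 sits inside the 10.1.0.0/16 inside subnet. Adding the NAT-traversal line to the input removes the warning, which is how the check can be used to confirm a fix before touching the firewall.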
This archive was generated by hypermail 2.1.5: Mon Nov 08 2004 - 15:37:14 GMT