RE: [cisco-ttl] VPN Client Problemi
From: Cumhur / Yahoo <yahoo_at_....>
Date: Fri Oct 14 2005 - 00:00:50 EEST
If these multiple users are behind a NAT, defining "isakmp nat-traversal [natkeepalive]" may solve your problem.
Good luck,
Enabling IPSec over NAT-T

NAT-T lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary. This feature is disabled by default.

• The security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-T, and IPSec over UDP, depending on the client with which it is exchanging data.
• When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.
• When enabled, IPSec over TCP takes precedence over all other connection methods.
• When you enable NAT-T, the security appliance automatically opens port 4500 on all IPSec enabled interfaces.

The security appliance implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:

• One LAN-to-LAN connection.
• Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.

This restriction applies when the IP address of the NAT device is the name of the tunnel group. This is because all peers behind that NAT device are likely to be associated with that same tunnel group. This may result in failed negotiations when connecting to multiple LAN-to-LAN peers behind the NAT device, or VPN clients being associated to a NAT device when there is a mixture of remote access and LAN-to-LAN peers.

Using NAT-T

To use NAT-T you must perform three tasks:

To enable NAT-T globally on the security appliance, enter the following command:

isakmp nat-traversal natkeepalive

This example enables NAT-T and sets the keepalive to one hour.

hostname(config)# isakmp nat-traversal 3600

Valid values for natkeepalive are 10 to 3600 seconds; the default is 20 seconds.
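As an added example (not from this thread or from Cisco's documentation): a small Python classifier for the UDP/4500 datagrams that NAT-T produces, using the RFC 3948 framing the Cisco text alludes to. IKE is carried behind four zero bytes (the "non-ESP marker"), ESP is carried raw (its SPI can never be zero), and the NAT keepalive is a single 0xFF byte. The public IP, ports and header values in SAMPLE are constructed for illustration.

```python
# Added example (not from the thread or Cisco's docs): classify UDP/4500 datagrams
# using the RFC 3948 framing that NAT-T relies on. All sample datagrams are constructed.
import struct
from collections import Counter

NAT_T_PORT = 4500                      # port the appliance opens when NAT-T is enabled
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # SPI 0 is reserved, so four zero bytes mean "IKE follows"
ISAKMP_HDR = struct.Struct("!QQBBBBII")  # cookies, next payload, version, exch type, flags, msg id, length


def classify_nat_t_payload(payload: bytes) -> dict:
    """Say what one UDP/4500 datagram carries: NAT keepalive, IKE (ISAKMP) or ESP."""
    if payload == b"\xff":
        # One-byte 0xFF keepalive: only refreshes the NAT binding (interval = natkeepalive seconds)
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR.size:
            return {"kind": "ike", "error": "truncated ISAKMP header"}
        i_cookie, r_cookie, _next, ver, exch, _flags, msg_id, length = ISAKMP_HDR.unpack_from(ike)
        return {"kind": "ike", "initiator_cookie": f"{i_cookie:016x}",
                "responder_cookie": f"{r_cookie:016x}", "version": f"{ver >> 4}.{ver & 0xF}",
                "exchange_type": exch, "message_id": msg_id, "length": length}
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload)  # ESP header: SPI, then sequence number
        return {"kind": "esp", "spi": f"{spi:08x}", "sequence": seq}
    return {"kind": "unknown"}


def tally(datagrams):
    """Count datagram kinds per (source, kind) pair; a capture-triage helper."""
    counts = Counter()
    for src, payload in datagrams:
        counts[(src, classify_nat_t_payload(payload)["kind"])] += 1
    return counts


# Constructed sample: two clients behind one NAT (same public IP, PAT gives them different ports).
# The IKE datagram is an IKEv1 Quick Mode header (exchange type 32, version 1.0, length 28).
SAMPLE = [
    ("203.0.113.7:4500", NON_ESP_MARKER + ISAKMP_HDR.pack(
        0x1122334455667788, 0x99AABBCCDDEEFF00, 8, 0x10, 32, 1, 0x1234ABCD, 28)),
    ("203.0.113.7:4500", struct.pack("!II", 0xDEADBEEF, 7) + b"\x00" * 16),
    ("203.0.113.7:4500", b"\xff"),
    ("203.0.113.7:51000", struct.pack("!II", 0x0BADF00D, 1) + b"\x00" * 16),
    ("203.0.113.7:51000", b"\xff"),
]

if __name__ == "__main__":
    for src, p in SAMPLE:
        print(src, classify_nat_t_payload(p))
    print(tally(SAMPLE))
```

Seeing two distinct PAT'ed source ports from one public address, each with its own keepalives, is what a working NAT-T setup with several clients behind one NAT looks like in a capture.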
-----Original Message-----
Hello everyone. We installed a PIX 506 at the center of a network with 11 branches. All of the branches connect to the center over ADSL using the VPN Client software. The center's internet uplink is a leased line (LL). Our problem is that single-user branches stay connected for hours, but at branches with more than one user, when one of them connects the other one gets dropped. The configuration is as follows. Thanks in advance to anyone who looks into it.
:
ip local pool magaza1 10.9.1.1-10.9.1.14
ip local pool magaza2 10.9.2.1-10.9.2.14
ip local pool magaza3 10.9.3.1-10.9.3.14
ip local pool magaza5 10.9.5.1-10.9.5.14
ip local pool magaza6 10.9.6.1-10.9.6.14
ip local pool magaza7 10.9.7.1-10.9.7.14
ip local pool magaza8 10.9.8.1-10.9.8.14
ip local pool magaza9 10.9.9.1-10.9.9.14
ip local pool magaza10 10.9.10.1-10.9.10.14
ip local pool magaza11 10.9.4.1-10.9.4.14
ip local pool magaza12 10.9.11.1-10.9.11.14
ip local pool magaza13 10.9.12.1-10.9.12.14
ip local pool magaza14 10.9.13.1-10.9.13.14
pdm location 10.8.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.8.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpntransform esp-des esp-md5-hmac
crypto dynamic-map vpndmap 10 set transform-set elet
crypto map vpnmap 10 ipsec-isakmp dynamic elektrolet
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup group1 address-pool magaza1
vpngroup group1 dns-server 10.8.1.15
vpngroup group1 default-domain cisco.com
vpngroup group1 split-tunnel 101
vpngroup group1 idle-time 1800
vpngroup group1 password ********
vpngroup group2 address-pool magaza2
vpngroup group2 dns-server 10.8.1.15
vpngroup group2 default-domain cisco.com
vpngroup group2 split-tunnel 101
vpngroup group2 idle-time 1800
vpngroup group2 password ********
vpngroup group3 address-pool magaza3
vpngroup group3 dns-server 10.8.1.15
vpngroup group3 split-tunnel 101
vpngroup group3 idle-time 1800
vpngroup group3 password ********
vpngroup group4 address-pool magaza4
vpngroup group4 dns-server 10.8.1.15
vpngroup group4 split-tunnel 101
vpngroup group4 password ********
vpngroup group5 address-pool magaza5
vpngroup group5 dns-server 10.8.1.15
vpngroup group5 split-tunnel 101
vpngroup group5 idle-time 1800
vpngroup group5 password ********
vpngroup group6 address-pool magaza6
vpngroup group6 dns-server 10.8.1.15
vpngroup group6 split-tunnel 101
vpngroup group6 idle-time 1800
vpngroup group6 password ********
vpngroup group7 address-pool magaza7
vpngroup group7 dns-server 10.8.1.15
vpngroup group7 split-tunnel 101
vpngroup group7 idle-time 1800
vpngroup group7 password ********
vpngroup group8 address-pool magaza8
vpngroup group8 dns-server 10.8.1.15
vpngroup group8 split-tunnel 101
vpngroup group8 idle-time 1800
vpngroup group8 password ********
vpngroup group9 address-pool magaza9
vpngroup group9 dns-server 10.8.1.15
vpngroup group9 split-tunnel 101
vpngroup group9 idle-time 1800
vpngroup group9 password ********
vpngroup group10 address-pool magaza10
vpngroup group10 dns-server 10.8.1.15
vpngroup group10 split-tunnel 101
vpngroup group10 idle-time 1800
vpngroup group10 password ********
vpngroup group11 address-pool magaza11
vpngroup group11 dns-server 10.8.1.15
vpngroup group11 split-tunnel 101
vpngroup group11 idle-time 1800
vpngroup group11 password ********
telnet 10.8.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxx
: end
pix(config)#
-- Cisco Technical Discussion List (Cisco-ttl)
Received on Fri Oct 14 00:02:13 2005