|
[cisco-ttl] Re: 878 Router - pix 515 vpn
Merhaba,
Evet PIX'i simdilik kaldirdim, 10.0.0.0 ve 10.1.1.0 her ikiside ic
network'de iki farkli ag yani routerin arkasinda. Sonradan fark
ettim, ki sende burda gormussun sorun routinglerde cikti :) insan
bazen gozunun onundeki problemi gormuyor vpn pool'una farkli bir
agdan ip verdim (daha once 10.1.1.0 'dan vermistim dolayisi ile
digerli ile ayni subnet icerisinde olduklarini kabul ettigi icin
icin ping paketlerine echo-reply alamiyordum) ve diger router'lara
uzerinde routingleri tanimladim simdi calisiyor. Yinede yardimlarin
icin cok tesekkur ederim sorunu bulamasaydim bu mesajindan
gorebilirdim tekar tesekkurler iyi calismalar
Halil Ergun KORKMAZ
- In cisco-ttl@yahoogroups.com, Serhat Uslay <serhat.uslay@...>
wrote:
>
>
> . Artik PIX i kaldirdin degilmi ? 10.0.0.0 nerede yoksa hala PIX
in
> arkasinda mi? 10.1.1.10 e ping calisiyormu ? Birde 10.0.0.0
networkundeki
> Pclerin default gateway leri nereye yonlendirilmis ? Icerdeki host
> demekten hangi IP adresini kastediyorsun ?
>
> Serhat
>
>
>
>
>
> Halil Ergun Korkmaz <halilergun.korkmaz@...>
> Sent by: cisco-ttl@yahoogroups.com
> 24/08/2006 10:54 PM
> Please respond to
> cisco-ttl@yahoogroups.com
>
>
> To
> cisco-ttl@yahoogroups.com
> cc
>
> Subject
> Re: [cisco-ttl] 878 Router - pix 515 vpn
>
>
>
>
>
>
> Merhaba,
>
> VPN client ile baglaniyorum ip pool dan ip de aliyorum routerin ic
> interace'ine de ping atabiliyorum ama icerideki hic bir host'a
> ulasamiyorum. Sanirim ic interface'deki ACL takiliyorum ama bir
turlu
> goremedim!!!!!!!! yardim ederseniz cok sevinirim simdiden tesekkur
ederim,
> yeni konfigurasyon asagida :
>
>
>
> !This is the running config of the router:
> !------------------------------------------------------------------
> !version 12.4
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service sequence-numbers
> !
> hostname router
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200 debugging
> logging console critical
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login sdm_vpn_xauth_ml_1 local
> aaa authorization exec default local
> aaa authorization network sdm_vpn_group_ml_1 local
> !
> aaa session-id common
> !
> resource policy
> !
> clock timezone PCTime 2
> clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
> no ip source-route
> ip cef
> !
> !
> ip inspect log drop-pkt
> ip inspect name DEFAULT100 cuseeme
> ip inspect name DEFAULT100 ftp
> ip inspect name DEFAULT100 h323
> ip inspect name DEFAULT100 icmp
> ip inspect name DEFAULT100 netshow
> ip inspect name DEFAULT100 rcmd
> ip inspect name DEFAULT100 realaudio
> ip inspect name DEFAULT100 rtsp
> ip inspect name DEFAULT100 esmtp
> ip inspect name DEFAULT100 sqlnet
> ip inspect name DEFAULT100 streamworks
> ip inspect name DEFAULT100 tftp
> ip inspect name DEFAULT100 tcp
> ip inspect name DEFAULT100 udp
> ip inspect name DEFAULT100 vdolive
> ip inspect name SDM_HIGH appfw SDM_HIGH
> ip inspect name SDM_HIGH icmp
> ip inspect name SDM_HIGH dns
> ip inspect name SDM_HIGH esmtp
> ip inspect name SDM_HIGH https
> ip inspect name SDM_HIGH imap reset
> ip inspect name SDM_HIGH pop3 reset
> ip inspect name SDM_HIGH tcp
> ip inspect name SDM_HIGH udp
> ip tcp synwait-time 10
> no ip bootp server
> ip domain name yourdomain.com
> ip name-server 10.1.1.1
> ip ssh time-out 60
> ip ssh authentication-retries 2
> !
> appfw policy-name SDM_HIGH
> application im aol
> service default action reset alarm
> service text-chat action reset alarm
> server deny name login.oscar.aol.com
> server deny name toc.oscar.aol.com
> server deny name oam-d09a.blue.aol.com
> audit-trail on
> application im msn
> service default action reset alarm
> service text-chat action reset alarm
> server deny name messenger.hotmail.com
> server deny name gateway.messenger.hotmail.com
> server deny name webmessenger.msn.com
> audit-trail on
> application im yahoo
> service default action reset alarm
> service text-chat action reset alarm
> server deny name scs.msg.yahoo.com
> server deny name scsa.msg.yahoo.com
> server deny name scsb.msg.yahoo.com
> server deny name scsc.msg.yahoo.com
> server deny name scsd.msg.yahoo.com
> server deny name cs16.msg.dcn.yahoo.com
> server deny name cs19.msg.dcn.yahoo.com
> server deny name cs42.msg.dcn.yahoo.com
> server deny name cs53.msg.dcn.yahoo.com
> server deny name cs54.msg.dcn.yahoo.com
> server deny name ads1.vip.scd.yahoo.com
> server deny name radio1.launch.vip.dal.yahoo.com
> server deny name in1.msg.vip.re2.yahoo.com
> server deny name data1.my.vip.sc5.yahoo.com
> server deny name address1.pim.vip.mud.yahoo.com
> server deny name edit.messenger.yahoo.com
> server deny name messenger.yahoo.com
> server deny name http.pager.yahoo.com
> server deny name privacy.yahoo.com
> server deny name csa.yahoo.com
> server deny name csb.yahoo.com
> server deny name csc.yahoo.com
> audit-trail on
> !
> !
> !
> !
> controller DSL 0
> mode atm
> line-term cpe
> line-mode 2-wire line-zero
> dsl-mode shdsl symmetric annex B
> line-rate auto
> !
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> !
> crypto isakmp client configuration group grb
> key ****************
> dns 10.1.1.1 10.1.1.3
> domain domain.com.tr
> pool SDM_POOL_1
> max-users 2
> max-logins 2
> netmask 255.255.255.0
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto dynamic-map SDM_DYNMAP_1 1
> set security-association idle-time 900
> set transform-set ESP-3DES-SHA
> reverse-route
> !
> !
> crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
> crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
> crypto map SDM_CMAP_1 client configuration address respond
> crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
> !
> !
> !
> interface Null0
> no ip unreachables
> !
> interface BRI0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> encapsulation hdlc
> ip route-cache flow
> shutdown
> !
> interface ATM0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip route-cache flow
> no atm ilmi-keepalive
> !
> interface ATM0.1 point-to-point
> description $ES_WAN$$FW_OUTSIDE$
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> no snmp trap link-status
> pvc 8/35
> encapsulation aal5snap
> protocol ppp dialer
> dialer pool-member 1
> !
> !
> interface FastEthernet0
> !
> interface FastEthernet1
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface Vlan1
> description $ETH-SW-LAUNCH$$INTF-INFO-HWIC
4ESW$$ES_LAN$$FW_INSIDE$
> ip address 10.1.1.250 255.255.255.0
> ip access-group 100 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> ip route-cache flow
> ip tcp adjust-mss 1452
> !
> interface Dialer0
> description $FW_OUTSIDE$
> ip address negotiated
> ip access-group 103 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip inspect SDM_HIGH out
> ip nat outside
> ip virtual-reassembly
> encapsulation ppp
> ip route-cache flow
> dialer pool 1
> dialer-group 1
> no cdp enable
> ppp authentication pap callin
> ppp pap sent-username ******** password 7 *************
> crypto map SDM_CMAP_1
> !
> ip local pool SDM_POOL_1 10.1.1.200 10.1.1.202
> ip route 0.0.0.0 0.0.0.0 Dialer0
> ip route 10.0.0.0 255.255.255.0 10.1.1.10
> !
> ip http server
> ip http access-class 2
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 60 life 86400 requests 10000
> ip nat inside source route-map SDM_RMAP_1 interface Dialer0
overload
> !
> logging trap debugging
> access-list 1 remark INSIDE_IF=Vlan1
> access-list 1 remark SDM_ACL Category=2
> access-list 1 permit 10.1.1.0 0.0.0.255
> access-list 2 remark HTTP Access-class list
> access-list 2 remark SDM_ACL Category=1
> access-list 2 permit 10.1.1.0 0.0.0.255
> access-list 2 deny any
> access-list 100 remark auto generated by Cisco SDM Express
firewall
> configuration
> access-list 100 remark SDM_ACL Category=1
> access-list 100 deny ip host 255.255.255.255 any
> access-list 100 deny ip 127.0.0.0 0.255.255.255 any
> access-list 100 permit ip any any
> access-list 101 remark auto generated by Cisco SDM Express
firewall
> configuration
> access-list 101 remark SDM_ACL Category=1
> access-list 101 permit ip host 10.1.1.200 any
> access-list 101 permit ip host 10.1.1.201 any
> access-list 101 permit ip host 10.1.1.202 any
> access-list 101 permit udp any any eq non500-isakmp
> access-list 101 permit udp any any eq isakmp
> access-list 101 permit esp any any
> access-list 101 permit ahp any any
> access-list 101 deny ip 10.1.1.0 0.0.0.255 any
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any unreachable
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 172.16.0.0 0.15.255.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip host 255.255.255.255 any
> access-list 101 deny ip host 0.0.0.0 any
> access-list 101 deny ip any any
> access-list 102 remark SDM_ACL Category=2
> access-list 102 deny ip any host 10.1.1.200
> access-list 102 deny ip any host 10.1.1.201
> access-list 102 deny ip any host 10.1.1.202
> access-list 102 permit ip 10.1.1.0 0.0.0.255 any
> access-list 102 permit ip 10.0.0.0 0.0.0.255 any
> access-list 103 remark auto generated by SDM firewall configuration
> access-list 103 remark SDM_ACL Category=1
> access-list 103 permit ip host 10.1.1.200 any
> access-list 103 permit ip host 10.1.1.201 any
> access-list 103 permit ip host 10.1.1.202 any
> access-list 103 permit ahp any any
> access-list 103 permit esp any any
> access-list 103 permit udp any any eq isakmp
> access-list 103 permit udp any any eq non500-isakmp
> access-list 103 deny ip 10.1.1.0 0.0.0.255 any
> access-list 103 permit icmp any any echo-reply
> access-list 103 permit icmp any any time-exceeded
> access-list 103 permit icmp any any unreachable
> access-list 103 deny ip 10.0.0.0 0.255.255.255 any
> access-list 103 deny ip 172.16.0.0 0.15.255.255 any
> access-list 103 deny ip 192.168.0.0 0.0.255.255 any
> access-list 103 deny ip 127.0.0.0 0.255.255.255 any
> access-list 103 deny ip host 255.255.255.255 any
> access-list 103 deny ip host 0.0.0.0 any
> access-list 103 deny ip any any log
> access-list 104 remark VTY Access-class list
> access-list 104 remark SDM_ACL Category=1
> access-list 104 permit ip 10.1.1.0 0.0.0.255 any
> access-list 104 deny ip any any
> dialer-list 1 protocol ip permit
> no cdp run
> !
> !
> route-map SDM_RMAP_1 permit 1
> match ip address 102
> !
> !
> control-plane
> !
> banner login ^CCAuthorized access only!
> Disconnect IMMEDIATELY if you are not an authorized user!^C
> !
> line con 0
> no modem enable
> transport output telnet
> line aux 0
> transport output telnet
> line vty 0 4
> access-class 104 in
> transport input telnet ssh
> !
> scheduler max-task-time 5000
> scheduler allocate 4000 1000
> scheduler interval 500
> !
> webvpn context Default_context
> ssl authenticate verify all
> !
> no inservice
> !
> end
>
>
>
>
>
> ---------------------------------
> Do you Yahoo!?
> Get on board. You're invited to try the new Yahoo! Mail.
>
> [Non-text portions of this message have been removed]
>
>
>
>
>
>
> --
> Cisco Teknik Tartisma Listesi (Cisco-ttl)
>
> Bu listede onerilen degisikliklerin uygulanmasindaki tum
sorumluluk
> kullaniciya aittir. Liste yoneticileri, oneride bulunan liste
uyeleri ya
> da
> bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu
> tutulamazlar.
> Yahoo! Groups Links
>
>
>
>
>
>
>
>
>
>
>
> ----
> This email is intended for the named recipient only. It may
contain information which is confidential, commercially sensitive,
or copyright. If you are not the intended recipient you must not
reproduce or distribute any part of the email, disclose its
contents, or take any action in reliance. If you have received this
email in error, please contact the sender and delete the message. It
is your responsibility to scan this email and any attachments for
viruses and other defects.
> To the extent permitted by law, Zurich and its associates will not
be liable for any loss or damage arising in any way from this
communication including any file attachments. We may monitor email
you send to us, either as a reply to this email or any email you
send to us, to confirm our systems are protected and for compliance
with company policies. Although we take reasonable precautions to
protect the confidentiality of our email systems, we do not warrant
the confidentiality or security of email or attachments we receive.
>
> [Non-text portions of this message have been removed]
>
--
Cisco Teknik Tartisma Listesi (Cisco-ttl)
Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar.
Yahoo! Groups Links
<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/cisco-ttl/
<*> To unsubscribe from this group, send an email to:
cisco-ttl-unsubscribe@yahoogroups.com
<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
Received on Mon Aug 28 14:16:02 2006
This archive was generated by hypermail 2.1.8
: Mon Aug 28 2006 - 14:16:16 EEST
|