Cisco Teknik Tartisma Listesi Arsivi: [cisco-ttl] ASA vpn client

From: TOLGA SAHAN CELTIK <t_celtik_at_....>
Date: Thu Oct 12 2006 - 18:40:37 EEST

Merhaba,
Elimizde checkpoint arkasinda calisan bir ASA var.ASA da vpn tanimi yaptim ve baglanabiliyorum.VPN isteginde checkpointteki log lara bakiyoruz ve bir probleme rastlamiyoruz.(Checkpoint any any acik durumda) VPN le tanimladigim ip pool dan bir ip aliyorum ama bu ip den ASA nin inside bacagi(bu local) ulasamiyorum. Yapi su sekilde..

Bizim taraf-----internet---------Checpoint-----ASA-----Lokal VPN clientla baglandigim zaman hicbir paketin encrypt edilmedigini ayrica secured network un 0.0.0.0 0.0.0.0 seklinde oldugunu goruyorum.Confýg te hýc býr problem gormezken...neden oluyor, yardimci olursaniz sevinirim..

Config ekte

ASA Version 7.0(2)
names
name... ......
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.19.60.0 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1
management-only
!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0 
access-list deneme_splitTunnelAcl standard permit any 
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0 
access-list deneme1_splitTunnelAcl standard permit any 
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0 
access-list deneme_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0 
access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0 
access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0 
access-list 15 extended permit icmp 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0

group-policy deneme internal
group-policy deneme attributes
split-tunnel-policy tunnelspecif deneme_splitTunnelAcl webvpn
group-policy deneme1 internal
group-policy deneme1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value deneme1_splitTunnelAcl webvpn
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255

username tolga password 5mhYTi9IjTkulMAX encrypted privilege 0 aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL aaa authentication telnet console LOCAL http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

crypto ipsec transform-set TOLGA esp-3des esp-none crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside
isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5

ssh 172.19.0.91 255.255.255.255 outside
ssh 172.19.0.71 255.255.255.255 outside
ssh 172.19.0.61 255.255.255.255 outside
ssh 172.19.0.78 255.255.255.255 outside

ssh 172.19.0.212 255.255.255.255 outside

ssh 172.19.0.243 255.255.255.255 outside ssh 172.19.60.170 255.255.255.255 outside ssh timeout 5
console time deneme type ipsec-ra
tunnel-group deneme general-attributes
default-group-policy deneme
tunnel-group deneme ipsec-attributes
pre-shared-key *
tunnel-group deneme1 type ipsec-ra
tunnel-group deneme1 general-attributes
address-pool POOLVPN
default-group-policy deneme1
tunnel-group deneme1 ipsec-attributes
pre-shared-key *

[Non-text portions of this message have been removed]

--
Cisco Teknik Tartisma Listesi (Cisco-ttl)

Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk 
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da 
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar. 
Yahoo! Groups Links



<*> To visit your group on the web, go to:

    http://groups.yahoo.com/group/cisco-ttl/



<*> Your email settings:

    Individual Email | Traditional



<*> To change settings online go to:

    http://groups.yahoo.com/group/cisco-ttl/join
    (Yahoo! ID required)



<*> To change settings via email:

    mailto:cisco-ttl-digest@yahoogroups.com 
    mailto:cisco-ttl-fullfeatured@yahoogroups.com



<*> To unsubscribe from this group, send an email to:

    cisco-ttl-unsubscribe@yahoogroups.com



<*> Your use of Yahoo! Groups is subject to:

    http://docs.yahoo.com/info/terms/

Received on Fri Oct 13 20:02:17 2006

This archive was generated by hypermail 2.1.8 : Fri Oct 13 2006 - 20:02:24 EEST

[cisco-ttl] ASA vpn client problem