RE: [cisco-ttl] PIX 506e Vpn Routing Sorunu

Cisco vpn clientta varmidir bilmem ama microsoftun pptp connection settignlerinde tcp/ip altinda advanced sekmesinde use default gateway on remote network"secenegini kaldirirsaniz lokal routingleriniz calismaya devam eder.
Ancak bu durumda da karsi tarafta baglandiginiz networkte birden cok routing varsa (misal uzak ofisler icin ayri subnetler vs) bunlar calismayacaktir. Bencer bir ayar cisco vpn clientta da olmali diye dusunuyorum

-----Original Message-----
From: cisco-ttl@yahoogroups.com [mailto:cisco-ttl@yahoogroups.com] On Behalf Of Yücel BAŞOĞLU
Sent: Thursday, January 25, 2007 1:27 AM To: cisco-ttl@yahoogroups.com
Subject: [cisco-ttl] PIX 506e Vpn Routing Sorunu

Merhabalar,  

Pix 506e uzerinde disaridan Cisco VPN Client kullanarak locl areaya baglanilmasini saglamak icin bi konfiguration yaptim. Fekat nedenini bulamadigim bir sorun yuzunden sikintidayim.

Cisco VPN Client ile kullanıcı adi ve sifre araciligi ile baglaniyorum. Ama ayni zamanda default gateway aliyor bilgisayarim. Aldigindan dolayida kendi baglantim kopuyor. Sadece locale erisebilir durumda oluyorum.

Yani conftada goruldugu uzere 192.168.7.2 ip aliyosam vpnden default gateway.de 192.168.7.2 oluyor.Ve bi bilgisayarda iki gateway olamiyacagindan normal baglantim kopuyor ve butun paketleri 192.168.7.x den gondermeye calisiyor. Bu konuda dokumanda arastirdim ama bisey bulamadim. Lutfen troubleshooting arkadaslar J  

Conf asagidadir.  

Iyı Calismalar.  

Yucel BASOGLU  

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxx encrypted

passwd xxxxx.2KYOU encrypted

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name x.x.x.x Mail_Server

name 192.168.7.0 vpnpool

name 192.168.1.73 Selcuk

access-list inside_access_in permit ip any any

access-list inside_access_in permit icmp any any echo-reply

access-list outside_access_in permit tcp any host x.x.x.x eq smtp

access-list outside_access_in permit tcp any host x.x.x.x eq pop3

access-list outside_access_in permit tcp any host x.x.x.x eq www

access-list inside_nat0_outbound permit ip any vpnpool 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any vpnpool 255.255.255.0

pager lines 24

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside y.y.y.y 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 192.168.7.1-192.168.7.254

pdm location Mail_Server 255.255.255.255 inside

pdm location vpnpool 255.255.255.0 outside

pdm location 84.17.81.195 255.255.255.255 outside

pdm location 85.108.253.150 255.255.255.255 outside

pdm location 192.168.1.5 255.255.255.255 inside

pdm location 85.100.34.254 255.255.255.255 outside

pdm location 88.234.92.14 255.255.255.255 outside

pdm location Selcuk 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp x.x.x.x smtp Mail_Server smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.x pop3 Mail_Server pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp x.x.x.x www Mail_Server www netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 z.z.z.z 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 85.108.253.150 255.255.255.255 outside

http 85.100.34.254 255.255.255.255 outside

http 88.234.92.14 255.255.255.255 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

no floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup vpn-group address-pool vpnpool

vpngroup vpn-group dns-server 213.144.97.12 213.144.97.13

vpngroup vpn-group idle-time 1800

vpngroup vpn-group password ********

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:2497c3fcf886d0c6e865cf9e409ef94b

: end

[OK]

[Non-text portions of this message have been removed]

--
Cisco Teknik Tartisma Listesi (Cisco-ttl)

Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk 
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da 
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar. 
Yahoo! Groups Links







--
Cisco Teknik Tartisma Listesi (Cisco-ttl)

Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk 
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da 
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar. 
Yahoo! Groups Links



<*> To visit your group on the web, go to:

    http://groups.yahoo.com/group/cisco-ttl/



<*> Your email settings:

    Individual Email | Traditional



<*> To change settings online go to:

    http://groups.yahoo.com/group/cisco-ttl/join
    (Yahoo! ID required)



<*> To change settings via email:

    mailto:cisco-ttl-digest@yahoogroups.com 
    mailto:cisco-ttl-fullfeatured@yahoogroups.com



<*> To unsubscribe from this group, send an email to:

    cisco-ttl-unsubscribe@yahoogroups.com



<*> Your use of Yahoo! Groups is subject to:

    http://docs.yahoo.com/info/terms/