[cisco-ttl] Re: PIX 506e VPN Routing Problem
> When the VPN client has IPsec running, all network traffic on the PC goes out through the VPN
> driver. For this reason all traffic flows over the tunnel.
> So all traffic first goes from the PC to the PIX. For the PC to be seen through the PIX, there
> has to be reverse route injection on the PIX, and that route has to be distributed to the
> devices the PIX is connected to.
> Thanks.
>
- In cisco-ttl@yahoogroups.com, Yücel BAŞOĞLU <ybasoglu@...> wrote:
>
> Hello,
>
> I set up a configuration on the PIX 506e so that the local area can be reached from outside
> using the Cisco VPN Client. But I am stuck on a problem whose cause I cannot find.
>
> I connect with the Cisco VPN Client using a username and password. But at the same time my
> computer also receives a default gateway. Because it does, my own connection drops and I
> am only able to reach the local network.
>
> That is, as can be seen in the config, if I get the IP 192.168.7.2 from the VPN, the default
> gateway also becomes 192.168.7.2. And since a computer cannot have two gateways, my normal
> connection drops and it tries to send all packets from 192.168.7.x. I searched the
> documentation on this but could not find anything. Please help me troubleshoot, friends :)
>
> The config is below.
>
> Regards,
>
> Yucel BASOGLU
>
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx encrypted
> passwd xxxxx.2KYOU encrypted
> hostname pixfirewall
> domain-name ciscopix.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> name x.x.x.x Mail_Server
> name 192.168.7.0 vpnpool
> name 192.168.1.73 Selcuk
> access-list inside_access_in permit ip any any
> access-list inside_access_in permit icmp any any echo-reply
> access-list outside_access_in permit tcp any host x.x.x.x eq smtp
> access-list outside_access_in permit tcp any host x.x.x.x eq pop3
> access-list outside_access_in permit tcp any host x.x.x.x eq www
> access-list inside_nat0_outbound permit ip any vpnpool 255.255.255.0
> access-list outside_cryptomap_dyn_20 permit ip any vpnpool 255.255.255.0
> pager lines 24
> icmp permit any outside
> icmp permit any inside
> mtu outside 1500
> mtu inside 1500
> ip address outside y.y.y.y 255.255.255.248
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool vpnpool 192.168.7.1-192.168.7.254
> pdm location Mail_Server 255.255.255.255 inside
> pdm location vpnpool 255.255.255.0 outside
> pdm location 84.17.81.195 255.255.255.255 outside
> pdm location 85.108.253.150 255.255.255.255 outside
> pdm location 192.168.1.5 255.255.255.255 inside
> pdm location 85.100.34.254 255.255.255.255 outside
> pdm location 88.234.92.14 255.255.255.255 outside
> pdm location Selcuk 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp x.x.x.x smtp Mail_Server smtp netmask 255.255.255.255 0 0
> static (inside,outside) tcp x.x.x.x pop3 Mail_Server pop3 netmask 255.255.255.255 0 0
> static (inside,outside) tcp x.x.x.x www Mail_Server www netmask 255.255.255.255 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 z.z.z.z 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> http server enable
> http 85.108.253.150 255.255.255.255 outside
> http 85.100.34.254 255.255.255.255 outside
> http 88.234.92.14 255.255.255.255 outside
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> no floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup vpn-group address-pool vpnpool
> vpngroup vpn-group dns-server 213.144.97.12 213.144.97.13
> vpngroup vpn-group idle-time 1800
> vpngroup vpn-group password ********
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:2497c3fcf886d0c6e865cf9e409ef94b
> : end
> [OK]
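The configuration quoted above contains several settings a reviewer would want to check mechanically before turning to the routing question: the dynamic map selects the single-DES transform set although a 3DES one is defined, the SNMP community is the default `public`, PDM/HTTP management is permitted from outside addresses, the inside ACL permits `ip any any`, and the `vpngroup` carries no split-tunnel ACL, which is why the client tunnels all traffic as the reply explains. The script below is an added example, not code from the thread or from Cisco; `audit_pix_config`, `parse_config` and `SAMPLE_CONFIG` are names of my own, the sample is an excerpt of the posted config with the poster's redactions kept, and the `vpngroup <name> split-tunnel <acl>` keyword it looks for is the PIX 6.x command for split tunneling (known to exist, but not mentioned on the page).

```python
"""Minimal audit of a PIX 6.3 running-config (added example, not from the thread)."""
import re

# Excerpt of the configuration posted in the thread; redacted addresses kept as-is.
SAMPLE_CONFIG = """\
PIX Version 6.3(5)
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any host x.x.x.x eq smtp
http server enable
http 85.108.253.150 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
snmp-server community public
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
vpngroup vpn-group address-pool vpnpool
vpngroup vpn-group password ********
"""


def parse_config(text):
    """Return non-empty config lines, dropping comment (!) and checksum (:) lines."""
    lines = [line.strip() for line in text.splitlines()]
    return [line for line in lines if line and not line.startswith(("!", ":"))]


def audit_pix_config(text):
    """Return a list of human-readable findings for the given PIX config text."""
    lines = parse_config(text)
    findings = []

    # 1. Crypto: collect transform sets, then flag maps that select single DES.
    transform_sets = {}
    for line in lines:
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
    for line in lines:
        m = re.match(r"crypto (?:dynamic-)?map (\S+) \d+ set transform-set (.*)", line)
        if m:
            for name in m.group(2).split():
                if "esp-des" in transform_sets.get(name, []):
                    findings.append(f"weak-cipher: {m.group(1)} uses {name} (single DES)")

    # 2. SNMP: default community strings.
    for line in lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"snmp-default-community: {m.group(1)}")

    # 3. Management plane: HTTP (PDM) access permitted from the outside interface.
    for line in lines:
        m = re.match(r"http (\S+) (\S+) outside$", line)
        if m:
            findings.append(f"mgmt-from-outside: http {m.group(1)}")

    # 4. Filtering: ACL entries that permit everything.
    for line in lines:
        if re.match(r"access-list \S+ permit ip any any$", line):
            findings.append(f"permit-any: {line}")

    # 5. Remote access: vpngroups with no split-tunnel ACL tunnel all client traffic
    #    (the behaviour described in the thread). Keyword assumed from PIX 6.x CLI.
    groups, split = set(), set()
    for line in lines:
        m = re.match(r"vpngroup (\S+) (\S+)", line)
        if m:
            groups.add(m.group(1))
            if m.group(2) == "split-tunnel":
                split.add(m.group(1))
    for group in sorted(groups - split):
        findings.append(f"full-tunnel: vpngroup {group} has no split-tunnel ACL")

    return findings


if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports five findings; feed it the full `show run` output instead and the same checks apply to the complete configuration.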
Received on Tue Jan 30 11:22:37 2007
This archive was generated by hypermail 2.1.8 : Tue Jan 30 2007 - 11:22:37 CET