|
|
[cisco-ttl] PIX 506e VPN ve Port Forwarding Problemi
From: ta2le <haluk.yetkin_at_....>
Date: Sat Mar 10 2007 - 22:56:12 CET
Kisitli PIX bilgisi ile saatler suren calismalar sonunda bayagi bir yol aldim :) Fakat daha hala bir kac konuyu cozemedim.
Son olarak affiniza siginarak sormak istiyorum; VPN Client ile baglanan user'lara user bazinda yetki verebilirmiyim. Ornegin; User ahmet ; sadece ic networkteki 192.168.2.4 www portu ve 192.168.2.6 2536 tcp portuna erisebilsin. User hasan ; networke tum hostlara tum portlardan sinirsiz erisebilisin gibi.... Bu konularda degerli tecrubelerinizi ve yardimlarinizi rica ediyorum. Herkese iyi calismalar, Haluk YETKIN
Building configuration...
passwd XXXXXXXXXXXXXXXX encrypted hostname gw domain-name XXXXXXXXXXXX fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 192.168.2.4 ultra object-group service rdp tcp-udp port-object range 3389 3389 access-list inside_outbound_nat0_acl permit ip any 192.168.3.0255.255.255.224 access-list outside_cryptomap_dyn_20 permit ip any 192.168.3.0 255.255.255.224 access-list outside_access_in permit tcp any host 192.168.2.3 eq 3389 access-list outside_authentication_LOCAL permit tcp 192.168.2.192 255.255.255.224 interface inside access-list inside_access_in permit ip any any access-list RDP permit tcp any host 81.XXX.XXX.XXX eq 3389 access-list RDP_ACL permit tcp any eq 3389 interface outside eq 3389 access-list RDP_ACL permit tcp any eq www interface outside eq www access-list RDP_ACL permit ip 192.168.3.0 255.255.255.224 any access-list outside-inbound permit tcp any host 81.XXX.XXX.XXX eq3389 access-list outside-inbound permit tcp any host 81.XXX.XXX.XXX eq www access-list outside-inbound permit tcp any interface outside eq 3389 access-list vpncc_splitTunnelAcl permit ip any any access-list outside_cryptomap_dyn_40 permit ip any 192.168.3.0255.255.255.224 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside pppoe ip address inside 192.168.2.249 255.255.255.0 ip verify reverse-path interface outside ip audit info action alarm ip audit attack action alarm ip local pool vpnpool 192.168.3.10-192.168.3.25 pdm location 0.0.0.0 255.255.255.0 inside pdm location 0.0.0.0 255.255.255.0 outside pdm location 0.0.0.0 255.255.255.255 outside pdm location 192.168.2.192 255.255.255.224 outside pdm location 192.168.2.3 255.255.255.255 insidepdm location ultra 255.255.255.255 inside pdm location 192.168.3.0 255.255.255.224 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp interface 3389 192.168.2.3 3389 netmask 255.255.255.255 0 0 static (inside,outside) tcp interface www ultra www netmask 255.255.255.255 0 0 static (inside,outside) udp 81.XXX.XXX.XXX 3389 192.168.2.3 3389 netmask 255.255.255.255 0 0 access-group RDP_ACL in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.1 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local aaa authentication telnet console LOCAL aaa authentication match outside_authentication_LOCAL outside LOCAL http server enable http 0.0.0.0 0.0.0.0 outside http 192.168.2.0 255.255.255.0 inside http 192.168.2.249 255.255.255.255 insideno snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmaccrypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20 crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40 crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map client authentication LOCAL crypto map outside_map interface outsideisakmp enable outside isakmp identity address isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 vpngroup vpncc address-pool vpnpool vpngroup vpncc split-tunnel vpncc_splitTunnelAcl vpngroup vpncc idle-time 1800 vpngroup vpncc password ******** telnet 0.0.0.0 255.255.255.0 outside telnet 0.0.0.0 255.255.255.0 inside telnet timeout 60 ssh 0.0.0.0 255.255.255.255 outside ssh timeout 5 management-access outside console timeout 60 vpdn group pppoe_group request dialout pppoe vpdn group pppoe_group localname telcotechcc@ttnet vpdn group pppoe_group ppp authentication papvpdn username XXXXXXX@ttnet password ********* store-local dhcpd address 192.168.2.30-192.168.2.200 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside username XXXXXXXX password XXXXXX encrypted privilege 15 terminal width 80 Cryptochecksum:30df0f140f33bdefeec5c17fcafb36c0 : end [OK] Received on Wed Mar 14 11:46:11 2007 This archive was generated by hypermail 2.1.8 : Wed Mar 14 2007 - 11:46:11 CET |