RE: [cisco-ttl] a Cisco PIX question

From: YAVUZ TEMIZKAN (ytemizkan_at_inteltek.com.tr)
Date: Fri Nov 05 2004 - 12:00:20 GMT

  • Next message: sustundag_at_secura.com.tr: "RE: [cisco-ttl] a Cisco PIX question"

    I am terminating them on two separate CPs belonging to two separate companies. But their versions are different. The config there has no enc.schemes settings. But the subnets and the enc.domains are the same. The error given on Cisco.com is also related to an enc.domain mismatch..
    The config is below:
     
    access-list 101 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
    access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.0.0
    access-list nonat permit ip y.y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
    access-list 130 permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
    nat (inside) 0 access-list nonat
    nat (intf2) 0 access-list nonat
    traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set aaa esp-des esp-md5-hmac
    crypto ipsec transform-set bbb esp-des esp-md5-hmac
    crypto map bbb 10 ipsec-isakmp
    crypto map bbb 10 match address 101
    crypto map bbb 10 set pfs group2
    crypto map bbb 10 set peer x.x.x.x
    crypto map bbb 10 set transform-set rtptac
    crypto map bbb 30 ipsec-isakmp
    crypto map bbb 30 match address 130
    crypto map bbb 30 set peer y.y.y.y
    crypto map bbb 30 set transform-set tempotac
    crypto map bbb interface outside
    isakmp enable outside
    isakmp enable intf3
    isakmp key ******** address x.x.x.x netmask 255.255.255.0 no-xauth no-confi
    isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-c
    isakmp keepalive 60 10
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp policy 2 authentication pre-share
    isakmp policy 2 encryption des
    isakmp policy 2 hash sha
    isakmp policy 2 group 1
    isakmp policy 2 lifetime 86400
    isakmp policy 3 authentication pre-share
    isakmp policy 3 encryption des
    isakmp policy 3 hash sha
    isakmp policy 3 group 2
    isakmp policy 3 lifetime 86400
    isakmp policy 4 authentication pre-share
    isakmp policy 4 encryption des
    isakmp policy 4 hash md5
    isakmp policy 4 group 1
    isakmp policy 4 lifetime 86400
     
    The debug output is also attached...

            -----Original Message-----
            From: Serkan Ustundag - (Security and Network Engineer - Tepum Secura) [mailto:sustundag_at_secura.com.tr]
            Sent: Friday, 05 November 2004 14:35
            To: cisco-ttl_at_yahoogroups.com
            Subject: RE: [cisco-ttl] a Cisco PIX question

            No, it is not required; of course you can set up 2 separate tunnels on the same interface.
            Are you terminating on two separate Checkpoints on the far side, or is there a single CP?
            Actually, if you send the whole VPN configuration including the access-lists, we can help better.

      _____

            From: YAVUZ TEMIZKAN [mailto:ytemizkan_at_inteltek.com.tr]
            Sent: Fri 05.11.2004 14:10
            To: cisco-ttl_at_yahoogroups.com
            Subject: [cisco-ttl] a Cisco PIX question

                     Hello,

                    On a PIX, can we bring up 2 separate tunnels from the same interface? I checked the cisco.com page, found an example config. and applied it to our fw.
                     
                    crypto ipsec transform-set aaa esp-des esp-md5-hmac
                    crypto ipsec transform-set bbb esp-des esp-md5-hmac
                    crypto map bbbrules 10 ipsec-isakmp
                    crypto map bbbrules 10 match address 101
                    crypto map bbbrules 10 set pfs group2
                    crypto map bbbrules 10 set peer xxx.xxx.xxx.xxx
                    crypto map bbbrules 10 set transform-set aaa
                    crypto map bbbrules 30 ipsec-isakmp
                    crypto map bbbrules 30 match address 130
                    crypto map bbbrules 30 set peer yyy.yyy.yyy.yyy
                    crypto map bbbrules 30 set transform-set bbb
                    crypto map bbbrules interface outside
                     
                    However, after applying this config, the sequence-10 (higher-priority) VPN kept working, but we could not get the other one working. What's more, when we restarted the box, this time the first VPN went down as well. When we deleted the definitions for the 2nd VPN, it recovered..
                    The device on the other side is a Checkpoint FW. When bringing up tunnels from the same interface, do the transform-sets have to be different?

                    I am also giving the PIX's sh ver output:
                     
                    EApixAnkara# sh ver

                    Cisco PIX Firewall Version 6.3(1)
                    Cisco PIX Device Manager Version 3.0(1)

                    Compiled on Wed 19-Mar-03 11:49 by morlee
                    EApixAnkara up 42 mins 39 secs

                    Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
                    Flash E28F128J3 @ 0x300, 16MB
                    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
                    Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
                    0: ethernet0: address is 000d.bd3c.035f, irq 10
                    1: ethernet1: address is 000d.bd3c.0360, irq 11
                    2: ethernet2: address is 0005.5d18.37dc, irq 11
                    3: ethernet3: address is 0005.5d18.37dd, irq 10
                    4: ethernet4: address is 0005.5d18.37de, irq 9
                    5: ethernet5: address is 0005.5d18.37df, irq 5

                    Licensed Features:
                    Failover: Enabled
                    VPN-DES: Enabled
                    VPN-3DES-AES: Disabled
                    Maximum Interfaces: 6
                    Cut-through Proxy: Enabled
                    Guards: Enabled
                    URL-filtering: Enabled
                    Inside Hosts: Unlimited
                    Throughput: Unlimited
                    IKE peers: Unlimited

                    This PIX has an Unrestricted (UR) license.

                    Serial Number: 807320295 (0x301ebae7)

                    Configuration last modified by enable_15 at 12:53:09.597 Turkey Fri Nov 5 2004

                     

                     

                     
                     



            This list has no affiliation with Cisco Systems.

    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    ISADB: reaper checking SA 0xfb0364, conn_id = 0
    ISADB: reaper checking SA 0xfad32c, conn_id = 0
    ISADB: reaper checking SA 0x11d4c44, conn_id = 0 DELETE IT!
    VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt decremented to:0 Total VPN Peers:3
    VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.x/500 Total VPN peers:2
    ISADB: reaper checking SA 0xfb0364, conn_id = 0
    ISADB: reaper checking SA 0xfad32c, conn_id = 0
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0
    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload
    ISAKMP (0): processing vendor id payload
    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP (0): ID payload
          next-payload : 8
          type : 2
          protocol : 17
          port : 500
          length : 35
    ISAKMP (0): Total payload length: 39
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x/500 Total VPN Peers:3
    VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:1 Total VPN Peers:3
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 2975269246
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: encaps is 1
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: encaps is 1
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 3, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: encaps is 1
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 4, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: encaps is 1
    ISAKMP (0): atts are acceptable.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 1439012485
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: encaps is 1
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: encaps is 1
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 3, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: encaps is 1
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 4, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: encaps is 1
    ISAKMP (0): atts are acceptable.
    ISAKMP: IPSec policy invalidated proposal
    ISAKMP : Checking IPSec proposal 2
    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP: encaps is 61440
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP: encaps is 61440
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 3, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block:src:x.x.x.x, dest:PIX spt:500 dpt:500
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

    EApixAnkara#

    EApixAnkara# sh isa sa

    Total     : 3
    Embryonic : 0

            dst          src          state    pending  created
            PIX          Checkpoint1  QM_IDLE  0        3
            Checkpoint3  PIX          QM_IDLE  0        6
            PIX          x.x.x.x      QM_IDLE  0        0
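Added example, not code from the thread or from Cisco: a small parser over the `debug crypto isakmp` output attached above. It records which phase-1 transform the peer offered matched which `isakmp policy`, decodes the `life duration (VPI)` byte strings into seconds (`0x0 0x1 0x51 0x80` is 86400 s, `0x0 0x0 0xe 0x10` is 3600 s), and reports the phase-2 outcome, in particular the "atts are acceptable" followed by "IPSec policy invalidated proposal" sequence: the proposal's attributes matched a transform-set, but the crypto map policy then rejected it. `DEBUG_OUTPUT` is a constructed excerpt of the attached output (two of the six phase-1 transforms, proposal 1 with two of its four transforms, the start of proposal 2; the `life type` and `attributes in transform` lines are omitted). All function names are mine.

```python
import re

# DEBUG_OUTPUT is a constructed excerpt of the `debug crypto isakmp` output
# attached to the post (not the full capture; some repeated lines dropped).
DEBUG_OUTPUT = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 4, ESP_DES
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 61440
ISAKMP (0): atts not acceptable. Next payload is 3
"""

# attribute line prefix -> key in the transform dict (longest prefixes first)
ATTRS = {"authenticator is": "auth", "encaps is": "encaps", "default group": "group",
         "keylength of": "keylength", "encryption": "encryption", "hash": "hash", "auth": "auth"}
ATTR_RE = re.compile(r"ISAKMP: (%s) (\S+)$" % "|".join(re.escape(k) for k in ATTRS))
P1_RE = re.compile(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy")
P2_RE = re.compile(r"ISAKMP : Checking IPSec proposal (\d+)")
XF_RE = re.compile(r"ISAKMP: transform (\d+), (\S+)$")


def vpi_seconds(vpi):
    """'0x0 0x1 0x51 0x80' (big-endian bytes of the life duration) -> 86400."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")


def parse_isakmp_debug(text):
    """Return {'phase1': [transform dicts], 'phase2': [proposal dicts]}."""
    phase1, phase2, cur = [], [], None        # cur: the transform being described
    for line in text.splitlines():
        line = line.strip()
        if m := P1_RE.match(line):
            cur = {"transform": int(m[1]), "policy": int(m[2]), "accepted": False}
            phase1.append(cur)
        elif m := P2_RE.match(line):
            phase2.append({"proposal": int(m[1]), "transforms": [], "invalidated": False})
            cur = None
        elif m := XF_RE.match(line):
            cur = {"transform": int(m[1]), "esp": m[2], "accepted": False}
            phase2[-1]["transforms"].append(cur)
        elif cur is not None and (m := ATTR_RE.match(line)):
            cur[ATTRS[m[1]]] = m[2]
        elif cur is not None and (m := re.search(r"life duration \(VPI\) of (.+)$", line)):
            cur["lifetime"] = vpi_seconds(m[1])
        elif cur is not None and re.search(r"atts (?:are )?acceptable", line):
            cur["accepted"] = True              # "not acceptable" does not match this
        elif phase2 and "IPSec policy invalidated proposal" in line:
            phase2[-1]["invalidated"] = True
    return {"phase1": phase1, "phase2": phase2}


def explain(summary):
    """One-line reading of the negotiation, phase 1 first, then phase 2."""
    p1 = [t for t in summary["phase1"] if t["accepted"]]
    if not p1:
        return "phase 1 failed: no offered transform matched any isakmp policy"
    t = p1[0]
    head = (f"phase 1 ok: transform {t['transform']} ({t['encryption']}/{t['hash']}/"
            f"group {t['group']}, {t['lifetime']}s) matched policy {t['policy']}; ")
    for p in summary["phase2"]:
        ok = [x for x in p["transforms"] if x["accepted"]]
        if ok and p["invalidated"]:
            x = ok[0]
            return head + (f"phase 2 failed: proposal {p['proposal']} transform {x['transform']} "
                           f"({x['esp']}/{x['auth']}, {x['lifetime']}s) matched a transform-set but "
                           "was rejected by crypto map policy (typically the peer's proxy identities, "
                           "its encryption domain, do not match the crypto ACL for that peer)")
        if ok:
            return head + f"phase 2 ok: proposal {p['proposal']} transform {ok[0]['transform']}"
    return head + "phase 2 failed: no proposal matched a transform-set and encapsulation mode"


if __name__ == "__main__":
    print(explain(parse_isakmp_debug(DEBUG_OUTPUT)))
```

Two more things can be read off the full capture with the same parser. The peer offers AES-256 and 3DES before DES in phase 1 and 3DES before DES in phase 2, and the PIX only accepts the DES transforms; that is consistent with the `VPN-3DES-AES: Disabled` line in the `sh ver` output, and single DES offers no meaningful protection today. Proposal 2 differs from proposal 1 only in `encaps is 61440`, a private-use encapsulation mode value (the peer announced NAT-T support in phase 1), which the PIX rejects on every transform.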

     


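Added example, not code from the thread or from Cisco: a consistency check over the crypto-map part of the posted PIX 6.3 configuration. It reads the `transform-set`, `access-list`, `isakmp key` and `crypto map` lines and reports a crypto map entry whose `set transform-set` names a transform-set that is never defined, a `match address` whose ACL has no lines, a peer with no `isakmp key`, and a pre-shared key whose netmask is not 255.255.255.255. As pasted, the config defines transform-sets `aaa` and `bbb` but the two map entries reference `rtptac` and `tempotac` (the version in the original question used `aaa` and `bbb`), and the key for the first peer is set with `netmask 255.255.255.0`, which makes the same PSK valid for any address in that /24. `PIX_CONFIG` is a constructed copy of the posted lines with the placeholder addresses kept and the truncated `isakmp key` options shortened; the function names are mine.

```python
import re

# PIX_CONFIG is a constructed copy of the crypto-relevant lines the poster
# pasted (same x.x.x.x / y.y.y.y placeholders, trailing isakmp-key options
# shortened). It is sample input for the check, not a recommended config.
PIX_CONFIG = """\
access-list 101 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.0.0
access-list nonat permit ip y.y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
access-list 130 permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set aaa esp-des esp-md5-hmac
crypto ipsec transform-set bbb esp-des esp-md5-hmac
crypto map bbb 10 ipsec-isakmp
crypto map bbb 10 match address 101
crypto map bbb 10 set pfs group2
crypto map bbb 10 set peer x.x.x.x
crypto map bbb 10 set transform-set rtptac
crypto map bbb 30 ipsec-isakmp
crypto map bbb 30 match address 130
crypto map bbb 30 set peer y.y.y.y
crypto map bbb 30 set transform-set tempotac
crypto map bbb interface outside
isakmp key ******** address x.x.x.x netmask 255.255.255.0 no-xauth
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth
"""

HOST_MASK = "255.255.255.255"
MAP_ENTRY_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")


def parse_crypto_config(config):
    """Collect the objects a crypto map entry can refer to, plus the entries themselves."""
    transform_sets, acls, psk_masks, entries = set(), set(), {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"access-list (\S+)\s", line):
            acls.add(m.group(1))
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)", line):
            psk_masks[m.group(1)] = m.group(2)          # peer address -> netmask
        elif m := MAP_ENTRY_RE.match(line):
            key = (m.group(1), int(m.group(2)))            # (map name, sequence)
            entries.setdefault(key, {})[m.group(3)] = m.group(4)
    return transform_sets, acls, psk_masks, entries


def lint_crypto_config(config):
    """Return one finding per dangling reference or wildcard PSK; [] when clean."""
    transform_sets, acls, psk_masks, entries = parse_crypto_config(config)
    findings = []
    for (cmap, seq), attrs in sorted(entries.items()):
        where = f"crypto map {cmap} {seq}"
        ts = attrs.get("set transform-set")
        if ts is None:
            findings.append(f"{where}: no transform-set")
        elif ts not in transform_sets:
            findings.append(f"{where}: transform-set '{ts}' is not defined "
                            f"(defined: {', '.join(sorted(transform_sets))})")
        acl = attrs.get("match address")
        if acl is None:
            findings.append(f"{where}: no 'match address' (no crypto ACL)")
        elif acl not in acls:
            findings.append(f"{where}: crypto ACL '{acl}' has no access-list lines")
        peer = attrs.get("set peer")
        if peer is None:
            findings.append(f"{where}: no peer")
        elif peer not in psk_masks:                        # exact-address lookup only
            findings.append(f"{where}: no isakmp key for peer {peer}")
        elif psk_masks[peer] != HOST_MASK:
            findings.append(f"{where}: isakmp key for {peer} has netmask {psk_masks[peer]}, "
                            "so any address in that range authenticates with the same PSK")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_config(PIX_CONFIG) or ["no findings"]:
        print(finding)
```

The check is deliberately syntactic: it does not know whether `rtptac` is a sanitisation artefact or a real typo, only that nothing in the pasted text defines it, and it looks up pre-shared keys by exact address, so a key that covers a peer only through a wider netmask shows up as the wildcard finding rather than as a match.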

    This archive was generated by hypermail 2.1.5 : Fri Nov 05 2004 - 16:01:40 GMT