RE: [cisco-ttl] a Cisco PIX question

From: sustundag_at_secura.com.tr
Date: Fri Nov 05 2004 - 12:16:57 GMT

  • Next message: Gültekin Erdem: "Re: [cisco-ttl] adsl"

    The debug did not come through as an attachment.
    Also, there is one thing I want to point out: an exact copy of access-list 101 must be defined on the Checkpoint at the other end.
     
    If the other side is 4.1, use this:
     
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml
     
    If it is NG, could you base it on this one? I have done it many times without trouble, but I did once hit the following: the tunnel was up, yet no traffic passed.
    On my side I had only added the machine I was testing from to the ACL, while on the France side the whole subnet had been defined, and because of that I could not reach that side. Once I set the ACL on my side to the whole network, the problem went away.
     
     
    But could you expand on "the subnets and enc. domains are the same"? That is, you want to build VPNs from your subnet to two separate sites; do the two networks at the far end use the same subnet? If so, the ACL will always match the first map entry and traffic will never go to the other one.
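
As an added example, not part of the thread or of any Cisco material, the following Python script models the two failure modes described in the reply above: the PIX walks crypto map entries in ascending sequence order and the first crypto ACL hit wins, so two entries whose ACLs cover the same subnets starve the second peer; and IKE phase 2 proxy identities must be exact mirrors, so a host-only local ACE against a whole-subnet remote encryption domain is a mismatch even when phase 1 comes up. The addresses, ACL contents and function names are assumptions made up for illustration; nothing here is the thread's real data.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One 'access-list N permit ip SRC MASK DST MASK' line, as networks."""
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class MapEntry:
    """One 'crypto map NAME SEQ ipsec-isakmp' entry with its 'match address' ACL."""
    seq: int
    peer: str
    acl: tuple


def ace(src, dst):
    return Ace(ip_network(src), ip_network(dst))


def select_map_entry(entries, src_ip, dst_ip):
    """Sequence number of the first crypto map entry whose ACL permits src->dst.

    The PIX walks the entries in ascending sequence order and stops at the
    first ACL hit, so a later entry whose ACL is covered by an earlier one
    never sees traffic, even though it points at a different IKE peer.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for entry in sorted(entries, key=lambda e: e.seq):
        if any(s in a.src and d in a.dst for a in entry.acl):
            return entry.seq
    return None


def shadowed_entries(entries):
    """Sequence numbers of entries whose every ACE is fully covered by an earlier entry."""
    ordered = sorted(entries, key=lambda e: e.seq)
    shadowed = []
    for i, entry in enumerate(ordered):
        earlier = [a for e in ordered[:i] for a in e.acl]
        covered = all(
            any(a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst) for b in earlier)
            for a in entry.acl
        )
        if entry.acl and covered:
            shadowed.append(entry.seq)
    return shadowed


def proxy_mismatches(local_acl, remote_domain):
    """Local ACEs that have no exact mirror in the peer's encryption domain.

    The remote domain is written from the peer's point of view, so the mirror
    of local (src, dst) is remote (dst, src). Phase 2 proxy IDs must match
    exactly: a /32 on one side against a /24 on the other is a mismatch, which
    is how a tunnel can look 'up' while no traffic passes.
    """
    mirrors = {(a.dst, a.src) for a in remote_domain}
    return [a for a in local_acl if (a.src, a.dst) not in mirrors]


# Constructed sample data: RFC 1918 internal nets, RFC 5737 documentation
# addresses for the peers. None of these are the thread's real addresses.
OUR_NET = "10.1.0.0/24"
# Both remote companies happen to use the same internal subnet, as suspected in the thread.
REMOTE_NET = "192.168.5.0/24"

OVERLAPPING = (
    MapEntry(10, "203.0.113.10", (ace(OUR_NET, REMOTE_NET),)),   # like acl 101 -> peer x
    MapEntry(30, "198.51.100.20", (ace(OUR_NET, REMOTE_NET),)),  # like acl 130 -> peer y
)
DISJOINT = (
    MapEntry(10, "203.0.113.10", (ace(OUR_NET, REMOTE_NET),)),
    MapEntry(30, "198.51.100.20", (ace(OUR_NET, "192.168.6.0/24"),)),
)

# Mirror check: the far-side Checkpoint defines its whole subnet towards our whole subnet.
REMOTE_DOMAIN = (ace(REMOTE_NET, OUR_NET),)
LOCAL_HOST_ACL = (ace("10.1.0.5/32", REMOTE_NET),)  # only the test machine: the broken case
LOCAL_NET_ACL = (ace(OUR_NET, REMOTE_NET),)         # whole network: the working case


if __name__ == "__main__":
    print("10.1.0.5 -> 192.168.5.7 hits entry", select_map_entry(OVERLAPPING, "10.1.0.5", "192.168.5.7"))
    print("shadowed entries:", shadowed_entries(OVERLAPPING))
    print("mismatched ACEs, host ACL:", proxy_mismatches(LOCAL_HOST_ACL, REMOTE_DOMAIN))
    print("mismatched ACEs, net ACL: ", proxy_mismatches(LOCAL_NET_ACL, REMOTE_DOMAIN))
```

With the overlapping entries every packet towards 192.168.5.0/24 lands on sequence 10 and peer y never gets a phase 2 negotiation; the only real fixes are distinct destination networks or NAT on one side so the crypto ACLs stop overlapping. The mirror check reproduces the France-side symptom: the /32 local ACE is reported, the whole-network ACE is not.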

    ________________________________

    From: YAVUZ TEMIZKAN [mailto:ytemizkan_at_inteltek.com.tr]
    Sent: Fri 05.11.2004 16:00
    To: cisco-ttl_at_yahoogroups.com
    Subject: RE: [cisco-ttl] a Cisco PIX question

    I am terminating them on two separate CPs belonging to two separate companies. However, their versions are different. The config there has no enc. scheme settings. But the subnets and enc. domains are the same. The error given on cisco.com is also about an enc. domain mismatch..
    The config is below:
     
    access-list 101 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
    access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.0.0
    access-list nonat permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
    access-list 130 permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
    nat (inside) 0 access-list nonat
    nat (intf2) 0 access-list nonat
    traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set aaa esp-des esp-md5-hmac
    crypto ipsec transform-set bbb esp-des esp-md5-hmac
    crypto map bbb 10 ipsec-isakmp
    crypto map bbb 10 match address 101
    crypto map bbb 10 set pfs group2
    crypto map bbb 10 set peer x.x.x.x
    crypto map bbb 10 set transform-set aaa
    crypto map bbb 30 ipsec-isakmp
    crypto map bbb 30 match address 130
    crypto map bbb 30 set peer y.y.y.y
    crypto map bbb 30 set transform-set bbb
    crypto map bbb interface outside
    isakmp enable outside
    isakmp enable intf3
    isakmp key ******** address x.x.x.x netmask 255.255.255.0 no-xauth no-confi
    isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-c
    isakmp keepalive 60 10
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp policy 2 authentication pre-share
    isakmp policy 2 encryption des
    isakmp policy 2 hash sha
    isakmp policy 2 group 1
    isakmp policy 2 lifetime 86400
    isakmp policy 3 authentication pre-share
    isakmp policy 3 encryption des
    isakmp policy 3 hash sha
    isakmp policy 3 group 2
    isakmp policy 3 lifetime 86400
    isakmp policy 4 authentication pre-share
    isakmp policy 4 encryption des
    isakmp policy 4 hash md5
    isakmp policy 4 group 1
    isakmp policy 4 lifetime 86400
     
    The debug output is also attached...
     

            -----Original Message-----
            From: Serkan Ustundag - (G?k ve Ag M?si -Tepum Secura) [mailto:sustundag_at_secura.com.tr]
            Sent: Friday, 5 November 2004 14:35
            To: cisco-ttl_at_yahoogroups.com
            Subject: RE: [cisco-ttl] a Cisco PIX question
            
            
            No, it is not required; of course you can build 2 separate tunnels on the same interface.
            Are you terminating on two separate Checkpoints at the other end, or is there a single CP?
            Actually, if you send the whole VPN configuration including the access-lists, we can help better.

    ________________________________

            From: YAVUZ TEMIZKAN [mailto:ytemizkan_at_inteltek.com.tr]
            Sent: Fri 05.11.2004 14:10
            To: cisco-ttl_at_yahoogroups.com
            Subject: [cisco-ttl] a Cisco PIX question
            
                     Hello,
                     
                    On a PIX, can we bring up 2 separate tunnels from the same interface? I checked the cisco.com page, found an example config and applied it to our firewall.
                     
                    crypto ipsec transform-set aaa esp-des esp-md5-hmac
                    crypto ipsec transform-set bbb esp-des esp-md5-hmac
                    crypto map bbbrules 10 ipsec-isakmp
                    crypto map bbbrules 10 match address 101
                    crypto map bbbrules 10 set pfs group2
                    crypto map bbbrules 10 set peer xxx.xxx.xxx.xxx
                    crypto map bbbrules 10 set transform-set aaa
                    crypto map bbbrules 30 ipsec-isakmp
                    crypto map bbbrules 30 match address 130
                    crypto map bbbrules 30 set peer yyy.yyy.yyy.yyy
                    crypto map bbbrules 30 set transform-set bbb
                    crypto map bbbrules interface outside
                     
                    However, after applying this config, the VPN on entry 10, the higher-privileged one, kept working, but we could not get the other one to work. Moreover, when we restarted the box, this time the first VPN went down as well. When we deleted the definitions for the 2nd VPN it recovered..
                    The device at the other end is a Checkpoint FW. When bringing up tunnels from the same interface, do the transform-sets have to be different?
                     
                    I am also including the PIX's sh ver output:
                     
                    EApixAnkara# sh ver
                    Cisco PIX Firewall Version 6.3(1)
                    Cisco PIX Device Manager Version 3.0(1)

                    Compiled on Wed 19-Mar-03 11:49 by morlee
                    EApixAnkara up 42 mins 39 secs

                    Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
                    Flash E28F128J3 @ 0x300, 16MB
                    BIOS Flash AM29F400B @ 0xfffd8000, 32KB
                    Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
                    0: ethernet0: address is 000d.bd3c.035f, irq 10
                    1: ethernet1: address is 000d.bd3c.0360, irq 11
                    2: ethernet2: address is 0005.5d18.37dc, irq 11
                    3: ethernet3: address is 0005.5d18.37dd, irq 10
                    4: ethernet4: address is 0005.5d18.37de, irq 9
                    5: ethernet5: address is 0005.5d18.37df, irq 5
                    Licensed Features:
                    Failover: Enabled
                    VPN-DES: Enabled
                    VPN-3DES-AES: Disabled
                    Maximum Interfaces: 6
                    Cut-through Proxy: Enabled
                    Guards: Enabled
                    URL-filtering: Enabled
                    Inside Hosts: Unlimited
                    Throughput: Unlimited
                    IKE peers: Unlimited

                    This PIX has an Unrestricted (UR) license.

                    Serial Number: 807320295 (0x301ebae7)
                    Configuration last modified by enable_15 at 12:53:09.597 Turkey Fri Nov 5 2004


            This list has no affiliation with Cisco Systems.
            
            To leave the list, send an e-mail to cisco-ttl-unsubscribe_at_yahoogroups.com.
            

    This archive was generated by hypermail 2.1.5 : Fri Nov 05 2004 - 16:25:58 GMT