[cisco-ttl] Cisco VPN Client cannot reach the LAN from behind a router???

From: Bahadır (bgirtten_at_yahoo.com)
Date: Mon Nov 08 2004 - 11:36:24 GMT


    Greetings.

    I have a problem with the Cisco VPN Client. When I connect over dial-up with VPN Client 4.0.1, which I installed for the user, the connection comes up without problems. Split tunneling is active as well, and on the dial-up connection it works the way I want: packets for the LAN go through the tunnel and packets for the Internet go out unencrypted.

    But at the user's home, connecting from behind a router (with NAT), the VPN Client looks "connected", and even gets its local IP from the "IP pool" I defined on the PIX (?!), yet the user can use the Internet but cannot ping the LAN.

    Let me list the steps I have tried so far:

    1) In the Cisco VPN Client software I tried the "Enable Transparent Tunneling", "IPsec over UDP (NAT/PAT)" and "Enable Local LAN Access" options and all their combinations, without any result.

    2) I looked at the router configuration there to see whether outbound traffic was being blocked, but did not see much. I added a permit entry to the access list for the IP it will get from the PIX, but it did not help.

    3) Interestingly, when connecting with the MS client, the LAN is reachable without problems, and with an IP from the same IP range. So it looks as if there is no restriction on that router (am I wrong?).

    4) When connecting with the Cisco VPN Client using split tunneling, does some other "NAT"-related setting need to be made on the PIX? (Or something I have not thought of: could there be another reason why the VPN Client cannot ping the LAN while the MS client can?)

    5) Does that router need a VPN-related permit entry?

    6) Even though the connection to the PIX is established and an IP is obtained, could a problem have occurred in other phases of the connection? If so, how can I check this?

    This got a bit long, but I am really stuck. I have added the PIX config and the remote side's router config below.

    Best regards to all

    Bahadır Girtten

    ------------------------------------------------------------------------------------------------------------------------------

    ROUTER:

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname SBBB
    !
    enable secret 5 $1$6qbu$1CI0KANSINPXhpf79VAxe/
    !
    ip subnet-zero
    !
    ip dhcp pool murat
       network 192.168.10.0
       default-router 192.168.10.1
       dns-server 212.156.4.6
       lease infinite
    !
    !
    !
    !
    interface Ethernet0
     ip address 192.168.10.1 255.255.255.0
     ip nat inside
     hold-queue 100 out
    !
    interface Ethernet1
     ip address dhcp client-id Ethernet1
     ip nat outside
    !
    ip nat inside source list 1 interface Ethernet1 overload
    ip classless
    no ip http server
    ip pim bidir-enable
    !
    !
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 1 permit 10.0.0.0 0.255.255.255   ! the IP it will get from our network
    !
    line con 0
     exec-timeout 120 0
     stopbits 1
    line vty 0 4
     access-class 1 in
     exec-timeout 120 0
     password 7 *********
     login
    !
    scheduler max-task-time 5000
    end
    ----------------------------------------------------------------------------------------------------------------------------

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security50
    enable password 3NMclkdOUiRVjKPH encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname thpix
    domain-name teknoloji
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    name 213.74.42.35 mail.th.out
    name 10.1.1.4 mail.th.in
    name 10.1.1.9 ftp-web-ts
    name 10.1.1.8 gold-ts
    name 10.1.1.12 Ziya
    name 10.1.1.11 Mehmet
    name 10.1.1.202 Tansel
    name 213.74.42.38 murattestip
    name 10.6.0.202 ukhweb
    name 10.1.1.157 CRM
    name 10.6.0.27 IPS
    name 213.161.154.146 Planet
    name 10.1.1.137 murattest
    name 10.1.1.179 devrim
    name 10.1.1.136 gmsdisbank
    name 172.16.32.12 disbanklocal
    name 172.16.32.0 DISBANK
    name 172.16.32.30 dibankalpar
    object-group service Mail-Srv tcp
      port-object eq pop3
      port-object eq www
      port-object eq smtp
    object-group service ftp-web-ts-Srv tcp
      port-object eq ftp
      port-object eq ftp-data
      port-object range 3389 3389
      port-object eq https
      port-object eq www
      port-object range 8080 8080
      port-object range 1433 1433
    object-group network Admin
      network-object Mehmet 255.255.255.255
      network-object Ziya 255.255.255.255
      network-object Tansel 255.255.255.255
    object-group service http-https tcp
      port-object eq www
      port-object eq https
    object-group service CRM tcp
      description CRM
      port-object eq www
      port-object range 3389 3389
      port-object eq https
      port-object range 6401 6401
    object-group service murtatest tcp
      port-object range 8080 8080
    object-group service ftp tcp
      description disbankgms
      port-object eq ftp-data
      port-object eq ftp
    access-list outside_access_in permit tcp any host mail.th.out object-group Mail-Srv
    access-list outside_access_in permit tcp any host 213.74.42.37 object-group ftp-web-ts-Srv
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit tcp any host murattestip object-group CRM
    access-list outside_access_in permit tcp any host 213.74.42.36 eq 3389
    access-list outside_access_in permit tcp any host 213.74.42.43 object-group http-https
    access-list outside_access_in permit ip host Planet host 213.74.42.45
    access-list inside_outbound_nat0_acl permit ip any 10.1.1.128 255.255.255.128
    access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 DISBANK 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 10.1.3.0 255.255.255.0
    access-list inside_access_in permit ip any any
    access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 DISBANK 255.255.255.0
    access-list outside_cryptomap_20 permit icmp host gmsdisbank host disbanklocal
    access-list outside_cryptomap_20 permit icmp host gmsdisbank host dibankalpar
    access-list Cisco_VPN_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
    access-list outside_cryptomap_dyn_20 permit ip any 10.1.3.0 255.255.255.0
    pager lines 24
    logging on
    icmp deny any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 213.74.42.34 255.255.255.240
    ip address inside 10.1.1.2 255.255.0.0
    ip address intf2 10.10.1.1 255.255.0.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm drop
    ip local pool teknoloji 10.1.1.190-10.1.1.192
    ip local pool Teknoloji_Yeni 10.1.3.1-10.1.3.254
    pdm location Mehmet 255.255.255.255 inside
    pdm location Ziya 255.255.255.255 inside
    pdm location mail.th.in 255.255.255.255 inside
    pdm location mail.th.out 255.255.255.255 outside
    pdm location ftp-web-ts 255.255.255.255 inside
    pdm location gold-ts 255.255.255.255 inside
    pdm location Tansel 255.255.255.255 inside
    pdm location murattestip 255.255.255.255 outside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 10.6.0.0 255.255.255.0 inside
    pdm location ukhweb 255.255.255.255 inside
    pdm location 10.1.1.121 255.255.255.255 inside
    pdm location 10.1.1.128 255.255.255.128 outside
    pdm location 10.1.1.118 255.255.255.255 inside
    pdm location 10.1.1.118 255.255.255.255 outside
    pdm location CRM 255.255.255.255 inside
    pdm location IPS 255.255.255.255 inside
    pdm location Planet 255.255.255.255 outside
    pdm location murattest 255.255.255.255 inside
    pdm location 10.1.0.0 255.255.0.0 inside
    pdm location devrim 255.255.255.255 outside
    pdm location gmsdisbank 255.255.255.255 inside
    pdm location disbanklocal 255.255.255.255 outside
    pdm location DISBANK 255.255.255.0 outside
    pdm location dibankalpar 255.255.255.255 outside
    pdm location 10.1.3.0 255.255.255.0 outside
    pdm group Admin inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) mail.th.out mail.th.in netmask 255.255.255.255 0 0
    static (inside,outside) 213.74.42.37 ftp-web-ts netmask 255.255.255.255 0 0
    static (inside,outside) 213.74.42.36 gold-ts netmask 255.255.255.255 0 0
    static (inside,outside) murattestip CRM netmask 255.255.255.255 0 0
    static (inside,outside) 213.74.42.43 ukhweb netmask 255.255.255.255 0 0
    static (inside,outside) 213.74.42.45 IPS netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 213.74.42.33 1
    route inside 10.6.0.0 255.255.255.0 10.1.1.1 1
    route inside 192.168.1.0 255.255.255.0 10.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    url-server (inside) vendor websense host 10.1.1.118 timeout 30 protocol TCP version 1
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    http server enable
    http Mehmet 255.255.255.255 inside
    http Ziya 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection tcpmss 0
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 213.243.63.129
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 213.243.63.129 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Cisco_VPN address-pool Teknoloji_Yeni
    vpngroup Cisco_VPN dns-server 10.1.1.7
    vpngroup Cisco_VPN default-domain teknoloji.local
    vpngroup Cisco_VPN split-tunnel Cisco_VPN_splitTunnelAcl
    vpngroup Cisco_VPN idle-time 1800
    vpngroup Cisco_VPN password ********
    telnet Mehmet 255.255.255.255 inside
    telnet Ziya 255.255.255.255 inside
    telnet 10.1.1.121 255.255.255.255 inside
    telnet timeout 5
    ssh Mehmet 255.255.255.255 inside
    ssh Ziya 255.255.255.255 inside
    ssh 10.1.1.121 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    vpdn group PPTP-VPDN-GROUP accept dialin pptp
    vpdn group PPTP-VPDN-GROUP client configuration address local teknoloji
    vpdn group PPTP-VPDN-GROUP client configuration dns 10.1.1.7 213.74.4.131
    vpdn group PPTP-VPDN-GROUP pptp echo 60
    vpdn group PPTP-VPDN-GROUP client authentication local
    vpdn username ttronics password *********
    vpdn enable outside
    username ttronics password NxE.zqnXeufc60NG encrypted privilege 3
    username omer password 2YWQbIURhlsZiSEv encrypted privilege 15
    username bahadir password tUyjU1jkmzRjDAXW encrypted privilege 3
    username bgirtten password X6p0gNgTORjgLlyO encrypted privilege 15
    username suat password iFYviUGOXgYSawtL encrypted privilege 15
    username cuneyt password O2p.xbNzv8SbFFt4 encrypted privilege 3
    username ersin password 0tFwfHNn4.l.DSBo encrypted privilege 15
    username emin password poOfvGRGbu.aXoiy encrypted privilege 15
    username mehmet password IqgmOjuZetR2QZy. encrypted privilege 15
    username hakan password oMB1ORmpWnV6s/b8 encrypted privilege 15
    url-block url-mempool 5000
    url-block url-size 4
    terminal width 80
    Cryptochecksum:5bda006ae5aea871dc48334c971a1adb
    : end

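As an added example (not part of Bahadır's post, and not a Cisco tool): a small Python script that parses the VPN-related lines of a PIX 6.x configuration like the one above and checks the four things a Cisco VPN Client behind a NAT router depends on. It verifies that the client address pool is exempt from NAT (the nat 0 ACL), that the pool is matched by the dynamic crypto map's ACL, that the PIX inside network is covered by the split-tunnel ACL, and that "isakmp nat-traversal" is configured (PIX 6.3 supports NAT-Traversal, but it is off unless that command is present). SAMPLE_CONFIG is a constructed excerpt modelled on the posted PIX config; the function names are mine.

```python
"""Sanity checks for a PIX 6.x remote-access (Cisco VPN Client) configuration.

Added example, not code from the original post. It parses the VPN-related lines
of a PIX 6.x config and answers four questions a client behind a NAT router
depends on:
  1. Is the client address pool exempt from NAT (nat (inside) 0 access-list)?
  2. Is the pool matched by the dynamic crypto map's ACL?
  3. Does the split-tunnel ACL include the PIX inside network?
  4. Is "isakmp nat-traversal" configured? (Available in PIX 6.3, off by default.)
SAMPLE_CONFIG is a constructed excerpt modelled on the posted PIX config.
"""
import ipaddress

SAMPLE_CONFIG = """\
name 172.16.32.0 DISBANK
access-list inside_outbound_nat0_acl permit ip any 10.1.1.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 DISBANK 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.3.0 255.255.255.0
access-list Cisco_VPN_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
access-list outside_cryptomap_dyn_20 permit ip any 10.1.3.0 255.255.255.0
ip address inside 10.1.1.2 255.255.0.0
ip local pool Teknoloji_Yeni 10.1.3.1-10.1.3.254
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup Cisco_VPN address-pool Teknoloji_Yeni
vpngroup Cisco_VPN split-tunnel Cisco_VPN_splitTunnelAcl
"""


def parse_config(text):
    """Collect name aliases, ACL permit entries, address pools and VPN settings."""
    names, acls, pools, cfg = {}, {}, {}, {"nat_traversal": False}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                        # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            acls.setdefault(t[1], []).append(t[3:])
        elif t[:3] == ["ip", "local", "pool"]:    # ip local pool <name> <first>-<last>
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside_net"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["crypto", "dynamic-map"] and "address" in t:
            cfg["dyn_acl"] = t[t.index("address") + 1]
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            cfg["pool"] = t[3]
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split_acl"] = t[3]
        elif t[:2] == ["isakmp", "nat-traversal"]:
            cfg["nat_traversal"] = True
    return names, acls, pools, cfg


def _addr_spec(tokens, names):
    """Consume one PIX address spec (any | host X | X MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])     # resolve "name" aliases such as DISBANK
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def acl_entries(entries, names):
    """Yield (protocol, src_net, dst_net) for the 'permit' entries of one ACL."""
    for tokens in entries:
        src, rest = _addr_spec(tokens[1:], names)
        dst, _ = _addr_spec(rest, names)       # trailing ports/object-groups are ignored
        yield tokens[0], src, dst


def pool_covered(pool, entries, names):
    """True if some 'permit ip' entry's destination contains the whole pool range."""
    first, last = pool
    return any(proto == "ip" and first in dst and last in dst
               for proto, _, dst in acl_entries(entries, names))


def check_vpn_config(text):
    """Run the four checks and return them as a dict of booleans."""
    names, acls, pools, cfg = parse_config(text)
    pool = pools[cfg["pool"]]
    split = acl_entries(acls.get(cfg.get("split_acl"), []), names)
    return {
        "pool_nat_exempt": pool_covered(pool, acls.get(cfg.get("nat0_acl"), []), names),
        "pool_in_dynamic_map": pool_covered(pool, acls.get(cfg.get("dyn_acl"), []), names),
        "inside_in_split_tunnel": any(p == "ip" and cfg["inside_net"].subnet_of(src)
                                      for p, src, _ in split),
        "nat_traversal_enabled": cfg["nat_traversal"],
    }


if __name__ == "__main__":
    for check, ok in check_vpn_config(SAMPLE_CONFIG).items():
        print(f"{'OK     ' if ok else 'MISSING'}  {check}")
```

Run against the excerpt of the posted configuration, the first three checks pass and only the NAT-Traversal check is reported as missing. That is the one setting that matters only when a NAT device sits between the client and the PIX, which is exactly the difference between the working dial-up case and the failing home-router case, so it is the first thing worth comparing; the parser also accepts the full "show run" output, since it skips lines it does not recognise.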



    This archive was generated by hypermail 2.1.5 : Mon Nov 08 2004 - 15:37:14 GMT