RE: [cisco-ttl] Pix-PPTP Config

From: Oguzhan Kayhan (oguzhan.kayhan_at_barmek.az)
Date: Sat Feb 26 2005 - 14:37:36 EET


I think I found what I was missing.

To try it out, I added the following lines

 

access-list vpn permit ip any 172.16.5.0 255.255.255.0

access-list vpn permit ip 172.16.5.0 255.255.255.0 any

and

nat (inside) 1 access-list vpn 0 0

 

This time I started getting the error 2005-02-26 16:22:33 Cron.Error 192.168.10.1 %PIX-3-106011: Deny inbound (No xlate) icmp src inside:192.168.10.34 dst inside:172.16.5.1 (type 8, code 0).

From: Oguzhan Kayhan
Sent: Saturday, February 26, 2005 4:24 PM
To: cisco-ttl_at_yahoogroups.com
Subject: [Possible SPAM] - [cisco-ttl] Pix-PPTP Config - Email found in subject

 

Hi.
I'm trying to make a PPTP connection to the PIX from outside.
The Windows clients from outside authenticate (I do it through the domain
with Cisco ACS).
They get their VPN IP and connect.
Up to this point there is no problem at all.
But after this stage they can't reach anywhere.

And in the logs I get the following error

2005-02-26 15:50:58 Cron.Error 192.168.10.1 %PIX-3-305005:
No translation group found for icmp src outside:172.16.5.1 dst
inside:192.168.10.8 (type 8, code 0)

I'm also sending my config file. What am I missing?

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
.
.
.
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
.
.
.
.
access-list unsecure permit icmp any any
access-list unsecure permit gre any any
access-list unsecure permit tcp any host Test_External eq www
access-list unsecure permit tcp any host Test_External eq https
access-list unsecure permit tcp any host Mail_External eq smtp
access-list unsecure permit tcp any host Mail_External eq https
access-list unsecure permit tcp any host Web_External eq www
access-list unsecure permit tcp any host Web_External eq https
.
.
access-list DMZ permit icmp any any echo-reply
access-list DMZ permit tcp any host Test_Internal eq www
access-list DMZ permit tcp any host Web_Internal eq www
access-list DMZ permit tcp any host Web_Internal eq https
access-list DMZ permit tcp any host Test_Internal eq https
access-list DMZ permit tcp any host 10.10.10.50 eq https
access-list DMZ permit tcp any host 10.10.10.51 eq https
access-list DMZ permit tcp any host 10.10.10.51 eq www
access-list DMZ permit tcp any host 10.10.10.50 eq www
access-list DMZ permit tcp any host 10.10.10.53 eq sqlnet
.
.
.
logging on
logging trap debugging
logging facility 9
logging host inside Ras_Internal
no logging message 111005
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 217.64.18.34 255.255.255.224
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name ids attack action alarm drop reset
ip audit info action alarm
ip audit attack action alarm drop
static (inside,outside) Murat_External Murat_Internal netmask 255.255.255.255 0 0
static (inside,outside) Proxy_External Proxy_Internal netmask 255.255.255.255 0 0
static (inside,outside) Test_External Test_Internal netmask 255.255.255.255 0 0
.
.
.
.
access-group unsecure in interface outside
access-group DMZ in interface DMZ
outbound 1 deny 0.0.0.0 0.0.0.0 0 ip
outbound 1 permit 192.168.10.8 255.255.255.255 0 ip
outbound 1 permit 192.168.10.33 255.255.255.255 0 ip
outbound 1 permit 192.168.10.5 255.255.255.255 0 ip
outbound 1 permit Ras_Internal 255.255.255.255 0 ip
.
.
.
.
apply (inside) 1 outgoing_src
route outside 0.0.0.0 0.0.0.0 217.64.18.33 1
route DMZ 192.1.1.0 255.255.255.0 10.10.10.5 1
route inside 192.168.0.0 255.255.0.0 192.168.10.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 192.168.10.8 test timeout 5
sysopt connection permit-pptp
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.10.8
vpdn group 1 client configuration wins Proxy_Internal
vpdn group 1 client authentication aaa AuthInbound
vpdn group 1 pptp echo 60
vpdn enable outside
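As an added example (not code from the thread), here is a small Python triage script for the two PIX syslog messages quoted above, %PIX-3-305005 and %PIX-3-106011: it pulls out the interface:address pairs, notes which endpoint falls inside the PPTP client pool and whether the PIX resolved source and destination to the same interface. It assumes the pool is 172.16.5.0/24, as the `vpn` access-list in the reply suggests; the message ids and the two log lines are taken from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The two syslog lines quoted in the thread (used here as sample input).
SAMPLE_LOGS = [
    "2005-02-26 15:50:58 Cron.Error 192.168.10.1 %PIX-3-305005: No translation group found "
    "for icmp src outside:172.16.5.1 dst inside:192.168.10.8 (type 8, code 0)",
    "2005-02-26 16:22:33 Cron.Error 192.168.10.1 %PIX-3-106011: Deny inbound (No xlate) "
    "icmp src inside:192.168.10.34 dst inside:172.16.5.1 (type 8, code 0)",
]
# Assumption: the PPTP client pool is 172.16.5.0/24, as the 'vpn' access-list suggests.
PPTP_POOL = ipaddress.ip_network("172.16.5.0/24")
XLATE_MSGIDS = {"305005", "106011"}  # PIX 6.x messages that mean "no xlate for this flow"
PIX_RE = re.compile(
    r"%PIX-\d-(?P<msgid>\d{6}):.*?\b(?:icmp|tcp|udp)\s+"
    r"src\s+(?P<sif>\w+):(?P<sip>[\d.]+)(?:/\d+)?\s+dst\s+(?P<dif>\w+):(?P<dip>[\d.]+)(?:/\d+)?"
)

@dataclass
class XlateFailure:
    msgid: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    pool_endpoint: Optional[str]  # endpoint address inside the PPTP pool, if any
    same_interface: bool          # PIX resolved src and dst to the same interface

def parse_xlate_failure(line: str, pool=PPTP_POOL) -> Optional[XlateFailure]:
    """Structured record for a 305005/106011 line; None for any other message."""
    m = PIX_RE.search(line)
    if not m or m["msgid"] not in XLATE_MSGIDS:
        return None
    pool_ep = next((ip for ip in (m["sip"], m["dip"]) if ipaddress.ip_address(ip) in pool), None)
    return XlateFailure(m["msgid"], m["sif"], m["sip"], m["dif"], m["dip"], pool_ep, m["sif"] == m["dif"])

def triage(lines: List[str], pool=PPTP_POOL) -> List[str]:
    """One finding per xlate failure, worded for whoever is reading the PIX log."""
    out = []
    for f in filter(None, (parse_xlate_failure(line, pool) for line in lines)):
        if f.same_interface:
            out.append(f"{f.msgid}: {f.dst_ip} resolved to '{f.dst_if}', same as the source; check which interface the PIX routes the pool network to")
        elif f.pool_endpoint:
            out.append(f"{f.msgid}: pool client {f.pool_endpoint} <-> {f.dst_if}:{f.dst_ip} has no xlate; traffic crossing from the lower-security side needs a static or nat 0 exemption")
        else:
            out.append(f"{f.msgid}: {f.src_if}:{f.src_ip} -> {f.dst_if}:{f.dst_ip} has no xlate")
    return out
```

Feed it the output of `show logging` (or the syslog file on Ras_Internal) line by line; the 106011 line from the second message is the one that comes out flagged as same-interface.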

This list has no affiliation with Cisco Systems.

To leave the list, you can send an e-mail to cisco-ttl-unsubscribe_at_yahoogroups.com.
This archive was generated by hypermail 2.1.3 : Sun Feb 27 2005 - 02:35:18 EET