Re: [cisco-ttl] Fully working PIX and PPTP config

From: Mesut Canbolat (cmesut_at_yahoo.com)
Date: Mon Mar 07 2005 - 10:47:19 EET


Hello Oguzhan Bey,
I am sending the config that is running here, exactly as you asked for...
Go through it carefully and adapt it to your own setup right away...
Good luck... I'd be glad if I have been of help...
------------------------------------------------------------------
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.65.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.99.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.98.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.98.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 192.168.70.0 255.255.255.248

access-list outside_cryptomap_dyn_20 permit ip any 192.168.98.0 255.255.255.0
access-list vpn_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0 any
access-list vpn_splitTunnelAcl permit ip 192.168.6.0 255.255.255.0 any
access-list vpn_splitTunnelAcl permit ip 192.168.7.0 255.255.255.0 any
access-list vpn_splitTunnelAcl permit ip 192.168.98.0 255.255.255.0 any
access-list vpn2_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0 any
access-list vpn2_splitTunnelAcl permit ip 192.168.6.0 255.255.255.0 any
access-list vpn2_splitTunnelAcl permit ip 192.168.7.0 255.255.255.0 any
access-list vpn2_splitTunnelAcl permit ip 192.168.98.0 255.255.255.0 any

ip address outside 213.xxx.xxx.196 255.255.255.240
ip address inside 192.168.5.2 255.255.255.0

ip local pool PptPool 192.168.99.1-192.168.99.254
ip local pool VpnPool 192.168.98.1-192.168.98.254

global (outside) 1 213.xxx.xxx.203-213.xxx.xxx.206
global (outside) 1 213.xxx.xxx.202
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.xxx.xxx.193 1

sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption des
isakmp policy 60 hash sha
isakmp policy 60 group 1
isakmp policy 60 lifetime 86400
vpngroup vpn address-pool VpnPool
vpngroup vpn dns-server 192.168.5.7
vpngroup vpn wins-server 192.168.5.7
vpngroup vpn split-tunnel vpn_splitTunnelAcl
vpngroup vpn idle-time 1800
vpngroup vpn password ********
vpngroup vpn2 address-pool VpnPool
vpngroup vpn2 dns-server 192.168.5.7
vpngroup vpn2 wins-server 192.168.5.7
vpngroup vpn2 split-tunnel vpn2_splitTunnelAcl
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password ********

vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local PptPool
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.5.7
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.5.7
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username pptp password *********
vpdn username pptp2 password *********
vpdn enable outside
-----------------------------------------------------------------------------------

Monday, March 7, 2005, 8:00:44 AM, you wrote:

> Hi.

> I finally got the clients connecting via PPTP through PIX 6.3(4).

> I have no problem reaching the internal network either.

> However, with the clients connecting via VPN I can only reach the machines
> to which I have given permission to go out from inside via outbound.

> What do I need to do to be able to reach the whole network?

> Another thing I am wondering about is how these PPTP clients coming from
> outside can have both their local connection and their internet
> connection.

> How can I give them permission to go out to the internet through the PIX?

> I am sending the config below.

> Also, can I use 7200 or 5300 series routers for PPTP?

> Thanks.

> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ security50
> ...........
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> no fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol pptp 1723
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> ......................
> access-list unsecure permit icmp any any
> access-list unsecure permit gre any any
> .......................
> access-list unsecure permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.0.0
> access-list unsecure permit ip 192.168.0.0 255.255.0.0 10.100.100.0 255.255.255.0
> access-list 101 permit ip 192.168.0.0 255.255.0.0 10.100.100.0 255.255.255.0
> pager lines 24
> logging on
> logging trap debugging
> logging facility 9
> logging host inside Ras_Internal
> no logging message 111005
> mtu outside 1500
> mtu inside 1500
> mtu DMZ 1500
> ip address outside xxx.xxx.xxx.xxx
> ip address inside 192.168.10.1 255.255.255.0
> ip address DMZ 10.10.10.1 255.255.255.0
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> ip audit name ids attack action alarm drop reset
> ip audit info action alarm
> ip audit attack action alarm drop
> ip local pool pptp-pool 10.100.100.1-10.100.100.250
> pdm history enable
> arp timeout 14400
> global (outside) 1 PAT2
> global (DMZ) 1 10.10.10.200
> nat (inside) 0 access-list 101
> nat (inside) 1 192.168.0.0 255.255.0.0 0 0
> nat (DMZ) 2 10.10.10.2 255.255.255.255 0 0
> access-group unsecure in interface outside
> access-group DMZ in interface DMZ
> outbound   1 deny 0.0.0.0 0.0.0.0 0 ip
> ..................
> outbound   1 permit 10.100.100.0 255.255.255.0 0 ip
> apply (inside) 1 outgoing_src
> route outside 0.0.0.0 0.0.0.0 80.69.50.1 1
> route DMZ 192.1.1.0 255.255.255.0 10.10.10.5 1
> route inside 192.168.0.0 255.255.0.0 192.168.10.6 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> aaa-server AuthInbound protocol radius
> aaa-server AuthInbound max-failed-attempts 3
> aaa-server AuthInbound deadtime 10
> aaa-server AuthInbound (inside) host 192.168.10.8 xxxx timeout 15
> floodguard enable
> sysopt connection permit-pptp
> telnet timeout 5
> console timeout 0
> vpdn group 1 accept dialin pptp
> vpdn group 1 ppp authentication pap
> vpdn group 1 ppp authentication chap
> vpdn group 1 ppp authentication mschap
> vpdn group 1 ppp encryption mppe 40
> vpdn group 1 client configuration address local pptp-pool
> vpdn group 1 client configuration dns 192.168.10.8
> vpdn group 1 client configuration wins Proxy_Internal
> vpdn group 1 client authentication aaa AuthInbound
> vpdn group 1 pptp echo 60
> vpdn enable outside

> --------------------------------------------------------------------------


> --

> This list has no affiliation with Cisco Systems.

> All responsibility for applying the solutions suggested on the list lies
> with the user. The list administrators, list members, or the organizations
> those members work for cannot be held responsible in any way.

> To leave the list, you can send an e-mail to
> cisco-ttl-unsubscribe_at_yahoogroups.com.

> Yahoo! Groups Links
> To visit your group on the web, go to:
> http://groups.yahoo.com/group/cisco-ttl/
>  To unsubscribe from this group, send an email to:
> cisco-ttl-unsubscribe_at_yahoogroups.com
>  Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.

-- 
Best regards,
 Mesut                            mailto:cmesut_at_yahoo.com
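A check that a reader of this thread would want to run over both configs, as an added example written for this page (not code from either poster). The script parses the PIX 6.3 statements that matter for a PPTP/IPsec remote-access setup and reports two things: whether each VPDN client address pool is exempted from NAT by the `nat (inside) 0 access-list` ACL (the working config above covers PptPool with `permit ip any 192.168.99.0 255.255.255.0`; if the pool is not covered, inside hosts send their replies to tunnel clients through the global NAT/PAT), and which legacy settings are enabled: PAP/CHAP/MS-CHAP authentication, 40-bit MPPE, MPPE without the `required` keyword, DES and DH group 1 in the ISAKMP policies. The two sample inputs are constructed: the first repeats the relevant lines of the working config, the second is deliberately altered (pool in 10.100.100.x against an ACL that names 10.100.200.0/24, and no `sysopt connection permit-pptp`) to show the failing case. Only the `any` and `A MASK` address forms are parsed, since those are the only ones in the posted configs.

```python
"""Audit the VPN-relevant lines of a Cisco PIX 6.x config (PPTP/VPDN + IPsec).
Added example for this thread, not code from either poster: checks that each VPDN
client pool is NAT-exempted by the 'nat (inside) 0 access-list' ACL and flags legacy
settings (PAP/CHAP/MS-CHAP, 40-bit MPPE, MPPE not 'required', DES, DH group 1)."""
import ipaddress
from collections import defaultdict

def _addr(tok, i):
    """Consume one PIX address spec ('any' or 'A MASK') starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_pix(text):
    """Extract pools, 'permit ip' ACL entries, nat 0, vpdn groups, isakmp policies, sysopt."""
    cfg = {"pools": {}, "acls": defaultdict(list), "nat0": None, "sysopt": set(),
           "isakmp": defaultdict(dict), "vpdn": defaultdict(
               lambda: {"auth": [], "mppe": None, "required": False, "pool": None})}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            cfg["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            src, i = _addr(w, 4)
            cfg["acls"][w[1]].append((src, _addr(w, i)[0]))
        elif w[:1] == ["nat"] and w[2:4] == ["0", "access-list"]:
            cfg["nat0"] = w[4]
        elif w[:2] == ["vpdn", "group"]:
            g = cfg["vpdn"][w[2]]
            if w[3:5] == ["ppp", "authentication"]:
                g["auth"].append(w[5])
            elif w[3:6] == ["ppp", "encryption", "mppe"]:
                g["mppe"], g["required"] = w[6], w[-1] == "required"
            elif w[3:7] == ["client", "configuration", "address", "local"]:
                g["pool"] = w[7]
        elif w[:2] == ["isakmp", "policy"]:
            cfg["isakmp"][w[2]][w[3]] = w[4]
        elif w[:2] == ["sysopt", "connection"]:
            cfg["sysopt"].add(w[2])
    return cfg

def pool_nat_exempt(cfg, pool):
    """True if an entry of the nat 0 ACL has a destination covering the whole pool."""
    lo, hi = cfg["pools"].get(pool, (None, None))
    return lo is not None and cfg["nat0"] is not None and any(
        lo in dst and hi in dst for _src, dst in cfg["acls"][cfg["nat0"]])

WEAK_PPP_AUTH = {"pap": "cleartext password", "chap": "server must hold the cleartext password",
                 "mschap": "MS-CHAPv1, offline-crackable"}

def audit(cfg):
    """Return a list of finding strings (empty list means nothing flagged)."""
    f = []
    for name, g in cfg["vpdn"].items():
        if g["pool"] and not pool_nat_exempt(cfg, g["pool"]):
            f.append(f"vpdn {name}: pool {g['pool']} not covered by nat 0 ACL; "
                     "inside hosts will NAT their replies to tunnel clients")
        f += [f"vpdn {name}: ppp authentication {m} ({WEAK_PPP_AUTH[m]})"
              for m in g["auth"] if m in WEAK_PPP_AUTH]
        if g["mppe"] == "40":
            f.append(f"vpdn {name}: mppe 40 (40-bit RC4); prefer mppe 128")
        if g["mppe"] and not g["required"]:
            f.append(f"vpdn {name}: mppe not 'required'; a PAP/CHAP client gets an "
                     "unencrypted tunnel because MPPE keys are derived from MS-CHAP")
    if "permit-pptp" not in cfg["sysopt"]:
        f.append("sysopt connection permit-pptp missing; tunnel traffic is filtered by the outside ACL")
    for n, p in cfg["isakmp"].items():
        if p.get("encryption") == "des":
            f.append(f"isakmp policy {n}: encryption des (56-bit key)")
        if p.get("group") == "1":
            f.append(f"isakmp policy {n}: DH group 1 (768-bit modulus)")
    return f

# Constructed sample 1: the relevant lines of the working config posted in the reply.
WORKING = """\
ip local pool PptPool 192.168.99.1-192.168.99.254
access-list inside_outbound_nat0_acl permit ip any 192.168.99.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-pptp
isakmp policy 20 encryption des
isakmp policy 60 encryption des
isakmp policy 60 group 1
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local PptPool
"""
# Constructed sample 2, deliberately broken: pool 10.100.100.x vs ACL for 10.100.200.0/24,
# and no 'sysopt connection permit-pptp'.
BROKEN = """\
ip local pool pptp-pool 10.100.100.1-10.100.100.250
access-list 101 permit ip 192.168.0.0 255.255.0.0 10.100.200.0 255.255.255.0
nat (inside) 0 access-list 101
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
"""
if __name__ == "__main__":
    for label, text in (("working", WORKING), ("broken", BROKEN)):
        print(label, *audit(parse_pix(text)), sep="\n - ")
```

Standard library only; paste a `show running-config` into `parse_pix` to audit a real box. On the working config the NAT-exemption check passes, but PAP/MS-CHAP, 40-bit MPPE, MPPE not `required`, DES in policies 20 and 60 and DH group 1 in policy 60 are all flagged; those are the settings to tighten before exposing this to the internet.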




This archive was generated by hypermail 2.1.3 : Mon Mar 07 2005 - 10:47:39 EET