RE: [cisco-ttl] VPN Client Problem

From: ali tadir <alitadir_at_....>
Date: Sat Oct 15 2005 - 12:25:50 EEST


Thanks Cumhur, the problem was solved as of yesterday. As you mentioned, nat-traversal had not been enabled.

Many thanks, and have a good day!

> Greetings Ali,
>
> If these multiple users are behind a NAT, configuring "isakmp nat-traversal [natkeepalive]" may solve your problem.
>
> Regards,
> Cumhur
>
> Enabling IPSec over NAT-T
>
> NAT-T lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary. This feature is disabled by default.
>
> • The security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-T, and IPSec over UDP, depending on the client with which it is exchanging data.
>
> • When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.
>
> • When enabled, IPSec over TCP takes precedence over all other connection methods.
>
> • When you enable NAT-T, the security appliance automatically opens port 4500 on all IPSec enabled interfaces.
>
> The security appliance implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:
>
> • One LAN-to-LAN connection.
>
> • Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
>
> This restriction applies when the IP address of the NAT device is the name of the tunnel group. This is because all peers behind that NAT device are likely to be associated with that same tunnel group. This may result in failed negotiations when connecting to multiple LAN-to-LAN peers behind the NAT device, or VPN clients being associated to a NAT device when there is a mixture of remote access and LAN-to-LAN peers.
>
> Using NAT-T
>
> To use NAT-T you must perform three tasks:
>
> 1. Enable IPSec over NAT-T globally on the security appliance.
>
> 2. Select the "before-fragmentation" option for the IPSec fragmentation policy. This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede the operation of NAT devices that do support IP fragmentation.
>
> 3. Set a keepalive value, which can be from 10 to 3600 seconds. The default is 20 seconds.
>
> To enable NAT-T globally on the security appliance, enter the following command:
>
> isakmp nat-traversal natkeepalive
>
> This example enables NAT-T and sets the keepalive to one hour.
>
> hostname(config)# isakmp nat-traversal 3600
>
> Valid values for natkeepalive are 10 to 3600 seconds; the default is 20 seconds.
>
>
> -----Original Message-----
> From: cisco-ttl@yahoogroups.com
> [mailto:cisco-ttl@yahoogroups.com] On Behalf
> Of ali tadir
> Sent: Thursday, October 13, 2005 17:42
> To: cisco-ttl@yahoogroups.com
> Subject: [cisco-ttl] VPN Client Problem
>
> Hello everyone.
>
> We installed a PIX 506 at the center of an 11-branch network. All of the branches connect to the center over ADSL using the VPN Client software. The center's internet access is a leased line (LL).
>
> Our problem is that single-user branches stay connected for hours, but at branches with more than one user, when one of them connects the other one is disconnected.
>
> The configuration is below. Thanks in advance to anyone who takes an interest.
>
>
> :
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxxx encrypted
> hostname pix
> domain-name cisco.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> name 10.8.1.2 VPN_Router
> access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq www
> access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq ftp
> access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq smtp
> access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq pop3
> access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq domain
> access-list inside_access_in permit udp 10.8.0.0 255.255.0.0 any eq domain
> access-list inside_access_in permit icmp 10.8.0.0 255.255.0.0 any echo
> access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq https
> access-list outside_access_in permit icmp any any echo-reply
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.1.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.2.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.3.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.4.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.5.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.6.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.7.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.8.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.9.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.10.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.11.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.12.0 255.255.255.0
> access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.13.0 255.255.255.0
> pager lines 24
> logging on
> logging console critical
> logging monitor emergencies
> logging buffered alerts
> icmp permit any outside
> icmp permit any inside
>

=== message truncated ===                          
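The NAT-T behaviour described in the quoted documentation (IPSec carried in UDP/4500 datagrams, with a keepalive every 10 to 3600 seconds, 20 by default) can be verified on the wire when troubleshooting a deployment like the one in this thread. The following is an added example, not code from the thread, the list or Cisco; it classifies UDP/4500 payloads using the RFC 3948 framing (one-byte 0xFF keepalive, four-byte zero non-ESP marker before IKE, otherwise an ESP SPI) on constructed sample datagrams, and mirrors the natkeepalive range from the quoted text.

```python
import struct

# Values taken from the quoted documentation: NAT-T port and natkeepalive range/default.
NAT_T_PORT = 4500
KEEPALIVE_MIN, KEEPALIVE_MAX, KEEPALIVE_DEFAULT = 10, 3600, 20

# RFC 3948 framing of a UDP/4500 datagram: a NAT keepalive is the single byte 0xFF,
# an IKE message is prefixed with a four-byte zero "non-ESP marker", and anything
# else is a UDP-encapsulated ESP packet whose first four bytes are a non-zero SPI.
def classify_natt_payload(payload: bytes) -> dict:
    """Return the datagram kind plus the header fields a troubleshooter looks at."""
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == b"\x00\x00\x00\x00":
        ike = payload[4:]
        if len(ike) < 28:  # an ISAKMP header is 28 bytes
            return {"kind": "malformed"}
        ispi, rspi, _next, _ver, exch, _flags, msg_id, length = struct.unpack("!QQBBBBII", ike[:28])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "exchange_type": exch, "message_id": msg_id, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}

def keepalive_setting(value=None) -> int:
    """Apply the natkeepalive rule from the docs: 10..3600 s, 20 s when omitted."""
    if value is None:
        return KEEPALIVE_DEFAULT
    if not KEEPALIVE_MIN <= value <= KEEPALIVE_MAX:
        raise ValueError(f"natkeepalive must be {KEEPALIVE_MIN}-{KEEPALIVE_MAX} seconds")
    return value

# Constructed sample datagrams (not captured traffic): an IKEv1 main-mode header
# (exchange type 2) behind the non-ESP marker, an ESP packet with SPI 0x12345678, a keepalive.
SAMPLE_IKE = b"\x00" * 4 + struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x00" * 8
SAMPLE_KEEPALIVE = b"\xff"

def classify_samples() -> list:
    """Classify the constructed samples in order; returns their 'kind' values."""
    return [classify_natt_payload(p)["kind"] for p in (SAMPLE_IKE, SAMPLE_ESP, SAMPLE_KEEPALIVE)]

if __name__ == "__main__":
    for p in (SAMPLE_IKE, SAMPLE_ESP, SAMPLE_KEEPALIVE):
        print(classify_natt_payload(p))
    print("natkeepalive default:", keepalive_setting())
```

If a capture on the outside interface shows only IKE on UDP/500 and no UDP/4500 traffic from a client behind NAT, the feature is still off on the appliance, which matches the outcome reported above.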



--
Cisco Teknik Tartisma Listesi (Cisco-ttl)
Received on Sat Oct 15 12:26:08 2005

This archive was generated by hypermail 2.1.8 : Sat Oct 15 2005 - 12:26:12 EEST