Re: [cisco-ttl] 878 Router - pix 515 vpn

From: Halil Ergun Korkmaz <halilergun.korkmaz_at_....>
Date: Fri Aug 25 2006 - 09:19:07 EEST


Sorunu cozdum gerek kalmadi tsk ederim  

Halil Ergun KORKMAZ  

Merhaba,

VPN client ile baglaniyorum ip pool dan ip de aliyorum routerin ic interace'ine de ping atabiliyorum ama icerideki hic bir host'a ulasamiyorum. Sanirim ic interface'deki ACL takiliyorum ama bir turlu goremedim!!!!!!!! yardim ederseniz cok sevinirim simdiden tesekkur ederim, yeni konfigurasyon asagida :

!This is the running config of the router:
!----------------------------------------------------------
!version 12.4

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption
service sequence-numbers
!

hostname router
!

boot-start-marker
boot-end-marker
!

logging buffered 51200 debugging
logging console critical
!

aaa new-model
!
!

aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!

aaa session-id common
!

resource policy
!

clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00 no ip source-route
ip cef
!
!

ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive

ip inspect name SDM_HIGH appfw   SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH   dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https

ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.1.1.1
ip ssh time-out 60
ip ssh authentication-retries 2
!

appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com server deny name webmessenger.msn.com
audit-trail on
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server   deny name scsc.msg.yahoo.com
server deny name   scsd.msg.yahoo.com
server deny name   cs16.msg.dcn.yahoo.com
server deny name   cs19.msg.dcn.yahoo.com
server deny name   cs42.msg.dcn.yahoo.com
server deny name   cs53.msg.dcn.yahoo.com
server deny name   cs54.msg.dcn.yahoo.com
server deny name   ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com server deny name in1.msg.vip.re2.yahoo.com server deny name data1.my.vip.sc5.yahoo.com server deny name address1.pim.vip.mud.yahoo.com server deny name edit.messenger.yahoo.com server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
!
!
!

controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
!

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!

crypto isakmp client configuration group grb
key ****************

dns 10.1.1.1 10.1.1.3
domain domain.com.tr
pool SDM_POOL_1
max-users 2
max-logins 2
netmask 255.255.255.0
!
!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!

crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map   SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map   SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map   SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!

interface Null0
no ip unreachables
!

interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!

interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
!

interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!

interface FastEthernet0
!

interface FastEthernet1
!

interface FastEthernet2
!

interface FastEthernet3
!

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$ ip address 10.1.1.250 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!

interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_HIGH out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ******** password 7 ************* crypto map SDM_CMAP_1
!

ip local pool SDM_POOL_1 10.1.1.200 10.1.1.202 ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.255.255.0 10.1.1.10
!

ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!

logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark   SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2   remark HTTP Access-class list
access-list 2 remark SDM_ACL   Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by Cisco SDM Express firewall   configuration
access-list 100 remark SDM_ACL Category=1
access-list 100   deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0   0.255.255.255 any
access-list 100 permit ip any any
access-list 101   remark auto generated by Cisco SDM Express firewall   configuration
access-list 101 remark SDM_ACL Category=1
access-list 101   permit ip host 10.1.1.200 any
access-list 101 permit ip host 10.1.1.201   any
access-list 101 permit ip host 10.1.1.202 any
access-list 101 permit   udp any any eq non500-isakmp
access-list 101 permit udp any any eq   isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any   any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101   permit icmp any any echo-reply
access-list 101 permit icmp any any   time-exceeded
access-list 101 permit icmp any any   unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255   any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101   deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0   0.255.255.255 any
access-list 101 deny ip host 255.255.255.255   any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any   any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip   any host 10.1.1.200
access-list 102 deny ip any host   10.1.1.201
access-list 102 deny ip any host 10.1.1.202
access-list 102   permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0   0.0.0.255 any
access-list 103 remark auto generated by SDM firewall   configuration
access-list 103 remark SDM_ACL Category=1
access-list 103   permit ip host 10.1.1.200 any
access-list 103 permit ip host 10.1.1.201   any
access-list 103 permit ip host 10.1.1.202 any
access-list 103 permit   ahp any any
access-list 103 permit esp any any
access-list 103 permit   udp any any eq isakmp
access-list 103 permit udp any any eq   non500-isakmp
access-list 103 deny ip 10.1.1.0 0.0.0.255 any
access-list   103 permit icmp any any echo-reply
access-list 103 permit icmp any any   time-exceeded
access-list 103 permit icmp any any   unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255   any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103   deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0   0.255.255.255 any
access-list 103 deny ip host 255.255.255.255   any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any   any log
access-list 104 remark VTY Access-class list
access-list 104   remark SDM_ACL Category=1
access-list 104 permit ip 10.1.1.0 0.0.0.255   any
access-list 104 deny ip any any
dialer-list 1 protocol ip   permit

no cdp run
!
!

route-map SDM_RMAP_1 permit 1
match ip address 102
!
!

control-plane
!

banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!

line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 104 in
transport input telnet ssh
!

scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!

webvpn context Default_context
ssl authenticate verify all
!

no inservice
!

end

Do you Yahoo!?
Get on board. You're invited to try the new Yahoo! Mail.

[Non-text portions of this message have been removed]

   #ygrp-mlmsg {	FONT-SIZE: small; FONT-FAMILY: arial,helvetica,clean,sans-serif}#ygrp-mlmsg TABLE {	}#ygrp-mlmsg SELECT {	FONT: 99% arial,helvetica,clean,sans-serif}INPUT {	FONT: 99% arial,helvetica,clean,sans-serif}TEXTAREA {	FONT: 99% arial,helvetica,clean,sans-serif}#ygrp-mlmsg PRE {	FONT: 100% monospace}CODE {	FONT: 100% monospace}#ygrp-mlmsg  {	LINE-HEIGHT: 1.22em}#ygrp-text {	FONT-FAMILY: Georgia}#ygrp-text P {	MARGIN: 0px 0px 1em}#ygrp-tpmsgs {	CLEAR: both; FONT-FAMILY: Arial}#ygrp-vitnav {	FONT-SIZE: 77%; MARGIN: 0px; PADDING-TOP: 10px; FONT-FAMILY: Verdana}#ygrp-vitnav A {	PADDING-RIGHT: 1px; PADDING-LEFT: 1px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px}#ygrp-actbar {	CLEAR: both; MARGIN: 25px 0px; COLOR: #666; WHITE-SPACE: nowrap; TEXT-ALIGN: right}#ygrp-actbar .left {	FLOAT: left; WHITE-SPACE: nowrap}..bld {	FONT-WEIGHT: bold}#ygrp-grft {	PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 77%; PADDING-BOTTOM: 15px; PADDING-TOP: 15px; FONT-FAMILY:
 Verdana}#ygrp-ft {	PADDING-RIGHT: 0px; BORDER-TOP: #666 1px solid; PADDING-LEFT: 0px; FONT-SIZE: 77%; PADDING-BOTTOM: 5px; PADDING-TOP: 5px; FONT-FAMILY: verdana}#ygrp-mlmsg #logo {	PADDING-BOTTOM: 10px}#ygrp-vital {	PADDING-RIGHT: 0px; PADDING-LEFT: 8px; MARGIN-BOTTOM: 20px; PADDING-BOTTOM: 8px; PADDING-TOP: 2px; BACKGROUND-COLOR: #e0ecee}#ygrp-vital #vithd {	FONT-WEIGHT: bold; FONT-SIZE: 77%; TEXT-TRANSFORM: uppercase; COLOR: #333; FONT-FAMILY: Verdana}#ygrp-vital UL {	PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 2px 0px; PADDING-TOP: 0px}#ygrp-vital UL LI {	CLEAR: both; BORDER-RIGHT: #e0ecee 1px solid; BORDER-TOP: #e0ecee 1px solid; BORDER-LEFT: #e0ecee 1px solid; BORDER-BOTTOM: #e0ecee 1px solid; LIST-STYLE-TYPE: none}#ygrp-vital UL LI .ct {	PADDING-RIGHT: 0.5em; FONT-WEIGHT: bold; FLOAT: right; WIDTH: 2em; COLOR: #ff7900; TEXT-ALIGN: right}#ygrp-vital UL LI .cat {	FONT-WEIGHT: bold}#ygrp-vital A {	TEXT-DECORATION: none}#ygrp-vital A:hover {
	TEXT-DECORATION: underline}#ygrp-sponsor #hd {	FONT-SIZE: 77%; COLOR: #999}#ygrp-sponsor #ov {	PADDING-RIGHT: 13px; PADDING-LEFT: 13px; MARGIN-BOTTOM: 20px; PADDING-BOTTOM: 6px; PADDING-TOP: 6px; BACKGROUND-COLOR: #e0ecee}#ygrp-sponsor #ov UL {	PADDING-RIGHT: 0px; PADDING-LEFT: 8px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px}#ygrp-sponsor #ov LI {	PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 77%; PADDING-BOTTOM: 6px; PADDING-TOP: 6px; LIST-STYLE-TYPE: square}#ygrp-sponsor #ov LI A {	FONT-SIZE: 130%; TEXT-DECORATION: none}#ygrp-sponsor #nc {	PADDING-RIGHT: 8px; PADDING-LEFT: 8px; MARGIN-BOTTOM: 20px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; BACKGROUND-COLOR: #eee}#ygrp-sponsor .ad {	PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 8px; PADDING-TOP: 8px}#ygrp-sponsor .ad #hd1 {	FONT-WEIGHT: bold; FONT-SIZE: 100%; COLOR: #628c2a; LINE-HEIGHT: 122%; FONT-FAMILY: Arial}#ygrp-sponsor .ad A {	TEXT-DECORATION: none}#ygrp-sponsor .ad A:hover {	TEXT-DECORATION:
 underline}#ygrp-sponsor .ad P {	MARGIN: 0px}o {	FONT-SIZE: 0px}..MsoNormal {	MARGIN: 0px}#ygrp-text TT {	FONT-SIZE: 120%}BLOCKQUOTE {	MARGIN: 0px 0px 0px 4px}..replbq {	}
 __________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

[Non-text portions of this message have been removed]

--
Cisco Teknik Tartisma Listesi (Cisco-ttl)

Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk 
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da 
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar. 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/cisco-ttl/

<*> To unsubscribe from this group, send an email to:
    cisco-ttl-unsubscribe@yahoogroups.com

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/
 
Received on Fri Aug 25 11:31:15 2006

This archive was generated by hypermail 2.1.8 : Fri Aug 25 2006 - 11:31:15 EEST