[cisco-ttl] ASA vpn client problem

From: TOLGA SAHAN CELTIK <t_celtik_at_....>
Date: Thu Oct 12 2006 - 18:40:37 EEST


Hello,
  We have an ASA that sits behind a Checkpoint. I configured a VPN on the ASA and I can connect. On a VPN request we look at the logs on the Checkpoint and do not see any problem (the Checkpoint is open any-to-any). I get an IP from the IP pool I defined for the VPN, but from that IP I cannot reach the ASA's inside leg (this is the local side). The setup is as follows:

  Our side-----Internet---------Checkpoint-----ASA-----Local

  When I connect with the VPN client I see that no packets are being encrypted, and also that the secured network appears as 0.0.0.0 0.0.0.0. I can't see any problem in the config... why is this happening? I would be grateful for any help.

  Config attached


ASA Version 7.0(2)
names
name... ......
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.60.0 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1
 management-only
!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0 
access-list deneme_splitTunnelAcl standard permit any 
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0 
access-list deneme1_splitTunnelAcl standard permit any 
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0 
access-list deneme_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0 
access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0 
access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0 
access-list 15 extended permit icmp 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0



group-policy deneme internal
group-policy deneme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme_splitTunnelAcl
 webvpn
group-policy deneme1 internal
group-policy deneme1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme1_splitTunnelAcl
 webvpn
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255

username tolga password 5mhYTi9IjTkulMAX encrypted privilege 0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

crypto ipsec transform-set TOLGA esp-3des esp-none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 172.19.0.91 255.255.255.255 outside
ssh 172.19.0.71 255.255.255.255 outside
ssh 172.19.0.61 255.255.255.255 outside
ssh 172.19.0.78 255.255.255.255 outside

ssh 172.19.0.212 255.255.255.255 outside
ssh 172.19.0.243 255.255.255.255 outside
ssh 172.19.60.170 255.255.255.255 outside
ssh timeout 5
console time
tunnel-group deneme type ipsec-ra
tunnel-group deneme general-attributes
 default-group-policy deneme
tunnel-group deneme ipsec-attributes
 pre-shared-key *
tunnel-group deneme1 type ipsec-ra
tunnel-group deneme1 general-attributes
 address-pool POOLVPN
 default-group-policy deneme1
tunnel-group deneme1 ipsec-attributes
 pre-shared-key *
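Added example (not part of the original post, and not Cisco tooling): a small Python check that reads the config above and flags the kinds of inconsistencies a reviewer looks at first on a remote-access VPN: a tunnel-group address-pool name with no matching ip local pool, a tunnel-group that assigns no pool at all, a NAT-exemption ACL that is defined but never bound with a nat 0 statement, and an interface address whose host part is zero. The function name and regexes are my own; the embedded config is a trimmed excerpt of the one posted.

```python
import re
import ipaddress

# Trimmed excerpt of the config posted above (only the lines the checks below look at).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 172.19.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255
tunnel-group deneme general-attributes
 default-group-policy deneme
tunnel-group deneme1 general-attributes
 address-pool POOLVPN
 default-group-policy deneme1
"""

def lint_asa_vpn(config: str) -> list:
    """Return a list of findings for remote-access VPN settings worth a second look."""
    findings = []
    pools = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    # A tunnel-group address-pool must name a pool that is actually defined.
    for name in re.findall(r"^\s+address-pool (\S+)", config, re.M):
        if name not in pools:
            findings.append(f"address-pool {name} has no matching 'ip local pool'")
    # Each tunnel-group general-attributes block should hand out a pool
    # (ignores pools assigned via group-policy, which the posted config does not use).
    for block in re.split(r"^(?=tunnel-group \S+ general-attributes)", config, flags=re.M):
        m = re.match(r"tunnel-group (\S+) general-attributes", block)
        if m and "address-pool" not in block:
            findings.append(f"tunnel-group {m.group(1)} assigns no address-pool")
    # A NAT-exemption ACL never bound with 'nat (inside) 0 access-list' exempts nothing.
    for acl in set(re.findall(r"^access-list (\S*nat0\S*) ", config, re.M)):
        if not re.search(rf"^nat \(\S+\) 0 access-list {re.escape(acl)}\s*$", config, re.M):
            findings.append(f"ACL {acl} is not bound with 'nat (...) 0 access-list'")
    # An interface address whose host part is all zeros is the network address, not a host.
    ip_re = r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    for ip, mask in re.findall(ip_re, config, re.M):
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen < 31 and ipaddress.ip_address(ip) == net.network_address:
            findings.append(f"interface address {ip} is the network address of {net}")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_vpn(ASA_CONFIG):
        print("WARN:", finding)
```

Run against the excerpt it reports four findings; none of them is confirmed as the cause of the problem in the post, they are simply the first things to verify before digging into the crypto map.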


--
Cisco Technical Discussion List (Cisco-ttl)

All responsibility for applying the changes suggested on this list lies with the user. Neither the list administrators, the list members who make suggestions, nor the organizations those members work for can be held responsible in any way.
Received on Fri Oct 13 20:02:17 2006

This archive was generated by hypermail 2.1.8 : Fri Oct 13 2006 - 20:02:24 EEST