Re: [cisco-ttl] ASA vpn client problem

From: Serhat Uslay <serhat.uslay_at_....>
Date: Tue Oct 17 2006 - 08:48:47 EEST

This probably isn't the full output; a lot of things appear to be missing. There are two local pools, 192.168.1.0 and 192.168.70.0, but only the pool "gezi" is defined. And "gezi" isn't configured in the tunnel-group either; instead there is something called "POOLVPN".
There are also no DNS or WINS definitions for this pool.

You need to do something like this:
tunnel-group xyz type ipsec-ra
tunnel-group xyz general-attributes
 address-pool gezi (or POOLVPN?)
 authentication-server-group xxxxx
 default-group-policy xyz
 dhcp-server "ip address"

Also, access-list 15 isn't applied anywhere.

If you send the full output I can take another look.

Serhat

TOLGA SAHAN CELTIK <t_celtik@yahoo.com> Sent by: cisco-ttl@yahoogroups.com
13/10/2006 01:40 AM
Please respond to cisco-ttl@yahoogroups.com

To: cisco-ttl@yahoogroups.com
cc:
Subject: [cisco-ttl] ASA vpn client problem

Hello,
  We have an ASA running behind a Checkpoint. I configured a VPN on the ASA and I can connect. On a VPN request we look at the logs on the Checkpoint and don't see any problem (the Checkpoint is open any any). I get an IP from the pool I defined for the VPN, but from that IP I cannot reach the ASA's inside leg (the local side).
  The topology is as follows:

  Our side-----internet---------Checkpoint-----ASA-----Local

  When I connect with the VPN client I see that no packets are being encrypted, and also that the secured network is 0.0.0.0 0.0.0.0. I can't see any problem in the config... why is this happening? I'd appreciate your help.

  Config attached


ASA Version 7.0(2)
names
name... ......
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.60.0 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1
 management-only
!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0
access-list 15 extended permit icmp 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0

group-policy deneme internal
group-policy deneme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme_splitTunnelAcl
 webvpn
group-policy deneme1 internal
group-policy deneme1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme1_splitTunnelAcl
 webvpn
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255

username tolga password 5mhYTi9IjTkulMAX encrypted privilege 0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp

crypto ipsec transform-set TOLGA esp-3des esp-none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5

ssh 172.19.0.91 255.255.255.255 outside
ssh 172.19.0.71 255.255.255.255 outside
ssh 172.19.0.61 255.255.255.255 outside
ssh 172.19.0.78 255.255.255.255 outside

ssh 172.19.0.212 255.255.255.255 outside
ssh 172.19.0.243 255.255.255.255 outside
ssh 172.19.60.170 255.255.255.255 outside
ssh timeout 5
console time
tunnel-group deneme type ipsec-ra
tunnel-group deneme general-attributes
 default-group-policy deneme
tunnel-group deneme ipsec-attributes
 pre-shared-key *
tunnel-group deneme1 type ipsec-ra
tunnel-group deneme1 general-attributes
 address-pool POOLVPN
 default-group-policy deneme1
tunnel-group deneme1 ipsec-attributes
 pre-shared-key *
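The checks Serhat does by eye above (a tunnel-group referencing a pool that is never defined, a pool defined but not used by any tunnel-group, a tunnel-group with no pool at all, an access-list that is defined but never applied, and a group-policy with no DNS/WINS servers) can be scripted so the same mistakes are caught before a config is deployed. The following is an added example written for this thread, not code from either post or from Cisco; it works on a constructed, abbreviated copy of the posted config, and its line-parsing rules (a line starting with a space belongs to the preceding `attributes` block; ACLs are referenced by `access-group`, `nat ... access-list`, `match address` and `split-tunnel-network-list value`) are assumptions about ASA 7.x syntax rather than a full parser.

```python
"""Audit an ASA 7.x running-config excerpt for the remote-access VPN
mistakes raised in the thread: a tunnel-group that references an
address pool which is never defined, a pool defined but never used, a
tunnel-group with no pool at all, access-lists that are never applied,
and group-policies with no dns-server / wins-server.

Added example; SAMPLE_CONFIG is a constructed, abbreviated copy of the
config posted in the thread, not the full running-config."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0
access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0
group-policy deneme internal
group-policy deneme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme_splitTunnelAcl
group-policy deneme1 internal
group-policy deneme1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme1_splitTunnelAcl
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
tunnel-group deneme type ipsec-ra
tunnel-group deneme general-attributes
 default-group-policy deneme
tunnel-group deneme1 type ipsec-ra
tunnel-group deneme1 general-attributes
 address-pool POOLVPN
 default-group-policy deneme1
"""

# Top-level commands that *reference* an ACL rather than define one
# (interface access-group, 'nat ... 0 access-list', crypto map match address).
# Assumed subset of ASA syntax, enough for this excerpt.
ACL_REF = re.compile(r"(?:access-group|access-list|match address) (\S+)")


def parse(config):
    """Walk the config once and collect the objects the audit needs.
    A line starting with a space belongs to the most recent
    '... attributes' block (group-policy or tunnel-group)."""
    acls_defined, acls_used = set(), set()
    pools_defined, pool_by_tg = set(), {}
    tunnel_groups = set()
    gp_attrs = defaultdict(set)      # group-policy name -> attribute keywords seen
    block = None                     # (kind, name) of the open attributes block
    for line in config.splitlines():
        if not line.strip():
            continue
        words = line.split()
        if not line.startswith(" "):
            block = None
            if words[0] == "access-list":
                acls_defined.add(words[1])
            elif words[:3] == ["ip", "local", "pool"]:
                pools_defined.add(words[3])
            elif words[0] in ("group-policy", "tunnel-group") and len(words) >= 3:
                kind, name, what = words[0], words[1], words[2]
                if kind == "tunnel-group":
                    tunnel_groups.add(name)
                if what.endswith("attributes"):
                    block = (kind, name)
            else:
                m = ACL_REF.search(line)
                if m:
                    acls_used.add(m.group(1))
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "tunnel-group" and words[0] == "address-pool":
            pool_by_tg[name] = words[1]
        elif kind == "group-policy":
            gp_attrs[name].add(words[0])
            if words[0] == "split-tunnel-network-list" and len(words) >= 3:
                acls_used.add(words[2])   # 'split-tunnel-network-list value ACL'
    return dict(acls_defined=acls_defined, acls_used=acls_used,
                pools_defined=pools_defined, pool_by_tg=pool_by_tg,
                tunnel_groups=tunnel_groups, gp_attrs=gp_attrs)


def audit(config):
    """Return a list of human-readable findings; empty if nothing is wrong."""
    f = parse(config)
    findings = []
    for tg in sorted(f["tunnel_groups"]):
        pool = f["pool_by_tg"].get(tg)
        if pool is None:
            findings.append(f"tunnel-group {tg}: no address-pool configured")
        elif pool not in f["pools_defined"]:
            findings.append(f"tunnel-group {tg}: address-pool {pool} is not defined")
    for pool in sorted(f["pools_defined"] - set(f["pool_by_tg"].values())):
        findings.append(f"ip local pool {pool}: defined but no tunnel-group uses it")
    for acl in sorted(f["acls_defined"] - f["acls_used"]):
        findings.append(f"access-list {acl}: defined but never applied")
    for gp, attrs in sorted(f["gp_attrs"].items()):
        missing = sorted({"dns-server", "wins-server"} - attrs)
        if missing:
            findings.append(f"group-policy {gp}: no {' / '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports exactly the points in the reply: deneme1 references POOLVPN which is never defined, deneme has no pool, gezi is defined but unused, access-list 15 is never applied, and neither group-policy carries DNS or WINS servers. Because the excerpt has no `nat (inside) 0 access-list` line, inside_nat0_outbound is also flagged as unapplied, which is consistent with Serhat's remark that the posted output is incomplete; on a real box, feed the script the full `show running-config` rather than an excerpt.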


--
Cisco Technical Discussion List (Cisco-ttl)

All responsibility for applying the changes suggested on this list lies with the user. The list administrators, the list members making suggestions, and the organizations those members work for cannot be held responsible in any way.
Yahoo! Groups Links
Received on Tue Oct 17 12:54:07 2006

This archive was generated by hypermail 2.1.8 : Tue Oct 17 2006 - 12:54:07 EEST