Re: [cisco-ttl] Remote access VPN + RADIUS on PIX

From: Serhat Uslay <serhat.uslay_at_....>
Date: Thu Nov 16 2006 - 04:14:04 EET

A very simple question, but does appsrv2 (10.1.1.42) normally work on the local network? What are the gateway definitions on it? If the two servers really are completely identical, have there been cases where appsrv2 (10.1.1.42) worked and appsrv1 did not?
On PIX 6.3(5) you can capture the traffic going to appsrv2 with "capture" and look at it; while doing that, also run ethereal on appsrv2 and compare the captured data.

Serhat
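As an added example (not part of Serhat's reply or of the posted configuration), these are the PIX 6.3 commands for the capture he suggests, restricted to traffic between the VPN client pool shown in the posted config and appsrv2, so that it can be compared packet by packet with the Ethereal capture on appsrv2. The interface name "inside" and the TFTP server address are assumptions.

```cisco
! Added example, not from the original thread.
! Assumptions: VPN clients reach the servers through the interface named "inside";
! client addresses come from the pool 10.1.253.0/30 in the posted configuration.
!
! Match both directions between the VPN pool and appsrv2 (10.1.1.42)
access-list cap_appsrv2 permit ip 10.1.253.0 255.255.255.252 host 10.1.1.42
access-list cap_appsrv2 permit ip host 10.1.1.42 10.1.253.0 255.255.255.252
!
! Start the capture on the inside interface; decrypted client traffic appears here
capture cap_appsrv2 access-list cap_appsrv2 interface inside
!
! Reproduce the timeout from the VPN client, then inspect the buffer
show capture cap_appsrv2 detail
!
! Optionally export as pcap for side-by-side comparison with the Ethereal capture
! (TFTP server address is a placeholder)
copy capture:cap_appsrv2 tftp://192.0.2.10/cap_appsrv2.pcap pcap
!
! Remove the capture when done
no capture cap_appsrv2
```

If the requests show up on the inside interface but no replies from 10.1.1.42 come back, the problem is on the server or its default gateway, not in the PIX or RADIUS ACL; if the replies do reach the PIX but never arrive at the client, the issue is on the PIX side.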

OGUZ ISLAM EMLIK <oguz_islam@yahoo.com> Sent by: cisco-ttl@yahoogroups.com
16/11/2006 02:27 AM
Please respond to
cisco-ttl@yahoogroups.com

To
cisco-ttl@yahoogroups.com
cc

Subject
[cisco-ttl] Remote access VPN + RADIUS on PIX

Hello everyone,
I have just joined the mailing list, and this is my first mail to the group.

On my system I configured remote access VPN on a PIX 6.3(5) for my users, and with this configuration my users connect to my network (with VPN Client 3.5).

The PIX downloads, with the help of cisco-avpair, the ACLs assigned to each connecting user from FreeRADIUS 1.0.1-3 installed on Red Hat Linux 4 Update 2. When a user connects to the system, looking with "sh access-list" I really do see that ACLs of the form AAA-user-user_name are downloaded and that their hit counts increase.

However, even for a user who connects with a "permit ip any any" ACL from RADIUS, I get Time Out when connecting to many machines even though DNS resolves their names (and I cannot reach them by IP either). And this happens on 2 of my machines that are in the same IP block, under the same switch, and whose configuration is completely identical. To give an example with my 2 machines named appsrv1 (10.1.1.21) and appsrv2 (10.1.1.42): on every connection I can make any kind of connection to appsrv1 without any problem, while I cannot connect to the appsrv2 machine in any way and constantly get timed out. I would also like to point out that in terms of network load appsrv1 runs under a heavier load than appsrv2. I also have no idea why there is never a problem on appsrv1 but there is on appsrv2; as I said before, the machines are completely identical.

Actually I have not fully understood what is causing the problem. What do you think it could be?

PIX configuration

ip local pool vpn_ippool_sistem 10.1.253.1 mask 255.255.255.252
....
aaa-server rasvpnauth protocol radius
aaa-server rasvpnauth max-failed-attempts 3
aaa-server rasvpnauth deadtime 10
aaa-server rasvpnauth (intf2) host 10.2.20.10 **** timeout 5

....

sysopt connection permit-ipsec
crypto ipsec transform-set vpn_tset_esp3des_espshahmac esp-3des esp-sha-hmac
crypto dynamic-map vpn_dynmap 60 set transform-set vpn_tset_esp3des_espshahmac
....

crypto map rtptrans 21 ipsec-isakmp
....

crypto map rtptrans 60 ipsec-isakmp dynamic vpn_dynmap
crypto map rtptrans client authentication rasvpnauth

....

vpngroup vpn_group_sistem address-pool vpn_ippool_sistem
vpngroup vpn_group_sistem dns-server 10.1.1.25
vpngroup vpn_group_sistem wins-server 10.1.254.43 10.1.1.22
vpngroup vpn_group_sistem default-domain mydomain.sec
vpngroup vpn_group_sistem idle-time 1800
vpngroup vpn_group_sistem password ****
-------------------------------------------------------------------------------
Received on Thu Nov 16 11:53:33 2006

This archive was generated by hypermail 2.1.8 : Thu Nov 16 2006 - 11:53:40 EET