Re: [cisco-ttl] Remote access VPN + RADIUS on PIX

From: OGUZ ISLAM EMLIK <oguz_islam_at_....>
Date: Thu Nov 16 2006 - 10:03:16 EET


hello again,

static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,outside) 10.1.254.0 10.1.254.0 netmask 255.255.255.0

komutlarını verince hersey duzeldi, 10.1.1.21 icin daha onceden outside bacagi icin natlanmisti. ancak 10.1.1.42 icin outside bacaginda bir nat olmadigindan ve crypto outside bacaginda cozuldugunden ulasamiyordu. dikkatsizlik iste.. baskalarinin da basina gelebilir, dikkat.

hello everyone,

I have just joined the mailing list, and this is my first mail to the list..

On my system I set up the remote access VPN configuration for my users on a PIX 6.3(5), and according to this configuration my users connect to my network (with VPN Client 3.5).

For every user who connects, the PIX downloads the ACLs given by means of cisco-avpair from freeradius 1.0.1-3 installed on Redhat Linux 4 Update 2. When a user connects to the system, looking with "sh access-list" I really do see that ACLs of the form AAA-user-user_name are downloaded and their hit counts increase.

However, even for a user who connects with a "permit ip any any" ACL from RADIUS, for many machines I get a Time Out when connecting, although the name resolves from DNS (and what's more, I can't reach them by their IPs either). And this happens with 2 of my machines that are in the same IP block, under the same switch, and configured exactly the same. To give an example from my 2 machines named appsrv1 (10.1.1.21) and appsrv2 (10.1.1.42): on every connection I can make any kind of connection to appsrv1 without the slightest problem, whereas I can't connect to the appsrv2 machine by any means; I constantly get timed out. I'd also like to point out that in terms of network load, appsrv1 runs under more load than appsrv2. I also have no idea why there is never a problem on appsrv1 but there is on appsrv2 every time; as I said before, the machines are exactly the same.

Actually I haven't fully understood where the problem comes from. What do you think it could be?

pix configuration

ip local pool vpn_ippool_sistem 10.1.253.1 mask 255.255.255.252

....

aaa-server rasvpnauth protocol radius

aaa-server rasvpnauth max-failed-attempts 3

aaa-server rasvpnauth deadtime 10

aaa-server rasvpnauth (intf2) host 10.2.20.10 **** timeout 5

....

sysopt connection permit-ipsec

crypto ipsec transform-set vpn_tset_esp3des_espshahmac esp-3des esp-sha-hmac

crypto dynamic-map vpn_dynmap 60 set transform-set vpn_tset_esp3des_espshahmac

....

crypto map rtptrans 21 ipsec-isakmp

....

crypto map rtptrans 60 ipsec-isakmp dynamic vpn_dynmap

crypto map rtptrans client authentication rasvpnauth

....

vpngroup vpn_group_sistem address-pool vpn_ippool_sistem

vpngroup vpn_group_sistem dns-server 10.1.1.25

vpngroup vpn_group_sistem wins-server 10.1.254.43 10.1.1.22

vpngroup vpn_group_sistem default-domain mydomain.sec

vpngroup vpn_group_sistem idle-time 1800

vpngroup vpn_group_sistem password ****
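The failure the reply describes, as an added example that is not part of the original thread: on a PIX 6.3 with the crypto map on outside, a VPN client's decrypted packets go through the outside-to-inside translation lookup, so an inside host is reachable only if it is covered by a static (inside,outside) or a nat 0 access-list entry; a dynamic nat/global pair creates nothing for outside-initiated traffic. The script below parses a constructed config fragment and reports, per host, which translation (if any) makes it reachable from the pool. The pool, the inside subnets and the appsrv1/appsrv2 addresses are taken from the thread; the pre-existing outside NAT for 10.1.1.21 (203.0.113.21), the nat 1/global lines, the `crypto map rtptrans interface outside` line and the nat 0 ACL alternative named `nonat` are assumptions added here, not from the poster's config.

```python
"""Check which inside hosts a PIX 6.3 remote-access VPN client can reach.

Added example, not from the original post. Parses a constructed config
fragment and answers: does this inside host have a translation on the
interface where the crypto map terminates?
"""
import ipaddress
import re

# Constructed config. Pool, inside subnets and hosts come from the thread;
# the 203.0.113.21 static, nat 1/global and the crypto map line are assumed.
CONFIG_BEFORE = """\
ip local pool vpn_ippool_sistem 10.1.253.1 mask 255.255.255.252
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.21 10.1.1.21 netmask 255.255.255.255
crypto map rtptrans interface outside
"""

# The poster's fix: identity statics for the two inside subnets.
FIX_STATIC = """\
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,outside) 10.1.254.0 10.1.254.0 netmask 255.255.255.0
"""

# Alternative not in the thread: NAT exemption scoped to the VPN pool only
# (ACL name "nonat" is an assumption).
FIX_NAT0 = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.253.0 255.255.255.252
access-list nonat permit ip 10.1.254.0 255.255.255.0 10.1.253.0 255.255.255.252
nat (inside) 0 access-list nonat
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+?)(?:-(\S+))? mask (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")


def _net(addr, mask):
    return ipaddress.IPv4Network((addr, mask), strict=False)


def vpn_pool(config):
    """Network the client addresses are drawn from (ip local pool line)."""
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            return _net(m.group(1), m.group(3))
    return None


def translations(config, crypto_if="outside"):
    """Translations usable by traffic arriving (decrypted) on crypto_if.

    Returns (real_inside_net, required_peer_net_or_None, label). Dynamic
    nat/global pairs are ignored on purpose: they only build xlates for
    inside-initiated connections. nat 0 ACL entries are listed first because
    NAT exemption takes precedence over statics on the PIX.
    """
    statics, acls, nat0_names = [], {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m and m.group(2) == crypto_if:
            _, _, mapped, real, mask = m.groups()
            statics.append((_net(real, mask), None, f"static {mapped}"))
            continue
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_names.append(m.group(2))
    nat0 = [(real, peer, f"nat 0 access-list {name}")
            for name in nat0_names for real, peer in acls.get(name, [])]
    return nat0 + statics


def vpn_reachable(config, host, crypto_if="outside"):
    """Label of the translation that lets a pool client reach host, or None."""
    addr = ipaddress.IPv4Address(host)
    pool = vpn_pool(config)
    for real, peer, label in translations(config, crypto_if):
        if addr not in real:
            continue
        # A nat 0 entry only helps if its destination side covers the pool.
        if peer is not None and not (pool and pool.subnet_of(peer)):
            continue
        return label
    return None


def check_hosts(config, hosts):
    return {h: vpn_reachable(config, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["10.1.1.21", "10.1.1.42", "10.1.254.43"]
    for title, cfg in [("before fix", CONFIG_BEFORE),
                       ("identity statics", CONFIG_BEFORE + FIX_STATIC),
                       ("nat 0 access-list", CONFIG_BEFORE + FIX_NAT0)]:
        print(f"{title}: {check_hosts(cfg, hosts)}")
```

Run against the "before" fragment it reports appsrv1 as covered by the pre-existing static and appsrv2 as having no translation at all, which is exactly the asymmetry the poster saw; either fix covers both. The nat 0 form is the narrower of the two, since it exempts inside traffic only towards the pool, whereas an identity static for a whole /24 also publishes those addresses to everything else on the outside interface.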



--
Cisco Technical Discussion List (Cisco-ttl)

All responsibility for applying the changes suggested on this list lies with
the user. The list administrators, the list members who make a suggestion, and
the organizations those members work for cannot be held responsible in any way.
 
Received on Thu Nov 16 12:11:00 2006

This archive was generated by hypermail 2.1.8 : Thu Nov 16 2006 - 12:12:10 EET