RE: [cisco-ttl] PIX 506e VPN Routing Issue

From: Barış YAHŞİ <barisyahsi_at_....>
Date: Fri Jan 26 2007 - 09:23:57 CET


Greetings,

As far as I know:

vpngroup <vpngroupname> split-tunnel <access-list-no>

Regards,

-----Original Message-----
From: cisco-ttl@yahoogroups.com [mailto:cisco-ttl@yahoogroups.com] On Behalf Of Yücel BAŞOĞLU
Sent: Wednesday, January 24, 2007 11:27 PM
To: cisco-ttl@yahoogroups.com
Subject: [cisco-ttl] PIX 506e VPN Routing Issue

Hello,

I set up a configuration on a PIX 506e so that Cisco VPN Client users from outside can connect to the local network, but I am stuck on a problem whose cause I cannot find.

I connect with Cisco VPN Client using a username and password, but at the same time my computer picks up a default gateway from the VPN. Because of that, my own connection drops and I can only reach the local network.

That is, as seen in the config, if I get the IP 192.168.7.2 from the VPN, my default gateway also becomes 192.168.7.2. Since a computer cannot have two default gateways, my normal connection drops and it tries to send all packets via 192.168.7.x. I searched the documentation but could not find anything about this. Please help me troubleshoot, friends :)

The config is below.

Best regards,

Yucel BASOGLU

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxx.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.x Mail_Server
name 192.168.7.0 vpnpool
name 192.168.1.73 Selcuk
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host x.x.x.x eq smtp
access-list outside_access_in permit tcp any host x.x.x.x eq pop3
access-list outside_access_in permit tcp any host x.x.x.x eq www
access-list inside_nat0_outbound permit ip any vpnpool 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any vpnpool 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside y.y.y.y 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.7.1-192.168.7.254
pdm location Mail_Server 255.255.255.255 inside
pdm location vpnpool 255.255.255.0 outside
pdm location 84.17.81.195 255.255.255.255 outside
pdm location 85.108.253.150 255.255.255.255 outside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 85.100.34.254 255.255.255.255 outside
pdm location 88.234.92.14 255.255.255.255 outside
pdm location Selcuk 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.x smtp Mail_Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x pop3 Mail_Server pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x www Mail_Server www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 z.z.z.z 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 85.108.253.150 255.255.255.255 outside
http 85.100.34.254 255.255.255.255 outside
http 88.234.92.14 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn-group address-pool vpnpool
vpngroup vpn-group dns-server 213.144.97.12 213.144.97.13
vpngroup vpn-group idle-time 1800
vpngroup vpn-group password ********
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:2497c3fcf886d0c6e865cf9e409ef94b
: end
[OK]
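Added example (not from either poster): the two PIX 6.3 lines that the reply's split-tunnel syntax refers to, written against the names already in the config above. It assumes that 192.168.1.0/24 behind the inside interface is the only network the VPN clients need to reach, and the ACL name split_tunnel_acl is a placeholder.

```cisco
! Networks the client should route through the tunnel: only the inside LAN.
! The ACL source side is what gets pushed to the client as a tunnel route;
! anything not matched (Internet traffic) keeps using the client's own default gateway.
access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 vpnpool 255.255.255.0
! Attach the list to the existing group. Without a split-tunnel entry PIX 6.3
! pushes "tunnel everything", which is what replaces the client's default route.
vpngroup vpn-group split-tunnel split_tunnel_acl
```

With split tunneling the client host stays reachable from its local network and the Internet while the tunnel is up, so keep the ACL limited to the subnets that actually need to be reached and rely on the client's own host firewall and patch level for the rest.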


--

Cisco Technical Discussion List (Cisco-ttl)

All responsibility for applying changes suggested on this list lies with the user. The list administrators, the list members who make suggestions, and the organizations those members work for cannot be held responsible in any way.

Received on Sat Jan 27 14:51:21 2007

This archive was generated by hypermail 2.1.8 : Sat Jan 27 2007 - 14:51:21 CET