Re: [cisco-ttl] PIX 506e VPN Routing Problem

From: Faruk YALÇIN <farukyalcin_at_....>
Date: Fri Jan 26 2007 - 07:35:34 CET


Hello

You will need to do split tunneling. That is, it is enough to define, with an access-list for the user or the group, which traffic should go into the tunnel.
You can find both CLI and GUI examples below.

Good luck

Best regards

Faruk YALCIN

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

http://www.cisco.com/warp/public/471/asa-split-tunnel-vpn-client.pdf

On 1/24/07, Yücel BAŞOĞLU <ybasoglu@teknotel.net> wrote:
>
> Hello,
>
> I set up a configuration on a PIX 506e so that the local network can be
> reached from outside using the Cisco VPN Client. But I am stuck because of
> a problem whose cause I cannot find.
>
> I connect with the Cisco VPN Client using a username and password. But at
> the same time my computer also receives a default gateway, and because of
> that my own connection drops. I can only reach the local network.
>
> That is, as can be seen in the config, if I get the IP 192.168.7.2 from the
> VPN, the default gateway also becomes 192.168.7.2. And since a computer
> cannot have two gateways, my normal connection drops and it tries to send
> all packets via 192.168.7.x. I searched the documentation on this but could
> not find anything. Please help with troubleshooting, friends :)
>
> The config is below.
>
> Best regards.
>
> Yucel BASOGLU
>
>
> PIX Version 6.3(5)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password xxxxx encrypted
> passwd xxxxx.2KYOU encrypted
> hostname pixfirewall
> domain-name ciscopix.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> name x.x.x.x Mail_Server
> name 192.168.7.0 vpnpool
> name 192.168.1.73 Selcuk
> access-list inside_access_in permit ip any any
> access-list inside_access_in permit icmp any any echo-reply
> access-list outside_access_in permit tcp any host x.x.x.x eq smtp
> access-list outside_access_in permit tcp any host x.x.x.x eq pop3
> access-list outside_access_in permit tcp any host x.x.x.x eq www
> access-list inside_nat0_outbound permit ip any vpnpool 255.255.255.0
> access-list outside_cryptomap_dyn_20 permit ip any vpnpool 255.255.255.0
> pager lines 24
> icmp permit any outside
> icmp permit any inside
> mtu outside 1500
> mtu inside 1500
> ip address outside y.y.y.y 255.255.255.248
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool vpnpool 192.168.7.1-192.168.7.254
> pdm location Mail_Server 255.255.255.255 inside
> pdm location vpnpool 255.255.255.0 outside
> pdm location 84.17.81.195 255.255.255.255 outside
> pdm location 85.108.253.150 255.255.255.255 outside
> pdm location 192.168.1.5 255.255.255.255 inside
> pdm location 85.100.34.254 255.255.255.255 outside
> pdm location 88.234.92.14 255.255.255.255 outside
> pdm location Selcuk 255.255.255.255 inside
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp x.x.x.x smtp Mail_Server smtp netmask 255.255.255.255 0 0
> static (inside,outside) tcp x.x.x.x pop3 Mail_Server pop3 netmask 255.255.255.255 0 0
> static (inside,outside) tcp x.x.x.x www Mail_Server www netmask 255.255.255.255 0 0
> access-group outside_access_in in interface outside
> access-group inside_access_in in interface inside
> route outside 0.0.0.0 0.0.0.0 z.z.z.z 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-disconnect 0:02:00 sip-invite 0:03:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> http server enable
> http 85.108.253.150 255.255.255.255 outside
> http 85.100.34.254 255.255.255.255 outside
> http 88.234.92.14 255.255.255.255 outside
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> no floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
> vpngroup vpn-group address-pool vpnpool
> vpngroup vpn-group dns-server 213.144.97.12 213.144.97.13
> vpngroup vpn-group idle-time 1800
> vpngroup vpn-group password ********
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> terminal width 80
> Cryptochecksum:2497c3fcf886d0c6e865cf9e409ef94b
> : end
> [OK]
>
>
>
> --
> Cisco Technical Discussion List (Cisco-ttl)
>
> All responsibility for applying changes suggested on this list lies with
> the user. Neither the list administrators, the list members making the
> suggestion, nor the organizations those members work for can be held
> responsible in any way.
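As an added example (not part of the original thread), this is the PIX 6.3 split-tunnel configuration the answer describes, using the names from the quoted config (vpngroup vpn-group, pool vpnpool = 192.168.7.0/24, inside LAN 192.168.1.0/24); the ACL name split_tunnel_acl is an assumption.

```text
! Added example, not from the original thread. The ACL lists the networks
! reachable through the tunnel (source) and the VPN client pool (destination).
! Only matching traffic is sent into the tunnel; everything else stays on the
! client's own connection, so its default gateway is no longer replaced.
access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 vpnpool 255.255.255.0
vpngroup vpn-group split-tunnel split_tunnel_acl
!
! Check the group, then reconnect the client: "route print" on the client
! should show a route for 192.168.1.0/24 via the VPN adapter while the
! original default gateway stays in place.
show vpngroup vpn-group
write memory
```

With split tunneling the client is reachable from the Internet and the inside network at the same time, so keep the client's host firewall on and limit the ACL to the networks the clients actually need.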

Received on Sat Jan 27 14:53:17 2007

This archive was generated by hypermail 2.1.8 : Sat Jan 27 2007 - 14:53:17 CET