[ Joja82 @ 15.11.2009. 17:42 ]
Hello everyone, I'm having a small problem with my PIX. Here's the situation: I have a PIX 515E running version 6.3(5) with the following configuration:

Code:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /Cyi5kGRrUNhfKp9 encrypted
passwd I3Hys02ggggmeu0O encrypted
hostname pix
domain-name tsu
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list no-nat permit ip 10.41.0.0 255.255.255.0 172.29.64.0 255.255.255.0
access-list no-nat permit ip any 10.41.0.48 255.255.255.240
access-list no-nat permit ip 10.41.0.0 255.255.255.0 192.168.116.0 255.255.255.0
access-list no-nat permit ip 10.41.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list from-outside permit gre 172.29.64.0 255.255.255.0 host 10.41.0.230
access-list kripto-map permit ip 10.41.0.0 255.255.255.0 172.29.64.0 255.255.255.0
access-list acl-out permit icmp any any
access-list outside_cryptomap_120 permit ip 10.41.0.0 255.255.255.0 192.168.116.0 255.255.255.0
access-list kripto-ruterKB permit ip 10.41.0.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list from-inside permit ip host 10.41.0.230 any
access-list from-inside permit ip host 10.40.10.111 any
pager lines 24
icmp permit any outside
icmp permit 172.29.64.0 255.255.255.0 outside
icmp permit 10.0.0.0 255.0.0.0 inside
icmp permit 172.29.64.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 212.xxx.xxx.xxx 255.255.255.252
ip address inside 10.41.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.41.0.50-10.41.0.59
pdm location 10.41.0.230 255.255.255.255 inside
pdm location 10.41.0.0 255.255.255.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 172.29.64.0 255.255.255.0 outside
pdm location 10.40.1.11 255.255.255.255 inside
pdm location 192.168.116.0 255.255.255.0 outside
pdm location 10.40.5.8 255.255.255.255 inside
pdm location 10.41.0.48 255.255.255.240 outside
pdm location 10.81.0.0 255.255.255.0 outside
pdm location 10.0.0.0 255.0.0.0 outside
pdm location 10.100.1.0 255.255.255.0 outside
pdm location 10.40.10.11 255.255.255.255 inside
pdm location 10.40.10.111 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 212.xxx.xxx.xxx
nat (inside) 0 access-list no-nat
nat (inside) 1 10.40.10.11 255.255.255.255 0 0
nat (inside) 1 10.40.10.111 255.255.255.255 0 0
nat (inside) 1 10.41.0.230 255.255.255.255 0 0
access-group from-outside in interface outside
route outside 0.0.0.0 0.0.0.0 212.xxx.xxx.xxx 1
route inside 10.0.0.0 255.0.0.0 10.41.0.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 10.41.0.230 source inside
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.40.5.8
snmp-server location xy
snmp-server contact xxxxxxxxxxx
snmp-server community xxxxxxxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set map-set esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map m-map 100 ipsec-isakmp
crypto map m-map 100 match address kripto-map
crypto map m-map 100 set peer 217.xxx.xxx.xxx
crypto map m-map 100 set transform-set map-set
crypto map m-map 100 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map m-map 120 ipsec-isakmp
crypto map m-map 120 match address outside_cryptomap_120
crypto map m-map 120 set peer 212.xxx.xxx.xxx
crypto map m-map 120 set transform-set map-set
crypto map m-map interface outside
isakmp enable outside
isakmp key ******** address 212.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 217.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp log 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet 10.0.0.0 255.0.0.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local vpnpool
vpdn group PPTP-VPDN-GROUP client configuration dns 10.40.5.1
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username nemanja password *********
vpdn enable outside
terminal width 130
Cryptochecksum:61056d6b209a1dc1bcdff1982357f91e
: end

As you can see, I have IPsec tunnels that work as they should. Now, alongside the PPTP VPN I use to connect from home, I want to set up an L2TP VPN as well because of Windows 7, since plain PPTP won't work on it.
I added the following configuration for L2TP:

Code:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA mode transport
crypto dynamic-map l2tp 30 set transform-set ESP-3DES-SHA
crypto map dmu 30 ipsec-isakmp dynamic l2tp
crypto map dmu interface outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp nat-traversal 20
vpdn group L2TP-VPDN-GROUP accept dialin l2tp
vpdn group L2TP-VPDN-GROUP ppp authentication pap
vpdn group L2TP-VPDN-GROUP client configuration address local vpnpool
vpdn group L2TP-VPDN-GROUP client configuration dns 10.40.5.1
vpdn group L2TP-VPDN-GROUP client authentication local
vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60

When I add this L2TP part and connect from home to the PIX, the tunnel comes up and everything pings as it should, but after a minute or two the existing IPsec tunnel drops. Does anyone know how I can solve this with this configuration? And could it be because of the NAT TRAVERSAL 20 command? Thanks a lot in advance.
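An added check, not from the post or from Cisco: PIX 6.3 binds only one crypto map per interface, so the `crypto map dmu interface outside` line in the second fragment replaces the `m-map` binding that carries the two static tunnels. The script below (hypothetical function names; sample input constructed from the two fragments above) detects such a displacement in a config dump and emits the lines that keep the dynamic L2TP entry inside the existing map instead.

```python
import re
from collections import defaultdict

# Constructed sample: the posted static map, then the L2TP addition, in entry order.
SAMPLE_CONFIG = """
crypto map m-map 100 ipsec-isakmp
crypto map m-map 100 set peer 217.xxx.xxx.xxx
crypto map m-map 120 ipsec-isakmp
crypto map m-map 120 set peer 212.xxx.xxx.xxx
crypto map m-map interface outside
crypto map dmu 30 ipsec-isakmp dynamic l2tp
crypto map dmu interface outside
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")

def parse_crypto_maps(config):
    """interface -> bound map names in order; map -> {seq: dynamic-map name or None}."""
    bound, entries = defaultdict(list), defaultdict(dict)
    for line in map(str.strip, config.splitlines()):
        if m := BIND_RE.match(line):
            bound[m.group(2)].append(m.group(1))
        elif m := ENTRY_RE.match(line):
            entries[m.group(1)][int(m.group(2))] = m.group(3)
    return bound, entries

def find_displaced_maps(config):
    """PIX 6.3 binds one crypto map per interface: a later 'crypto map X interface I'
    replaces the earlier binding. Returns [(iface, displaced, active, lost static seqs)]."""
    bound, entries = parse_crypto_maps(config)
    findings = []
    for iface, names in bound.items():
        for displaced in dict.fromkeys(n for n in names[:-1] if n != names[-1]):
            lost = sorted(s for s, d in entries[displaced].items() if d is None)
            findings.append((iface, displaced, names[-1], lost))
    return findings

def suggest_merge(config):
    """Re-home the active map's dynamic entries into the displaced map, numbered above
    its static entries so fixed peers are still matched first, and rebind that map."""
    _, entries = parse_crypto_maps(config)
    lines = []
    for iface, displaced, active, _ in find_displaced_maps(config):
        seq = max(entries[displaced], default=0) + 10
        for _, dyn in sorted(entries[active].items()):
            if dyn:
                lines.append(f"crypto map {displaced} {seq} ipsec-isakmp dynamic {dyn}")
                seq += 10
        lines.append(f"crypto map {displaced} interface {iface}")
    return lines
```

On the sample it reports that `m-map` (static entries 100 and 120) was displaced by `dmu` on `outside` and proposes `crypto map m-map 130 ipsec-isakmp dynamic l2tp` followed by rebinding `m-map`.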