[ GORSHTAK @ 11.05.2010. 23:23 ] @
I need to get a p2p VPN working; it doesn't matter much to me whether it goes through the Cisco VPN client or the MS client with L2TP over IPsec. I looked at this link: http://www.cisco.com/en/US/doc...a5505/quick/guide/rem_acc.html and mostly tried the Cisco client route. I know almost nothing about Cisco, so I don't know where else to look or what else is needed.

The config is:

Code:
denied(config)# show configuration
: Saved
: Written by enable_15 at 17:32:52.179 UTC Tue May 11 2010
!
ASA Version 7.2(4)
!
hostname denied
domain-name default.domain.invalid
enable password <sakrio> encrypted
passwd <sakrio> encrypted
names
name <neki_ip> ime_lokacije
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.30.252 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <javna_adresa_cisca> 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service at9955 tcp
 description test
 port-object eq 9955
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service pf_136 tcp-udp
 port-object eq 2222
access-list outside_1_cryptomap extended permit ip host 172.16.30.136 host <sakrio_vpn1>
access-list ping1 extended permit icmp any any echo-reply
access-list ping1 extended permit ip any any
access-list ping2 extended permit icmp any any echo-reply
access-list ping2 extended permit object-group TCPUDP any any object-group pf_136
access-list ping2 extended permit tcp any any object-group at9955
access-list ping2 extended permit ip host ime_lokacije any log debugging
access-list inside_nat0_outbound extended permit ip host 172.16.30.136 host <sakrio_vpn1>
access-list inside_nat0_outbound extended permit ip host 172.16.30.136 host <sakrio_vpn2>
access-list inside_nat0_outbound extended permit ip host 172.16.30.136 <sakrio_vpn3> 255.255.255.248
access-list inside_nat0_outbound extended permit ip host 172.16.30.136 host <sakrio_vpn4>
access-list inside_nat0_outbound extended permit ip any 172.16.30.96 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 172.16.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.30.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 172.16.30.144 255.255.255.240
access-list outside_2_cryptomap extended permit ip host 172.16.30.136 host <sakrio_vpn2>
access-list outside_3_cryptomap extended permit ip host 172.16.30.136 <sakrio_vpn3> 255.255.255.248
access-list outside_4_cryptomap extended permit ip host 172.16.30.136 host <sakrio_vpn4>
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool Test 172.16.30.100-172.16.30.120 mask 255.255.255.0
ip local pool test2 172.16.30.121-172.16.30.135 mask 255.255.255.0
ip local pool test3 172.16.30.140-172.16.30.145 mask 255.255.255.0
ip local pool Test4 172.16.30.150-172.16.30.155 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
asdm location ime_lokacije 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2222 172.16.30.135 2222 netmask 255.255.255.255
static (inside,outside) tcp interface 9955 172.16.30.135 9955 netmask 255.255.255.255
access-group ping1 in interface inside
access-group ping2 in interface outside
route outside 0.0.0.0 0.0.0.0 195.252.89.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer <sakrio>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer <sakrio>
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer <sakrio>
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer <sakrio>
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.16.30.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 wins-server none
 dns-server value <adsl ruter>
group-policy GroupPolicyEP internal
group-policy GroupPolicyEP attributes
 vpn-tunnel-protocol IPSec
 pfs enable
username user1 password <loz1> encrypted
username user2 password <loz2> encrypted privilege 7
username user3 password <loz3> encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 300 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool Test
 address-pool test2
 address-pool test3
 address-pool Test4
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group <sakrio_1> type ipsec-l2l
tunnel-group <sakrio_1> ipsec-attributes
 pre-shared-key *
tunnel-group <sakrio_2> type ipsec-l2l
tunnel-group <sakrio_2> ipsec-attributes
 pre-shared-key *
tunnel-group <sakrio_3> type ipsec-l2l
tunnel-group <sakrio_3> ipsec-attributes
 pre-shared-key *
tunnel-group cisco0 type ipsec-ra
tunnel-group cisco0 general-attributes
 address-pool Test
tunnel-group cisco0 ipsec-attributes
 pre-shared-key *
tunnel-group <sakrio_4> type ipsec-l2l
tunnel-group <sakrio_4> ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f7d7c9afd4b28f5f1e0b9f6e913ef4f8

The log output is (so it doesn't confuse you: it reads in reverse order, newest line first):

Code:
7|May 11 2010|14:45:43|710005|<ip_adsl_rutera>|195.252.89.247|UDP request discarded from <ip_adsl_rutera>/520 to outside:195.252.89.247/520
4|May 11 2010|14:45:40|713903|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, Error: Unable to remove PeerTblEntry
3|May 11 2010|14:45:40|713902|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, Removing peer from peer table failed, no match!
7|May 11 2010|14:45:40|713906|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, sending delete/delete with reason message
7|May 11 2010|14:45:40|713906|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, IKE SA AM:f624c181 terminating: flags 0x0104c001, refcnt 0, tuncnt 0
7|May 11 2010|14:45:40|715065|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, IKE AM Responder FSM error history (struct &0x41bcaf0) <state>, <event>: AM_DONE, EV_ERROR-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_BLD_MSG2, EV_BLD_MSG2_TRL-->AM_BLD_MSG2, EV_SKEYID_OK-->AM_BLD_MSG2, NullEvent-->AM_BLD_MSG2, EV_GEN_SKEYID-->AM_BLD_MSG2, EV_BLD_MSG2_HDR
7|May 11 2010|14:45:40|713236|||IP = <ip_mreze_sa_koje_sam_pokusao>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 348
7|May 11 2010|14:45:40|715048|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing VID payload
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing Fragmentation VID + extended capabilities payload
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing xauth V6 VID payload
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing Cisco Unity VID payload
7|May 11 2010|14:45:40|715076|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, Computing hash for ISAKMP
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing hash payload
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing ID payload
7|May 11 2010|14:45:40|713906|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, Generating keys for Responder...
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing nonce payload
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing ke payload
7|May 11 2010|14:45:40|715046|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, constructing ISAKMP SA payload
7|May 11 2010|14:45:40|715028|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 2
7|May 11 2010|14:45:40|715047|||Group = DefaultRAGroup, IP = <ip_mreze_sa_koje_sam_pokusao>, processing IKE SA payload
7|May 11 2010|14:45:40|715049|||IP = <ip_mreze_sa_koje_sam_pokusao>, Received Cisco Unity client VID
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing VID payload
7|May 11 2010|14:45:40|715049|||IP = <ip_mreze_sa_koje_sam_pokusao>, Received NAT-Traversal ver 02 VID
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing VID payload
7|May 11 2010|14:45:40|715064|||IP = <ip_mreze_sa_koje_sam_pokusao>, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
7|May 11 2010|14:45:40|715049|||IP = <ip_mreze_sa_koje_sam_pokusao>, Received Fragmentation VID
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing VID payload
7|May 11 2010|14:45:40|715049|||IP = <ip_mreze_sa_koje_sam_pokusao>, Received DPD VID
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing VID payload
7|May 11 2010|14:45:40|715049|||IP = <ip_mreze_sa_koje_sam_pokusao>, Received xauth V6 VID
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing VID payload
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing ID payload
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing nonce payload
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing ISA_KE payload
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing ke payload
7|May 11 2010|14:45:40|715047|||IP = <ip_mreze_sa_koje_sam_pokusao>, processing SA payload
7|May 11 2010|14:45:40|713236|||IP = <ip_mreze_sa_koje_sam_pokusao>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
6|May 11 2010|14:45:40|302015|<ip_mreze_sa_koje_sam_pokusao>|<ip_cisca_outside>|Built inbound UDP connection 23308 for outside:<ip_mreze_sa_koje_sam_pokusao>/1963 (<ip_mreze_sa_koje_sam_pokusao>/1963) to NP Identity Ifc:<ip_cisca_outside>/500 (<ip_cisca_outside>/500)
7|May 11 2010|14:45:40|609001|<ip_cisca_outside>||Built local-host NP Identity Ifc:<ip_cisca_outside>
7|May 11 2010|14:45:40|609001|<ip_mreze_sa_koje_sam_pokusao>||Built local-host outside:<ip_mreze_sa_koje_sam_pokusao>

Does anything else need to be configured, an ACL or something else, to get it working? Does anyone have an idea?
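As a triage aid added here (not part of the original post), this Python script parses the pipe-delimited ASDM log layout shown above, puts the reversed log back into chronological order, and reports how far the IKE Phase 1 exchange got before the peer was torn down. The sample lines are constructed from the post's own message ids, and the peer address 203.0.113.5 is a placeholder for the redacted one.

```python
import re

# Constructed sample in the ASDM pipe-delimited syslog layout seen in the post
# (severity|date|time|message-id|src|dst|text), newest line first as in the post.
# 203.0.113.5 is a documentation placeholder standing in for the redacted peer.
SAMPLE_LOG = """\
4|May 11 2010|14:45:40|713903|||Group = DefaultRAGroup, IP = 203.0.113.5, Error: Unable to remove PeerTblEntry
3|May 11 2010|14:45:40|713902|||Group = DefaultRAGroup, IP = 203.0.113.5, Removing peer from peer table failed, no match!
7|May 11 2010|14:45:40|713236|||IP = 203.0.113.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 348
7|May 11 2010|14:45:40|715028|||Group = DefaultRAGroup, IP = 203.0.113.5, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 2
7|May 11 2010|14:45:40|713236|||IP = 203.0.113.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 849
"""

# Message ids that mark the peer being torn down (taken from the post's own log).
FAILURE_IDS = {713902, 713903}

def parse_line(line):
    """Split one ASDM-style line into fields; returns None for lines that do not fit."""
    parts = line.split("|", 6)
    if len(parts) != 7 or not parts[3].isdigit():
        return None
    text = parts[6]
    grp = re.search(r"Group = ([^,]+)", text)
    ip = re.search(r"IP = ([^,]+)", text)
    return {"severity": int(parts[0]), "msgid": int(parts[3]), "text": text,
            "group": grp.group(1) if grp else None,
            "ip": ip.group(1) if ip else None}

def summarize_ike(log_text, newest_first=True):
    """Put the log in chronological order and report how far IKE Phase 1 got."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    if newest_first:
        recs.reverse()
    s = {"peer": None, "group": None, "aggressive_mode": False,
         "proposal_matched": False, "sent_msg2": False, "failures": []}
    first_recv_seen = False
    for r in recs:
        s["peer"] = s["peer"] or r["ip"]
        s["group"] = s["group"] or r["group"]
        if r["msgid"] == 713236 and "RECEIVED" in r["text"] and not first_recv_seen:
            # An ID payload in the peer's first message means aggressive mode (main mode msg 1 carries only SA).
            s["aggressive_mode"] = "ID (5)" in r["text"]
            first_recv_seen = True
        elif r["msgid"] == 715028:
            s["proposal_matched"] = True
        elif r["msgid"] == 713236 and "SENDING" in r["text"] and "HASH (8)" in r["text"]:
            s["sent_msg2"] = True   # responder answered with its HASH payload
        elif r["msgid"] in FAILURE_IDS:
            s["failures"].append(r["msgid"])
    return s
```

Run over the post's own log the same walk shows the proposal matched under DefaultRAGroup and message 2 was sent before 713902/713903 removed the peer, which narrows the problem to what happens after the responder's reply rather than to the ISAKMP policy itself.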