forum.opennet.ru

Составление сообщения

Исходное сообщение

"IPsec Pix-Router"
Отправлено Regnalos, 22-Июн-07 08:25

Друзья, несколько дней не вылазию из cisco.com, перечитал на opennet.ru похожие темы, но никак не получается поднять ipsec между pix 501 v.6 и cisco 2800. Ниже приводятся конфиги обоих устройств. взгляните острым глазом если можно.
Pix:
LAN-192.168.103.1 255.255.255.240
WAN-a.a.a.61 255.255.255.240
Router:
Lan-189.141.1.252 255.255.0.0
Wan-b.b.b.2 255.255.255.252
-------------------
Pix:
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname NacBank
domain-name aaa
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0
access-list nonat permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.a.a.61 255.255.255.240
ip address inside 192.168.103.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.103.0 255.255.255.240 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 a.a.a.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer b.b.b.2
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
isakmp enable outside
isakmp enable outside
isakmp key ******** address b.b.b.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:470836fa592db376008d5aa353b8ce53
: end
------------------------------------------------------
------------------------------------------------------
Router:
D#sh run
Building configuration...
Current configuration : 11503 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname D
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
!
aaa session-id common
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect name 232323 http urlfilter
!
!
ip domain name yourdomain.com
ip urlfilter exclusive-domain deny www.sex.ru
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4105601128
revocation-check none
rsakeypair TP-self-signed-4105601128
!
!
crypto pki certificate chain TP-self-signed-4105601128
certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  AC581219 0EBF123B D097BC5B E5CFCB10 55F75CB7 6CDBCF86
  quit
username fff privilege 15 secret 5 $1$0roh$nMMRrBNOk7k6Bh8Dc.Frt1
username dsd password 0 vvv
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key 123 address a.a.a.61
!
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
!
crypto map vpnmap1 local-address FastEthernet0/0
crypto map vpnmap1 90 ipsec-isakmp
set peer a.a.a.61
set transform-set trans2
match address 109
!
!
!
interface FastEthernet0/0
description to_internet
ip address b.b.b.2 255.255.255.252
ip nat outside
ip virtual-reassembly
ip policy route-map bank
duplex auto
speed auto
crypto map vpnmap2
!
interface FastEthernet0/1
description to_local_network
ip address 189.141.1.252 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip unnumbered FastEthernet0/0
peer default ip address pool testpool
ppp authentication pap chap
!
ip local pool testpool 192.168.111.1 192.168.111.10
ip classless
ip route 0.0.0.0 0.0.0.0 b.b.b.1
!
ip http access-class 24
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 160 interface FastEthernet0/0 overload
!
access-list 23 deny   any
access-list 24 permit 189.141.1.13
access-list 109 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255
access-list 160 deny   ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15
access-list 160 permit ip 189.141.0.0 0.0.255.255 any
route-map bank permit 10
match ip address 165
set ip next-hop 192.168.4.62
!
!
!
control-plane
!
!
banner login ^C
-----------------------------------------------------------------------
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
access-class 23 in
privilege level 15
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
--------------------------------------------------
Причём если послать пакеты (ping) из подсети PIX-а то видно как эти пакеты приходят к маршрутизатору и даже судя по всему компьютеры из подсети router-a отвечают, но пакеты не возвращаются... =(
Router:
----------------------
D#sh access-lists 160
Extended IP access list 160
    10 deny ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15 (175 matches)
    20 permit ip 189.141.0.0 0.0.255.255 any (130 matches)
D#sh access-lists 109
Extended IP access list 109
    10 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255 (358 matches)
D#
--------------------------
Спасибо

Исходное сообщение
"IPsec Pix-Router" Отправлено Regnalos, 22-Июн-07 08:25
Друзья, несколько дней не вылазию из cisco.com, перечитал на opennet.ru похожие темы, но никак не получается поднять ipsec между pix 501 v.6 и cisco 2800. Ниже приводятся конфиги обоих устройств. взгляните острым глазом если можно. Pix: LAN-192.168.103.1 255.255.255.240 WAN-a.a.a.61 255.255.255.240 Router: Lan-189.141.1.252 255.255.0.0 Wan-b.b.b.2 255.255.255.252 ------------------- Pix: : PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname NacBank domain-name aaa fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list ipsec permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0 access-list nonat permit ip 192.168.103.0 255.255.255.240 189.141.0.0 255.255.0.0 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside a.a.a.61 255.255.255.240 ip address inside 192.168.103.1 255.255.255.240 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list nonat nat (inside) 1 192.168.103.0 255.255.255.240 0 0 conduit permit icmp any any route outside 0.0.0.0 0.0.0.0 a.a.a.49 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set avalanche esp-des esp-md5-hmac crypto ipsec security-association lifetime seconds 3600 crypto map forsberg 21 ipsec-isakmp crypto map forsberg 21 match address ipsec crypto map forsberg 21 set peer b.b.b.2 crypto map forsberg 21 set transform-set avalanche crypto map forsberg interface outside isakmp enable outside isakmp enable outside isakmp key ******** address b.b.b.2 netmask 255.255.255.255 isakmp identity address isakmp policy 21 authentication pre-share isakmp policy 21 encryption des isakmp policy 21 hash md5 isakmp policy 21 group 1 isakmp policy 21 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:470836fa592db376008d5aa353b8ce53 : end ------------------------------------------------------ ------------------------------------------------------ Router: D#sh run Building configuration... Current configuration : 11503 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname D ! boot-start-marker boot-end-marker ! logging buffered 51200 warnings ! aaa new-model ! ! aaa authentication login default local aaa authentication ppp default local aaa authorization network default local ! aaa session-id common resource policy ! ip subnet-zero ! ! ip cef ip inspect name 232323 http urlfilter ! ! ip domain name yourdomain.com ip urlfilter exclusive-domain deny www.sex.ru vpdn enable ! vpdn-group 1 ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 ! ! ! ! enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4105601128 revocation-check none rsakeypair TP-self-signed-4105601128 ! ! crypto pki certificate chain TP-self-signed-4105601128 certificate self-signed 01 30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030 AC581219 0EBF123B D097BC5B E5CFCB10 55F75CB7 6CDBCF86 quit username fff privilege 15 secret 5 $1$0roh$nMMRrBNOk7k6Bh8Dc.Frt1 username dsd password 0 vvv ! ! ! crypto isakmp policy 1 hash md5 authentication pre-share lifetime 3600 crypto isakmp key 123 address a.a.a.61 ! ! crypto ipsec transform-set trans2 esp-des esp-md5-hmac mode transport ! ! crypto map vpnmap1 local-address FastEthernet0/0 crypto map vpnmap1 90 ipsec-isakmp set peer a.a.a.61 set transform-set trans2 match address 109 ! ! ! interface FastEthernet0/0 description to_internet ip address b.b.b.2 255.255.255.252 ip nat outside ip virtual-reassembly ip policy route-map bank duplex auto speed auto crypto map vpnmap2 ! interface FastEthernet0/1 description to_local_network ip address 189.141.1.252 255.255.0.0 ip nat inside ip virtual-reassembly duplex auto speed auto ! ip unnumbered FastEthernet0/0 peer default ip address pool testpool ppp authentication pap chap ! ip local pool testpool 192.168.111.1 192.168.111.10 ip classless ip route 0.0.0.0 0.0.0.0 b.b.b.1 ! ip http access-class 24 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source list 160 interface FastEthernet0/0 overload ! access-list 23 deny any access-list 24 permit 189.141.1.13 access-list 109 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255 access-list 160 deny ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15 access-list 160 permit ip 189.141.0.0 0.0.255.255 any route-map bank permit 10 match ip address 165 set ip next-hop 192.168.4.62 ! ! ! control-plane ! ! banner login ^C ----------------------------------------------------------------------- GUIDE for your router or go to http://www.cisco.com/go/sdm ----------------------------------------------------------------------- ^C ! line con 0 line aux 0 access-class 23 in privilege level 15 transport input ssh line vty 5 15 access-class 23 in privilege level 15 transport input ssh ! scheduler allocate 20000 1000 ! end -------------------------------------------------- Причём если послать пакеты (ping) из подсети PIX-а то видно как эти пакеты приходят к маршрутизатору и даже судя по всему компьютеры из подсети router-a отвечают, но пакеты не возвращаются... =( Router: ---------------------- D#sh access-lists 160 Extended IP access list 160 10 deny ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.15 (175 matches) 20 permit ip 189.141.0.0 0.0.255.255 any (130 matches) D#sh access-lists 109 Extended IP access list 109 10 permit ip 189.141.0.0 0.0.255.255 192.168.103.0 0.0.0.255 (358 matches) D# -------------------------- Спасибо

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру