I have been trying for a while to get the following working on a Cisco PIX:
1. an IPsec LAN-to-LAN connection to a Netopia 4542 router.
2. accepting connections set up with the Cisco VPN client.
I have had both of these working in separate configurations, but the intention is for them to work side by side: the LAN-to-LAN tunnel always up, and clients still able to connect at the same time.
This is the configuration I currently have, which therefore does not work:
code:
User Access Verification
Password:
Type help or '?' for a list of available commands.
Router1> en
Password: ******
Router1# sh run
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password G.9g5ghYKzkhGg1N encrypted
passwd G.9g5ghYKzkhGg1N encrypted
hostname Router1
domain-name xxxxxxxxxxx.local
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
names
name 10.50.50.10 server1
name 10.50.100.0 vpn
object-group service server tcp-udp
  description serverports tbv server1
  port-object eq 25
  port-object eq 80
  port-object eq 110
  port-object eq 443
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 10.19.19.51 object-group server
access-list 110 permit ip any 10.50.51.0 255.255.255.0
access-list 110 permit ip 10.19.19.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list ipsec permit ip 10.19.19.0 255.255.255.0 10.50.50.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 5
ip address inside 10.50.50.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 10.50.100.1-10.50.100.254
pdm location 10.50.50.0 255.255.255.0 inside
pdm location 10.50.100.0 255.255.255.0 inside
pdm location 10.50.100.0 255.255.255.0 outside
pdm location 10.50.50.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 83.162.23.243 smtp server1 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp 83.162.23.243 25 server1 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp 83.162.23.243 www server1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 83.162.23.243 pop3 server1 pop3 netmask 255.255.255.255 0 0 norandomseq
static (inside,outside) tcp 83.162.23.243 https server1 https netmask 255.255.255.255 0 0
static (inside,outside) udp 83.162.23.243 80 server1 80 netmask 255.255.255.255 0 0
static (inside,outside) udp 83.162.23.243 110 server1 110 netmask 255.255.255.255 0 0
static (inside,outside) udp 83.162.23.243 443 server1 443 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.50.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set netopiavpn esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map 4542 10 ipsec-isakmp
crypto map 4542 10 match address ipsec
crypto map 4542 10 set peer <ip remote router>
crypto map 4542 10 set transform-set netopiavpn
isakmp enable outside
isakmp key ******** address <ip remote router> netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800
vpngroup vpn address-pool vpn-pool
vpngroup vpn default-domain xxxxxxxxxxx.local
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet 10.50.50.0 255.255.255.0 inside
telnet timeout 30
ssh 10.50.50.0 255.255.255.0 inside
ssh timeout 5
dhcpd address 10.50.50.250-10.50.50.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxxxxxxxxxx.local
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f053f87f21fcbd7454343cbf9de5a211
: end
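The structural point a reviewer checks first in a PIX crypto configuration like the one above is how the crypto map entries are grouped and bound: a PIX applies exactly one crypto map set per interface (all `crypto map NAME seq ...` lines with the same NAME form that set, evaluated in sequence order), and only `crypto map NAME interface IF` makes a set active. In the posted config the only binding is `crypto map mymap interface outside`, while the LAN-to-LAN entry lives in a separate map named `4542`. The following linter, added here as an example and not code from the post or from Cisco, parses the crypto map lines and reports maps that are defined but never applied, static entries missing one of `match address`, `set peer` or `set transform-set`, and static entries ordered after a dynamic one. The second, constructed config (an assumption for illustration, not a tested fix for the poster's setup) shows the same static entry placed in the bound map with a lower sequence number than the dynamic entry.

```python
import re
from collections import defaultdict

# Constructed excerpt: the crypto map lines of the PIX 6.2 configuration
# posted above (the peer address is kept as the poster's placeholder).
POSTED_CRYPTO = """\
crypto dynamic-map dynmap 10 set transform-set strong
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map 4542 10 ipsec-isakmp
crypto map 4542 10 match address ipsec
crypto map 4542 10 set peer <ip remote router>
crypto map 4542 10 set transform-set netopiavpn
"""

# Constructed variant (assumption, not from the post): the static LAN-to-LAN
# entry placed in the map that is bound to the outside interface, with a
# lower sequence number than the dynamic remote-access entry.
SINGLE_MAP_CRYPTO = """\
crypto dynamic-map dynmap 10 set transform-set strong
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address ipsec
crypto map mymap 10 set peer <ip remote router>
crypto map mymap 10 set transform-set netopiavpn
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config):
    """Return (entries, bindings): entries[name][seq] -> list of clause strings,
    bindings[name] -> interface the map set is applied to."""
    entries = defaultdict(lambda: defaultdict(list))
    bindings = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)][int(m.group(2))].append(m.group(3))
    return entries, bindings


def lint_crypto_maps(config):
    """Return a list of (severity, message) findings for the crypto map layout."""
    entries, bindings = parse_crypto_maps(config)
    findings = []
    for name, seqs in entries.items():
        # A map set that is never applied with 'crypto map NAME interface IF'
        # is inert: none of its entries are consulted for any traffic.
        if name not in bindings:
            findings.append(("error", f"crypto map {name} is not applied to any interface"))
        dynamic_seqs = set()
        for seq, clauses in seqs.items():
            if any(c.startswith("ipsec-isakmp dynamic") for c in clauses):
                dynamic_seqs.add(seq)
                continue
            # A static (LAN-to-LAN) entry needs all three of these to be usable.
            for required in ("match address", "set peer", "set transform-set"):
                if not any(c.startswith(required) for c in clauses):
                    findings.append(("error", f"crypto map {name} {seq} lacks '{required}'"))
        # Entries are evaluated in ascending sequence order; a dynamic entry with
        # a lower sequence number than a static entry is consulted first.
        for seq in seqs:
            if seq not in dynamic_seqs and any(seq > d for d in dynamic_seqs):
                findings.append(("warning", f"crypto map {name} {seq} is ordered after a dynamic entry"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CRYPTO), ("single map", SINGLE_MAP_CRYPTO)):
        print(f"== {label} ==")
        for severity, msg in lint_crypto_maps(cfg) or [("ok", "no findings")]:
            print(f"{severity}: {msg}")
```

Run against the posted lines the linter reports only that map `4542` is bound to no interface; the constructed single-map layout produces no findings. The check is deliberately limited to what the configuration text itself shows (grouping, binding, ordering, required clauses); whether the peer, transform set and ISAKMP policy actually match the Netopia side is not something a static read of one end can establish.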