Troubleshooting IPSec on a Cisco PIX 515
Copyright notice: original work. Reposting is permitted provided the original source, the author information and this notice are given as a hyperlink; otherwise legal action will be pursued. http://28917.blog.51cto.com/18917/78480
Because our original subnet had run out of IP addresses, we created additional VLANs on the Layer 3 switch that sits behind the firewall. After the VLANs were set up, testing passed.

The next day someone reported that they could no longer reach the servers at our remote site. I tested: unreachable. I asked the colleagues at the remote site whether they could reach us; they said it worked without any problem. How could that be? The IPSec tunnel on the firewall only worked from the remote site to us; from our side we could not reach the remote network.

I checked the routing and access planning on the Layer 3 switch; nothing wrong there. Then I did a `sh run` on the firewall and remembered that I had added two commands for the new VLANs:

nat (inside) 1 192.168.0.0 255.255.0.0 0 0
route inside 192.168.0.0 255.255.0.0 192.168.20.254 1

I removed `route inside 192.168.0.0 255.255.0.0 192.168.20.254 1` and the IPSec tunnel worked again, but now the other VLANs had no Internet access. That pinned down the problem: the route `route inside 192.168.0.0 255.255.0.0 192.168.20.254 1` also covers the networks on the VPN peer's side. The remote subnets in the crypto ACLs (192.168.25.0/24 in `vpn`, 192.168.0.0/24 in `vpn1`) fall inside 192.168.0.0/16, and a /16 static route is more specific than the default route to the outside, so the PIX forwarded traffic for the remote site to the Layer 3 switch at 192.168.20.254 instead of out the outside interface. The crypto map is bound to the outside interface, so packets that never leave through it are never matched against the crypto ACL and never encrypted.

I replaced the summary route with three routes that cover only the new VLANs:

route inside 192.168.201.0 255.255.255.0 192.168.20.254 1
route inside 192.168.202.0 255.255.255.0 192.168.20.254 1
route inside 192.168.203.0 255.255.255.0 192.168.20.254 1

After that everything was OK.

Two things worth checking after a change like this. First, always compare a new static route against the destination networks in every crypto ACL (`show access-list vpn`, `show access-list vpn1`): any inside route that is more specific than the default route and overlaps a remote VPN subnet will silently pull that traffic away from the tunnel. Second, the new VLANs appear in neither the `nonat` ACL nor the crypto ACLs, so hosts in 192.168.201.0/24 to 192.168.203.0/24 are PATed to the Internet by `nat (inside) 1` but cannot use the tunnel at all; if they need to, add matching `nonat` and crypto ACL lines here and the mirror-image entries on the peer.
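The following is an added example, not code from the original post. It models the two decisions the PIX makes for a packet from an inside host: longest-prefix route lookup to pick the egress interface, then the crypto map check that only happens for packets leaving the outside interface. The route and ACL entries are the ones from this post; the sample hosts (.10 and .5) and the Internet address 203.0.113.10 are constructed for illustration, and NAT ordering and the PPTP pool are deliberately left out of the model.

```python
"""Model PIX 6.3 egress selection: longest-prefix route, then crypto map.

Added example, not part of the original post. Route and ACL entries are
taken from the post; sample hosts and 203.0.113.10 are constructed.
"""
from ipaddress import ip_address, ip_network

# Connected inside network (ip address inside 192.168.20.88/24) plus the
# static routes present in the dumped configuration.
BASE_ROUTES = [
    ("192.168.20.0/24", "inside"),   # connected
    ("0.0.0.0/0", "outside"),        # route outside 0.0.0.0 0.0.0.0 <isp> 1
    ("192.168.21.0/24", "inside"),
    ("192.168.22.0/24", "inside"),
    ("192.168.23.0/24", "inside"),
]

# The summary route that broke the tunnel ...
BROKEN_ROUTE = [("192.168.0.0/16", "inside")]
# ... and the three /24 routes that replaced it.
FIXED_ROUTES = [
    ("192.168.201.0/24", "inside"),
    ("192.168.202.0/24", "inside"),
    ("192.168.203.0/24", "inside"),
]

# crypto map vpn 10/20 "match address" lines as (source, destination).
CRYPTO_ACL = [
    ("192.168.20.0/24", "192.168.25.0/24"),  # access-list vpn
    ("192.168.20.0/24", "192.168.0.0/24"),   # access-list vpn1
    ("192.168.21.0/24", "192.168.0.0/24"),   # access-list vpn1
]


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific route wins, regardless of order."""
    addr = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]  # the 0.0.0.0/0 entry guarantees a match


def crypto_match(src, dst):
    """True when some 'match address' ACL line covers this src/dst pair."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in CRYPTO_ACL)


def classify(routes, src, dst):
    """Describe where a packet from an inside host ends up.

    The crypto map is bound to 'outside', so only packets routed out of that
    interface are ever compared against the crypto ACLs.
    """
    iface = egress_interface(routes, dst)
    if iface != "outside":
        return "forwarded to %s (never reaches crypto map)" % iface
    if crypto_match(src, dst):
        return "outside via IPsec tunnel"
    return "outside via NAT/PAT (clear text to the Internet)"


if __name__ == "__main__":
    cases = (("192.168.20.10", "192.168.25.10"),   # old LAN -> remote VPN subnet
             ("192.168.20.10", "203.0.113.10"),    # old LAN -> Internet
             ("192.168.201.5", "203.0.113.10"),    # new VLAN -> Internet
             ("192.168.201.5", "192.168.25.10"))   # new VLAN -> remote VPN subnet
    for label, routes in (("broken /16 route", BASE_ROUTES + BROKEN_ROUTE),
                          ("fixed /24 routes", BASE_ROUTES + FIXED_ROUTES)):
        print(label)
        for src, dst in cases:
            print("  %-15s -> %-15s %s" % (src, dst, classify(routes, src, dst)))
```

With the /16 route installed, the remote subnet 192.168.25.0/24 is sent to the inside L3 switch and the crypto ACL is never consulted; with the three /24 routes it falls through to the default route and is encrypted. The last case also shows the caveat from the text: a host in a new VLAN reaches the outside interface but matches no crypto ACL line, so it would be PATed to the Internet rather than tunnelled.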
Attached: the full firewall configuration (one command per line; public addresses and keys are masked in the original).

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x82aRes.pjqJ4dth encrypted
passwd jCEEIEX17NiCkPTM encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 3142
fixup protocol sqlnet 6592
fixup protocol tftp 69
names
access-list acl-out permit icmp any any
access-list vpn permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.21.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpn1 permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpn1 permit ip 192.168.21.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.224
ip address inside 192.168.20.88 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp 192.168.29.1-192.168.29.254
pdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*-*.*.*.* netmask 255.255.255.224
global (outside) 1 *.*.*.*
nat (inside) 0 access-list nonat
alias (inside) 192.168.20.11 *.*.*.* 255.255.255.255
static (inside,outside) *.*.*.* 192.168.20.111 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.23.0 255.255.255.0 192.168.20.254 1
route inside 192.168.21.0 255.255.255.0 192.168.20.254 1
route inside 192.168.22.0 255.255.255.0 192.168.20.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn
crypto map vpn 10 set peer *.*.*.*
crypto map vpn 10 set transform-set vpn
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address vpn1
crypto map vpn 20 set peer *.*.*.*
crypto map vpn 20 set transform-set vpn
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local pptp outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.21.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp
vpdn group 1 client configuration dns 202.106.148.1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username geng password *********
vpdn enable outside
terminal width 80
Cryptochecksum:0a4e314cd4cd52bcb26bff122b11fefa
: end

A few notes on this dump. It does not contain the `nat (inside) 1` line or the 192.168.201.0/24 to 192.168.203.0/24 routes, so it reflects the configuration before the VLAN change. The inbound ACL is defined as `acl-out` (hyphen) but applied as `access-group acl_out` (underscore); verify with `show access-list` and `show access-group` which name the firewall is actually enforcing on the outside interface. The IKE policy and the transform set use DES, MD5 and DH group 1, and the PPTP group uses 40-bit MPPE; all of these are weak, and PIX 6.3 supports 3DES/AES, SHA-1 and DH group 2 or 5 (subject to the license), which should be used instead, on both peers. The SNMP community is the default `public` and management is by Telnet from the inside subnets; change the community string and prefer SSH, which is already present in the timeout settings but has no permitted hosts configured.

This article is from the "skyline" blog on 51CTO.COM; please keep this source: http://28917.blog.51cto.com/18917/78480
heieye104