MCSEboard.de – IT Pro Forum for Windows Server 2008 R2 / 2008 / 2003 & Windows 7 / Vista / XP

Cisco Forum — General


09.03.2009, 08:47   #1
Newbie
Registered since: 06-2008
Posts: 7
ASA 5510 VPN Problem

Good day,

I wanted to set up a VPN connection on my ASA; using the SSL VPN Wizard I configured the connection without any problems. Connecting to the VPN with AnyConnect from the outside network works without problems, but unfortunately I cannot ping the network 10.4.3.0.

I am posting the configuration here and hope that someone can help me!

Code:
: Saved
:
ASA Version 8.0(4) 
!
hostname robasa1
domain-name iit.re
enable password 1IXqTFxrMVIPL/Vp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.10.0.64 sptt-p-workers-poschiavo
name 10.10.4.64 sptt-workers-robbia
name 10.4.3.0 ids-network1
!
interface Ethernet0/0
 description INTERNET ACCESS
 nameif outside
 security-level 10
 ip address 192.168.1.10 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/1
 description INDUSTRIE IT
 nameif inside
 security-level 10
 ip address 10.10.128.254 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/2
 description DMZ PORT
 shutdown
 nameif dmz
 security-level 0
 no ip address
 ospf cost 10
!
interface Ethernet0/3
 description IDS VPN ACCESS PORT
 nameif ids
 security-level 10
 ip address 10.4.3.5 255.255.255.192 
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
 ospf cost 10
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name iit.re
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark Permit all traffic from outside to inside
access-list outside_access_in extended permit ip any any 
access-list inside_access_in remark Permit all traffic from inside to outside
access-list inside_access_in extended permit ip any any 
access-list inside_access_out extended permit ip any any 
access-list outside_access_out extended permit ip any any

Many thanks
Uli
09.03.2009, 08:48   #2
Newbie
Registered since: 06-2008
Posts: 7
CONFIG Part 2

Code:
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu ids 1500
mtu management 1500
ip local pool IDS_VPNpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 sptt-p-workers-poschiavo 255.255.255.192 dns
nat (inside) 1 sptt-workers-robbia 255.255.255.192 dns
nat (management) 0 0.0.0.0 0.0.0.0 dns
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside sptt-p-workers-poschiavo 255.255.255.192 10.10.128.195 1
route inside sptt-workers-robbia 255.255.255.192 10.10.128.131 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.128.128 255.255.255.255 inside
http sptt-workers-robbia 255.255.255.192 inside
http 10.10.128.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 management
http sptt-p-workers-poschiavo 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set
09.03.2009, 08:49   #3
Newbie
Registered since: 06-2008
Posts: 7
CONFIG Part 3
Code:
transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map ids_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ids_map interface ids
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable ids
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username nls2005@XXXX.ch password ********* 
dhcpd address 192.168.1.32-192.168.1.64 outside
dhcpd enable outside
!
dhcpd address 192.168.10.2-192.168.10.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 enable ids
 svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask none default svc
group-policy Policy_IDS_VPN internal
group-policy Policy_IDS_VPN attributes
 vpn-tunnel-protocol svc 
 address-pools value IDS_VPNpool
username ids-remote password .onZxguIuB8Kxn9u encrypted privilege 15
username ids-remote attributes
 vpn-group-policy Policy_IDS_VPN
 service-type remote-access
tunnel-group RE_VPN type remote-access
tunnel-group RE_VPN general-attributes
 address-pool (outside) IDS_VPNpool
 address-pool IDS_VPNpool
 authentication-server-group (outside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy Policy_IDS_VPN
tunnel-group RE_VPN webvpn-attributes
 group-alias IDS enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:d3dd9bfc25c4486db5a4e578408844df
: end
asdm image disk0:/asdm-613.bin
asdm location sptt-workers-robbia 255.255.255.192 management
asdm location sptt-p-workers-poschiavo 255.255.255.192 management
no asdm history enable