Hello everyone,
So far I have configured a Cisco 1710 for VPN access to our internal network.
The problem: no ACL rules are defined to control the incoming traffic; after a bit of trial and error nothing worked anymore in the end, never change ... ;--)
Here is the config first:
Current configuration : 3710 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname w*****
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 ********************************
!
memory-size iomem 15
clock timezone Berlin -1
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name *************
ip name-server 192.168.*****
ip name-server 21********
ip name-server 2************
!
no ip bootp server
ip vrf forward
!
ip cef
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip dhcp-server 192.168.*****
no ftp-server write-enable
!
!
username here
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 3600
crypto isakmp xauth timeout 20
!
crypto isakmp client configuration group w************
key ***************
dns 192.168.****** 192.168.****
domain ********************
pool vpnips
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 86400
set transform-set myset
reverse-route remote-peer 2**************
!
!
crypto map vpnclientmap client authentication list userauthen
crypto map vpnclientmap isakmp authorization list groupauthor
crypto map vpnclientmap client configuration address respond
crypto map vpnclientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 21******************************
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
half-duplex
no cdp enable
crypto map vpnclientmap
!
interface FastEthernet0
description $FW_INSIDE$$ETH-00 255.255.255.0
ip address 192.168.****************************
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
speed auto
no cdp enable
!
ip local pool vpnips 192.168.*********************
ip classless
ip route 0.0.0.0 0.0.0.0 2**********************
no ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
!
!
access-list 101 permit ip 192.168.*********** 0.0.0.255 192.168.********** 0.0.0.255
no cdp run
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
line aux 0
line vty 0 4
access-class 103 in
privilege level 15
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
logging trap debugging
The question now is how I allow only the Exchange ports (known) and proxy access (http, https) for the tunnel and block everything else ...
The descriptions published by Cisco didn't really help there.
Regards
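One way to do what the post asks for, as an added example and not configuration from the original post or from Cisco: filter the decrypted VPN-client traffic where it leaves the router toward the LAN, i.e. with an outbound ACL on the inside interface FastEthernet0. The VPN pool, LAN subnet, Exchange server, proxy server and the Exchange port numbers below are all assumptions (the post redacts its addresses and only says the Exchange ports are "known"); replace them with the real values.

```cisco
! Added example, not part of the posted config. Addresses are assumptions:
!   192.168.10.0/24  = internal LAN behind FastEthernet0
!   192.168.20.0/24  = VPN client pool "vpnips"
!   192.168.10.5     = Exchange server
!   192.168.10.6     = proxy server
! The Exchange ports (443, 135) are placeholders; use the ports the
! Exchange deployment actually needs.
!
! Decrypted client traffic is filtered on its way INTO the LAN (outbound on
! the inside interface), so this does not depend on how the IOS release
! treats interface ACLs for IPsec-decrypted packets on Ethernet0.
ip access-list extended VPN-TO-LAN
 remark --- VPN clients -> Exchange (replace ports as needed) ---
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.5 eq 443
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.5 eq 135
 remark --- VPN clients -> proxy, http and https only ---
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.6 eq 80
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.6 eq 443
 remark --- DNS to the internal servers handed out in the client group ---
 permit udp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 53
 remark --- replies to sessions the LAN itself opened toward VPN clients ---
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 established
 remark --- everything else coming from the VPN pool is dropped and logged ---
 deny   ip 192.168.20.0 0.0.0.255 any log
 remark --- traffic that does not come from the VPN pool is not affected ---
 permit ip any any
!
interface FastEthernet0
 ip access-group VPN-TO-LAN out
```

Because the ACL only sees packets heading into the LAN, the encrypted IKE/ESP traffic arriving on Ethernet0 and the posted crypto map are untouched, and the final permit ip any any keeps the filter from interfering with anything that is not a VPN client. Check the hit counters with show ip access-lists VPN-TO-LAN while a client tests; the log keyword on the deny only produces something visible if a syslog host is configured, since the posted config has no logging buffered. Two unrelated observations on the pasted config: the vty lines use access-class 103 in but no access-list 103 appears in the paste (an access-class that points at a non-existent list does not restrict anything), and the dns entries in the client group are the reason the example still permits UDP 53 despite "block everything else".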