PIX 501 VPN - kein Kontakt zu den Clients

[Stephan-Wild 10]

Hallo Leute,

 

Ich habe ein kleines oder vielleicht ein großes Problem und ich kanns einfach nicht finden.

Ich bekomme über den Cisco VPN-Client 4.7 einen Tunnel zur PIX aufgebaut. ich kann dann auch per ssh oder http auf sie zugreifen. Wenn ich aber einen Server bzw. Client dahinter nutzen will bekomme ich keine Verbindung. Woran kann das liegen? Ich habe unten die Konfig mit angehängt.

 

Danke schon mal

 

 

Stephan

 

 

 

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password oZ2r/XCIdkztjEl7 encrypted

passwd oZ2r/XCIdkztjEl7 encrypted

hostname PIX501

domain-name wild.net

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list VPN_splitTunnelAcl permit ip any any

access-list inside_cryptomap_dyn_20 permit ip any 192.168.0.192 255.255.255.224

access-list inside_cryptomap_dyn_40 permit ip any 192.168.0.192 255.255.255.224

access-list VPN.Test_splitTunnelAcl permit ip any any

access-list inbound permit tcp any any eq 900

access-list inbound permit udp any any eq 900

access-list inbound permit tcp any any eq 8080

access-list inbound permit tcp any any eq 8333

access-list inbound permit tcp any any eq 873

pager lines 24

logging on

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.0.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN 192.168.0.200-192.168.0.210

pdm location 0.0.0.0 0.0.0.0 inside

pdm location 192.168.0.100 255.255.255.255 inside

pdm location 192.168.0.50 255.255.255.255 inside

pdm location 192.168.0.51 255.255.255.255 inside

pdm location 192.168.0.52 255.255.255.255 inside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 900 192.168.0.100 900 netmask 255.255.255.255 0 0

static (inside,outside) udp interface 900 192.168.0.100 900 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8080 192.168.0.50 8080 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8333 192.168.0.100 8333 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 873 192.168.0.52 873 netmask 255.255.255.255 0 0

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

[Stephan-Wild 10]

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

auth-prompt prompt Please identify yourself!

auth-prompt accept Welcome to the Cisco PIX 501 Firewall

auth-prompt reject You do not have any permission to this Network-Device. Your IP-adress is logged.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport

crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map inside_dyn_map 40 match address inside_cryptomap_dyn_40

crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA

crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_DES_SHA

crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map client authentication LOCAL

crypto map inside_map interface inside

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp enable inside

isakmp key ******** address 192.168.0.254 netmask 255.255.255.0 no-xauth no-config-mode

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp nat-traversal 3600

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup VPN address-pool VPN

vpngroup VPN dns-server 217.237.151.97 217.237.151.161

vpngroup VPN default-domain wild.net

vpngroup VPN split-tunnel VPN_splitTunnelAcl

vpngroup VPN idle-time 1800

vpngroup VPN password ********

vpngroup Stephan.Wild address-pool VPN

vpngroup Stephan.Wild dns-server 217.237.151.97 217.237.151.161

vpngroup Stephan.Wild default-domain wild.net

vpngroup Stephan.Wild idle-time 1800

vpngroup Stephan.Wild password ********

telnet 192.168.0.0 255.255.255.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

management-access inside

console timeout 0

vpdn group L2TP accept dialin l2tp

vpdn group L2TP ppp authentication chap

vpdn group L2TP client configuration address local VPN

vpdn group L2TP client configuration dns 192.168.0.1

vpdn group L2TP client authentication local

vpdn group L2TP l2tp tunnel hello 60

vpdn group PPTP accept dialin pptp

vpdn group PPTP ppp authentication pap

vpdn group PPTP client configuration address local VPN

vpdn group PPTP client configuration dns 217.237.151.97 217.237.151.161

vpdn group PPTP pptp echo 60

vpdn group PPTP client authentication local

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname XXXXXXXXXXX@t-online.de

vpdn group pppoe_group ppp authentication pap

vpdn username stephan.wild password *********

vpdn username swild password *********

vpdn username XXXXXXXXX@t-online.de password *********

vpdn enable inside

dhcpd address 192.168.0.101-192.168.0.132 inside

dhcpd dns 217.237.151.161 217.237.151.97

dhcpd lease 1048575

dhcpd ping_timeout 750

dhcpd domain wild.net

dhcpd enable inside

username VPN-Fremd password FoMSUAClgPoCTKdD encrypted privilege 2

username Stephan.Wild password 1NZJNXTmtXp3XkxI encrypted privilege 15

terminal width 80

Cryptochecksum:d17721b1c85e2751ac31f6c6a5337d64

: end

[Wordo 11]

Sicher das die Regel fuer split-tunnel stimmt? Wenn du eh alles erlaubst kannst es auch ganz rausnehmen. Bekommst du die korrekte IP zugewiesen? Und kennen die Rechner im Netz die die Route dahin? Steht was tolles in "sh logg"?

[Stephan-Wild 10]

Also im "sh logg" steht nicht wirklich was interessantes drin. Nach dem Aufbau des Tunnels bin ich im gleichen IP-Bereich wie meine Clients und Server. Mit dem Split-Tunnel habe leider keine Ahnung, aber die kann ich rausnehmen.

 

 

Sephan

[Wordo 11]

Das schreit ja foermlich nach proxy-arp. Gib den Clients doch eine IP aus einem anderen Netz und auf dem Server eine Route dahin. Nur zum testen vorerst ...