onedread (posted 13 May 2009)

Hi,

We have connected another company via VPN that is allowed to access our AS400, nothing else. Now there is the requirement that the external company must also be allowed to reach a LINUX server, which however sits in a different VLAN. How do I have to configure this so that it works?

AS400 VLAN1 10.10.0.0 255.255.0.0 network
LINUXSERVER VLAN6 10.0.0.1 255.255.0.0 network

With sh crypto ipsec sa I see IP:0 at current_peer instead of IP:500 ?????? WHY???

local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
current_peer: 195.XX:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
local crypto endpt.: 195.XXX, remote crypto endpt.: 195.XX
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

local ident (addr/mask/prot/port): (10.10.10.100/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
current_peer: 195.XXX:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 40809, #pkts encrypt: 40809, #pkts digest 40809
#pkts decaps: 37370, #pkts decrypt: 37370, #pkts verify 37372
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 4
local crypto endpt.: 195.XXX, remote crypto endpt.: 195.XX
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: ee0689af
inbound esp sas:
spi: 0xd28273a7(3531764647)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 18, crypto map: BECOM-MAP
sa timing: remaining key lifetime (k/sec): (4607987/5988)
IV size: 8 bytes
replay detection support: Y

Unfortunately I don't have that much experience with the PIX. If you need the whole config, just say so.

thx
onedread
Otaku19 (posted 13 May 2009)

The config can't hurt, specifically the whole crypto stuff, the ACLs and the NAT.
blackbox (posted 13 May 2009)

Hello,

you need to extend your IPSec tunnel with the policy for the traffic 10.0.0.0/16 to ... . That has to happen on both sides. On the PIX you can also do it through the graphical interface - possibly helpful for beginners.
onedread (author, posted 13 May 2009)

interface ethernet1 100full
interface ethernet1 vlan9 physical
interface ethernet1 vlan6 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan1 daten security99
nameif vlan6 schrack security8
access-list VPN-OUT permit ip 10.10.0.0 255.255.0.0 172.16.82.0 255.255.255.0
access-list VPN-OUT permit ip 10.20.0.0 255.255.0.0 172.16.82.0 255.255.255.0
access-list ACL-INSIDE permit icmp any any
access-list ACL-INSIDE permit udp host 10.10.10.12 any eq domain
access-list ACL-INSIDE permit udp host 10.10.10.21 any eq domain
access-list ACL-INSIDE permit udp host 10.10.10.22 any eq domain
access-list ACL-INSIDE permit tcp host 10.10.10.21 any eq smtp
access-list ACL-INSIDE permit tcp host 10.10.10.22 any eq smtp
access-list ACL-INSIDE permit tcp host 10.10.10.58 any eq smtp
access-list ACL-INSIDE permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list ACL-INSIDE permit tcp 172.16.81.0 255.255.255.0 any eq www
access-list ACL-INSIDE permit tcp 10.10.0.0 255.255.0.0 any eq https
access-list ACL-INSIDE permit tcp 172.16.81.0 255.255.255.0 any eq https
access-list ACL-INSIDE permit tcp 10.10.0.0 255.255.0.0 any eq telnet
access-list ACL-INSIDE permit tcp 172.16.81.0 255.255.255.0 any eq telnet
access-list ACL-INSIDE permit tcp 10.10.0.0 255.255.0.0 any eq ftp
access-list ACL-INSIDE permit tcp 172.16.81.0 255.255.255.0 any eq ftp
access-list ACL-INSIDE permit udp 10.10.0.0 255.255.0.0 any eq isakmp
access-list ACL-INSIDE permit udp 172.16.81.0 255.255.255.0 any eq isakmp
access-list ACL-INSIDE permit tcp 10.10.0.0 255.255.0.0 any eq pptp
access-list ACL-INSIDE permit tcp 172.16.81.0 255.255.255.0 any eq pptp
access-list ACL-INSIDE permit udp 10.10.0.0 255.255.0.0 any eq ntp
access-list ACL-INSIDE permit udp 172.16.81.0 255.255.255.0 any eq ntp
access-list ACL-INSIDE permit tcp 10.10.0.0 255.255.0.0 any eq pop3
access-list ACL-INSIDE permit tcp 172.16.81.0 255.255.255.0 any eq pop3
access-list ACL-INSIDE deny ip any any log
access-list outside_cryptomap_20 permit ip daten_net_10 255.255.255.0 10.115.255.0 255.255.255.0
access-list VPN-MOBILE permit ip 10.10.0.0 255.255.0.0 172.16.83.0 255.255.255.0
access-list VPN-MOBILE permit ip 10.20.0.0 255.255.0.0 172.16.83.0 255.255.255.0
access-list VPN_NO_NAT permit ip 10.10.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list VPN_NO_NAT permit ip 10.10.0.0 255.255.0.0 172.16.83.0 255.255.255.0
access-list VPN_NO_NAT permit ip 10.20.0.0 255.255.0.0 172.16.83.0 255.255.255.0
access-list VPN_NO_NAT permit ip 10.10.0.0 255.255.0.0 172.16.82.0 255.255.255.0
access-list VPN_NO_NAT permit ip 10.20.0.0 255.255.0.0 172.16.82.0 255.255.255.0
access-list VPN_NO_NAT permit tcp host 10.10.10.100 10.115.255.0 255.255.255.0 eq telnet
access-list VPN_NO_NAT permit tcp host 10.10.10.100 10.115.255.0 255.255.255.0 eq lpd
access-list VPN_NO_NAT permit ip host 10.10.10.100 10.112.0.0 255.255.0.0
access-list VPN_NO_NAT permit ip host 10.10.10.100 172.16.84.0 255.255.255.0
access-list VPN_NO_NAT permit ip host 10.10.201.101 172.16.85.0 255.255.255.0
access-list VPN_NO_NAT permit ip host 10.10.201.106 172.16.85.0 255.255.255.0
access-list VPN_NO_NAT permit ip host 10.10.10.100 172.16.86.0 255.255.255.0
access-list VPN_NO_NAT permit ip 10.10.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list VPN_NO_NAT permit ip host 10.10.1.3 172.16.86.0 255.255.255.0
access-list VPN_NO_NAT permit ip host 10.10.1.2 172.16.86.0 255.255.255.0
access-list VPN_NO_NAT permit ip host 10.10.10.12 172.16.86.0 255.255.255.0
access-list VPN_NO_NAT permit ip host 10.10.11.12 172.16.86.0 255.255.255.0
access-list VPN_NO_NAT permit ip host 10.0.0.1 10.112.0.0 255.255.0.0
onedread (author, posted 13 May 2009)

access-list VPN_NO_NAT permit ip host 10.0.0.1 host 10.10.111.200
access-list acl-seconet-out permit ip host 10.10.10.100 10.112.0.0 255.255.0.0
access-list acl-seconet-out permit ip host 10.0.0.1 10.112.0.0 255.255.0.0
access-list ACL-DATEN permit ip host 10.10.254.254 host 172.16.83.252
access-list ACL-DATEN permit ip host 10.10.10.24 172.16.82.252 255.255.255.252
access-list ACL-DATEN permit ip any any
access-list ACL-DATEN deny ip any host 172.16.83.252
no ip address inside
ip address webnet 192.168.2.254 255.255.255.0
ip address daten 10.10.10.7 255.255.0.0
ip address voice 10.20.10.7 255.255.0.0
ip address funk 10.30.10.7 255.255.0.0
ip address mobile 10.40.10.7 255.255.0.0
ip address intf8 10.50.10.7 255.255.0.0
ip address schrack 10.0.0.7 255.255.0.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 195.230.166.250-195.230.166.254 netmask 255.255.255.240
global (outside) 1 195.230.166.249 netmask 255.255.255.240
global (webnet) 1 192.168.2.100-192.168.2.164 netmask 255.255.255.0
nat (daten) 0 access-list VPN_NO_NAT
nat (daten) 1 172.16.81.0 255.255.255.0 0 0
nat (daten) 1 193.81.53.0 255.255.255.0 0 0
nat (daten) 1 10.10.0.0 255.255.0.0 0 0
nat (voice) 0 access-list VPN_NO_NAT
nat (mobile) 1 10.40.100.0 255.255.255.0 0 0
nat (intf8) 1 10.50.100.0 255.255.255.0 0 0
nat (schrack) 0 access-list VPN_NO_NAT
nat (schrack) 1 10.0.0.0 255.255.0.0 0 0
static (voice,funk) 10.20.0.0 10.20.0.0 netmask 255.255.0.0 0 0
static (daten,funk) 10.10.11.11 10.10.11.11 netmask 255.255.255.255 0 0
static (daten,schrack) 10.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
static (schrack,daten) 10.0.0.1 10.0.0.1 netmask 255.255.255.255 0 0
access-group ACL-DATEN in interface daten
access-group pix_voice in interface voice
access-group pix_funk in interface funk
access-group pix_mobile in interface mobile
access-group pix-pda in interface intf8
route outside 0.0.0.0 0.0.0.0 195.XXX 1
route daten 172.16.81.0 255.255.255.0 10.10.10.1 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto ipsec transform-set seconet esp-3des
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map VPN-MAP 10 set transform-set VPN-SET
crypto dynamic-map dyn-MOBILE-MAP 10 set transform-set VPN-SET
crypto map BECOM-MAP 8 ipsec-isakmp
crypto map BECOM-MAP 8 match address acl-airam-out
crypto map BECOM-MAP 8 set peer 81.XXX
crypto map BECOM-MAP 8 set transform-set ESP-3DES-MD5
crypto map BECOM-MAP 9 ipsec-isakmp
crypto map BECOM-MAP 9 match address acl-seconet-out
crypto map BECOM-MAP 9 set peer 195.XXX
crypto map BECOM-MAP 9 set transform-set ESP-3DES-SHA
crypto map BECOM-MAP 10 ipsec-isakmp dynamic VPN-MAP
crypto map BECOM-MAP interface outside
crypto map MOBILE-MAP 10 ipsec-isakmp dynamic dyn-MOBILE-MAP
crypto map MOBILE-MAP interface mobile
isakmp enable outside
isakmp enable mobile
isakmp key ******** address 195.XXX netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 7200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
onedread (author, posted 13 May 2009)

So the part with the two ACLs I have already done: that is 1. the VPN_NO_NAT and 2. the acl-seconet-out. Because the machine is in a different VLAN, is there nothing else to take into account?

regards
onedread
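As an added check (not code from the thread), a small standard-library Python script that parses the ACL lines posted above and the `sh crypto ipsec sa` excerpt and reports, per SA, whether its proxy identities are matched by the crypto map ACL (`acl-seconet-out`) and by the nat 0 ACL (`VPN_NO_NAT`), next to the IKE peer port and the encaps counter. The sample input is constructed from the lines in this thread; 203.0.113.9 is a placeholder for the masked 195.XXX peer address.

```python
import ipaddress, re
# Constructed sample: the thread's ACL lines for 10.0.0.1 (Linux, VLAN6) and 10.10.10.100 (AS400).
PIX_ACLS = """
access-list VPN_NO_NAT permit ip host 10.10.10.100 10.112.0.0 255.255.0.0
access-list VPN_NO_NAT permit ip host 10.0.0.1 10.112.0.0 255.255.0.0
access-list acl-seconet-out permit ip host 10.10.10.100 10.112.0.0 255.255.0.0
access-list acl-seconet-out permit ip host 10.0.0.1 10.112.0.0 255.255.0.0
"""
# Constructed 'sh crypto ipsec sa' excerpt; 203.0.113.9 stands in for the masked peer address.
SA_OUTPUT = """
local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
current_peer: 203.0.113.9:0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
local ident (addr/mask/prot/port): (10.10.10.100/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
current_peer: 203.0.113.9:500
#pkts encaps: 40809, #pkts encrypt: 40809, #pkts digest 40809
"""

def parse_acls(text):
    """Map ACL name -> ordered list of (action, src_net, dst_net); handles 'host A' and 'A MASK'."""
    addr = lambda t: (ipaddress.ip_network(t[1] if t[0] == "host" else f"{t[0]}/{t[1]}"), t[2:])
    acls = {}
    for t in (line.split() for line in text.splitlines()):
        if len(t) >= 6 and t[0] == "access-list":
            src, rest = addr(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, addr(rest)[0]))
    return acls

def acl_permits(acls, name, src_ip, dst_ip):
    """First-match evaluation as the PIX does it; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acls.get(name, []):
        if s in src and d in dst:
            return action == "permit"
    return False

# One SA: proxy identities, IKE peer port (0 instead of 500 is the thread's symptom), encaps counter.
SA_RE = re.compile(r"local ident.*?\): \((\S+?)/.*?remote ident.*?\): \((\S+?)/(\S+?)/"
                   r".*?current_peer: \S+?:(\d+).*?#pkts encaps: (\d+)", re.S)

def parse_sas(text):
    return [{"local": loc, "remote": str(ipaddress.ip_network(f"{a}/{m}").network_address),
             "ike_port": int(port), "encaps": int(enc)} for loc, a, m, port, enc in SA_RE.findall(text)]

def audit(acls, sas, crypto_acl="acl-seconet-out", nat0_acl="VPN_NO_NAT"):
    """Per SA: are its proxy identities covered by both the crypto map ACL and the nat 0 ACL?"""
    return [dict(sa, in_crypto_acl=acl_permits(acls, crypto_acl, sa["local"], sa["remote"]),
                 in_nat0_acl=acl_permits(acls, nat0_acl, sa["local"], sa["remote"])) for sa in sas]
```

An SA that both ACLs cover but that still shows peer port 0 and zero encaps packets is not explained by those two ACLs, so the next things to compare are the remote side's policy for 10.0.0.1 (as blackbox notes, both ends need it) and the local routing and NAT path out of the schrack interface.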