
VPN connection between two PIX 501s


Mlinko ::

Hello,

Two Cisco PIX 501s are connected to each other through a switch. I can ping both outside IP addresses. I would like to know what is wrong in the configuration, because the PIXes do not establish a VPN connection...

If anyone sees a mistake, please help me!

show crypto isakmp sa does not show any established connection...

Here are both PIX configurations:

PIX 1:

PIX Version 6.3(5)125
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6O5yhV/MjI8faCG6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname RokPix
domain-name Rok.pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.165.1.0 255.255.255.0
access-list NoNat permit ip 192.168.1.0 255.255.255.0 192.165.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging host inside 10.10.1.2
logging host inside 10.10.1.1
mtu outside 1500
mtu inside 1500
ip address outside 10.10.1.1 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNat
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.20 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 7200
crypto map testiranje 1 ipsec-isakmp
crypto map testiranje 1 match address 101
crypto map testiranje 1 set peer 10.10.1.2
crypto map testiranje 1 set transform-set test
crypto map testiranje interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 10.10.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 21600
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

PIX 2:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6O5yhV/MjI8faCG6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pix2
domain-name pix2.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.165.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNat permit ip 192.165.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 10.10.1.2 255.255.0.0
ip address inside 192.165.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNat
route outside 0.0.0.0 0.0.0.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 7200
crypto map testiranje 1 ipsec-isakmp
crypto map testiranje 1 match address 101
crypto map testiranje 1 set peer 10.10.1.1
crypto map testiranje 1 set transform-set test
crypto map testiranje interface outside
isakmp enable outside
isakmp key ******** address 10.10.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 21600
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

Thanks for the help!

NeMeTko ::

I'm not a Cisco expert, but even from a distance I can see that the pix2 configuration is missing two lines that you have on pix1:

isakmp enable inside
isakmp identity address

Mlinko ::

Thanks for the reply, but that still does not solve the problem :(

NeMeTko ::

Your routing looks suspicious to me.

Since you have a direct connection between the two boxes, your gateway should be the IP of the other PIX.

Pix1:
ip address outside 10.10.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 10.10.1.2 1

Pix2:
ip address outside 10.10.1.2 255.255.0.0
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1

Mlinko ::

Hello NeMeTko,

I have corrected those things, but the connection still does not work...

NeMeTko ::

Take a look at this link, which has a similar configuration, and check what else you may have overlooked.

(Where are all those Cisco prophets who are otherwise so loud? When you need them, they are nowhere to be found?)

Daedalus ::

One off the top of my head: check whether the time on both PIXes is synced. And do they ping each other on the outside IP?
Man is condemned to be free; because once thrown into the world,
he is responsible for everything he does.
[J.P.Sartre]

Mlinko ::

I'll check the time; I can ping both devices without any problem... I'll report back if it works.

amigo_no1 ::

Comparing files pix1.txt and PIX2.TXT:
***** pix1.txt
PIX Version 6.3(5)125
interface ethernet0 auto
***** PIX2.TXT
PIX Version 6.3(5)
interface ethernet0 auto
*****

***** pix1.txt
passwd 2KFQnbNIdI.2KYOU encrypted
hostname RokPix
domain-name Rok.pix.com
fixup protocol dns maximum-length 512
***** PIX2.TXT
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Pix2
domain-name pix2.com
fixup protocol dns maximum-length 512
*****

***** pix1.txt
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.165.1.0 255.255.255.0
access-list NoNat permit ip 192.168.1.0 255.255.255.0 192.165.1.0 255.255.255.0
pager lines 24
***** PIX2.TXT
names
access-list 101 permit ip 192.165.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNat permit ip 192.165.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
*****

***** pix1.txt
logging timestamp
logging host inside 10.10.1.2
logging host inside 10.10.1.1
mtu outside 1500
***** PIX2.TXT
logging timestamp
logging buffered debugging
logging trap informational
mtu outside 1500
*****

***** pix1.txt
mtu inside 1500
ip address outside 10.10.1.1 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
***** PIX2.TXT
mtu inside 1500
ip address outside 10.10.1.2 255.255.0.0
ip address inside 192.165.1.1 255.255.255.0
ip audit info action alarm
*****

***** pix1.txt
nat (inside) 0 access-list NoNat
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
***** PIX2.TXT
nat (inside) 0 access-list NoNat
route outside 0.0.0.0 0.0.0.0 10.10.1.2 1
timeout xlate 3:00:00
*****

***** pix1.txt
http server enable
http 192.168.1.20 255.255.255.255 inside
no snmp-server location
***** PIX2.TXT
http server enable
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
*****

***** pix1.txt
crypto map testiranje 1 match address 101
crypto map testiranje 1 set peer 10.10.1.2
crypto map testiranje 1 set transform-set test
***** PIX2.TXT
crypto map testiranje 1 match address 101
crypto map testiranje 1 set peer 10.10.1.1
crypto map testiranje 1 set transform-set test
*****

***** pix1.txt
isakmp enable outside
isakmp enable inside
isakmp key ******** address 10.10.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
***** PIX2.TXT
isakmp enable outside
isakmp key ******** address 10.10.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
*****

tony1 ::

Sorry, I don't have time to read the details.

Do you have connectivity between the outside IPs of the firewalls?

For the tunnel to come up, some "interesting" traffic has to go into it (the easiest way to trigger it is from the LAN behind the PIX). Until there is such traffic, the command sh isa sa will show nothing.

For learning the basics I can recommend this article; once you have studied it, things will be clear:
http://packetlife.net/blog/2011/jul/11/...

tony1 ::

One more thing: which version of PIX OS is running on the boxes?

Before version 7.0, nat-control was mandatory: in such old versions PIX OS could not route traffic from a more secure interface to a less secure one without also doing a NAT translation. That is why it must be configured in versions below 7.0.

In versions 7.0 and later such a NAT setup is only mandatory if the configuration contains the command "nat-control". If you don't want that, you enter "no nat-control". (Earlier versions did not have this command.) But a PIX 501 cannot run version 7.0 anyway, because it has too little RAM.

And a bit of comfort (in light of the neighbouring thread, where we learned that it is mortally dangerous nowadays to live with an internet connection without a firewall with DPI functionality enabled): be aware that the PIX platform has been end of life for years and there are no fixes for it, not even security ones.

NeMeTko ::

@toni1

My gut feeling is that Mlinko is playing with this for educational purposes (given that he has both PIXes connected directly with nothing in between, at least judging by the configuration).

If his aim is to master Cisco technology and take an exam, the two old PIXes are in my view a perfectly acceptable starting platform (especially if he got them for free somewhere). He will certainly have to sniff at some newer variant later, though.

jl ::

Delete isakmp enable inside on the first PIX. And try turning on debug (debug crypto isakmp); it might spit out something useful. Also check the PSK; if phase 1 doesn't come up, that could be it too.

Mlinko ::

@NeMeTko: Yes, I want to set up the connection for educational purposes. And do a bit of testing...

@jl: I'll delete isakmp enable inside, but the problem is that the PIX doesn't print anything when I use debug crypto isakmp... It just takes the command and immediately shows the prompt for the next command...

jl ::

If you are connected remotely (ssh, telnet), enter the command 'terminal monitor' (or 'terminal no monitor' to turn it off).
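The checks the replies above point at (NeMeTko's mirrored crypto ACLs and the default route that points at the box's own outside address, jl's hint to verify the PSK binding, tony1's note that only traffic matching the crypto ACL brings the tunnel up) can be automated. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the statements that decide whether ISAKMP phase 1 and IPsec phase 2 can come up and cross-checks the two sides against each other. The sample configs are constructed from the two posted above, trimmed to those statements; the regexes cover only the PIX 6.3 syntax shown on this page, and the `********` in the key line is the PSK exactly as the PIX prints it.

```python
# Cross-check of two PIX 6.3 site-to-site IPsec configs: parses only the statements
# that decide whether ISAKMP phase 1 and IPsec phase 2 can come up, then compares
# the two sides. Added example; not code from the thread.
import ipaddress
import re

# Sample input constructed from the PIX 1 config posted above, trimmed to the lines
# the checker reads ("********" is the pre-shared key exactly as the PIX prints it).
PIX1 = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.165.1.0 255.255.255.0
ip address outside 10.10.1.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto map testiranje 1 match address 101
crypto map testiranje 1 set peer 10.10.1.2
crypto map testiranje 1 set transform-set test
crypto map testiranje interface outside
isakmp enable outside
isakmp key ******** address 10.10.1.2 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
"""
# PIX 2 as posted is the exact mirror: outside addresses swapped (via a placeholder,
# so the second replace does not undo the first) and the crypto ACL reversed.
PIX2 = (PIX1.replace("10.10.1.1", "@").replace("10.10.1.2", "10.10.1.1").replace("@", "10.10.1.2")
        .replace("192.168.1.0 255.255.255.0 192.165.1.0", "192.165.1.0 255.255.255.0 192.168.1.0"))

# One regex per config statement the checker cares about (PIX 6.3 syntax as shown above).
RULES = {
    "acl":   r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)",
    "ip":    r"ip address (\S+) (\S+) (\S+)",
    "route": r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)",
    "tset":  r"crypto ipsec transform-set (\S+) (.+)",
    "match": r"crypto map \S+ \d+ match address (\S+)",
    "peer":  r"crypto map \S+ \d+ set peer (\S+)",
    "use":   r"crypto map \S+ \d+ set transform-set (\S+)",
    "mapif": r"crypto map \S+ interface (\S+)",
    "ike":   r"isakmp enable (\S+)",
    "key":   r"isakmp key \S+ address (\S+)",
    "pol":   r"isakmp policy \d+ (\w+) (\S+)",
}

def parse_pix(cfg):
    """Reduce a PIX config to the handful of fields the tunnel depends on."""
    c = {"acl": {}, "ip": {}, "tset": {}, "ike": set(), "pol": {}}
    for line in cfg.splitlines():
        for kind, rx in RULES.items():
            m = re.match(rx, line.strip())
            if not m:
                continue
            g = m.groups()
            if kind == "acl":      # one (source net, destination net) pair per ACE
                nets = (ipaddress.ip_network(f"{g[1]}/{g[2]}"), ipaddress.ip_network(f"{g[3]}/{g[4]}"))
                c["acl"].setdefault(g[0], []).append(nets)
            elif kind == "ip":
                c["ip"][g[0]] = ipaddress.ip_interface(f"{g[1]}/{g[2]}")
            elif kind == "route":
                c["route"] = (g[0], g[1])     # (interface, gateway)
            elif kind in ("tset", "pol"):
                c[kind][g[0]] = g[1]
            elif kind == "ike":
                c["ike"].add(g[0])
            else:
                c[kind] = g[0]
            break
    return c

def is_interesting(c, src, dst):
    """True if src->dst matches the crypto ACL, i.e. it would trigger tunnel setup."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in c["acl"][c["match"]])

def check_pair(a, b, names=("PIX1", "PIX2")):
    """Return findings as strings; an empty list means the two sides agree."""
    out = []
    for me, other, n in ((a, b, names[0]), (b, a, names[1])):
        peer_ip = str(other["ip"][other["mapif"]].ip)
        if me["peer"] != peer_ip:
            out.append(f"{n}: set peer {me['peer']} is not the other side's {other['mapif']} IP {peer_ip}")
        if me["key"] != me["peer"]:
            out.append(f"{n}: isakmp key is bound to {me['key']} but the crypto map peer is {me['peer']}")
        if me["mapif"] not in me["ike"]:
            out.append(f"{n}: isakmp not enabled on {me['mapif']}, where the crypto map is applied")
        rif, gw = me["route"]
        if gw == str(me["ip"][rif].ip):
            out.append(f"{n}: default route via {gw} points at itself (its own {rif} address)")
    if set(a["acl"][a["match"]]) != {(d, s) for s, d in b["acl"][b["match"]]}:
        out.append("crypto ACLs are not mirror images of each other")
    if a["tset"][a["use"]] != b["tset"][b["use"]]:
        out.append(f"transform-sets differ: {a['tset'][a['use']]} vs {b['tset'][b['use']]}")
    if a["pol"] != b["pol"]:
        out.append(f"isakmp policies differ: {a['pol']} vs {b['pol']}")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair(parse_pix(PIX1), parse_pix(PIX2)) or ["no mismatches found"]))
```

Run against the configs as posted, it reports only the two default routes that point at the box's own outside address (NeMeTko's finding); with his route fix applied it reports nothing, because peers, key bindings, crypto ACLs, transform-set and ISAKMP policy already mirror each other. `is_interesting` makes tony1's point concrete: an outside-to-outside ping (10.10.1.1 to 10.10.1.2) does not match access-list 101 and never triggers IKE, while a LAN-to-LAN packet does, so that is the traffic to generate while `debug crypto isakmp` (with `terminal monitor` over a remote session, as jl notes) is running.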

