
PIX 501 configuration

Posted: Wed 12 Apr 2006, 1:41 pm
by teogros
Hello,
I have a PIX configured as follows...

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X3ok8rplPB8VlJrh encrypted
passwd X3ok8rplPB8VlJrh encrypted
hostname PIX-501-10
domain-name mvi.local
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out2in remark *** ICMP ***
access-list out2in deny icmp any any unreachable
access-list out2in deny icmp any any redirect
access-list out2in permit icmp any any
pager lines 20
mtu outside 1500
mtu inside 1500
ip address outside 83.211.116.125 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNCLIENT 192.168.10.1-192.168.10.20 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 83.211.116.124 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 65000 set transform-set myset
crypto map vpn 65000 ipsec-isakmp dynamic dynmap
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 300
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup VPN-CLIENT address-pool VPNCLIENT
vpngroup VPN-CLIENT idle-time 600
vpngroup VPN-CLIENT password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 88.36.67.96 255.255.255.240 outside
ssh 88.34.60.160 255.255.255.224 outside
ssh 85.44.127.120 255.255.255.248 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
username xxxx password UJPp9fFdBeu0wEsM encrypted privilege 5
terminal width 80
Cryptochecksum:1f92f51b1b7521be301e164f54310f27


But when I try to connect with the VPN Client it doesn't connect... the log says:

28 14:42:05.698 04/12/06 Sev=Info/4 CM/0x63100002
Begin connection process

29 14:42:05.708 04/12/06 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

30 14:42:05.708 04/12/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

31 14:42:05.708 04/12/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "83.211.116.125"

32 14:42:05.718 04/12/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 83.211.116.125.

33 14:42:05.738 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 83.211.116.125

34 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 83.211.116.125

35 14:42:07.640 04/12/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 83.211.116.125

36 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

37 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD

38 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

39 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

40 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

41 14:42:07.650 04/12/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

42 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

43 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

44 14:42:07.650 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 83.211.116.125

45 14:42:07.650 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 83.211.116.125

46 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)

47 14:42:07.650 04/12/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=01ECE9A69506D456 R_Cookie=BC3CB59FC58AFFE0) reason = DEL_REASON_IKE_NEG_FAILED

48 14:42:08.341 04/12/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=01ECE9A69506D456 R_Cookie=BC3CB59FC58AFFE0) reason = DEL_REASON_IKE_NEG_FAILED

49 14:42:08.341 04/12/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "83.211.116.125" because of "DEL_REASON_IKE_NEG_FAILED"

50 14:42:08.341 04/12/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

51 14:42:08.351 04/12/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

52 14:42:08.361 04/12/06 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully


HELP!!

Thanks!
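As an added example (not code from the original post), here is a small parser for the Cisco VPN Client log format quoted above. It groups each header line and its message into one record and derives a Phase 1 triage verdict from how far the exchange got and which Warning codes appear. The sample log is a constructed excerpt of the lines in the post; the message codes it keys on (0xE3000056, 0xE300007D) are the ones shown there, and the verdict wording is the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the Cisco VPN Client log format quoted in the post:
# a header line (seq, time, date, Sev=<level>/<n>, <module>/<code>) followed by the message.
SAMPLE_LOG = """\
33 14:42:05.738 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 83.211.116.125

34 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 83.211.116.125

41 14:42:07.650 04/12/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

42 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

49 14:42:08.341 04/12/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "83.211.116.125" because of "DEL_REASON_IKE_NEG_FAILED"
"""

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<severity>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Record:
    seq: int
    severity: str   # Info / Warning
    module: str     # CM, IKE, CVPND, ...
    code: str       # 0x... message code from the header line
    message: str


def parse_log(text: str) -> List[Record]:
    """Group the two-line client log entries (header + message) into Record objects."""
    records: List[Record] = []
    pending: Optional[dict] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()
        elif pending is not None:
            records.append(Record(int(pending["seq"]), pending["severity"],
                                  pending["module"], pending["code"], line.strip()))
            pending = None
    return records


def triage_phase1(records: List[Record]) -> Dict[str, object]:
    """Summarise how far IKE Phase 1 got and what the Warning entries point to."""
    msgs = [r.message for r in records]
    sent_ag = any("SENDING >>> ISAKMP OAK AG" in m for m in msgs)
    peer_responded = any(m.startswith("Received ISAKMP packet") or "RECEIVING <<<" in m for m in msgs)
    hash_failed = any(r.code == "0xE300007D" or "Hash verification failed" in r.message for r in records)
    phase1_failed = any("Unable to establish Phase 1 SA" in m for m in msgs)
    warnings = [f"{r.module}/{r.code}: {r.message}" for r in records if r.severity == "Warning"]

    if sent_ag and not peer_responded:
        verdict = ("No reply to the aggressive-mode proposal: the PIX never answered, so check "
                   "reachability of UDP/500 and that isakmp is enabled on the outside interface.")
    elif hash_failed:
        # The peer did answer, so this is not a reachability problem: the HASH the PIX computed
        # over the pre-shared key does not match what the client expects.
        verdict = ("The peer answered but its HASH payload did not verify: the group name / "
                   "pre-shared key configured on the client do not match the PIX vpngroup name and password.")
    elif phase1_failed:
        verdict = "Phase 1 failed for another reason; inspect the Warning entries."
    else:
        verdict = "No Phase 1 failure in this excerpt."
    return {"sent_aggressive_mode": sent_ag, "peer_responded": peer_responded,
            "hash_failed": hash_failed, "warnings": warnings, "verdict": verdict}


if __name__ == "__main__":
    result = triage_phase1(parse_log(SAMPLE_LOG))
    for w in result["warnings"]:
        print("WARN", w)
    print(result["verdict"])
```

Run against the excerpt it reports that the PIX answered (so UDP/500 reaches it) and that the failure is the aggressive-mode HASH check, which points at the group name/password pair rather than at the XAUTH user credentials, which are never reached in this exchange.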

Posted: Wed 12 Apr 2006, 1:46 pm
by teogros
The router (827) configuration is as follows:

version 12.1
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password
no service dhcp
!
hostname gw-mvi
!
no logging buffered
logging rate-limit console 10 except errors
no logging console
enable secret 5 $1$G0Mn$D13XeUvKsYdGwYghMPXsO/
!
username xxxx password 7 030555021E1B245E
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip finger
ip tftp source-interface Ethernet0
no ip domain-lookup
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
ip address 83.211.116.xxx 255.255.255.248 secondary
ip address 192.168.0.254 255.255.255.0
no cdp enable
hold-queue 32 in
!
interface ATM0
no ip address
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/16 ilmi
!
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
ip address negotiated
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp chap hostname xxxx
ppp chap password 7 xxxx
ppp pap sent-username xxxx!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip nat inside source list 10 interface Dialer1 overload
access-list 10 permit 192.168.0.0 0.0.0.255
no cdp run
!
line con 0
login local
transport input none
stopbits 1
line vty 0 4
login local
!
scheduler max-task-time 5000
end


Where could the error be?

Posted: Sun 16 Apr 2006, 11:53 pm
by CiscoBoy
So? ... :) we're not compilers ... if you tell us the problem, or what you're trying to do, we'll help you... otherwise it's not like I have a magic wand 8)

Posted: Tue 18 Apr 2006, 11:16 am
by teogros
CiscoBoy wrote: So? ... :) we're not compilers ... if you tell us the problem, or what you're trying to do, we'll help you... otherwise it's not like I have a magic wand 8)
So it gives me an authentication error...

2 12:18:06.216 04/18/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

3 12:18:06.216 04/18/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

4 12:18:06.216 04/18/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

5 12:18:06.216 04/18/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)


but I know that user and password are there and exist.... :?

What can I do? Thanks!

Posted: Tue 18 Apr 2006, 12:03 pm
by MaiO
Try isakmp nat-traversal 10

Then you'll find you're missing sysopt connection permit-ipsec (unless you handle the traffic via ACL)

Bye
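As an added example (not MaiO's or the thread's own code), the following script applies the checks raised in this thread to a PIX 6.x remote-access VPN configuration: whether `isakmp nat-traversal` is set at all and whether `sysopt connection permit-ipsec` is present (MaiO's two points), plus the cross-references a reviewer would verify anyway: the crypto map is bound to an interface that has ISAKMP enabled, each `vpngroup` has a password and an existing `ip local pool`, XAUTH points at a defined `aaa-server`, and a pre-shared-key ISAKMP policy exists. The config excerpt is taken from the configuration posted above; the check names and messages are the example's own.

```python
import re
from typing import List

# Excerpt of the PIX 6.3(5) configuration posted above (VPN-related lines only).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list out2in permit icmp any any
access-group out2in in interface outside
ip local pool VPNCLIENT 192.168.10.1-192.168.10.20 mask 255.255.255.0
aaa-server LOCAL protocol local
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 65000 set transform-set myset
crypto map vpn 65000 ipsec-isakmp dynamic dynmap
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
vpngroup VPN-CLIENT address-pool VPNCLIENT
vpngroup VPN-CLIENT password ********
"""


def lint_pix_remote_access_vpn(config: str) -> List[str]:
    """Return a list of findings for a PIX 6.x remote-access (vpngroup) IPsec setup."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def grep(pattern: str) -> list:
        # Anchored match against every config line; returns the match objects.
        rx = re.compile(pattern)
        return [m for ln in lines if (m := rx.match(ln))]

    findings: List[str] = []

    # 1. The crypto map must be bound to an interface, and ISAKMP enabled on that same interface.
    bound = grep(r"crypto map (\S+) interface (\S+)$")
    if not bound:
        findings.append("no 'crypto map <name> interface <if>': IPsec is not applied anywhere")
    for m in bound:
        iface = m.group(2)
        if not grep(rf"isakmp enable {re.escape(iface)}$"):
            findings.append(f"crypto map is bound to {iface} but 'isakmp enable {iface}' is missing")

    # 2. NAT traversal: clients behind NAT/PAT need it, since plain ESP rarely survives translation.
    if not grep(r"isakmp nat-traversal( \d+)?$"):
        findings.append("'isakmp nat-traversal' is not configured: clients behind NAT will fail")

    # 3. Without this sysopt, decrypted VPN traffic is still evaluated by the interface ACL.
    if not grep(r"sysopt connection permit-ipsec$"):
        findings.append("'sysopt connection permit-ipsec' is missing: decrypted client traffic is "
                        "checked against the outside access-group, so it must be permitted there instead")

    # 4. Every vpngroup needs a password (pre-shared key) and an address pool that actually exists.
    pools = {m.group(1) for m in grep(r"ip local pool (\S+) ")}
    groups = {m.group(1) for m in grep(r"vpngroup (\S+) ")}
    for g in sorted(groups):
        if not grep(rf"vpngroup {re.escape(g)} password "):
            findings.append(f"vpngroup {g} has no password (pre-shared key)")
        for m in grep(rf"vpngroup {re.escape(g)} address-pool (\S+)$"):
            if m.group(1) not in pools:
                findings.append(f"vpngroup {g} references undefined ip local pool {m.group(1)}")

    # 5. XAUTH must point at a defined aaa-server, and a pre-shared-key ISAKMP policy must exist.
    servers = {m.group(1) for m in grep(r"aaa-server (\S+) protocol ")}
    for m in grep(r"crypto map \S+ client authentication (\S+)$"):
        if m.group(1) not in servers:
            findings.append(f"client authentication uses undefined aaa-server {m.group(1)}")
    if not grep(r"isakmp policy \d+ authentication pre-share$"):
        findings.append("no ISAKMP policy with 'authentication pre-share': vpngroup clients cannot authenticate")
    return findings


if __name__ == "__main__":
    for f in lint_pix_remote_access_vpn(PIX_CONFIG):
        print("FINDING:", f)
```

On the posted configuration the only finding is the missing `sysopt connection permit-ipsec`; the NAT-T value itself (30 vs. 10) is a keepalive interval and is not something a static check can judge, so the script only reports whether the command is present.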

Posted: Tue 18 Apr 2006, 2:21 pm
by teogros
MaiO wrote: Try isakmp nat-traversal 10

Then you'll find you're missing sysopt connection permit-ipsec (unless you handle the traffic via ACL)

Bye
So it's actually not a credentials problem?

Thanks!

Posted: Fri 28 Apr 2006, 8:26 am
by CiscoBoy
what password did you set?

I've often had similar problems with passwords containing characters like $ or other special symbols