
VPN PIX-Router 877 (router with dynamic address and NAT)

Posted: Wed 09 May 2007, 5:27 pm
by baol
Hi all, I'm facing this problem.

I need to set up an L2L VPN between:
1 PIX 525, IOS version 6.3(4), static address, which already has 9 L2L connections plus one dynamic one for the VPN Client
1 Router 877, IOS version 12.4(4)T7, with "ip address negotiated" on the outside interface....

Do I necessarily have to fall back on an ISAKMP policy of this kind, "isakmp key xxxxx address 0.0.0.0 netmask 0.0.0.0", or is there a more secure and 'elegant' way out?

Thanks in advance.

Posted: Thu 10 May 2007, 10:06 am
by Wizard
I'm afraid so:

Router#show running-config
Current configuration : 1354 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!


!--- Configuration for IKE policies.
!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation.


crypto isakmp policy 10
hash md5
authentication pre-share


!--- Specifies the preshared key "cisco123" which should
!--- be identical at both peers. This is a global
!--- configuration mode command. It accepts any peer which matches
!--- the pre-shared key.

crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!

!--- Configuration for IPsec policies.
!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPsec negotiation.


crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac


!--- IPsec policy, Phase 2.


crypto dynamic-map DYN 10



!--- Configures IPsec to use the transform-set
!--- "DYN-TS" defined earlier in this configuration.


set transform-set DYN-TS


!--- Specifies the interesting traffic to be encrypted.


match address 101

crypto map IPSEC 10 ipsec-isakmp dynamic DYN
!
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
half-duplex

!--- Configures the interface to use the
!--- crypto map "IPSEC" for IPsec.

crypto map IPSEC
!
interface FastEthernet1/0
ip address 10.2.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
no fair-queue
!
interface Serial2/1
no ip address
shutdown
!
interface Serial2/2
no ip address
shutdown
!
interface Serial2/3
no ip address
shutdown
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip nat inside source list 100 interface Ethernet0/0 overload
!

!--- ACL 100 identifies the traffic flows that are PATed
!--- via the outside interface (Ethernet0/0); the VPN flow is
!--- denied here so it bypasses NAT and can match crypto ACL 101.


access-list 100 deny ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.2.1.0 0.0.0.255 any


!--- This crypto ACL 101 permit identifies the
!--- matching traffic flows to be protected via encryption.


access-list 101 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255

control-plane
!

!
line con 0
line aux 0
line vty 0 4
!
!
end

http://www.cisco.com/en/US/customer/pro ... bdc8.shtml

Posted: Thu 10 May 2007, 2:08 pm
by baol
I was hoping to avoid that. In my case it's the router that has no fixed public address, so I imagine I'll have to take my cue from:

http://www.cisco.com/en/US/customer/tec ... 4a87.shtml

and since this is a firewall that terminates several L2L VPNs and a few VPN clients, my fear is that the security level drops somewhat.

I don't need ACLs that "match" the VPN, right?
On the other hand, doesn't adding this statement, sysopt connection permit-ipsec, affect the other dynamic-map I use for the VPN clients?

Thanks again...

Posted: Thu 10 May 2007, 2:32 pm
by Wizard
"sysopt connection permit-ipsec" lets the "classic" ACLs applied to the interfaces be handled independently of the VPNs, so I'd say it won't get in your way.
Doing an L2L VPN over a line with a dynamic IP is never advisable! Quite the opposite!

Posted: Thu 10 May 2007, 3:47 pm
by baol
Indeed, that's exactly what I wanted to avoid.
What alternative do I have with this configuration?

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname tdo
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxx
ip name-server x.y.w.z
ip ssh time-out 60
ip ssh authentication-retries 2
!
!--- Phase 1: 3DES, SHA (IOS default), DH group 2, pre-shared key bound
!--- to the PIX's static address, so only that peer can match this key.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address x.y.w.z
!
!
!--- Phase 2: static crypto map with the PIX as peer; ACL 110 selects
!--- the traffic to encrypt.
crypto ipsec transform-set vpnsec esp-des esp-sha-hmac
!
crypto map FW 10 ipsec-isakmp
set peer x.y.w.z
set transform-set vpnsec
match address 110
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname x@y
ppp chap password 7 xxx
!--- Crypto map applied to the dialer interface that carries the
!--- negotiated (dynamic) public address.
crypto map FW
!
interface BVI1
description $ES_LAN$
ip address x.y.w.225 255.255.255.248 secondary
ip address 10.10.1.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.10.1.0 255.255.255.248 BVI1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool poolnav x.y.w.226 x.y.w.226 netmask 255.255.255.248
!--- PAT via route-map "donat": ACL 115 denies the VPN flow (mirror of
!--- crypto ACL 110) so that traffic reaches the crypto map un-NATed.
ip nat inside source route-map donat pool poolnav overload
ip nat inside source static x.y.w.225 x.y.w.225
!
logging trap debugging
!--- Crypto ACL 110: interesting traffic for the L2L tunnel.
access-list 110 permit ip 10.10.1.0 0.0.0.7 10.1.0.0 0.0.255.255
!--- NAT ACL 115: exempt (deny) the tunnel traffic, PAT everything else.
access-list 115 deny ip 10.10.1.0 0.0.0.7 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.10.1.0 0.0.0.7 any
dialer-list 1 protocol ip permit
no cdp run
route-map donat permit 10
match ip address 115
!
!
control-plane
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
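The two configurations in this thread (the Cisco wildcard-PSK example in Wizard's reply and the 877 config in baol's post) are worth running through a quick audit before either goes into production, because the three things that actually decide how much security is lost are visible in the text: whether the pre-shared key is bound to 0.0.0.0 0.0.0.0, whether the ISAKMP policy and transform set rely on DES/MD5 (or on the IOS defaults, which are DES, SHA and DH group 1 when encr/hash/group are not set), and whether the NAT ACL really denies the crypto ACL's flow so it is not PATed before encryption. The script below is an added example, not code from the thread or from Cisco. It assumes IOS-style syntax as printed in the posts (sub-commands following their policy/map/route-map line, ACL sources written as address plus wildcard, destinations either the same or `any`); the config excerpts embedded in it are copied from the two posts, and the "broken" variant with the NAT-exempt deny commented out is constructed to show the failure case.

```python
"""Audit an IOS-style IPsec/ISAKMP config for the weak spots raised in this thread:
wildcard pre-shared keys, weak ISAKMP/IPsec algorithms (incl. the IOS defaults an
isakmp policy inherits), and crypto-ACL flows the NAT ACL forgets to exempt."""
import re

POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}  # IOS isakmp policy defaults
WEAK_POLICY = {"encr": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}
# Sub-commands we keep context for; anything else is assumed to start a new top-level block.
SUBCMD = ("encr", "hash ", "group ", "authentication ", "lifetime ", "set ", "match ", "description ")

def parse(text):
    """Collect keys, policies, transform sets, crypto maps, ACLs and NAT references."""
    cfg = {"keys": [], "policies": {}, "transforms": {}, "maps": {}, "acls": {},
           "nat_refs": [], "route_maps": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(SUBCMD):
            ctx = None
        t = line.split()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", line):
            cfg["keys"].append((m[1], m[2], m[3] or "255.255.255.255"))  # no mask = one host
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx = ("policy", cfg["policies"].setdefault(m[1], dict(POLICY_DEFAULTS)))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transforms"][m[1]] = m[2].split()
        elif m := re.match(r"crypto (?:dynamic-map|map) (\S+) (\d+)", line):
            ctx = ("map", cfg["maps"].setdefault(f"{m[1]} {m[2]}", {"acl": None}))
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            ctx = ("route-map", cfg["route_maps"].setdefault(m[1], []))
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$", line):
            # Assumption: source is 'ADDR WILDCARD'; destination may be 'any' (no mask).
            cfg["acls"].setdefault(m[1], []).append((m[2], (m[3], m[4]), (m[5], m[6] or "")))
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+) ", line):
            cfg["nat_refs"].append((m[1], m[2]))
        elif ctx and ctx[0] == "policy" and t[0] in ("encr", "encryption", "hash", "group"):
            ctx[1]["encr" if t[0] == "encryption" else t[0]] = t[1]
        elif ctx and ctx[0] == "map" and line.startswith("match address "):
            ctx[1]["acl"] = t[2]
        elif ctx and ctx[0] == "route-map" and line.startswith("match ip address "):
            ctx[1].extend(t[3:])
    return cfg

def audit(cfg):
    """Return findings as strings, each prefixed with a category tag."""
    out = []
    for _key, addr, mask in cfg["keys"]:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            out.append("wildcard-psk: key bound to address 0.0.0.0 0.0.0.0 accepts any peer "
                       "that knows the secret; the peer address is never checked")
    for pid, p in cfg["policies"].items():
        if weak := [f"{k} {p[k]}" for k in WEAK_POLICY if p[k] in WEAK_POLICY[k]]:
            out.append(f"weak-isakmp-policy: policy {pid} uses {', '.join(weak)}")
    for name, algs in cfg["transforms"].items():
        if weak := [a for a in algs if a in WEAK_TRANSFORMS]:
            out.append(f"weak-transform-set: {name} uses {' '.join(weak)}")
    # A 'deny' in any ACL NAT references (directly or via route-map) is an exemption;
    # every crypto-ACL 'permit' needs one, or the flow is PATed before IPsec sees it.
    nat_ids = set()
    for kind, name in cfg["nat_refs"]:
        nat_ids.update([name] if kind == "list" else cfg["route_maps"].get(name, []))
    exempt = {(s, d) for i in nat_ids for act, s, d in cfg["acls"].get(i, []) if act == "deny"}
    for mname, m in cfg["maps"].items():
        for act, s, d in cfg["acls"].get(m["acl"], []):
            if act == "permit" and nat_ids and (s, d) not in exempt:
                out.append(f"nat-exemption: crypto map {mname} flow {s[0]} -> {d[0]} is not "
                           f"denied in NAT ACL {sorted(nat_ids)}; it is PATed before IPsec")
    return out

# Excerpt of the wildcard-PSK config in Wizard's reply above (Cisco's example).
WILDCARD_CFG = """
crypto isakmp policy 10
hash md5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac
"""
# Excerpt of the 877 config in baol's post above (static peer, route-map PAT).
ROUTER_CFG = """
crypto isakmp policy 10
encr 3des
group 2
crypto isakmp key xxx address x.y.w.z
crypto ipsec transform-set vpnsec esp-des esp-sha-hmac
crypto map FW 10 ipsec-isakmp
match address 110
ip nat inside source route-map donat pool poolnav overload
access-list 110 permit ip 10.10.1.0 0.0.0.7 10.1.0.0 0.0.255.255
access-list 115 deny ip 10.10.1.0 0.0.0.7 10.1.0.0 0.0.255.255
access-list 115 permit ip 10.10.1.0 0.0.0.7 any
route-map donat permit 10
match ip address 115
"""
# Constructed variant: the same 877 config with the NAT-exempt deny commented out.
BROKEN_NAT_CFG = ROUTER_CFG.replace("access-list 115 deny", "! access-list 115 deny")
```

Running `audit(parse(...))` on the three inputs gives: three findings for the wildcard example (the 0.0.0.0 key, an ISAKMP policy that is effectively DES/MD5/group 1 because only `hash md5` was set, and an esp-des/esp-md5-hmac transform set); a single esp-des finding for the 877 config as posted, since its key is bound to the PIX address and ACL 115 mirrors ACL 110; and an additional nat-exemption finding for the broken variant, which is the silent failure mode where the tunnel never comes up because the interesting traffic is PATed to the public address before the crypto map looks at it.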

Posted: Thu 10 May 2007, 3:50 pm
by Wizard
If it isn't going to take ages, I'd get the provider to give you a line with static IPs; otherwise, if it's not too inconvenient, connect to the site with the PIX using the VPN Client.

Posted: Thu 10 May 2007, 5:12 pm
by baol
I'll ask the provider about lead times; in the meantime I'll go with the VPN Client.

THANKS, BYE
:)