Aiuto configurazione VPN L2L con PIX501

Virtual private networks e affini

Moderatore: Federico.Lagni

Rispondi
mik.linux
Cisco fan
Messaggi: 28
Iscritto il: mer 15 ott , 2008 8:14 pm

Salve a tutti,
premetto che conosco poco/niente della configurazione dei pix, ma mi è capitato di doverne configurare uno per una vpn Lan to Lan.

Praticamente la vpn è già stata fatta (e funziona) su due punti (principale e sede1). Quello che sto cercando di fare io è aggiungere un terzo punto (sede2). La cosa più semplice che uno possa fare è replicare la configurazione funzionante, ma non sono stato così fortunato... :(

Tutti e tre i punti dispongono di ADSL telecom multigroup con 8 ip pubblici (6 utilizzabili), e di una coppia di Router Cisco 827 con PIX 501. Su sede2, replicando la configurazione, sono riuscito a far andare la connessione ed il nat per la rete interna verso internet, ma non riesco a far andare su il tunnel vpn.

Ecco intanto gli indirizzi ip di tutti e tre i punti (ovviamente modificati per privacy)
PRINCIPALE (100.20.10.216/29)
Cisco 827 100.20.10.217 (100.20.10.219 standby ip)
Cisco Pix 501 100.20.10.220

SEDE1 (101.30.20.200/29)
Cisco 837 101.30.20.200 (101.30.20.202 standby ip)
Cisco Pix 501 101.30.20.204

SEDE2 (102.40.30.0/29)
Cisco 827 102.40.30.1 (102.40.30.3 standby ip)
Cisco Pix 501 102.40.30.4

E alcune domande per capirci qualcosa in più:

1) Cosa mi manca nella configurazione del PIX Principale (quello che fa da server VPN per intenderci...) per far andare su la vpn?

2) A che servono quel tunnel GRE (se servono..) da router a router ? E la direttiva router eigrp 42?

3) Come posso fare un portforward verso un host interno della lan dal pix?

4) Per quale motivo vengono configurati (si dice così?) degli ip di stanby sulle interfacce ethernet?

Grazie
Ultima modifica di mik.linux il lun 08 mar , 2010 3:21 pm, modificato 2 volte in totale.
Top
mik.linux
Cisco fan
Messaggi: 28
Iscritto il: mer 15 ott , 2008 8:14 pm

Router PRINCIPALE

Codice: Seleziona tutto

Current configuration : 1676 bytes
!
version 12.2
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router-principale
!
logging queue-limit 100
enable secret 5 ***********
!
ip subnet-zero
no ip domain lookup
ip host sco 192.168.30.230
!
!
!
!
!
interface Tunnel0
 description Tunnel GRE per EIGRP
 ip unnumbered Ethernet0
 tunnel source 100.20.10.217
 tunnel destination 101.30.20.201
!
interface Tunnel1
 description Tunnel GRE per EIGRP
 ip unnumbered Ethernet0
 tunnel source 100.20.10.217
 tunnel destination 102.40.30.1
!
interface Ethernet0
 ip address 100.20.10.217 255.255.255.248
 no cdp enable
 standby ip 100.20.10.219
 standby priority 105
 standby preempt
 standby track ATM0
 hold-queue 100 out
!
interface ATM0
 bandwidth 640
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 bandwidth 640
 ip address x.x.x.x 255.255.255.252
 pvc 8/35
  vbr-nrt 640 640 1
  encapsulation aal5snap
 !
!
router eigrp 42
 redistribute static
 passive-interface ATM0.1
 network 100.20.10.216 0.0.0.7
 no default-information in
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 102.40.30.1 255.255.255.255 ATM0.1 permanent
ip route 101.30.20.201 255.255.255.255 ATM0.1 permanent
no ip http server
!
!
no cdp run
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 password 7 ***********
 login
!
scheduler max-task-time 5000
end
Router SEDE1

Codice: Seleziona tutto

Current configuration : 1845 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router-sede1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***********
!
no aaa new-model
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp ccm
!
!
!
interface Tunnel0
 description Tunnel GRE per EIGRP
 ip unnumbered Ethernet0
 tunnel source 101.30.20.201
 tunnel destination 100.20.10.217
!
interface Ethernet0
 ip address 101.30.20.201 255.255.255.248
 no cdp enable
 standby ip 101.30.20.203
 standby priority 105
 standby preempt
 standby track ATM0
 hold-queue 100 out
!
interface ATM0
 bandwidth 608
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 bandwidth 640
 ip address x.x.x.x 255.255.255.252
 pvc 8/35
  encapsulation aal5snap
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
router eigrp 42
 redistribute static
 passive-interface ATM0.1
 network 101.30.20.200 0.0.0.7
 no default-information in
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 100.20.10.217 255.255.255.255 ATM0.1 permanent
!
no ip http server
no ip http secure-server
!
no cdp run
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 password 7 ***********
 login
!
scheduler max-task-time 5000
end
Router SEDE2

Codice: Seleziona tutto

Current configuration : 1424 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname router-sede2
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***********
!
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
!
!
!
!
!
!
interface Tunnel0
 description Tunnel GRE per EIGRP
 ip unnumbered Ethernet0
 tunnel source 102.40.30.1
 tunnel destination 100.20.10.217
!
interface Ethernet0
 ip address 102.40.30.1 255.255.255.248
 no cdp enable
 standby ip 102.40.30.3
 standby priority 105
 standby preempt
 standby track ATM0
 hold-queue 100 out
!
interface ATM0
 bandwidth 640
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 bandwidth 640
 ip address x.x.x.x 255.255.255.252
 pvc 8/35
  vbr-nrt 640 640 1
  encapsulation aal5snap
 !
!
router eigrp 42
 redistribute static
 network 102.40.30.0 0.0.0.7
 no default-information in
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 100.20.10.217 255.255.255.255 ATM0.1 permanent
no ip http server
no ip http secure-server
ip dns server
!
no cdp run
!
!
line con 0
 stopbits 1
line vty 0 4
 password 7 ***********
 login
!
scheduler max-task-time 5000
end
Ultima modifica di mik.linux il lun 08 mar , 2010 3:20 pm, modificato 1 volta in totale.
Top
mik.linux
Cisco fan
Messaggi: 28
Iscritto il: mer 15 ott , 2008 8:14 pm

PIX PRINCIPALE

Codice: Seleziona tutto

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *********** encrypted
passwd *********** encrypted
hostname pix-principale
domain-name example.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.30.231 ADPsrv
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.31.0
 255.255.255.0 
access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.33.0
 255.255.255.0 
access-list out->in permit icmp any any unreachable 
access-list out->in permit icmp any any echo-reply 
access-list out->in permit icmp any any time-exceeded 
access-list out->in permit ip host 11.22.33.44 host 100.20.10.222 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside 100.20.10.220 255.255.255.248
ip address inside 192.168.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 100.20.10.221
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 100.20.10.222 ADPsrv netmask 255.255.255.255 0 0
access-group out->in in interface outside
route outside 0.0.0.0 0.0.0.0 100.20.10.219 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set POLICY esp-des esp-md5-hmac 
crypto map sistema 20 ipsec-isakmp
crypto map sistema 20 match address 100
crypto map sistema 20 set peer 100.30.20.204
crypto map sistema 20 set peer 102.40.30.4
crypto map sistema 20 set transform-set POLICY
crypto map sistema interface outside
isakmp enable outside
isakmp key CHIAVE_VPN address 100.30.20.204 netmask 255.255.255.255 
isakmp key CHIAVE_VPN address 102.40.30.4 netmask 255.255.255.255 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
terminal width 80
PIX SEDE1

Codice: Seleziona tutto

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *********** encrypted
passwd *********** encrypted
hostname pix-sede1
domain-name example.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit ip 192.168.31.0 255.255.255.0 192.168.30.0 255.255.255.0 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
ip address outside 101.30.20.204 255.255.255.248
ip address inside 192.168.31.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 101.30.20.205
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 101.30.20.203 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set POLICY esp-des esp-md5-hmac 
crypto map sistema 20 ipsec-isakmp
crypto map sistema 20 match address 100
crypto map sistema 20 set peer 100.20.10.220
crypto map sistema 20 set transform-set POLICY
crypto map sistema interface outside
isakmp enable outside
isakmp key CHIAVE_VPN address 100.20.10.220 netmask 255.255.255.255 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 101.30.20.200 255.255.255.248 outside
ssh 100.20.10.216 255.255.255.248 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
terminal width 80
PIX SEDE2

Codice: Seleziona tutto

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *********** encrypted
passwd *********** encrypted
hostname pix-sede2
domain-name example.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.33.0 255.255.255.0 192.168.30.0 255.255.255.0
pager lines 24
icmp permit any unreachable outside
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
ip address outside 102.40.30.4 255.255.255.248
ip address inside 192.168.33.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 102.40.30.5
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 102.40.30.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set POLICY esp-des esp-md5-hmac
crypto map sistema 20 ipsec-isakmp
crypto map sistema 20 match address 100
crypto map sistema 20 set peer 100.20.10.220
crypto map sistema 20 set transform-set POLICY
crypto map sistema interface outside
isakmp enable outside
isakmp key CHIAVE_VPN address 100.20.10.220 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Top
mik.linux
Cisco fan
Messaggi: 28
Iscritto il: mer 15 ott , 2008 8:14 pm

non mi aiuta nessuno?? :cry:

Intanto sono riuscito ad effettuare il port forward per il momento...
Ma non riesco a far comunicare le due lan (solo il principale deve comunicare con le sedi, ma le sedi non devono comunicare tra di loro)..
Top
xtnet
n00b
Messaggi: 4
Iscritto il: mar 18 dic , 2007 5:16 pm

Ciao Michele, io proverei così nella sede principale:

access-list 100 permit ip 192.168.30.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list 110 permit ip 192.168.30.0 255.255.255.0 192.168.33.0 255.255.255.0
crypto map sistema 20 ipsec-isakmp
crypto map sistema 20 match address 100
crypto map sistema 20 set peer 100.30.20.204
crypto map sistema 20 set transform-set POLICY
crypto map sistema 30 ipsec-isakmp
crypto map sistema 30 match address 110
crypto map sistema 30 set peer 102.40.30.4
crypto map sistema 30 set transform-set POLICY
crypto map sistema interface outside

Il resto mi sembra ok.
Un cosiglio, dopo ogni cambiamento sul pix usa il comando: clear xlate
E prova a vedere cosa dice il pix usando i comandi di debug che hai nel sito cisco.

Buona fortuna.
Fammi sapere come và a finire.
Top
Rispondi

Torna a “VPN”