1
cisco PIX VPN IP Problem
Falsches Gateway beim VPN Remote access auf dem Remote Rechner
Also die Einwahl Via VPN CLient funzt nun teilweise die conntetion steht aber ich bekomme als Gateway auf dem Remote PC mit dem ich mich einwähele immer eine Private IP anstelle der ip von der PIx mit der die am DSL anschluß hängt. Die Private ip ist genau aus dem Ranger dem ich der USER Gruppe zugewiesen habe. Und somit bekomme ich keinen daten durch den tunnel , wie auch mit dem falschen gateway .
hat da veileicht noch jemand einen tipp für mich.
hier meine config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 128.23.23.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Admins 192.168.10.1-192.168.10.5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 128.23.23.0 255.255.255.0 0 512
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 128.23.23.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Admins address-pool Admins
vpngroup Admins idle-time 1800
vpngroup Admins password
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname 0016157483565200420037940001@t-online.de
vpdn group ISP ppp authentication pap
vpdn username 0016157483565200420037940001@t-online.de password * store-
local
username Helpdesk password HDPXrMvr39cnPN95 encrypted privilege 15
terminal width 80
Cryptochecksum:162ccfe294f5eade5aaf9af198f4dbe2
hat da veileicht noch jemand einen tipp für mich.
hier meine config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 128.23.23.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Admins 192.168.10.1-192.168.10.5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 128.23.23.0 255.255.255.0 0 512
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 128.23.23.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Admins address-pool Admins
vpngroup Admins idle-time 1800
vpngroup Admins password
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname 0016157483565200420037940001@t-online.de
vpdn group ISP ppp authentication pap
vpdn username 0016157483565200420037940001@t-online.de password * store-
local
username Helpdesk password HDPXrMvr39cnPN95 encrypted privilege 15
terminal width 80
Cryptochecksum:162ccfe294f5eade5aaf9af198f4dbe2
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 57409
Url: https://administrator.de/contentid/57409
Printed on: April 24, 2024 at 22:04 o'clock
1 Comment
Hallo,
ist dein Problem schon gelöst ?
Was mir an deiner config auffällt, du hast gar keine nat 0 access-list, die
dein "ip local pool Admins 192.168.10.1-192.168.10.5" am NAT vorbei führt.
Die ipsec Pakete deiner VPN-Client IPs dürfen nicht durchs NAT gehechselt werden.
Gruss Roland
ist dein Problem schon gelöst ?
Was mir an deiner config auffällt, du hast gar keine nat 0 access-list, die
dein "ip local pool Admins 192.168.10.1-192.168.10.5" am NAT vorbei führt.
Die ipsec Pakete deiner VPN-Client IPs dürfen nicht durchs NAT gehechselt werden.
Gruss Roland
