haurg1
Goto Top

Cisco VPN (IPSec) mit Firewall konfigurieren 886VA

Hallo zusammen,

ich versuche eine VPN-Verbindung (IPSEC) durch die Firewall des 886VA zu konfigurieren. Leider den ganzen Tag schon erfolglos. Die VPN Verbindung über Cisco VPN Client kommt zustande, wenn die Firewall nicht konfiguriert ist. Die Konfiguration kommt von Cisco Configuration Professional (CCP). Es ist vermutlich irgendwo eine ACL nicht korrekt, nur ich finde es leider nicht. Ich muss gestehen, dass ich auf diesem Gebiet noch einiges zu lernen habe.

Aber vielleicht kann mir jemand auf die Sprünge helfen. Hier ist meine Konfiguration.

Vielen Dank und Gruss

version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO886VA
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M.bin
boot-end-marker
!
logging buffered 30000 informational
enable secret 5 $1$NX.j$8FfdelIIziDorjtZE5ho7.
enable password 7 115849554F4A53
!
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
aaa authorization network ciscocp_vpn_group_ml_2 local 
aaa authorization network ciscocp_vpn_group_ml_3 local 
!
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1 0
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1287469419
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1287469419
 revocation-check none
 rsakeypair TP-self-signed-1287469419
!
crypto pki certificate chain TP-self-signed-1287469419
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31323837 34363934 3139301E 170D3133 30333330 31313132 
  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32383734 
  36393431 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100C14D 658EA234 6EFC411D E8DF4EF2 5FD70984 8B6A3CB5 140E9950 05BF966A 
  17CC20F8 506DB617 8CB3EF8E F1BB13A9 82FF0CDF 495EDCD0 261B3BBC B4840854 
  19187EB6 33A52B9C AE3ABC07 0530D8E4 548E74F9 5E6B8FA5 8595FF96 C628766B 
  458D6328 7525AFF9 240F1B2E 2A477CE7 96444971 43B0DC96 E0959ABE 96439B75 
  706D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D2304 18301680 14AA1EEE 4BF30D88 DE0D9020 315D397D 8983D9F9 B1301D06 
  03551D0E 04160414 AA1EEE4B F30D88DE 0D902031 5D397D89 83D9F9B1 300D0609 
  2A864886 F70D0101 05050003 818100A0 C707736E 9BFDC1F3 1F052B1C 57BE877D 
  D1B8DA58 1130EB65 DCD215D3 B45180F5 375E81CF 5B617C42 4E535772 F8FD3E6F 
  E9114A9C 2EBF5576 A68226C8 1DC79F66 DC8A441B 7491B7AF F3023032 836BB609 
  0DBF6625 490EF327 54D12D25 7F99DAB4 9FFCFDE1 D0B7C86F A3DBCAE5 5AFC210E 
  E3E6E328 48A66730 CFEBB2C4 5F7C02
  	quit
!
ip name-server 194.25.2.129
ip name-server 212.82.226.212
ip cef
no ipv6 cef
!
parameter-map type regex ccp-regex-nonascii
 pattern [^\x00-\x80]

parameter-map type regex Google
 pattern google

parameter-map type regex ggg
 pattern .google.

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
...
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

!
cts logging verbose
license udi pid CISCO886VA-K9 sn FCZ1620C7HT
!
!
username XXX privilege 15 password 7 040A5B56577914
username XXX secret 5 $1$Ftwj$YkXyGZ669H4HMPxdluvyG/
!
controller VDSL 0
!
no ip ftp passive
!
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect smtp match-any ccp-app-smtp
 match data-length gt 5000000
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
 match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 102
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method post
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect http match-any ccp-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect match-all ccp-protocol-smtp
 match protocol smtp
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
  reset
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
  reset
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  reset
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-app-nonascii
  log
  reset
policy-map type inspect smtp ccp-action-smtp
 class type inspect smtp ccp-app-smtp
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
  service-policy http ccp-action-app-http
 class type inspect ccp-protocol-smtp
  inspect 
  service-policy smtp ccp-action-smtp
 class type inspect ccp-protocol-imap
  inspect 
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect 
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-im
  drop log
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
! 
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group knothvpn
 key Kox3_Z&x91.
 pool VPN
 acl 100
 max-users 10
crypto isakmp profile ciscocp-ike-profile-2
   match identity group knothvpn
   client authentication list ciscocp_vpn_xauth_ml_3
   isakmp authorization list ciscocp_vpn_group_ml_3
   client configuration address respond
   virtual-template 3
!
crypto ipsec transform-set ESP-AES128-MD5 esp-aes esp-md5-hmac 
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile2
 set security-association idle-time 3540
 set transform-set ESP-AES128-MD5 
 set isakmp-profile ciscocp-ike-profile-2
!
interface Ethernet0
 no ip address
 shutdown
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description ATMEINWAHL
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 1/32 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport trunk allowed vlan 1,90,1002-1005
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Virtual-Template3 type tunnel
 ip unnumbered Vlan90
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
 description vl$FW_INSIDE$
 ip address 10.88.10.12 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan90
 description $FW_INSIDE$
 ip address 10.88.90.12 255.255.255.0
 zone-member security in-zone
!
interface Dialer0
 description DSLEinwahl$FW_OUTSIDE$
 ip ddns update hostname XXX
 ip ddns update dyndns host xxx
 ip address negotiated
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXX
 ppp chap password 7 154A585E52727B7679
 ppp pap sent-username XXX password 7 XX
 ppp ipcp dns request
 no cdp enable
!
ip local pool pptp_dialin 10.88.10.30 10.88.10.40
ip local pool SDM_POOL_2 10.88.10.51 10.88.10.55
ip local pool SDM_POOL_1 10.88.10.50
ip local pool SDM_POOL_3 10.88.10.110 10.88.10.112
ip local pool VPN 10.88.90.101 10.88.90.110
ip forward-protocol nd
ip http server
ip http secure-server
!
ip dns server
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.88.20.0 255.255.255.0 10.88.10.254
ip route 10.88.30.0 255.255.255.0 10.88.10.254
ip route 10.88.40.0 255.255.255.0 10.88.10.254
!
dialer-list 1 protocol ip list 101
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 10.88.10.0 0.0.0.255 any
access-list 101 permit ip 10.88.20.0 0.0.0.255 any
access-list 101 permit ip 10.88.30.0 0.0.0.255 any
access-list 101 permit ip 10.88.40.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
!
line con 0
 password 7 03550B5B5E5779
 no modem enable
line aux 0
line vty 0 4
 password 7 1446425B545C72
 transport input all
!
ntp update-calendar
ntp server 10.88.20.3 source Vlan1
!
end

Content-ID: 248543

Url: https://administrator.de/forum/cisco-vpn-ipsec-mit-firewall-konfigurieren-886va-248543.html

Ausgedruckt am: 22.12.2024 um 17:12 Uhr

catachan
catachan 07.09.2014 um 10:37:41 Uhr
Goto Top
Hi

du musst auf dem Outside Interface noch UDP Port 500 und Protokoll (nicht Port) 50 (ESP) und eventuell 51 (AH) freischalten.

Die Einrichtung wird hier beschrieben
http://www.cisco.com/c/en/us/products/collateral/security/ios-firewall/ ...


LG
aqui
aqui 07.09.2014 aktualisiert um 11:22:13 Uhr
Goto Top
Es ist vermutlich irgendwo eine ACL nicht korrekt
In der Tat, genau so ist es... ! Kommt dabei raus wenn man solchen Unsinn wie CCP benutzt. Es gilt wie immer der goldene Grundsatz: "Real Networkers do CLI...!"

Dein Kardinalsfehler ist die ACL Nummer 111 die inbound auf dem Dialer 0 Interface konfiguriert ist. Diese ACL existiert aber in deiner gesamten Global Konfig gar nicht bzw. ist nicht definiert und damit gilt dann per Default ein deny any any, was alles blockt.
Hättest du mal den Cisco CLI Debugger mit "debug access-list 111" benutzt hättest du es auch sofort selber gesehen und den Thread hier obsolet gemacht !
Richte also die fehlende ACL 111 entsprechend ein, dann funktioniert das auch auf Anhieb.
IPsec nutzt die folgenden Ports: UDP 500 (IKE), UDP 4500 (NAT-T und das ESP Protokoll mit der Nummer 50 (kein UDP oder TCP !)

Ein funktionierendes Beispiel dieser ACL beschreibt dir das hiesige Cisco 886va Tutorial im Kapitel VPN:
Cisco 880, 890 und ISR Router Konfiguration mit xDSL, Kabel oder FTTH Anschluss plus VPN und IP-TV