Pix 515 VPN server, but no access to the LAN
Hello,
We have set up a PIX 515 as a VPN server here.
We want to implement remote access with Cisco VPN clients.
The tunnel works so far, but we cannot access the LAN.
I mean the LAN where the VPN tunnel terminates, not the LAN from which the VPN client connects.
The local networks are 192.168.50.0 and 172.16.1.0 /24.
Can anyone help me? That would be great.
Post the config of the PIX.
Regards, Roland
PIX Version 7.2(2)
!
hostname pix515E
domain-name mgs.me
enable password * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.50.254 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 172.16.1.254 255.255.255.0
!
passwd GAuZbM/1OT1ILyMp encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name mgs.me
access-list acl-inside extended permit ip 172.16.1.0 255.255.255.0 any
access-list acl-inside extended permit ip 192.168.50.0 255.255.255.0 any
access-list inside-nat0 extended permit ip 192.168.50.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list dmz-nat0 extended permit ip 172.16.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list dmz-nat0 extended permit ip host 80.152.212.35 172.16.1.0 255.255.255.0
access-list Local_LAN_Access standard permit 192.168.50.0 255.255.255.0
access-list Local_LAN_Access standard permit 172.16.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn-client-ips 192.168.6.1-192.168.6.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.200.253 netmask 255.255.255.0
nat (inside) 0 access-list inside-nat0
nat (inside) 1 192.168.50.0 255.255.255.0 dns
nat (dmz) 0 access-list dmz-nat0
nat (dmz) 1 172.16.1.0 255.255.255.0 dns
access-group acl-inside in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy mgs internal
group-policy mgs attributes
wins-server value 192.168.50.1 172.16.1.1
dns-server value 192.168.50.1 217.237.148.22
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
default-domain value mgs.me
username mein-vpn-user password privilege 0
username mein-vpn-user attributes
vpn-group-policy mgs
http server enable
http 172.16.1.1 255.255.255.255 dmz
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group mgs type ipsec-ra
tunnel-group mgs general-attributes
address-pool vpn-client-ips
default-group-policy mgs
tunnel-group mgs ipsec-attributes
pre-shared-key ***
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 10 mgs
telnet timeout 5
ssh 192.168.50.13 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
!
tftp-server inside 192.168.50.1 pix515-cfg
prompt hostname context
Cryptochecksum:2e0dad82fecd7dd135a8e54365a31b57
: end
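Added example, not from the thread or from Cisco: a small Python checker that reads the split-tunnel lines of the config posted above and reports, for each LAN named in the question, whether a VPN client would send that traffic through the tunnel. The config excerpt inside it is constructed from the post (only the lines the checker reads), and the parser handles standard ACL entries only.

```python
import ipaddress
import re

# Excerpt constructed from the config posted above (only the lines this checker reads).
PIX_CONFIG = """\
access-list Local_LAN_Access standard permit 192.168.50.0 255.255.255.0
access-list Local_LAN_Access standard permit 172.16.1.0 255.255.255.0
group-policy mgs attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
"""

def parse_split_tunnel(config):
    """Return (split-tunnel policy, [networks in the ACL the policy references])."""
    policy, list_name, acls = None, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line)
        if m:  # standard ACL entries carry "network mask"
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            acls.setdefault(m.group(1), []).append(net)
            continue
        m = re.match(r"split-tunnel-policy (\S+)$", line)
        if m:
            policy = m.group(1)
            continue
        m = re.match(r"split-tunnel-network-list value (\S+)$", line)
        if m:
            list_name = m.group(1)
    return policy, acls.get(list_name, [])

def tunneled_lans(config, lan_networks):
    """Map each LAN prefix to True if a VPN client would send it through the tunnel."""
    # PIX/ASA semantics: tunnelall (or no policy) tunnels everything; tunnelspecified
    # tunnels only the listed networks; excludespecified tunnels everything EXCEPT them.
    policy, listed = parse_split_tunnel(config)
    report = {}
    for lan in lan_networks:
        net = ipaddress.ip_network(lan)
        in_list = any(net.subnet_of(entry) for entry in listed)
        if policy == "tunnelspecified":
            report[lan] = in_list
        elif policy == "excludespecified":
            report[lan] = not in_list
        else:
            report[lan] = True
    return report
```

Running `tunneled_lans(PIX_CONFIG, ["192.168.50.0/24", "172.16.1.0/24"])` against the posted policy shows both LANs as not tunneled, which is the first thing to compare against the symptom before looking at NAT exemption or interface ACLs.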
Url: https://administrator.de/forum/pix-515-vpn-server-aber-kein-zugriff-auf-lan-74123.html