herrzwerg

Problems - Cisco Pix 501 VPN

Once again a question about my absolute favourite device! The PIX 501!

I'd like to configure the PIX as a VPN server so that all requests are forwarded to the internal IP 192.168.1.72, port 81 in particular.

I've already tried all the posts from this forum and every other Google search. I just can't get any further.

I configured the VPN access with the VPN wizard. That worked without problems. I can also dial in without problems using the data card on my laptop and the Cisco VPN Client.

But then I don't know how to go on. I can neither ping the other internal IP addresses, nor open any pages/documents, nor do anything on port 81.

I know this is surely a completely dumb question, but I'm really at a loss.

In any case, many thanks for reading!

best regards

Herr Zwerg

here is the log file from the PIX

710005: UDP request discarded from 178.112.79.10/63320 to outside:93.83.XX.XX/62515
702208: ISAKMP Phase 1 exchange started (local 93.83.XX.XX (responder), remote 178.112.79.10)
702202: ISAKMP Phase 1 delete sent (local 93.83.XX.XX (responder), remote 195.168.208.50)
702210: ISAKMP Phase 1 exchange completed (local 93.83.XX.XX (responder), remote 178.112.79.10)
602202: ISAKMP session connected (local 93.83.XX.XX (responder), remote 178.112.79.10)
602201: ISAKMP Phase 1 SA created (local 93.83.XX.XX/500 (responder), remote 178.112.79.10/63321, authentication=pre-share, encryption=AES-CBC, hash=SHA, group=2, lifetime=86400s)
702205: ISAKMP Phase 2 retransmission (local 93.83.XX.XX (initiator), remote 178.112.79.10, message-ID 871523363)
702205: ISAKMP Phase 2 retransmission (local 93.83.XX.XX (initiator), remote 178.112.79.10, message-ID 871523363)
109005: Authentication succeeded for user 'EXXXXXXXX' from 178.112.79.10/0 to 93.83.XX.XX/0 on interface outside  
611101: User authentication succeeded: Uname: EXXXXXXXX
702206: ISAKMP malformed payload received (local 93.83.XX.XX (responder), remote 178.112.79.10, message-ID 871523363)
702209: ISAKMP Phase 2 exchange started (local 93.83.XX.XX (responder), remote 178.112.79.10, message-ID 4170283566)
602301: sa created, (sa) sa_dest= 93.83.XX.XX, sa_prot= 50, sa_spi= 0x9c71f0ac(2624712876), sa_trans= esp-aes-256 esp-sha-hmac , sa_conn_id= 4
602301: sa created, (sa) sa_dest= 178.112.79.10, sa_prot= 50, sa_spi= 0x28f0f0ac(686878892), sa_trans= esp-aes-256 esp-sha-hmac , sa_conn_id= 3
109011: Authen Session Start: user 'EXXXXXXXX', sid 13  
702211: ISAKMP Phase 2 exchange completed (local 93.83.XX.XX (responder), remote 178.112.79.10, message-ID 4170283566)
710005: UDP request discarded from 178.112.79.10/62515 to outside:93.83.XX.XX/62515
710001: TCP access requested from 192.168.1.70/23361 to inside:192.168.1.1/https
710002: TCP access permitted from 192.168.1.70/23361 to inside:192.168.1.1/https
710005: UDP request discarded from 192.168.1.70/137 to inside:192.168.1.1/netbios-ns
710005: UDP request discarded from 192.168.1.70/137 to inside:192.168.1.1/netbios-ns
710005: UDP request discarded from 192.168.1.70/137 to inside:192.168.1.1/netbios-ns


and here the config.

Result of firewall command: "show config"

: Saved
: Written by enable_15 at 08:29:23.081 UTC Tue Oct 12 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXX encrypted
hostname home
domain-name XXXXXXXXXXXXXXXXX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.72 Host
name 77.119.12.75 laptop
access-list inside_access_in permit ip any any 
access-list NoNAT2 permit ip host 93.83.XX.XX 172.31.255.128 255.255.255.128 
access-list NoNAT2 permit ip host 192.168.1.5 172.31.255.128 255.255.255.128 
access-list NoNAT2 permit ip host Host 192.168.1.64 255.255.255.240 
access-list outside_cryptomap_21 permit ip host 192.168.1.5 172.31.255.128 255.255.255.128 
access-list E1480001_splitTunnelAcl permit ip host Host any 
access-list 102 permit tcp interface outside eq 81 host Host eq 81 
pager lines 24
logging on
logging standby
logging console debugging
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 93.83.XX.XX 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Hobex 192.168.1.75-192.168.1.78
pdm location 172.31.255.128 255.255.255.128 outside
pdm location 172.31.255.0 255.255.255.128 outside
pdm location 172.31.255.251 255.255.255.255 outside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.248 inside
pdm location 172.17.208.32 255.255.255.248 inside
pdm location 172.17.208.33 255.255.255.255 outside
pdm location 93.83.0.0 255.255.0.0 outside
pdm location 93.83.XX.XX 255.255.255.255 inside
pdm location 192.168.1.6 255.255.255.255 inside
pdm location Host 255.255.255.255 inside
pdm location 178.113.173.35 255.255.255.255 outside
pdm location 192.168.1.64 255.255.255.240 outside
pdm location laptop 255.255.255.255 outside
pdm location 192.168.1.75 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 81 Host 81 netmask 255.255.255.255 0 0 
static (inside,outside) 172.17.208.33 192.168.1.5 netmask 255.255.255.255 0 0 
access-group 102 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 93.83.31.17 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set chevelle esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map transam 21 ipsec-isakmp
crypto map transam 21 match address outside_cryptomap_21
crypto map transam 21 set pfs group2
crypto map transam 21 set peer 195.168.208.50
crypto map transam 21 set transform-set chevelle
crypto map transam 21 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map transam 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 195.168.208.50 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity key-id
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash sha
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
vpngroup E1480001 address-pool Hobex
vpngroup E1480001 dns-server 195.3.96.67 195.3.96.68
vpngroup E1480001 split-tunnel E1480001_splitTunnelAcl
vpngroup E1480001 idle-time 1800
vpngroup E1480001 password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 213.33.99.70 80.120.17.70
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username Zwergi password QWV8TJnb7ADGb1YS encrypted privilege 15
terminal width 80
Cryptochecksum:8bb7ac7df5d48e15ec1a61418cf98b7b
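The log above shows the tunnel itself coming up (Phase 1, user authentication, Phase 2, ESP SAs), but it contains no line at all from the client addresses in the Hobex pool. The script below is an added example, not part of the original post: it summarises a PIX 6.3 log by syslog message ID, checks the IKE milestones, counts packets addressed to the firewall itself (710001/710002/710005), counts access-group denies (message 106023, which does not occur in the posted log) and reports whether any packet from the pool 192.168.1.75-192.168.1.78 was logged. The sample lines are a constructed subset of the posted log with the public address left masked as in the post.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: a subset of the PIX 6.3 syslog lines from the post above,
# with the same message IDs (the public address stays masked as in the post).
SAMPLE_LOG = """\
710005: UDP request discarded from 178.112.79.10/63320 to outside:93.83.XX.XX/62515
702208: ISAKMP Phase 1 exchange started (local 93.83.XX.XX (responder), remote 178.112.79.10)
702210: ISAKMP Phase 1 exchange completed (local 93.83.XX.XX (responder), remote 178.112.79.10)
602201: ISAKMP Phase 1 SA created (local 93.83.XX.XX/500 (responder), remote 178.112.79.10/63321, authentication=pre-share, encryption=AES-CBC, hash=SHA, group=2, lifetime=86400s)
109005: Authentication succeeded for user 'EXXXXXXXX' from 178.112.79.10/0 to 93.83.XX.XX/0 on interface outside
602301: sa created, (sa) sa_dest= 93.83.XX.XX, sa_prot= 50, sa_spi= 0x9c71f0ac(2624712876), sa_trans= esp-aes-256 esp-sha-hmac , sa_conn_id= 4
702211: ISAKMP Phase 2 exchange completed (local 93.83.XX.XX (responder), remote 178.112.79.10, message-ID 4170283566)
710005: UDP request discarded from 178.112.79.10/62515 to outside:93.83.XX.XX/62515
710002: TCP access permitted from 192.168.1.70/23361 to inside:192.168.1.1/https
710005: UDP request discarded from 192.168.1.70/137 to inside:192.168.1.1/netbios-ns
"""

# The VPN address pool from "ip local pool Hobex 192.168.1.75-192.168.1.78".
POOL = (ip_address("192.168.1.75"), ip_address("192.168.1.78"))

# Milestones of an IPsec remote-access connection, keyed by PIX message ID.
MILESTONES = {
    "702210": "ike_phase1_completed",
    "109005": "user_authenticated",
    "702211": "ike_phase2_completed",
    "602301": "ipsec_sa_created",
}

# 710001/710002/710005 report packets addressed to the firewall itself
# (management traffic), not transit traffic through it.
TO_BOX = re.compile(
    r"^(?P<id>71000[125]): (?P<proto>\w+) (?:request|access) (?P<verdict>\w+) "
    r"from (?P<src>\S+)/(?P<sport>\S+) to (?P<ifc>\w+):(?P<dst>\S+)/(?P<dport>\S+)$"
)


def _in_pool(addr):
    """True if addr lies in the Hobex pool; masked addresses never match."""
    try:
        return POOL[0] <= ip_address(addr) <= POOL[1]
    except ValueError:
        return False


def triage(log_text):
    """Summarise a PIX log: which tunnel milestones were reached, how much of
    the logged traffic is to-the-box management traffic, how many packets the
    interface ACLs denied, and whether anything from the VPN pool shows up."""
    ids = Counter()
    to_box = []
    for line in log_text.splitlines():
        m = re.match(r"^(\d{6}): ", line)
        if not m:
            continue
        ids[m.group(1)] += 1
        hit = TO_BOX.match(line)
        if hit:
            to_box.append(hit.groupdict())
    summary = {flag: ids[mid] > 0 for mid, flag in MILESTONES.items()}
    summary["acl_denies"] = ids["106023"]  # "Deny ... by access-group"
    summary["to_box_discards"] = sum(1 for e in to_box if e["verdict"] == "discarded")
    summary["pool_packets_seen"] = sum(1 for e in to_box if _in_pool(e["src"]))
    summary["inside_sources"] = sorted({e["src"] for e in to_box if e["ifc"] == "inside"})
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```

Run against the posted log, every milestone flag is true, the only inside source seen is 192.168.1.70, and no packet from the pool and no 106023 deny is logged: the tunnel is fine, and the problem has to be searched for in what happens to the decrypted client traffic afterwards.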

Url: https://administrator.de/contentid/152966

aqui
aqui 15.10.2010, updated on 18.10.2012 at 18:43:47
Your problem is quite simply a missing access list !! Remember that on a firewall EVERYTHING is forbidden that is not explicitly permitted.
You are missing the access list that permits the VPN IP network as source IP to access your local IP network as destination.
If you add that, it works right away.
Maybe you can "crib" something from here !!
Cisco PIX Firewall IPsec VPN Tunnel auf pfsense Firewall
It says there how it's done !
Also: a simple ACL debug with the excellent debug function on the Cisco shows you exactly this problem in no time !
krachtor
krachtor 16.10.2010 at 12:19:49
access-list 102 permit tcp interface outside eq 81 host Host eq 81

Hi HerrZwerg,

this ACL 102 is not correct. The DHCP IPs of the IPsec clients have to be permitted here.

Set:
access-list 102 permit tcp host 192.168.1.75 gt 1023 host Host eq 81
access-list 102 permit tcp host 192.168.1.76 gt 1023 host Host eq 81
access-list 102 permit tcp host 192.168.1.77 gt 1023 host Host eq 81
access-list 102 permit tcp host 192.168.1.78 gt 1023 host Host eq 81
Remove:
access-list 102 permit tcp interface outside eq 81 host Host eq 81

NAT looks OK.

Regards,
krachtor
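Both answers above come down to the same check: which source/destination/port tuple does ACL 102 actually match? The posted rule requires the source to be the outside interface address with source port 81, which a VPN client connecting from an ephemeral port never is. The script below is an added example, not code from the thread or from Cisco: a small first-match evaluator for the PIX 6.3 access-list syntax used on this page (any, host, interface, network/mask, eq/neq/gt/lt/range) with the implicit deny at the end, run once against the posted rule and once against krachtor's replacement. It assumes the "name 192.168.1.72 Host" entry from the config, and since the outside address is masked in the post it uses the documentation address 203.0.113.1 as a placeholder; the small service-name table is constructed. One caveat for anyone reproducing this on a PIX 6.3: the config also contains "sysopt connection permit-ipsec", which exempts IPsec-decrypted traffic from the interface ACL, so an ACL change alone need not change what the client can reach; the evaluator models the ACL only.

```python
from ipaddress import ip_address, ip_network

# Constructed from the config in the first post. The outside address is masked
# there, so a documentation placeholder is used for "interface outside".
NAMES = {"Host": "192.168.1.72"}
INTERFACES = {"outside": "203.0.113.1"}

# Small constructed table of PIX service keywords usable in place of a port.
SERVICES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23}

# The rule as posted, and the replacement proposed by krachtor.
ORIGINAL_ACL = [
    "access-list 102 permit tcp interface outside eq 81 host Host eq 81",
]
CORRECTED_ACL = [
    "access-list 102 permit tcp host 192.168.1.75 gt 1023 host Host eq 81",
    "access-list 102 permit tcp host 192.168.1.76 gt 1023 host Host eq 81",
    "access-list 102 permit tcp host 192.168.1.77 gt 1023 host Host eq 81",
    "access-list 102 permit tcp host 192.168.1.78 gt 1023 host Host eq 81",
]

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


def _port(tok):
    """Numeric port or one of the service keywords above."""
    return SERVICES.get(tok) or int(tok)


def _parse_endpoint(tokens, i):
    """Consume an address spec (any | host X | interface IF | addr mask) and an
    optional port operator starting at tokens[i]; return (network, portspec, next_i)."""
    tok = tokens[i]
    if tok == "any":
        net, i = ip_network("0.0.0.0/0"), i + 1
    elif tok == "host":
        net, i = ip_network(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    elif tok == "interface":
        net, i = ip_network(INTERFACES[tokens[i + 1]] + "/32"), i + 2
    else:  # "address mask" pair, resolving a configured name if present
        net, i = ip_network((NAMES.get(tok, tok), tokens[i + 1]), strict=False), i + 2
    portspec = None
    if i < len(tokens) and tokens[i] in PORT_OPS:
        op = tokens[i]
        if op == "range":
            portspec, i = (op, _port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
        else:
            portspec, i = (op, _port(tokens[i + 1])), i + 2
    return net, portspec, i


def parse_ace(line):
    """Parse one 'access-list NAME ACTION PROTO SRC [op port] DST [op port]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, sport, i = _parse_endpoint(tokens, 4)
    dst, dport, _ = _parse_endpoint(tokens, i)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport, "text": line}


def _port_matches(spec, port):
    if spec is None:
        return True
    op, lo = spec[0], spec[1]
    if op == "eq":
        return port == lo
    if op == "neq":
        return port != lo
    if op == "gt":
        return port > lo
    if op == "lt":
        return port < lo
    return lo <= port <= spec[2]  # range


def evaluate(acl_lines, proto, src, sport, dst, dport):
    """First-match evaluation with the PIX implicit deny at the end.
    Returns (action, text of the matching ACE or None)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if not (_port_matches(ace["sport"], sport) and _port_matches(ace["dport"], dport)):
            continue
        return ace["action"], ace["text"]
    return "deny", None


if __name__ == "__main__":
    # A client from the Hobex pool opening port 81 on Host from an ephemeral port.
    flow = ("tcp", "192.168.1.75", 23361, "192.168.1.72", 81)
    print("posted rule :", evaluate(ORIGINAL_ACL, *flow))
    print("replacement :", evaluate(CORRECTED_ACL, *flow))
```

The posted rule only ever matches a flow whose source is the outside interface address itself with source port 81, so every client connection falls through to the implicit deny; the replacement permits the four pool addresses from ports above 1023 to Host:81 and nothing else, which is the least-privilege shape the first answer asks for.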
HerrZwerg
HerrZwerg 18.10.2010 at 11:45:03
Great!

Thanks for the quick help!

regards
Herr Zwerg