Thu 19 Oct 2006, 8:00 am
This is my configuration. SAP support connects through a router in the DMZ...
: Saved
: Written by enable_15 at 11:19:30.744 CEDT Fri Sep 22 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password mdoillqq.abBsHGn encrypted
passwd Ehl6jeEn0WYT1WlH encrypted
hostname ArpaFW
domain-name arpaindustriale.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 125.125.1.0 lan-inside
name 125.125.1.254 int-inside
name 192.168.0.0 VPN
name 194.39.131.34 SAPSERV2
access-list inside_outbound_nat0_acl remark VPN Pix To Pix
access-list inside_outbound_nat0_acl permit ip 125.125.0.0 255.255.254.0 192.168.0.0 255.255.252.0
access-list inside_outbound_nat0_acl remark Client Cisco VPN Remote 3Des
access-list inside_outbound_nat0_acl permit ip 125.125.0.0 255.255.254.0 192.168.100.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.100.0 255.255.255.0
access-list inside_outbound_nat0_acl remark VPN Pix To Pix
access-list inside_outbound_nat0_acl remark Client Cisco VPN Remote 3Des
access-list from-inside permit ip host 125.125.1.7 any
access-list from-inside permit ip host 125.125.1.82 any
access-list from-inside permit ip host 125.125.1.5 any
access-list from-inside permit ip host 125.125.1.9 any
access-list from-inside permit ip host 125.125.1.4 any
access-list from-inside remark Allows all LAN PCs to connect to the saprouter in the dmz (172.16.0.2) and therefore use OSS
access-list from-inside permit ip any host 172.16.0.2
access-list from-inside permit tcp host 125.125.1.46 any
access-list from-inside permit tcp host 125.125.1.30 any
access-list from-inside permit tcp host 125.125.1.26 host 151.9.170.7
access-list from-inside permit tcp host 125.125.1.141 host 151.9.170.7
access-list from-inside remark Rule that allows all IP traffic for the Proxy machine
access-list from-inside permit ip host 125.125.1.253 any
access-list from-inside remark Rule that allows BDC_1 everything
access-list from-inside permit ip host 125.125.1.3 any
access-list from-inside remark Allows all LAN PCs to connect to the saprouter in the dmz (172.16.0.2) and therefore use OSS
access-list from-inside remark Allows all LAN PCs to connect to mailex sistemitre
access-list from-inside permit tcp 125.125.0.0 255.255.254.0 host 151.9.170.3
access-list from-inside permit ip host 125.125.1.85 any
access-list from-inside permit tcp host 125.125.1.94 host 151.9.170.7
access-list from-inside permit ip any host 193.9.159.71
access-list from-inside permit ip any host 193.9.159.91
access-list from-inside remark the addresses 193.9.159.71 and 193.9.159.91 are needed for the SPAMFIGHTER software
access-list from-inside permit ip any host 87.248.208.50
access-list from-inside permit tcp any host 193.9.159.71
access-list from-inside permit tcp any host 193.9.159.91
access-list from-inside permit ip host 125.125.1.100 any
access-list from-inside permit ip host 125.125.1.48 any
access-list from-inside permit ip host 125.125.1.140 any
access-list outside_cryptomap_20 permit ip 125.125.1.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any host 217.57.147.140 eq pcanywhere-data
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit udp any host 217.57.147.140 eq pcanywhere-status
access-list outside_access_in permit tcp host 194.39.131.34 host 217.57.147.139 eq 3299
access-list outside_inbound_nat0_acl permit ip 192.168.1.192 255.255.255.192 125.125.1.0 255.255.255.0
access-list dmz_access_in permit icmp any any echo-reply
access-list dmz_access_in permit ip host 172.16.0.2 host 194.39.131.34
access-list dmz_access_in permit tcp host 172.16.0.2 host 125.125.1.4 eq 3200
access-list dmz_access_in permit tcp host 172.16.0.2 host 125.125.1.9 eq 3200
access-list dmz_access_in permit tcp host 172.16.0.2 host 125.125.1.82 eq 3200
access-list outside_cryptomap_dyn_80 permit ip any 192.168.100.0 255.255.255.0
pager lines 23
logging on
logging timestamp
logging console emergencies
logging monitor warnings
logging buffered debugging
logging trap warnings
logging history emergencies
logging host inside 125.125.1.253
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 217.57.147.138 255.255.255.248
ip address inside 125.125.1.254 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-net 192.168.100.1-192.168.100.254
pdm location 151.4.77.11 255.255.255.255 outside
pdm location 125.125.0.0 255.255.255.0 inside
pdm location 125.125.1.1 255.255.255.255 inside
pdm location 125.125.1.3 255.255.255.255 inside
pdm location 125.125.1.5 255.255.255.255 inside
pdm location 125.125.1.15 255.255.255.255 inside
pdm location 125.125.1.28 255.255.255.255 inside
pdm location 125.125.1.90 255.255.255.255 inside
pdm location 125.125.1.253 255.255.255.255 inside
pdm location 125.125.0.0 255.255.254.0 inside
pdm location 217.57.147.139 255.255.255.255 dmz
pdm location 217.57.147.140 255.255.255.255 dmz
pdm location 80.206.119.10 255.255.255.255 outside
pdm location 80.206.129.98 255.255.255.255 outside
pdm location 192.168.0.0 255.255.252.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 125.125.1.147 255.255.255.255 inside
pdm location 172.16.0.2 255.255.255.255 dmz
pdm location 125.125.0.0 255.255.254.0 dmz
pdm location 125.125.1.4 255.255.255.255 inside
pdm location 194.39.131.34 255.255.255.255 outside
pdm location 125.125.1.7 255.255.255.255 inside
pdm location 125.125.1.9 255.255.255.255 inside
pdm location 125.125.1.78 255.255.255.255 inside
pdm location 125.125.1.252 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 217.57.147.141
global (dmz) 1 172.16.0.250-172.16.0.254
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 125.125.0.0 255.255.254.0 0 0
nat (dmz) 1 172.16.0.0 255.255.255.0 0 0
static (inside,outside) udp 217.57.147.140 pcanywhere-status 125.125.1.48 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.57.147.140 pcanywhere-data 125.125.1.48 pcanywhere-data netmask 255.255.255.255 0 0
static (dmz,outside) 217.57.147.139 172.16.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 125.125.1.4 125.125.1.4 netmask 255.255.255.255 0 0
static (inside,dmz) 125.125.1.9 125.125.1.9 netmask 255.255.255.255 0 0
static (inside,dmz) 125.125.1.82 125.125.1.82 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group from-inside in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 217.57.147.137 1
route inside 125.125.0.0 255.255.255.0 125.125.1.1 1
route inside 125.125.0.0 255.255.255.0 125.125.1.3 2
timeout xlate 0:10:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 193.204.114.233 source outside prefer
http server enable
http 125.125.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt ARPAIndustriale Authentication Area
auth-prompt accept Authentication Succeded!!!
auth-prompt reject ACCESS DENYED!! THIS INCIDENT WILL BE REPORTED !!
crypto ipsec transform-set AH-DES-MD5 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address outside_cryptomap_20
crypto map VPN 20 set peer 81.116.93.253
crypto map VPN 20 set transform-set ESP-3DES-MD5
crypto map VPN 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 81.116.93.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup realtech address-pool vpn-net
vpngroup realtech dns-server 125.125.1.5 125.125.1.1
vpngroup realtech wins-server 125.125.1.5 125.125.1.1
vpngroup realtech default-domain arpa.locale
vpngroup realtech idle-time 1800
vpngroup realtech password ********
vpngroup baky address-pool vpn-net
vpngroup baky dns-server 125.125.1.7 125.125.1.5
vpngroup baky wins-server 125.125.1.5 125.125.1.1
vpngroup baky default-domain arpa.locale
vpngroup baky idle-time 1800
vpngroup baky password ********
vpngroup arpa address-pool vpn-net
vpngroup arpa dns-server 125.125.1.1 125.125.1.5
vpngroup arpa wins-server 125.125.1.1 125.125.1.5
vpngroup arpa default-domain arpa.locale
vpngroup arpa idle-time 1800
vpngroup arpa password ********
vpngroup migliore address-pool vpn-net
vpngroup migliore dns-server 125.125.1.7 125.125.1.5
vpngroup migliore wins-server 125.125.1.5 125.125.1.7
vpngroup migliore default-domain arpa.locale
vpngroup migliore idle-time 1800
vpngroup migliore password ********
vpngroup di_venuta address-pool vpn-net
vpngroup di_venuta dns-server 125.125.1.7 125.125.1.5
vpngroup di_venuta wins-server 125.125.1.5 125.125.1.7
vpngroup di_venuta default-domain arpa.locale
vpngroup di_venuta idle-time 1800
vpngroup di_venuta password ********
vpngroup barzaghi address-pool vpn-net
vpngroup barzaghi dns-server 125.125.1.7 125.125.1.5
vpngroup barzaghi wins-server 125.125.1.5 125.125.1.7
vpngroup barzaghi default-domain arpa.locale
vpngroup barzaghi idle-time 1800
vpngroup barzaghi password ********
vpngroup fisone address-pool vpn-net
vpngroup fisone dns-server 125.125.1.7 125.125.1.5
vpngroup fisone wins-server 125.125.1.5 125.125.1.7
vpngroup fisone default-domain arpa.locale
vpngroup fisone idle-time 1800
vpngroup fisone password ********
vpngroup tarantino address-pool vpn-net
vpngroup tarantino dns-server 125.125.1.7 125.125.1.5
vpngroup tarantino wins-server 125.125.1.5 125.125.1.7
vpngroup tarantino default-domain arpa.locale
vpngroup tarantino idle-time 1800
vpngroup tarantino password ********
vpngroup malano address-pool vpn-net
vpngroup malano dns-server 125.125.1.7 125.125.1.5
vpngroup malano wins-server 125.125.1.5 125.125.1.7
vpngroup malano default-domain arpa.locale
vpngroup malano idle-time 1800
vpngroup malano password ********
vpngroup ferravante address-pool vpn-net
vpngroup ferravante dns-server 125.125.1.7 125.125.1.5
vpngroup ferravante wins-server 125.125.1.5 125.125.1.7
vpngroup ferravante default-domain arpa.locale
vpngroup ferravante idle-time 1800
vpngroup ferravante password ********
vpngroup longhi idle-time 1800
vpngroup schivazappa address-pool vpn-net
vpngroup schivazappa dns-server 125.125.1.7 125.125.1.5
vpngroup schivazappa wins-server 125.125.1.5 125.125.1.1
vpngroup schivazappa default-domain arpa.locale
vpngroup schivazappa idle-time 1800
vpngroup schivazappa password ********
vpngroup met address-pool vpn-net
vpngroup met dns-server 125.125.1.7 125.125.1.5
vpngroup met wins-server 125.125.1.5 125.125.1.7
vpngroup met default-domain arpa.locale
vpngroup met idle-time 1800
vpngroup met password ********
vpngroup airoldi address-pool vpn-net
vpngroup airoldi dns-server 125.125.1.7 125.125.1.5
vpngroup airoldi wins-server 125.125.1.5 125.125.1.7
vpngroup airoldi default-domain arpa.locale
vpngroup airoldi idle-time 1800
vpngroup airoldi password ********
vpngroup verga-rtc address-pool vpn-net
vpngroup verga-rtc dns-server 125.125.1.7 125.125.1.5
vpngroup verga-rtc wins-server 125.125.1.5 125.125.1.7
vpngroup verga-rtc default-domain arpa.locale
vpngroup verga-rtc idle-time 1800
vpngroup verga-rtc password ********
vpngroup sistemitre address-pool vpn-net
vpngroup sistemitre dns-server 125.125.1.7 125.125.1.5
vpngroup sistemitre wins-server 125.125.1.5 125.125.1.7
vpngroup sistemitre default-domain arpa.locale
vpngroup sistemitre idle-time 1800
vpngroup sistemitre password ********
vpngroup marco address-pool vpn-net
vpngroup marco dns-server 125.125.1.7 125.125.1.5
vpngroup marco wins-server 125.125.1.5 125.125.1.7
vpngroup marco default-domain arpa.locale
vpngroup marco idle-time 1800
vpngroup marco password ********
vpngroup gen_remote address-pool vpn-net
vpngroup gen_remote dns-server 125.125.1.7 125.125.1.5
vpngroup gen_remote wins-server 125.125.1.5 125.125.1.7
vpngroup gen_remote default-domain arpa.locale
vpngroup gen_remote idle-time 1800
vpngroup gen_remote password ********
telnet 125.125.1.0 255.255.255.0 inside
telnet timeout 60
ssh 125.125.1.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
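An added example, not part of the original post: a small Python checker that parses access-list lines in the posted PIX 6.3 syntax and evaluates whether the SAP support path (SAPSERV2 to the saprouter's public address on 3299, then the saprouter to the inside SAP hosts on 3200) is permitted, and flags any `permit ip any` rules worth reviewing. The excerpt is copied from the config above; on PIX 6.3 the outside ACL matches the translated (static NAT) address, which is why 217.57.147.139 appears rather than 172.16.0.2. The pcanywhere port numbers are the PIX keyword values.

```python
import ipaddress

# Constructed excerpt of the access-list lines from the posted PIX 6.3 config.
PIX_ACLS = """\
access-list outside_access_in permit tcp host 194.39.131.34 host 217.57.147.139 eq 3299
access-list outside_access_in permit tcp any host 217.57.147.140 eq pcanywhere-data
access-list dmz_access_in permit tcp host 172.16.0.2 host 125.125.1.4 eq 3200
access-list dmz_access_in permit ip host 172.16.0.2 host 194.39.131.34
access-list from-inside permit ip any host 172.16.0.2
"""

PORT_NAMES = {"pcanywhere-data": 5631, "pcanywhere-status": 5632}  # PIX port keywords

def _net(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]} in config order."""
    rules = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _net(t[4:])
        dst, rest = _net(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.setdefault(name, []).append((action, proto, src, dst, port))
    return rules

def permitted(rules, acl, proto, src, dst, dport):
    """First-match evaluation of one flow against a named ACL, with the PIX implicit deny at the end."""
    for action, rproto, rsrc, rdst, rport in rules.get(acl, []):
        if rproto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in rsrc or ipaddress.ip_address(dst) not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action == "permit"
    return False

def broad_rules(rules):
    """List (acl, index) of 'permit ip' rules whose source is 'any': candidates for tightening."""
    return [(acl, i) for acl, rs in rules.items() for i, (a, p, s, _d, _p) in enumerate(rs)
            if a == "permit" and p == "ip" and s.prefixlen == 0]
```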