Salve a tutti,
Spero riuscirete ad aiutarmi !!!!!
Sede 1
PIX 515e connesso direttamente a Internet (IP 83.211.xxx.yyy)
Sede 2
Router Cisco 827 con contratto Telecom e un IP pubblico, e un PIX 515e: non riesco a far passare il traffico VPN dal router al PIX.
Ecco le configurazioni:
Router
Using 1583 out of 131072 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): with password encryption off, the vty password below (and any
! "enable password") sits in clear text in this config. "service
! password-encryption" only obscures them; the type-5 "enable secret" is what
! enable access should rely on.
no service password-encryption
!
hostname gwsspmr01
!
enable secret 5
! Redundant next to "enable secret" and weaker; value removed from the paste.
enable password
!
ip subnet-zero
!
!
!
!
! LAN side, 192.168.50.0/24. The PIX outside interface (192.168.50.2) lives here,
! i.e. the firewall is behind this router's NAT.
interface Ethernet0
ip address 192.168.50.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
! Internet side. This is the only public address, so everything below is PAT
! or port forwarding through it.
interface ATM0.1 point-to-point
ip address 81.73.xxx.yyy 255.255.255.254
ip nat outside
pvc 8/35
encapsulation aal5snap
!
!
ip nat translation timeout 420
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 120
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
! Overload (PAT) for LAN hosts matched by access-list 1.
ip nat inside source list 1 interface ATM0.1 overload
! Port forwards: VNC (5900/5800) and RDP (3389) from the Internet to
! 192.168.50.4, which is a static translation on the PIX (see firewall config).
! NOTE(review): this publishes remote-desktop services to the Internet; confirm
! it is intended and that the PIX inbound ACL agrees with it.
ip nat inside source static tcp 192.168.50.4 5900 interface ATM0.1 5900
ip nat inside source static tcp 192.168.50.4 5800 interface ATM0.1 5800
ip nat inside source static tcp 192.168.50.4 3389 interface ATM0.1 3389
! NOTE(review): these two "50" entries forward UDP/TCP *port* 50, but ESP is IP
! *protocol* 50 and has no ports, so they do not deliver raw ESP from the
! remote peer to the PIX. Because the PIX is behind this PAT, the usual
! approach is NAT-Traversal (ESP inside UDP 4500, forwarded below) enabled on
! both peers; some IOS images also offer "ip nat inside source static esp ..."
! for raw ESP -- check whether this 12.2 feature set has it.
ip nat inside source static udp 192.168.50.2 50 interface ATM0.1 50
ip nat inside source static tcp 192.168.50.2 50 interface ATM0.1 50
! ISAKMP (UDP 500) and NAT-T (UDP 4500) forwarded to the PIX outside address.
ip nat inside source static udp 192.168.50.2 4500 interface ATM0.1 4500
ip nat inside source static udp 192.168.50.2 500 interface ATM0.1 500
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
! NOTE(review): the HTTP server is on and no "ip http access-class" is visible
! here, so web management is reachable on ATM0.1 (the Internet side) unless
! restricted elsewhere; disable it or bind an ACL to it.
ip http server
!
!
! Sources eligible for PAT (the LAN).
access-list 1 permit 192.168.50.0 0.0.0.255
!
line con 0
stopbits 1
! NOTE(review): no "access-class" on the vty lines is visible, so Telnet
! (cleartext) management is accepted from any interface, Internet side
! included. An inbound access-class limited to 192.168.50.0/24 is the minimum;
! SSH is preferable where the image supports it.
line vty 0 4
password
login
!
scheduler max-task-time 5000
end
Firewall 515e
: Saved
: Written by enable_15 at 13:39:43.206 UTC Tue Mar 6 2007
!
PIX Version 7.2(1)
!
hostname fwsspmr01
domain-name sspmr.it
! (enable password and passwd values were removed from the paste)
enable password
names
!
! "outside" is a private address on the 827's LAN: this PIX is behind the
! router's PAT, which is why NAT-Traversal matters for the tunnel (see isakmp).
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.50.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.15.10 255.255.255.0
!
passwd
ftp mode passive
dns server-group DefaultDNS
domain-name sspmr.it
! Defined but not bound by any access-group below.
access-list inside standard permit any
! Applied outbound on the outside interface. The three any/any lines permit all
! UDP, TCP and ICMP out, so the two subnet-specific lines after them can never
! match (shadowed).
access-list outside_access_out extended permit udp any any log
access-list outside_access_out extended permit tcp any any log
access-list outside_access_out extended permit icmp any any
access-list outside_access_out extended permit tcp 192.168.15.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_access_out extended permit tcp 192.168.50.0 255.255.255.0 192.168.15.0 255.255.255.0
! Crypto ACL (interesting traffic): inside LAN -> the peer's public address
! only. NOTE(review): no remote LAN appears here, so only traffic addressed to
! 83.211.xxx.yyy itself would be encrypted; the remote PIX's crypto ACL has to
! be the mirror image or phase 2 fails -- confirm what the other side defines.
access-list outside_20_cryptomap extended permit ip 192.168.15.0 255.255.255.0 host 83.211.xxx.yyy
! NAT exemption for the same flows so VPN traffic is not PATed.
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 host 83.211.xxx.yyy
! NOTE(review): "host 192.168.15" is not a valid address, and this ACL is not
! bound anywhere (access-group uses outside_access_in_1); it looks like an
! abandoned draft -- fix or remove it.
access-list outside_access_in extended permit tcp any eq 5900 host 192.168.15 eq 5900
access-list outside_access_in extended permit tcp any eq 5800 host 192.168.15 eq 5800
! NOTE(review): bound inbound on the inside interface, yet its only source is
! 192.168.50.0/24 (the outside subnet). Packets from inside hosts (192.168.15.x)
! entering that interface do not match and hit the implicit deny, so as written
! inside hosts cannot originate traffic -- including the flows that would bring
! the tunnel up. The source/destination look reversed.
access-list inside_access_in extended permit tcp 192.168.50.0 255.255.255.0 192.168.15.0 255.255.255.0
! Inbound on outside: TCP from the router's LAN only. Connections arriving via
! the router's port forwards keep their Internet source address and are
! therefore denied here (see the static translations below).
access-list outside_access_in_1 extended permit tcp 192.168.50.0 255.255.255.0 192.168.15.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
! ICMP to the firewall's own interfaces is open from anywhere on both sides.
icmp permit any outside
icmp permit any inside
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat-control
! PAT everything from inside to the outside interface address, except what
! matches inside_nat0_outbound (the VPN flows).
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns norandomseq
! Port statics: 192.168.50.4 (outside subnet) -> 192.168.15.2 for RDP and VNC;
! the router forwards the same ports to 192.168.50.4. NOTE(review): with
! outside_access_in_1 as bound, Internet sources are denied, so these are
! unreachable from outside unless that ACL is widened -- at which point RDP and
! VNC become publicly reachable. Decide which of the two is intended.
static (inside,outside) tcp 192.168.50.4 3389 192.168.15.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 192.168.50.4 5800 192.168.15.2 5800 netmask 255.255.255.255
static (inside,outside) tcp 192.168.50.4 5900 192.168.15.2 5900 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
! Default route via the 827's LAN address.
route outside 0.0.0.0 0.0.0.0 192.168.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:0
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:
timeout uauth 0:05:00 absolute
! ASDM/HTTP management limited to the inside LAN.
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Phase 2: 3DES/MD5. Phase 1 (policy 10): pre-shared key, 3DES, MD5, DH group 2.
! NOTE(review): legacy choices; prefer AES and SHA (and a stronger DH group)
! where the remote peer supports them, matched on both ends.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 83.211.xxx.yyy
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
! NOTE(review): no "crypto isakmp nat-traversal" line appears. This peer is
! behind the router's PAT, so NAT-T (UDP 4500) is what carries ESP through it;
! confirm it is enabled on both peers (the default depends on the release)
! rather than relying on raw ESP reaching this box.
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! Site-to-site tunnel group keyed by the peer address; PSK is masked.
tunnel-group 83.211.xxx.yyy type ipsec-l2l
tunnel-group 83.211.xxx.yyy ipsec-attributes
pre-shared-key *
! Management (Telnet, SSH) only from the inside LAN. Telnet is cleartext and is
! redundant here next to SSH.
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.15.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
!
! Application inspection policy applied globally.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea126b198ee517356e4db9c25b12cf81
Grazie per la Vs collaborazione.
Alesandro