Aiuto per configurare routing tra vpn con PIX

[arosa]

Salve a tutti,

Grazie anticipatamente per il Vs interesse.

Ho un problema con un PIX 515e Version 7.2(1)
Device Manager Version 5.2(1), vi spiego :

Nel pix ci sono configurate 5 vpn site-to-site ed una connessione client-to-site per la connessione con il client vpn cisco.
Il problema è che non riesco a configurare il routing tra le vpn per far in modo che dal client vpn venga ruotato nelle vpn site-to-site.

Grazie
Alessandro

[Wizard]

Intanto aggiorna la ios alla 7.2.2, la 7.2.1 aveva qualche problemino...
Tu vuoi che tutte le vpn vedano tutte le reti in vpn?

[arosa]

Ciao Wizard,

non vorrei che tutte le vpn fossero visibili tra di loro ma sola dal client vpn.
è indispensabile aggiornare la ios ? o può funzionare bene con la 7.2.1 ?

Grazie
Alessandro

[Wizard]

X la ios è consigliato per tutta una serie di buchi che ha quella ma non indispensabile per il tuo problema.
Per il resto si può fare: fare vedere tutte le reti in vpn l2l quando ti connetti in vpn client: oltre ad abilitare il routing tra vpn devi anche mettere a poste le acl dello spilt tunnel e le crypto.

[arosa]

Wizard se ti posto la conf del pix puoi aiutarmi a fare la configurazione del routing ?

Grazie
Ale.

[arosa]

Wizard questa è la conf, per ragioni di privacy ho omesso gli ip e le password.


: Saved
: Written by enable_15 at 12:41:23.191 UTC Mon Jul 9 2007
!
PIX Version 7.2(1)
!
hostname fwds02
domain-name dynamic
enable password xxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 83.211.xxx.yyy 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.2.2 255.255.255.0
!
passwd xxxx encrypted
banner exec FWDS02
banner login Immettere l'Autenticazione
ftp mode passive
dns server-group DefaultDNS
domain-name dynamic
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 194.228.90.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 extended permit ip 10.1.0.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 extended permit ip 172.16.128.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 172.16.128.0 255.255.255.0
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 extended permit ip 10.1.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 102 extended permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 10.1.2.0 255.255.255.0 194.228.90.0 255.255.255.0
access-list 104 extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 105 extended permit ip 10.1.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 106 extended permit ip 10.1.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 171 extended permit ip 10.1.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.2.84 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 194.228.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 extended permit icmp 10.1.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.1.2.84 255.255.255.252
access-list outside_40_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 10.1.2.0 255.255.255.0 194.228.90.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip any 10.1.2.84 255.255.255.252
access-list outside_80_cryptomap extended permit ip 10.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging trap warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool admin 10.1.2.84-10.1.2.86 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
asdm image flash:/pdm
asdm group 10.1.2.0 inside
asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 83.211.xxx.yyy 1
route inside 172.16.128.0 255.255.255.0 10.1.2.1 1
route inside 10.1.0.0 255.255.255.0 10.1.2.189 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server local protocol radius
group-policy admin internal
group-policy admin attributes
wins-server value 10.1.2.55 10.1.0.8
dns-server value 10.1.2.184 10.1.2.185
vpn-tunnel-protocol IPSec
default-domain value dynamic
group-policy admin1 internal
group-policy admin1 attributes
wins-server value 10.1.2.55 10.1.0.8
dns-server value 10.1.2.184 10.1.2.185
vpn-tunnel-protocol IPSec
split-tunnel-network-list value 101
default-domain value dynamic
username 62.94.xxx.yyy nopassword
username xxxx password yyyy encrypted privilege 15
username xxxx attributes
vpn-group-policy admin
username xxxx password yyyy encrypted privilege 0
username xxxx attributes
vpn-group-policy admin
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Accesso Eseguito su FWDS02
auth-prompt accept Autenticazione avvenuta con successo
auth-prompt reject Non Autorizzato
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set vpn
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map0 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 81.73.xxx.100
crypto map outside_map 20 set transform-set vpn
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 62.94.xxx.197
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 82.57.xxx.220
crypto map outside_map 60 set transform-set ESP-DES-MD5 vpn
crypto map outside_map 80 match address outside_80_cryptomap
crypto map outside_map 80 set peer 82.91.xxx.115
crypto map outside_map 80 set transform-set vpn
crypto map outside_map 100 ipsec-isakmp dynamic outside_dyn_map0
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 81.73.xxx.100 type ipsec-l2l
tunnel-group 81.73.xxx.100 ipsec-attributes
pre-shared-key *
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool admin
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *
tunnel-group 62.94.xxx.197 type ipsec-l2l
tunnel-group 62.94.xxx.197 ipsec-attributes
pre-shared-key *
tunnel-group 82.57.xxx.220 type ipsec-l2l
tunnel-group 82.57.xxx.220 ipsec-attributes
pre-shared-key *
tunnel-group admin1 type ipsec-ra
tunnel-group admin1 general-attributes
address-pool admin
default-group-policy admin1
tunnel-group admin1 ipsec-attributes
pre-shared-key *
tunnel-group 82.91.xxx.115 type ipsec-l2l
tunnel-group 82.91.xxx.115 ipsec-attributes
pre-shared-key *
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.2.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
l2tp tunnel hello 200
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
smtp-server 172.16.128.91
prompt hostname context

[Wizard]

Intanto verifica collegandoti in vpn client se lo split tunnel è configurato correttamente:

- click destro sul lucchetto chiuso
- statistiche
- secure route

Ci dovrebbero essere tutte le reti che vuoi vedere

[Wizard]

Intanto verifica collegandoti in vpn client se lo split tunnel è configurato correttamente:

- click destro sul lucchetto chiuso
- statistiche
- secure route

Ci dovrebbero essere tutte le reti che vuoi vedere

[arosa]

ho verificato ed ho soltanto 0.0.0.0.0 0.0.0.0.0 e niente altro !!!

[Wizard]

Chiaramente non va bene, o meglio, non è assolutamente l'ideale.
Controlla la acl per lo split tunnel che è la 101.

[Wizard]

Aggiorna alla ios 7.2.2
Con quella versione basta configurare bene le acl per lo split tunnel.

[arosa]

Grazie Wizard provvederò al più presto.