Configuring a PIX 501 with an Alice Gate Plus WiFi modem

zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

Hello everyone
I need to configure a PIX 501 for home use, connected to an Alice Gate Plus WiFi router, so that I can connect
The setup is as follows:

Dynamic public IP
Router alice gate          Pc1
192.168.1.1           192.168.1.10
     |                     |
     |_____________________|
               |
      EthEXT 192.168.0.254
            Pix501
      EthINT 10.0.0.254
               |
               |
           10.0.0.10
              Pc2


The current config is below, but I can't:
- ping pc1 from pc2, let alone the router, and vice versa
- reach the ethExt via telnet from pc1

To start with, my first goal is to make the two networks (10.0.0.0 and 192.168.1.0) see each other and to let 10.0.0.0 out to the Internet


pix501(config)# sh conf
: Saved
: Written by enable_15 at 23:53:38.357 UTC Tue Aug 10 2010
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pix501
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.200
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.201
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.202
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.203
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.204
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.205
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.254 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool poolIP_VPN 192.168.1.200-192.168.1.205
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 outside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum: xxxxxxxxxxxxxxxxxxxx

Thanks to everyone for your replies
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

I'd like to clarify that the PIX 501 is being added to the network purely so that I can connect via VPN and get an address in the 192.168.1.X range.
I care very little whether PC2 sits behind the PIX (on the contrary, I'd avoid it if possible).
That said, I'd still like to know how to make the two LANs (192.168.1.0 and 10.0.0.0) see each other, for possible future use.

So my question is whether the following is correct for accepting VPN connections from outside:


crypto ipsec transform-set VPNHome esp-3des esp-md5-hmac
crypto dynamic-map MAPPAHome_dinamica 10 set transform-set VPNHome
crypto map MAPPAHome 10 ipsec-isakmp dynamic MAPPAHome_dinamica
crypto map MAPPAHome client configuration address initiate
crypto map MAPPAHome interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local pool_indirizziHome outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nome_gruppo idle-time 1800
vpngroup gruppoVPN dns-server 192.168.1.1
vpngroup gruppoVPN wins-server 192.168.1.1
vpngroup gruppoVPN default-domain intranet
vpngroup gruppoVPN idle-time 1800
vpngroup gruppoVPN password ********
nazgul25
n00b
Posts: 7
Joined: Fri 06 Aug, 2010 4:57 pm

Hi

I'm not an expert, but the first thing that seems obvious is: have you configured the outside and inside interfaces?


Bye.
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

nazgul25 wrote: Hi

I'm not an expert, but the first thing that seems obvious is: have you configured the outside and inside interfaces?


Bye.
Hi
yes yes, they are configured. The problem was that behind some routers (such as the D-Link I was using for some tests) the PIX does not negotiate the outside IP. So I replaced the router with the Pirelli one it will have to work with, and now I can browse without problems.
The configuration is as follows


pixfirewall# sh conf
: Saved
: Written by enable_15 at 00:51:26.431 UTC Fri Aug 13 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx
hostname pixfirewall
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 lanIn
name 192.168.1.0 lanOut
access-list ping_acl permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool_indirizziCasa 192.168.1.20-192.168.1.30
pdm logging informational 100
pdm history enable
arp timeout 60
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ping_acl in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http lanIn 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPNCasa esp-3des esp-md5-hmac
crypto dynamic-map MAPPACasa_dinamica 10 set transform-set VPNCasa
crypto map MAPPACasa 10 ipsec-isakmp dynamic MAPPACasa_dinamica
crypto map MAPPACasa client configuration address initiate
crypto map MAPPACasa interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local pool_indirizziCasa outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup nome_gruppo idle-time 1800
vpngroup gruppoVPN dns-server gw
vpngroup gruppoVPN wins-server gw
vpngroup gruppoVPN default-domain intranet
vpngroup gruppoVPN idle-time 1800
vpngroup gruppoVPN password ********
telnet lanIn 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.100-10.0.0.105 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXX
pixfirewall#



pixfirewall# sh ip
System IP Addresses:
ip address outside 192.168.1.200 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0
Current IP Addresses:
ip address outside 192.168.1.200 255.255.255.0
ip address inside 10.0.0.254 255.255.255.0

pixfirewall# sh route
outside 0.0.0.0 0.0.0.0 192.168.1.199 1 DHCP static
inside lanIn 255.255.255.0 10.0.0.254 1 CONNECT static
outside lanOut 255.255.255.0 192.168.1.200 1 CONNECT static

Now I'm trying to connect from outside via VPN but it doesn't work.... First of all I'm trying to understand which ports to open on the router, obviously with destination 192.168.1.200 (192.168.1.199 is the address of the Alice router)
nazgul25
n00b
Posts: 7
Joined: Fri 06 Aug, 2010 4:57 pm

Hi

I think 500 for IPsec communications.
But the router must support VPN pass-through, otherwise it won't work.

Read here: http://www.zeroshell.net/faq/vpn/#vpn.faq0b

Bye
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

nazgul25 wrote: Hi

I think 500 for IPsec communications.
But the router must support VPN pass-through, otherwise it won't work.

Read here: http://www.zeroshell.net/faq/vpn/#vpn.faq0b

Bye
I've finally solved some problems, but I have a few questions and still some problems, which I list below after posting the config:

pix501# sh conf
: Saved
: Written by enable_15 at 23:56:48.368 UTC Sat Aug 14 2010
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXX encrypted
passwd XXXXXX encrypted
hostname pix501
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ping_acl permit icmp any any
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.180
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.181
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.182
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.183
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool poolVPN_Home 192.168.1.180-192.168.1.183
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group ping_acl in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.100 255.255.255.255 inside
http 10.0.0.101 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set setVPN_Home esp-3des esp-md5-hmac
crypto dynamic-map mapDinVPN_Home 10 set transform-set setVPN_Home
crypto map mapVPN_Home 10 ipsec-isakmp dynamic mapDinVPN_Home
crypto map mapVPN_Home client configuration address initiate
crypto map mapVPN_Home client configuration address respond
crypto map mapVPN_Home client authentication LOCAL
crypto map mapVPN_Home interface outside
isakmp enable outside
isakmp key XXXXX address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local poolVPN_Home outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup gruppoVPN_Home address-pool poolVPN_Home
vpngroup gruppoVPN_Home dns-server 192.168.1.1
vpngroup gruppoVPN_Home wins-server 192.168.1.1
vpngroup gruppoVPN_Home default-domain intranet
vpngroup gruppoVPN_Home idle-time 1800
vpngroup gruppoVPN_Home password XXXXXXX
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.100-10.0.0.110 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username test password XXXXX encrypted privilege 3
terminal width 80
Cryptochecksum:XXXXXX

1) if I set eth0 to DHCP, I can browse from lan_in without problems; if instead, as would be preferable, I set a static IP, I can no longer browse: how do I fix this? What other commands do I need to add?
2) from lan_in I can ping the outside; from lan_out I cannot ping lan_in
3) with the VPN configured this way, I connect, enter the local credentials of the user TEST, and the connection comes up and assigns me the IP address, but:
- I can't browse
- I can't ping the rest of lan_in, let alone lan_out
- the gateway is shown as the same as the negotiated address (in the config I entered the router's)

I tried following Wizard's script "Script config VPN Client IPsec su PIX 6.3.x", changing a few things... but it didn't all go smoothly

Thanks again for the help.
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

Can nobody help me with this? :-(
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

I managed to solve points 1 and 2... by getting PDM to start and completing the configuration... but I still haven't managed to solve point 3 :-(
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

Help me :-(
I just can't browse through the VPN on the remote LAN, let alone on the Internet going out with the remote network's IP :-(
beherenow84
Cisco fan
Posts: 31
Joined: Thu 17 Jan, 2008 12:39 pm
Location: Latina

You need to make these changes to your config

1.
access-list inside_nat0_outbound extended permit ip "LAN to make reachable" "its subnet mask" "VPN pool LAN" "its subnet mask"

nat (inside) 0 access-list inside_nat0_outbound

access-list "VPN access-list name" standard permit 192.168.0.0 255.255.0.0 - this network, entered this way, lets you reach your whole internal network

-------------------------------------------------------------

2.
group policy internal
group policy "VPN name" attribute
split-tunnel-policy tunnelspecified
split-tunnel-network-list value "VPN access-list name"


1.
All of this is needed to do NO NAT for the VPN network; otherwise the PIX will keep NATing your VPN on the outside, since it doesn't know the origin of the packet, because NAT is performed before routing.
So you create a NO NAT rule and then the routing table takes care of the rest. This is important because you need it to reach the services you have inside your network, otherwise you will never see anything; so, in addition to this, the specific network(s) are enabled through ACLs to be visible over the VPN channel.

2.
These commands are used to SPLIT the network; in short, they separate the VPN network and the remote network you are connecting from into two distinct branches by means of routing rules, which lets you browse using the remote line while still being able to see the whole remote VPN network you are connected to.

I hope this helps.

See you soon

Maicol

CCNA
CCNA Security
CCSP Work in Progress - SNRS module
IRONPORT - CICSP Web Security
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

Hi Maicol
Thanks a lot for your help. Tomorrow evening I'll try your suggestions and update you.
Please stay tuned on this channel, don't abandon me with my poor PIX :-)

Thanks again for your help
zorro77
Cisco power user
Posts: 84
Joined: Wed 02 Jan, 2008 11:12 am

Hi Maicol....

unfortunately the commands you indicated are not supported by my PIX :-(
How can I solve this?



pix501(config)# ?

At the end of show <command>, use the pipe character '|' followed by:
begin|include|exclude|grep [-v] <regular_exp>, to filter show output.

aaa Enable, disable, or view TACACS+, RADIUS or LOCAL
user authentication, authorization and accounting
aaa-server Define AAA Server group
access-group Bind an access-list to an interface to filter inbound traffic
access-list Add an access list
activation-key Modify activation-key.
age This command is deprecated. See ipsec, isakmp, map, ca commands
alias Administer overlapping addresses with dual NAT.
apply Apply outbound lists to source or destination IP addresses
arp Change or view arp table, set arp timeout value, view statistics
auth-prompt Customize authentication challenge, reject or acceptance prompt
auto-update Configure auto update support
banner Configure login/session banners
ca CEP (Certificate Enrollment Protocol)
Create and enroll RSA key pairs into a PKI
(Public Key Infrastructure).
capture Capture inbound and outbound packets on one or more interfaces
clock Show and set the date and time of PIX
conduit Add conduit access to higher security level network or ICMP
configure Configure from terminal, floppy, memory, network, or
factory-default. The configuration will be merged with the
active configuration except for factory-default in which case
the active configuration is cleared first.
copy Copy image or PDM file from TFTP server into flash.
console Set idle timeout for the serial console of the PIX
cpu Display cpu usage and cpu profiling operations
Crashinfo Read, write and configure crash write to flash. Force a crash.
crypto Configure IPsec, IKE, and CA
debug Debug packets or ICMP tracings through the PIX Firewall.
dhcpd Configure DHCP Server
dhcprelay Configure DHCP Relay Agent
disable Exit from privileged mode
domain-name Change domain name
dynamic-map Specify a dynamic crypto map template
eeprom show or reprogram the 525 onboard i82559 devices
enable Configure enable passwords
established Allow inbound connections based on established connections
failover Enable/disable PIX failover feature to a standby PIX
filter Enable, disable, or view URL, FTP, HTTPS, Java, and ActiveX filtering
fixup Add or delete PIX service and feature defaults
flashfs Show, destroy, or preserve filesystem information
fragment Configure the IP fragment database
global Specify, delete or view global address pools,
or designate a PAT(Port Address Translated) address
help Help list
hostname Change host name
http Configure HTTP server
icmp Configure access for ICMP traffic that terminates at an interface
interface Set network interface paremeters and configure VLANs
ip Set the ip address and mask for an interface
Define a local address pool
Configure Unicast RPF on an interface
Configure the Intrusion Detection System
ipsec Configure IPSEC policy
isakmp Configure ISAKMP policy
kill Terminate a telnet session
logout Exit from current user profile, and to unprivileged mode
logging Enable logging facility
mac-list Add a list of mac addresses using first match search
map Configure IPsec crypto map
memory System memory utilization
mgcp Configure the Media Gateway Control Protocol fixup
management-access Enable access to internal management interface
mroute Configure a multicast route
mtu Specify MTU(Maximum Transmission Unit) for an interface
multicast Configure multicast on an interface
name Associate a name with an IP address
nameif Assign a name to an interface
names Enable, disable or display IP address to name conversion
nat Associate a network with a pool of global IP addresses
ntp Configure Network Time Protocol
object-group Create an object group for use in 'access-list', 'conduit', etc
outbound Create an outbound access list
pager Control page length for pagination
passwd Change Telnet console access password
pdm Configure PIX Device Manager
ping Test connectivity from specified interface to <ip>
prefix-list Configure a prefix-list
privilege Configure/Display privilege levels for commands
quit Quit from the current mode, end configuration or logout
reload Halt and reload system
rip Broadcast default route or passive RIP
route Enter a static route for an interface
route-map Create a route-map.
router Create/configure OSPF routing process
routing Configure interface specific unicast routing parameters.
service Enable system services
setup Pre-configure PIX
shun Manages the filtering of packets from undesired hosts
sip Configure IP Address Privacy, show the current data stored for
each SIP session.
snmp-server Provide SNMP and event information
snmp Configure the SNMP fixup
ssh Add SSH access to PIX console, set idle timeout, display
list of active SSH sessions & terminate a SSH session
static Configure one-to-one address translation rule
sysopt Set system functional option
telnet Add telnet access to PIX console and set idle timeout
terminal Set terminal line parameters
tftp-server Specify default TFTP server address and directory
timeout Set the maximum idle times
url-cache Enable URL caching
url-block Enable URL pending block buffer and long URL support
url-server Specify a URL filter server
username Configure user authentication local database
virtual Set address for authentication virtual servers
vpdn Configure VPDN (PPTP, L2TP, PPPoE) Policy
vpnclient Configure Easy VPN Remote
vpngroup Configure group settings for Cisco VPN Clients and
Cisco Easy VPN Remote products
who Show active administration sessions on PIX
write Write config to net, flash, floppy, or terminal, or erase flash
pix501(config)#
beherenow84
Cisco fan
Posts: 31
Joined: Thu 17 Jan, 2008 12:39 pm
Location: Latina

Try it this way; I prepared these commands based on your config:

access-list 80 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 80


vpngroup gruppoVPN_Home split-tunnel 80

CCNA
CCNA Security
CCSP Work in Progress - SNRS module
IRONPORT - CICSP Web Security
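
The two conditions discussed in the replies above (a NAT exemption that covers every address of the VPN pool, and a split-tunnel ACL bound to the vpngroup) can be checked offline against a saved PIX 6.3 config. This is an added example, not code from the thread or from Cisco; the function names are hypothetical, the sample configs are constructed from lines posted above, and it assumes a later `nat (inside) 0 access-list` replaces an earlier one on the same interface.

```python
import ipaddress

def _spec(tok):
    """Consume one PIX address spec: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_pix(config):
    """Collect the PIX 6.3 statements that decide VPN-client reachability."""
    acls, pools, nat0, groups = {}, {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _spec(t[4:])
            dst, _ = _spec(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            first, _, last = t[4].partition("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            # Assumption: a later nat 0 ACL on the same interface replaces the earlier one.
            nat0[t[1]] = t[4]
        elif t[:1] == ["vpngroup"] and len(t) >= 4:
            groups.setdefault(t[1], {})[t[2]] = t[3]
    return acls, pools, nat0, groups

def check_vpn(config):
    """Return one finding per vpngroup problem; an empty list means both checks pass."""
    acls, pools, nat0, groups = parse_pix(config)
    # Destinations of the nat 0 ACLs: traffic towards these is not translated.
    exempt = [dst for name in nat0.values() for _src, dst in acls.get(name, [])]
    findings = []
    for group, opts in groups.items():
        pool = pools.get(opts.get("address-pool"))
        if pool is None:
            findings.append(f"{group}: no address-pool defined for this group")
            continue
        addrs = (ipaddress.ip_address(n) for n in range(int(pool[0]), int(pool[1]) + 1))
        missed = [ip for ip in addrs if not any(ip in net for net in exempt)]
        if missed:
            findings.append(f"{group}: no NAT exemption for " + ", ".join(map(str, missed)))
        if opts.get("split-tunnel") not in acls:
            findings.append(f"{group}: no split-tunnel ACL")
    return findings

# Constructed sample: the VPN-relevant lines of the 14 Aug config posted above.
BEFORE = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.180
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.181
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.182
access-list 101 permit ip 10.0.0.0 255.255.255.0 host 192.168.1.183
ip local pool poolVPN_Home 192.168.1.180-192.168.1.183
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup gruppoVPN_Home address-pool poolVPN_Home
vpngroup gruppoVPN_Home idle-time 1800
"""
# Same config with the three commands from the last reply appended.
AFTER = BEFORE + """\
access-list 80 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 80
vpngroup gruppoVPN_Home split-tunnel 80
"""
# Constructed variant: pool widened without extending the host-by-host ACL 101.
WIDER_POOL = BEFORE.replace("192.168.1.180-192.168.1.183", "192.168.1.180-192.168.1.185")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("wider pool", WIDER_POOL)):
        print(name, check_vpn(cfg))
```

The widened-pool case shows why a subnet-wide exemption ACL is easier to keep correct than one `host` entry per pool address.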