VPN NAT INTERNET §DESPERATION§
Posted: Wed 30 Apr 2008, 7:48 am
Hi guys, I have this configuration on a CISCO PIX-506E:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 90 permit ip 192.168.1.0 255.255.255.0 131.33.0.0 255.255.0.0
access-list 90 permit udp 192.168.1.0 255.255.255.0 131.33.0.0 255.255.0.0 eq isakmp
access-list 90 permit udp 192.168.1.0 255.255.255.0 131.33.0.0 255.255.0.0 eq 4500
access-list 90 permit esp 192.168.1.0 255.255.255.0 131.33.0.0 255.255.0.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.4 255.255.255.224
ip address inside 192.168.1.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 1.2.3.5
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 90 in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.6 1
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map map1 30 ipsec-isakmp
crypto map map1 30 match address 90
crypto map map1 30 set peer 99.99.99.99
crypto map map1 30 set transform-set strong
crypto map map1 interface outside
isakmp enable outside
isakmp key ***************** address 99.99.99.99 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup management split-tunnel 90
vpngroup management idle-time 1800
vpngroup fnmc idle-time 1800
I need to NAT all outgoing traffic with an address from the 10.19.10.19 255.255.255.248 range, because my network is incompatible with the customer's. My problem is that this FW already has a NAT (1) which I have to use for Internet browsing.
HELP ME PLEASE.
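One way to keep NAT id 1 for Internet browsing and translate only the customer-bound traffic, as an added example in PIX 6.3 syntax that is not part of the original post: policy NAT (a `nat` statement bound to an access-list) is evaluated before the regular `nat (inside) 1` rule, so traffic to 131.33.0.0/16 is translated to 10.19.10.19 and everything else still uses 1.2.3.5. The ACL names `vpn-nat` and `vpn-crypto` and the NAT id 2 are assumed names; the addresses are the ones from the post.

```cisco
! Added example, not from the original post. Names vpn-nat, vpn-crypto and NAT id 2 are assumptions.

! 1. Policy NAT: only inside LAN -> customer network is translated to 10.19.10.19.
access-list vpn-nat permit ip 192.168.1.0 255.255.255.0 131.33.0.0 255.255.0.0
nat (inside) 2 access-list vpn-nat
global (outside) 2 10.19.10.19 netmask 255.255.255.248

! 2. The PIX translates before it encrypts, so the crypto ACL must match the
!    post-NAT source address, not 192.168.1.0/24.
access-list vpn-crypto permit ip host 10.19.10.19 131.33.0.0 255.255.0.0
crypto map map1 30 match address vpn-crypto

! 3. nat (inside) 1 / global (outside) 1 1.2.3.5 stay as they are and keep
!    handling all other outbound (Internet) traffic.
```

The customer's crypto ACL has to mirror this one (destination host 10.19.10.19), and `show xlate` / `show crypto ipsec sa` confirm that customer-bound flows use the new translation while browsing still appears behind 1.2.3.5.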