[SOLVED] ASA 8.2.5 problem establishing VPN connections

Secure your network!

Moderator: Federico.Lagni

coteaz
Cisco power user
Posts: 109
Joined: Fri 01 May 2009, 11:59 am

Hello, I have an ASA 5510 and I am having problems making VPN connections from the inside to the outside.

There is no rule blocking the PPTP or L2TP ports, but from the Windows clients inside the network I just cannot connect.

Can anyone tell me why? Thanks

Code:

FIREWALLP01# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MAIOR.local
enable password 28kg/dOQX80WtMHA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 79.xx.xx.73 ROUTERP01
name 79.xx.xx.75 Pubblica_HTTP
name 79.xx.xx.76 Pubblica_VOIP
name 192.168.90.2 SERVERP02
name 192.168.90.3 SERVERP03
name 192.168.92.4 SERVERP04
!
interface Ethernet0/0
 nameif Pubblica_SIADSL
 security-level 0
 ip address 79.xx.xx.74 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.90.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 98
 ip address 192.168.92.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup Pubblica_SIADSL
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
 name-server SERVERP02
 domain-name MAIOR.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service rtp udp
 port-object range 9000 9049
access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_HTTP eq sip
access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Pubblica_SIADSL 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Pubblica_SIADSL) 1 interface
global (DMZ) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255
static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255
access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL
route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list value Link
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
 ldap-base-dn DC=MAIOR,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=MAIOR,DC=local
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL
crypto isakmp enable Pubblica_SIADSL
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Pubblica_SIADSL
 enable LAN
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.90.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value MAIOR.local
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
 service-type remote-access
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_pool
 authentication-server-group SERVERP02
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group SERVERP02
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4774f1e5b912c7f299328746e2fa3c1e
: end
FIREWALLP01#
Last edited by coteaz on Wed 21 Sep 2011, 11:02 am, edited 1 time in total.
blublublu
Cisco power user
Posts: 82
Joined: Wed 11 May 2011, 6:14 pm

The local pool overlaps with the inside interface.
coteaz
Cisco power user
Posts: 109
Joined: Fri 01 May 2009, 11:59 am

Could you please explain the problem to me in more detail and, if possible, help find the solution?

Thanks 8)
rain3
Network Emperor
Posts: 266
Joined: Thu 31 Jul 2008, 4:55 pm
Location: Battipaglia (SA)

I misread the post, I am deleting my reply.
Last edited by rain3 on Wed 21 Sep 2011, 5:24 pm, edited 1 time in total.
CCNA 640-802
CCNP SWITCH 642-813
blublublu
Cisco power user
Posts: 82
Joined: Wed 11 May 2011, 6:14 pm

I do not see why the ASA should answer ARP requests from the internal hosts on behalf of PCs connected over the VPN. You can easily verify it with an arp -a.
coteaz
Cisco power user
Posts: 109
Joined: Fri 01 May 2009, 11:59 am

Sorry, but what does the overlap have to do with it? I am trying from the inside to the outside...

What you are pointing out is perhaps a different problem :)
blublublu
Cisco power user
Posts: 82
Joined: Wed 11 May 2011, 6:14 pm

If a host wants to communicate over Ethernet with another host on the same segment, it sends an ARP request. If it gets no reply, there is no communication.
coteaz
Cisco power user
Posts: 109
Joined: Fri 01 May 2009, 11:59 am

Guys, the problem has been solved.
Very simple: PPTP uses GRE as an encapsulation protocol, which means that it will not let the firewall see the ports or the TCP sessions carried in the VPN connection. Since the firewall cannot see the ports, it will only see IP protocol 47, which are the GRE packets.
If you look at your logs in the ASDM you will see that the firewall says "portmap translation creation failed for IP protocol 47".
What you need to do is add the inspection for PPTP, which will allow the firewall to pre-allocate a channel for the PPTP traffic and GRE in order to let it pass through; here is what you can do:

policy-map global_policy
 class inspection_default
  inspect pptp
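The two technical points in this thread (blublublu's note that VPN_pool sits inside the LAN subnet, and the closing explanation that PPTP's GRE carrier cannot be port-translated without `inspect pptp`) can both be checked mechanically from a saved running-config. The script below is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the config posted above, flags pools that overlap a connected interface subnet, reports whether the globally applied policy-map inspects PPTP while interface PAT is in use, and confirms the symptom from syslog lines written in the %ASA-3-305006 "portmap translation creation failed for protocol 47" format the last reply describes. The syslog lines and the addresses 192.168.90.10 and 203.0.113.10 are constructed for the example.

```python
"""Audit an ASA 8.2 running-config for the two points raised in this thread: a VPN
pool overlapping a connected subnet, and PPTP (GRE, IP protocol 47) behind interface
PAT with no 'inspect pptp'. Added example; config excerpt and syslog are constructed."""
import ipaddress
import re

# Constructed excerpt of the posted running-config (only the lines the checks read).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif LAN
 ip address 192.168.90.254 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 ip address 192.168.92.254 255.255.255.0
ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
global (Pubblica_SIADSL) 1 interface
global (DMZ) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
service-policy global_policy global
"""

# Constructed syslog lines in the %ASA-3-305006 format the last reply refers to;
# 203.0.113.10 is a documentation address standing in for the remote PPTP server.
SYSLOG_LINES = [
    "%ASA-6-302013: Built outbound TCP connection 1234 for Pubblica_SIADSL:203.0.113.10/1723"
    " (203.0.113.10/1723) to LAN:192.168.90.10/49213 (79.xx.xx.74/49213)",
    "%ASA-3-305006: portmap translation creation failed for protocol 47"
    " src LAN:192.168.90.10 dst Pubblica_SIADSL:203.0.113.10",
]
GRE = 47
SYSLOG_305006 = re.compile(r"%ASA-\d-305006: portmap translation creation failed for "
                           r"protocol (\d+) src (\S+):(\S+) dst (\S+):(\S+)")
PAT_TO_INTERFACE = re.compile(r"^global \((\S+)\) \d+ interface$", re.M)

def blocks(cfg):
    """Yield (top-level line, [stripped indented child lines]) pairs, ASA style."""
    header, children = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if header is not None:
                yield header, children
            header, children = line.strip(), []
    if header is not None:
        yield header, children

def interfaces(cfg):
    """Map nameif -> IPv4Interface for every named, addressed interface."""
    result = {}
    for header, children in blocks(cfg):
        fields = dict(c.split(" ", 1) for c in children if " " in c)
        if header.startswith("interface ") and "nameif" in fields and "ip" in fields:
            ip, mask = fields["ip"].split()[1:3]  # "address A.B.C.D M.M.M.M"
            result[fields["nameif"]] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return result

def pool_overlaps(cfg):
    """(pool, nameif) pairs where a local pool lies inside a connected subnet."""
    hits = []
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        lo, hi = ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))
        for nameif, iface in interfaces(cfg).items():
            net = iface.network
            if lo <= net.broadcast_address and hi >= net.network_address:
                hits.append((m.group(1), nameif))
    return hits

def global_inspections(cfg):
    """Protocols inspected by the policy-map applied with 'service-policy ... global'."""
    applied = re.search(r"^service-policy (\S+) global$", cfg, re.M)
    for header, children in blocks(cfg):
        if applied and header == f"policy-map {applied.group(1)}":
            return {c.split()[1] for c in children if c.startswith("inspect ")}
    return set()

def gre_pat_failures(lines):
    """(src, dst) of every 305006 line for protocol 47: the PPTP-over-PAT symptom."""
    matches = (SYSLOG_305006.search(line) for line in lines)
    return [(m.group(3), m.group(5)) for m in matches if m and int(m.group(1)) == GRE]

def audit(cfg, syslog=()):
    """Collect both findings; 'pptp_pat_broken' is the condition 'inspect pptp' removes."""
    pat, inspected = set(PAT_TO_INTERFACE.findall(cfg)), global_inspections(cfg)
    return {
        "pool_overlaps": pool_overlaps(cfg),
        "pat_interfaces": pat,
        "pptp_inspected": "pptp" in inspected,
        "pptp_pat_broken": bool(pat) and "pptp" not in inspected,
        "gre_pat_failures": gre_pat_failures(syslog),
    }

if __name__ == "__main__":
    print(audit(ASA_CONFIG, SYSLOG_LINES))
```

Run against the excerpt, `audit` reports the pool overlapping LAN, PAT on Pubblica_SIADSL and DMZ with no PPTP inspection, and one GRE translation failure from the log; adding `inspect pptp` to the class turns `pptp_pat_broken` off while leaving the pool overlap, which is a separate issue, still flagged. Feed it `show running-config` output and a syslog export from the real device to reproduce the check.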