VPN client and Cisco PIX 515

Virtual private networks and related topics

Moderator: Federico.Lagni

tester77
n00b
Posts: 24
Joined: Wed 08 Apr 2009, 5:43 pm

Hi guys,
I'd like to put a question to you:

I configured the PIX 515 Version 7.0(4) inside my company like this:

- internal LAN 10.0.0.x
- WAN pointing to the router
- one static NAT
- one VPN that accepts connections from VPN clients for working remotely.

Everything seems to work fine.
When I connect remotely (e.g. from home) with the VPN client, the VPN session comes up, because I can ping the PCs behind my LAN without any trouble and also reach them via Remote Desktop.

After a while, though, the PIX goes crazy: it loses connectivity, in the sense that the users on the 10.0.0.x LAN behind the PIX can no longer browse the Internet, and the PIX has to be rebooted.

So I'm asking you:

- as far as you know, could this be a bug in version 7.0(4) relating to VPNs?

- is there some timeout in the configuration (which I'm about to post) that somehow drops the connection on the company side as soon as I connect from home over the VPN?

- other solutions? :-)

Here's the config:

sh run
: Saved
:
PIX Version 7.0(4)
!
hostname my_pix_515
domain-name default.domain.invalid
enable password YyIDjb762/W75M2s encrypted
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 87.45.127.60 255.255.255.248
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list external extended permit tcp any host 88.45.127.61 eq smtp
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list mygroup_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool mypool 192.168.1.1-192.168.1.10 mask 255.255.255.0
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 87.45.127.62
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.254.0

static (inside,outside) tcp 88.45.127.61 smtp 10.0.0.1 smtp netmask 255.255.255.255

access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 87.45.127.63 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy mygroup internal
group-policy mygroup attributes
dns-server value 151.99.125.1 151.99.0.100
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mygroup_splitTunnelAcl
username myuser password xecYJQ3UE4xV3X7U encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group mygroup type ipsec-ra
tunnel-group mygroup general-attributes
address-pool mypool
default-group-policy mygroup
tunnel-group mygroup ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:59dc90819a30efa94frfb3785h999586
: end
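The posted "show run" lends itself to a few mechanical checks that a reviewer would run before guessing at a timeout. What follows is an added example, not part of the original post and not Cisco tooling: a small Python linter over a trimmed copy of the configuration above. It checks that the VPN pool is covered by the NAT 0 exemption ACL and by the crypto-map ACL, that the split-tunnel setup makes sense (a tunnelspecified policy whose network list is "permit any" tunnels all client traffic, and without "same-security-traffic permit intra-interface" a PIX 7.x drops the clients' Internet-bound traffic that arrives on outside and would have to leave on outside), that the pool does not overlap the inside subnet or the ranges home routers commonly hand out, and that the default gateway actually sits on the outside subnet. The check names, the COMMON_HOME_SUBNETS list and the wording of the findings are this example's own assumptions; the addresses are copied exactly as posted, and since they may have been sanitised for the forum, the default-route finding describes the post rather than the real network. None of this diagnoses the LAN outage described in the post; it only surfaces what is visible in the configuration.

```python
"""Lint the VPN-relevant parts of a PIX 7.x 'show run'.

Added example, not from the original post or from Cisco: the check names,
COMMON_HOME_SUBNETS and the finding texts are this example's own assumptions.
"""
import ipaddress
import re

# Trimmed copy of the configuration posted above, addresses exactly as posted
# (the poster may have sanitised them; read the route finding with that in mind).
PIX_CONFIG = """
interface Ethernet0
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface Ethernet1
 nameif outside
 ip address 87.45.127.60 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list mygroup_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0
ip local pool mypool 192.168.1.1-192.168.1.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.254.0
route outside 0.0.0.0 0.0.0.0 87.45.127.63 1
group-policy mygroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mygroup_splitTunnelAcl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
tunnel-group mygroup general-attributes
 address-pool mypool
"""

# Assumption of this example: ranges that consumer home routers hand out by default.
COMMON_HOME_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def parse(cfg):
    """Collect interfaces, ACLs, pools, NAT 0 ACLs, routes and split-tunnel settings."""
    c = {"ifaces": {}, "acls": {}, "pools": {}, "nat0": [], "routes": [],
         "crypto_acls": [], "split_policy": None, "split_acl": None, "intra_interface": False}
    nameif = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            c["ifaces"][nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) (?:standard|extended) permit (.+)$", line):
            c["acls"].setdefault(m[1], []).append(m[2].split())
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
            c["pools"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            c["nat0"].append(m[1])
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            c["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False),
                                ipaddress.ip_address(m[4])))
        elif m := re.match(r"crypto dynamic-map \S+ \d+ match address (\S+)$", line):
            c["crypto_acls"].append(m[1])
        elif m := re.match(r"split-tunnel-policy (\S+)$", line):
            c["split_policy"] = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            c["split_acl"] = m[1]
        elif line == "same-security-traffic permit intra-interface":
            c["intra_interface"] = True
    return c


def acl_dest_networks(entries):
    """Destination networks of 'permit ip any X M' and 'permit any' entries; others are ignored."""
    nets = []
    for e in entries:
        if e == ["any"] or (e[0] == "ip" and e[-1] == "any"):
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif e[0] == "ip" and len(e) >= 4:
            nets.append(ipaddress.ip_network(f"{e[-2]}/{e[-1]}", strict=False))
    return nets


def check_pool_exemption(c):
    """Each VPN pool must be NAT-exempt (nat 0 ACL) and matched by a crypto-map ACL."""
    findings = []
    for name, pool in c["pools"].items():
        for label, acl_names in (("nat 0", c["nat0"]), ("crypto map", c["crypto_acls"])):
            nets = [n for a in acl_names for n in acl_dest_networks(c["acls"].get(a, []))]
            if not any(pool.subnet_of(n) for n in nets):
                findings.append(f"pool {name} ({pool}) is not covered by any {label} ACL")
    return findings


def check_split_tunnel(c):
    """'tunnelspecified' with a 'permit any' list means full tunnel; then hairpinning matters."""
    findings = []
    if c["split_policy"] == "tunnelspecified":
        nets = acl_dest_networks(c["acls"].get(c["split_acl"], []))
        if any(n.prefixlen == 0 for n in nets):
            findings.append(f"split-tunnel list {c['split_acl']} permits any: all client traffic is tunnelled")
            if not c["intra_interface"]:
                findings.append("no 'same-security-traffic permit intra-interface': "
                                "clients' Internet traffic arriving on outside is dropped")
    return findings


def check_pool_overlap(c):
    """Pool must not overlap a firewall interface subnet or a typical home LAN range."""
    findings = []
    for name, pool in c["pools"].items():
        for ifname, iface in c["ifaces"].items():
            if pool.overlaps(iface.network):
                findings.append(f"pool {name} overlaps {ifname} subnet {iface.network}")
        for home in COMMON_HOME_SUBNETS:
            if pool.overlaps(home):
                findings.append(f"pool {name} ({pool}) collides with common home LAN {home}")
    return findings


def check_default_route(c):
    """Default gateway must be a host address inside the egress interface subnet."""
    findings = []
    for ifname, dest, gw in c["routes"]:
        if dest.prefixlen != 0:
            continue
        iface = c["ifaces"].get(ifname)
        if iface is None or gw not in iface.network:
            findings.append(f"default gateway {gw} is not on the {ifname} subnet")
        elif gw in (iface.network.network_address, iface.network.broadcast_address):
            findings.append(f"default gateway {gw} is the network or broadcast address of {iface.network}")
    return findings


def lint(cfg):
    c = parse(cfg)
    return {"pool_exemption": check_pool_exemption(c), "split_tunnel": check_split_tunnel(c),
            "pool_overlap": check_pool_overlap(c), "default_route": check_default_route(c)}


if __name__ == "__main__":
    for check, findings in lint(PIX_CONFIG).items():
        for f in findings or ["ok"]:
            print(f"{check}: {f}")
```

Run as-is it reports the posted config clean on pool exemption, and flags the full-tunnel-without-hairpin split-tunnel setup, the 192.168.1.0/24 pool colliding with the most common home LAN range (relevant to anyone connecting from home, though not to the office LAN losing Internet), and the gateway address as posted. To use it on another box, paste its own "show run" into PIX_CONFIG; the checks only read lines in the forms shown above.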