NAT Traversal (NAT-T)
CLI Guru - Cisco Training and Consulting Center


  1. #1
    ali tadir Guest

    NAT Traversal (NAT-T)

    Hello everyone.

    We installed a PIX 506 at the center of a network with 11 branches. All of the branches connect to the head office over ADSL using the VPN Client software. The head office's internet uplink is an LL.

    Our problem is that single-user branches stay connected for hours, but in a branch with more than one user, when one of them connects, the other one gets disconnected.

    The configuration is given below. Thanks in advance to anyone who takes a look.

    Cisco PIX Firewall Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxxx encrypted
    hostname pix
    domain-name cisco.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name 10.8.1.2 VPN_Router
    access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq www
    access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq ftp
    access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq smtp
    access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq pop3
    access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq domain
    access-list inside_access_in permit udp 10.8.0.0 255.255.0.0 any eq domain
    access-list inside_access_in permit icmp 10.8.0.0 255.255.0.0 any echo
    access-list inside_access_in permit tcp 10.8.0.0 255.255.0.0 any eq https
    access-list outside_access_in permit icmp any any echo-reply
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.1.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.2.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.3.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.4.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.5.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.6.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.7.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.8.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.9.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.10.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.11.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.12.0 255.255.255.0
    access-list 101 permit ip 10.8.0.0 255.255.0.0 10.9.13.0 255.255.255.0
    pager lines 24
    logging on
    logging console critical
    logging monitor emergencies
    logging buffered alerts
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.x
    ip address inside 10.8.1.1 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool magaza1 10.9.1.1-10.9.1.14
    ip local pool magaza2 10.9.2.1-10.9.2.14
    ip local pool magaza3 10.9.3.1-10.9.3.14
    ip local pool magaza5 10.9.5.1-10.9.5.14
    ip local pool magaza6 10.9.6.1-10.9.6.14
    ip local pool magaza7 10.9.7.1-10.9.7.14
    ip local pool magaza8 10.9.8.1-10.9.8.14
    ip local pool magaza9 10.9.9.1-10.9.9.14
    ip local pool magaza10 10.9.10.1-10.9.10.14
    ip local pool magaza11 10.9.4.1-10.9.4.14
    ip local pool magaza12 10.9.11.1-10.9.11.14
    ip local pool magaza13 10.9.12.1-10.9.12.14
    ip local pool magaza14 10.9.13.1-10.9.13.14
    pdm location 10.8.0.0 255.255.0.0 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list 101
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.8.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpntransform esp-des esp-md5-hmac
    crypto dynamic-map vpndmap 10 set transform-set vpntransform
    crypto map vpnmap 10 ipsec-isakmp dynamic vpndmap
    crypto map vpnmap interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup group1 address-pool magaza1
    vpngroup group1 dns-server 10.8.1.15
    vpngroup group1 default-domain cisco.com
    vpngroup group1 split-tunnel 101
    vpngroup group1 idle-time 1800
    vpngroup group1 password ********
    vpngroup group2 address-pool magaza2
    vpngroup group2 dns-server 10.8.1.15
    vpngroup group2 default-domain cisco.com
    vpngroup group2 split-tunnel 101
    vpngroup group2 idle-time 1800
    vpngroup group2 password ********
    vpngroup group3 address-pool magaza3
    vpngroup group3 dns-server 10.8.1.15
    vpngroup group3 split-tunnel 101
    vpngroup group3 idle-time 1800
    vpngroup group3 password ********
    vpngroup group4 address-pool magaza4
    vpngroup group4 dns-server 10.8.1.15
    vpngroup group4 split-tunnel 101
    vpngroup group4 password ********
    vpngroup group5 address-pool magaza5
    vpngroup group5 dns-server 10.8.1.15
    vpngroup group5 split-tunnel 101
    vpngroup group5 idle-time 1800
    vpngroup group5 password ********
    vpngroup group6 address-pool magaza6
    vpngroup group6 dns-server 10.8.1.15
    vpngroup group6 split-tunnel 101
    vpngroup group6 idle-time 1800
    vpngroup group6 password ********
    vpngroup group7 address-pool magaza7
    vpngroup group7 dns-server 10.8.1.15
    vpngroup group7 split-tunnel 101
    vpngroup group7 idle-time 1800
    vpngroup group7 password ********
    vpngroup group8 address-pool magaza8
    vpngroup group8 dns-server 10.8.1.15
    vpngroup group8 split-tunnel 101
    vpngroup group8 idle-time 1800
    vpngroup group8 password ********
    vpngroup group9 address-pool magaza9
    vpngroup group9 dns-server 10.8.1.15
    vpngroup group9 split-tunnel 101
    vpngroup group9 idle-time 1800
    vpngroup group9 password ********
    vpngroup group10 address-pool magaza10
    vpngroup group10 dns-server 10.8.1.15
    vpngroup group10 split-tunnel 101
    vpngroup group10 idle-time 1800
    vpngroup group10 password ********
    vpngroup group11 address-pool magaza11
    vpngroup group11 dns-server 10.8.1.15
    vpngroup group11 split-tunnel 101
    vpngroup group11 idle-time 1800
    vpngroup group11 password ********
    telnet 10.8.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:xxxxxxxxxx
    : end
    pix(config)#

  2. #2
    Cumhur / Yahoo Guest

    RE: VPN Client Problem

    Hello Ali,

    If these multiple users are behind a NAT, defining "isakmp nat-traversal [natkeepalive]" may solve your problem.

    Take care,
    Cumhur

    Enabling IPSec over NAT-T

    NAT-T lets IPSec peers establish a connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPSec traffic when necessary. This feature is disabled by default.

    • The security appliance can simultaneously support standard IPSec, IPSec over TCP, NAT-T, and IPSec over UDP, depending on the client with which it is exchanging data.

    • When both NAT-T and IPSec over UDP are enabled, NAT-T takes precedence.

    • When enabled, IPSec over TCP takes precedence over all other connection methods.

    • When you enable NAT-T, the security appliance automatically opens port 4500 on all IPSec enabled interfaces.

    The security appliance implementation of NAT-T supports IPSec peers behind a single NAT/PAT device as follows:

    • One LAN-to-LAN connection.

    • Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.

    This restriction applies when the IP address of the NAT device is the name of the tunnel group. This is because all peers behind that NAT device are likely to be associated with that same tunnel group. This may result in failed negotiations when connecting to multiple LAN-to-LAN peers behind the NAT device, or VPN clients being associated to a NAT device when there is a mixture of remote access and LAN-to-LAN peers.
    Using NAT-T

    To use NAT-T you must perform three tasks:

    1. Enable IPSec over NAT-T globally on the security appliance.

    2. Select the "before-fragmentation" option for the IPSec fragmentation policy. This option lets traffic travel across NAT devices that do not support IP fragmentation. It does not impede the operation of NAT devices that do support IP fragmentation.

    3. Set a keepalive value, which can be from 10 to 3600 seconds. The default is 20 seconds.

    To enable NAT-T globally on the security appliance, enter the following command:

    isakmp nat-traversal natkeepalive

    This example enables NAT-T and sets the keepalive to one hour.

    hostname(config)# isakmp nat-traversal 3600

    Valid values for natkeepalive are 10 to 3600 seconds; the default is 20 seconds.

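As an added example (not part of this thread and not Cisco's code), here is a Python classifier for the UDP/4500 datagrams that NAT-T produces, following the RFC 3948 framing: a four-zero-byte non-ESP marker in front of IKE, a single 0xFF byte for the NAT keepalive, and otherwise UDP-encapsulated ESP starting with its SPI. The sample datagrams, the address 203.0.113.10, the ports and the SPIs are constructed for the example; the per-flow summary shows why two clients behind one PAT device stay distinguishable once NAT-T is on.

```python
import struct
from collections import Counter, defaultdict

# RFC 3948 framing on UDP port 4500 (taken from the RFC, not from the post):
#   4 zero bytes (non-ESP marker) + IKE header   -> IKE negotiation
#   a single 0xFF byte                           -> NAT keepalive
#   anything else begins with the 4-byte ESP SPI -> UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP header: iSPI, rSPI, next payload, version, exchange type, flags, message id, length
IKE_HDR = struct.Struct("!QQBBBBII")


def classify_udp4500(payload: bytes) -> dict:
    """Describe one UDP/4500 payload as keepalive, IKE, ESP, or malformed."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        if len(payload) < 4 + IKE_HDR.size:
            return {"kind": "malformed", "reason": "short IKE header"}
        ispi, rspi, _np, ver, exch, _flags, _mid, length = IKE_HDR.unpack_from(payload, 4)
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": exch, "length": length}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "short ESP header"}
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize_flows(datagrams):
    """Count payload kinds per (source IP, source port). With NAT-T every client behind
    a PAT device arrives on its own UDP source port even though the public IP is shared."""
    flows = defaultdict(Counter)
    for src_ip, src_port, payload in datagrams:
        flows[(src_ip, src_port)][classify_udp4500(payload)["kind"]] += 1
    return {key: dict(counts) for key, counts in flows.items()}


# Constructed sample: two VPN clients behind one NAT (203.0.113.10), which the PAT
# device has translated to different UDP source ports. Values are made up.
SAMPLE = [
    ("203.0.113.10", 4500, NAT_KEEPALIVE),
    ("203.0.113.10", 4500, NON_ESP_MARKER + IKE_HDR.pack(0x1122334455667788, 0, 1, 0x10, 4, 0, 0, 28)),
    ("203.0.113.10", 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),
    ("203.0.113.10", 50123, struct.pack("!II", 0xC0FFEE02, 7) + b"\x00" * 16),
    ("203.0.113.10", 50123, b"\x00\x00\x00"),  # truncated datagram
]

if __name__ == "__main__":
    for src_ip, src_port, payload in SAMPLE:
        print(src_ip, src_port, classify_udp4500(payload))
    print(summarize_flows(SAMPLE))
```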
  3. #3
    ali tadir Guest

    VPN Client Problem (virtual private network) VPN configuration

    Thanks Cumhur, the problem has been solved as of yesterday.

    As you said, nat-traversal had not been enabled.

    Many thanks, and all the best with your work!
