The debug output did not come through as an attachment.
Also, one thing I want to point out: an exact copy of access-list 101 must be defined on the CP at the other end.

If the other side is 4.1, use this..

[url]http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml[/url]

If it is NG, could you base it on this? I have done this many times without any problems, but I did once run into the following: the tunnel was up but no traffic passed.
On my side I had only added the machine I was testing from to the ACL, while on the France side the whole subnet had been defined, and because of that I could not reach that side; when I set the ACL on my side to the whole network the problem was fixed.


But could you expand on "the subnets and enc. domains are the same"? That is, you want to build VPNs from your subnet to two different places; do the two networks on the other side use the same subnet? If so, the ACL will always match the first map and traffic will never fall through to the other one.
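As an added illustration (not code from the thread or from Cisco), a small checker for the two failure modes described in this reply: a later crypto map entry whose ACL is fully covered by an earlier one and therefore never matches, and a local ACE that is not the exact mirror of the peer's encryption domain. The config fragment and addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed PIX 6.x fragment with example addresses (not the poster's real
# config): both crypto map entries' ACLs cover the same local/remote subnets.
SAMPLE_CONFIG = """
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 130 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map bbb 10 ipsec-isakmp
crypto map bbb 10 match address 101
crypto map bbb 10 set peer 203.0.113.1
crypto map bbb 30 ipsec-isakmp
crypto map bbb 30 match address 130
crypto map bbb 30 set peer 203.0.113.2
"""

def parse(config):
    """Return (acls, entries): ACL name -> [(src, dst)] and [(seq, acl)] by sequence."""
    acls, entries = defaultdict(list), []
    for line in config.splitlines():
        p = line.split()
        if p[:1] == ["access-list"] and p[2:4] == ["permit", "ip"]:
            # PIX ACLs are written as "network subnet-mask" (no wildcard masks)
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
            acls[p[1]].append((src, dst))
        elif p[:2] == ["crypto", "map"] and p[4:6] == ["match", "address"]:
            entries.append((int(p[3]), p[6]))
    return acls, sorted(entries)

def shadowed_entries(config):
    """Sequence numbers whose every ACE is already covered by a lower-numbered
    entry: the PIX uses the first matching entry, so these never carry traffic."""
    acls, entries = parse(config)
    earlier, shadowed = [], []
    for seq, acl in entries:
        aces = acls.get(acl, [])
        if aces and all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                        for s, d in aces):
            shadowed.append(seq)
        earlier.extend(aces)
    return shadowed

def mirrors(local_ace, peer_ace):
    """True when the peer's encryption domain is the exact mirror of ours
    (peer src == our dst and peer dst == our src), as the reply requires."""
    ls, ld = (ipaddress.ip_network(n) for n in local_ace)
    ps, pd = (ipaddress.ip_network(n) for n in peer_ace)
    return ls == pd and ld == ps
```

The second `mirrors` case below reproduces the "tunnel up, no traffic" situation: a single test host on one side against the whole subnet on the other.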

________________________________

From: YAVUZ TEMIZKAN [mailto:[email protected]]
Sent: Fri 05.11.2004 16:00
To: [email][email protected][/email]
Subject: RE: [cisco-ttl] a cisco pix question


I am terminating them on two separate CPs belonging to two separate companies. However, their versions are different. The config there has no enc.schemes settings. But the subnets and enc.domains are the same. The error given on cisco.com is also about an enc.domain mismatch..
The config is below:

access-list 101 permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.255.0
access-list nonat permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.0.0
access-list nonat permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
access-list 130 permit ip y.y.y.y 255.255.255.0 y.y.y.y 255.255.255.0
nat (inside) 0 access-list nonat
nat (intf2) 0 access-list nonat
traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aaa esp-des esp-md5-hmac
crypto ipsec transform-set bbb esp-des esp-md5-hmac
crypto map bbb 10 ipsec-isakmp
crypto map bbb 10 match address 101
crypto map bbb 10 set pfs group2
crypto map bbb 10 set peer x.x.x.x
crypto map bbb 10 set transform-set rtptac
crypto map bbb 30 ipsec-isakmp
crypto map bbb 30 match address 130
crypto map bbb 30 set peer y.y.y.y
crypto map bbb 30 set transform-set tempotac
crypto map bbb interface outside
isakmp enable outside
isakmp enable intf3
isakmp key ******** address x.x.x.x netmask 255.255.255.0 no-xauth no-confi
isakmp key ******** address y.y.y.y netmask 255.255.255.255 no-xauth no-c
isakmp keepalive 60 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption des
isakmp policy 4 hash md5
isakmp policy 4 group 1
isakmp policy 4 lifetime 86400

The debug output is also attached...
-----Original Message-----
From: Serkan Ustundag - (G?k ve Ag M?si -Tepum Secura) [mailto:[email protected]]
Sent: Friday 05 November 2004 14:35
To: [email][email protected][/email]
Subject: RE: [cisco-ttl] a cisco pix question


No, of course that is not required; you can create 2 separate tunnels on the same interface.
Are you terminating on two separate Checkpoints at the other end, or is there a single CP?
Actually, if you send the whole VPN configuration including the access-lists, we can help better.

________________________________

From: YAVUZ TEMIZKAN [mailto:[email protected]]
Sent: Fri 05.11.2004 14:10
To: [email][email protected][/email]
Subject: [cisco-ttl] a cisco pix question




Hello,

Can we build 2 separate tunnels from the same interface on a PIX? I checked the cisco.com page, found a sample config and applied it to our FW.

crypto ipsec transform-set aaa esp-des esp-md5-hmac
crypto ipsec transform-set bbb esp-des esp-md5-hmac
crypto map bbbrules 10 ipsec-isakmp
crypto map bbbrules 10 match address 101
crypto map bbbrules 10 set pfs group2
crypto map bbbrules 10 set peer xxx.xxx.xxx.xxx
crypto map bbbrules 10 set transform-set aaa
crypto map bbbrules 30 ipsec-isakmp
crypto map bbbrules 30 match address 130
crypto map bbbrules 30 set peer yyy.yyy.yyy.yyy
crypto map bbbrules 30 set transform-set bbb
crypto map bbbrules interface outside

But after applying this config, VPN number 10, the higher-priority one, kept working, but we could not get the other one to work. What's more, when we restarted the device, this time the first VPN went down as well. When we deleted the definitions for the 2nd VPN it was fixed..
The device on the other end is a Checkpoint FW. When building tunnels from the same interface, do the transform-sets need to be different?

The pix's sh ver output is also below:

EApixAnkara# sh ver

Cisco PIX Firewall Version 6.3(1)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 19-Mar-03 11:49 by morlee

EApixAnkara up 42 mins 39 secs

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 2048KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 000d.bd3c.035f, irq 10
1: ethernet1: address is 000d.bd3c.0360, irq 11
2: ethernet2: address is 0005.5d18.37dc, irq 11
3: ethernet3: address is 0005.5d18.37dd, irq 10
4: ethernet4: address is 0005.5d18.37de, irq 9
5: ethernet5: address is 0005.5d18.37df, irq 5

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 807320295 (0x301ebae7)

Configuration last modified by enable_15 at 12:53:09.597 Turkey Fri Nov 52004

This list has no connection with Cisco Systems.

To leave the list, you can send an e-mail to [email][email protected][/email].