1. PIX VPN setup problem
I set up a PIX VPN, but when connecting with the client it always stops at "securing communications channel......". I'm posting my configuration; everyone please take a look, thank you.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname DMB-PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 172.16.80.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 210.21.94.73 255.255.255.0
ip address inside 172.16.80.4 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all split-tunnel 101
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
telnet 172.16.80.0 255.255.255.0 inside
telnet 172.16.80.4 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username test password P4ttSyrm33SV8TYp encrypted privilege 2
terminal width 80
Cryptochecksum:757c32487fd2169db42ae612c354cb02
: end

2. Re: PIX VPN setup problem
This is the trace from the connection attempt:
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 210.21.94.74
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:210.21.94.74/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:210.21.94.74/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP: peer is a remote access client
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 210.21.94.74. ID = 1623746145 (0x60c86661)
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 210.21.94.74. message ID = 57363748
ISAKMP: Config payload CFG_REPLY
ISAKMP (0:0): initiating peer config to 210.21.94.74. ID = 386732931 (0x170d1383)
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 210.21.94.74. message ID = 57363748
ISAKMP: Config payload CFG_ACK
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 210.21.94.74. message ID = 57363748
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute APPLICATION_VERSION (7)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 210.21.94.74. ID = 235466795
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3004152898
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local a ddress 210.21.94.73
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 3771485718
ISAMKP (0): received DPD_R_U_THERE from peer 210.21.94.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3791263119, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
DMB-PIX# DMB-PIX# DMB-PIX# DMB-PIX# sh v
crypto_isakmp_process_block:src:210.21.94.74, dest:210.21.94.73 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3305118076, spi size = 16
ISAKMP (0): deleting SA: src 210.21.94.74, dst 210.21.94.73
return status is IKMP_NO_ERR_NO_TRANSer
ISADB: reaper checking SA 0x36b089c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:210.21.94.74/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:210.21.94.74/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...

3. Re: PIX VPN setup problem
It looks like the ISAKMP parameters don't match. Check show version; it's best to enable the 3DES feature and change the corresponding parameters to 3DES mode.

No man is an Island, entire of itself; every man is a piece of the Continent, a part of the main; if a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a man or of thy friends or of thine own were; any man's death diminishes me, because I am involved in Mankind; And therefore never send to know for whom the bell tolls; It tolls for thee.

4. Re: PIX VPN setup problem
It's already enabled. show ver
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 8
Maximum Interfaces: 12
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
How exactly should I change it? I'm a newbie; could you explain in a bit more detail?

5. Re: PIX VPN setup problem
麦子, please give me a few more pointers.

6. Re: PIX VPN setup problem
isakmp policy 10 encryption 3des
crypto ipsec transform-set myset esp-3des esp-md5-hmac


7. Re: PIX VPN setup problem
The problem with my VPN is strange: it can't dial in over ADSL, but over other lines it can. show run
Building configuration...
Current configuration : 9255 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname lab_2610
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$9.Nf$/Qc/cQr55PYbgnAaH28JV0
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network foo local
!
aaa session-id common
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip cef
ip tcp intercept max-incomplete high 100
!
ip nbar pdlm flash:bittorrent.pdlm
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.240
!
ip dhcp pool wireless
   network 192.168.1.0 255.255.255.0
   domain-name sign.com
   default-router 192.168.1.3
   dns-server 211.162.130.8 211.162.130.9
!
no ip bootp server
ip domain name sign.com
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0/0.2
ip ssh rsa keypair-name lab_2610.sign.com
ip inspect tcp max-incomplete host 100 block-time 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 ftp
ip ips notify SDEE
ip ips name sign
ip address-pool dhcp-pool
ip dhcp-server 192.168.1.3
!
username hlj password 7 104D0D0A0C101C53545C
!
class-map match-all bittorrent
class-map match-all p2p
class-map match-any http-hacks
 match protocol http url "*readme.eml*"
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
policy-map deny-p2p
 class p2p
  drop
policy-map bi
 class bittorrent
policy-map drop-bittorrent
 class bittorrent
  drop
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group ******
 key ******
 domain sign.com
 pool signpool
 acl 120
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set foo esp-3des esp-sha-hmac
!
crypto ipsec profile qreprotect
!
no mop enabled
no clns route-cache
crypto map clientmap
!
interface FastEthernet0/0.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 192.168.1.3 255.255.255.0
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip ips sign in
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
 service-policy input drop-bittorrent
 service-policy output drop-bittorrent
!
interface FastEthernet0/0.3
 description $FW_OUTSIDE$
 encapsulation dot1Q 3
 ip dhcp relay information trusted
 ip address x.x.x.x 255.255.255.192
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sign out
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
 crypto map clientmap
!
ip local pool signpool 192.168.2.1 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.254
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat translation max-entries all-host 100
ip nat inside source list 100 interface FastEthernet0/0.3 overload
ip nat inside source static 192.168.1.4 x.x.x.245 route-map test
ip nat inside source static 192.168.1.2 x.x.x.248 route-map test
!
logging trap debugging
logging facility local5
logging 192.168.1.4
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 100 remark SDM_ACL Category=18
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip host 192.168.1.4 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip x.x.x.192 0.0.0.63 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip x.x.x.192 0.0.0.63 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny tcp any any eq 1433
access-list 104 deny tcp any any eq 1434
access-list 104 deny tcp any any eq 135
access-list 104 deny tcp any any eq 137
access-list 104 deny tcp any any eq 139
access-list 104 deny tcp any any eq 445
access-list 104 deny tcp any any eq 593
access-list 104 deny tcp any any eq 4444
access-list 104 deny tcp any any eq echo
access-list 104 deny tcp any any eq chargen
access-list 104 deny udp any any eq tftp
access-list 104 deny udp any any eq 1433
access-list 104 deny udp any any eq 1434
access-list 104 deny udp any any eq netbios-ns
access-list 104 deny udp any any eq netbios-dgm
access-list 104 deny udp any any eq 445
access-list 104 deny udp any any eq 1025
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any host x.x.x.245 eq pop3
access-list 105 permit tcp any host x.x.x.245 eq smtp
access-list 105 permit tcp any host x.x.x.245 eq www
access-list 105 permit tcp any host x.x.x.245 eq ftp
access-list 105 permit tcp any host x.x.x.245 range 9980 9990
access-list 105 permit tcp any host x.x.x.245 eq 1080
access-list 105 permit tcp any host x.x.x.245 eq 8080
access-list 105 permit tcp any host x.x.x.248 eq www
access-list 105 deny ip any host x.x.x.245
access-list 105 deny ip any host x.x.x.248
access-list 105 permit ahp any host x.x.x.246
access-list 105 permit esp any host x.x.x.246
access-list 105 permit udp any host x.x.x.246 eq isakmp
access-list 105 permit udp any host x.x.x.246 eq non500-isakmp
access-list 105 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 105 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 151 permit ip 192.168.1.0 0.0.0.255 any
access-list 171 deny pim any any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 permit ip host x.x.x.246 192.168.2.0 0.0.0.255
no cdp run
!
route-map test deny 10
 match ip address 150
!
route-map test permit 20
 match ip address 151
!
control-plane
!
banner login ^CCWelcome you login Sign Network Co.Ltd Router^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 101 in
 transport input telnet ssh
line vty 5 15
 access-class 101 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
!
end
lab_2610#

8. Re: PIX VPN setup problem
Still not working, same error.

9. Re: PIX VPN setup problem
麦子, could there be some other problem as well? Please help me take a look, much appreciated.

10. Re: PIX VPN setup problem
What causes this error: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local a ddress 210.21.94.73 ? Does it have nothing to do with the encryption protocol?
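A parser for the two rejection patterns in the trace posted in reply 2, added here as an illustration and not code from this thread or from Cisco: it reads the client's Phase 1 transforms out of the flattened debug text, compares each against the isakmp policy 10 attributes parsed from the PIX config in the first post, and lists the Phase 2 proposals rejected at IPSEC(validate_proposal) together with the reason the PIX logged. The sample strings are constructed excerpts in the trace's format, and the mapping of the debug's cipher labels (AES-CBC plus keylength, 3DES-CBC) onto PIX encryption keywords is this example's own assumption.

```python
import re

# Constructed excerpt in the format of the PIX 6.3 "debug crypto isakmp" trace in this thread.
# The posted trace is flattened onto long lines, so the parser keys on ISAKMP tokens rather
# than on line breaks; the "a ddress" split seen in the thread is tolerated and repaired.
SAMPLE_DEBUG = (
    "ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy "
    "ISAKMP: encryption AES-CBC ISAKMP: hash SHA ISAKMP: default group 2 "
    "ISAKMP: extended auth pre-share (init) ISAKMP: life type in seconds "
    "ISAKMP: keylength of 256 ISAKMP (0): atts are not acceptable. Next payload is 3 "
    "ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy "
    "ISAKMP: encryption 3DES-CBC ISAKMP: hash SHA ISAKMP: default group 2 "
    "ISAKMP: extended auth pre-share (init) ISAKMP (0): atts are not acceptable. "
    "ISAKMP : Checking IPSec proposal 1\nISAKMP: transform 1, ESP_AES "
    "ISAKMP: attributes in transform: ISAKMP: authenticator is HMAC-MD5 "
    "ISAKMP: key length is 256 ISAKMP: encaps is 1 "
    "IPSEC(validate_proposal): invalid local a ddress 210.21.94.73 "
    "ISAKMP (0): atts not acceptable. Next payload is 0 "
)
# Constructed excerpt of the Phase 1 policy lines from the PIX config in the first post.
SAMPLE_CONFIG = (
    "isakmp policy 10 authentication pre-share isakmp policy 10 encryption des "
    "isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400"
)
POLICY_RE = re.compile(r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)")
PHASE1_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy(.*?)"
                       r"atts are (not )?acceptable", re.S)
PHASE2_RE = re.compile(r"Checking IPSec proposal (\d+)\s+ISAKMP: transform \d+, (\S+)(.*?)"
                       r"atts not acceptable", re.S)

def _attr(body, pattern):
    """First capture group of pattern in body, or None when the attribute was not logged."""
    m = re.search(pattern, body)
    return m.group(1) if m else None

def parse_isakmp_policies(config):
    """Collect 'isakmp policy <n> <attr> <value>' into {priority: {attr: value}}."""
    policies = {}
    for prio, attr, value in POLICY_RE.findall(config):
        policies.setdefault(int(prio), {})[attr] = value.lower()
    return policies

def _pix_encryption_name(enc, keylength):
    """Map the debug's cipher label to the PIX 'isakmp policy ... encryption' keyword
    (assumed mapping: AES-CBC + keylength -> aes / aes-192 / aes-256, 3DES-CBC -> 3des)."""
    base = enc.upper().replace("-CBC", "")
    if base == "AES":
        return "aes" if keylength in (None, "128") else f"aes-{keylength}"
    return base.lower()

def parse_phase1(debug):
    """Per client transform: number, policy priority, accepted flag, proposal in PIX terms."""
    out = []
    for num, prio, body, rejected in PHASE1_RE.findall(debug):
        proposed = {
            "encryption": _pix_encryption_name(_attr(body, r"encryption (\S+)") or "",
                                               _attr(body, r"keylength of (\d+)")),
            "hash": (_attr(body, r"hash (\S+)") or "").lower(),
            "group": _attr(body, r"group (\d+)"),
            "authentication": _attr(body, r"\bauth (\S+)"),  # "extended auth" = XAUTH
        }
        out.append({"number": int(num), "policy": int(prio),
                    "accepted": rejected == "", "proposed": proposed})
    return out

def mismatches(policies, transform):
    """Phase 1 attributes where the proposal differs from the policy it was checked against."""
    policy = policies.get(transform["policy"], {})
    return [k for k, v in transform["proposed"].items() if policy.get(k) != v]

def phase2_rejections(debug):
    """(proposal, ESP transform, authenticator, key length, logged reason) per rejection."""
    out = []
    for num, esp, body in PHASE2_RE.findall(debug):
        reason = _attr(body, r"IPSEC\(validate_proposal\): (.*?)\s*ISAKMP")
        reason = (reason or "atts not acceptable").replace("a ddress", "address")
        out.append((int(num), esp, _attr(body, r"authenticator is (\S+)"),
                    _attr(body, r"key length is (\d+)"), reason))
    return out

def diagnose(config, debug):
    """Phase 1 (transform, accepted, differing attributes) plus Phase 2 rejections."""
    policies = parse_isakmp_policies(config)
    phase1 = [(t["number"], t["accepted"], mismatches(policies, t)) for t in parse_phase1(debug)]
    return {"phase1": phase1, "phase2": phase2_rejections(debug)}
```

Running mismatches() again with an edited policy dict shows what a proposed change such as the one in reply 6 leaves unmatched for each logged transform; the Phase 2 entries only report the reason the PIX logged, without diagnosing it.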

11. Re: PIX VPN setup problem
Remove:
crypto map mymap client authentication LOCAL
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
Add:
isakmp nat-traversal 120
If it still doesn't work, post another debug.


12. Re: PIX VPN setup problem
My PIX is 6.3(4); the client is 3.0.
It has nothing to do with the client side, does it?

13. Re: PIX VPN setup problem
The version I'm using now is Cisco Systems VPN Client Version 4.6.04.0043, and that was already released last year. When was 3.0 released? Or is it a different series?


14. Re: PIX VPN setup problem
Could you give me a copy? My version is probably too old. Thanks.