PIX to PIX VPN tunnel ?
From: Brian Ipsen


Date: 08-10-03 09:17

Hi!

I am trying to get a VPN tunnel up and running between 2 PIXes, but when you
ping from a machine (192.168.19.34) on site 1 to site 2, the site 1 PIX
writes on the console: IPSEC(sa_initiate): ACL = deny; no sa created

Site1 PIX (has 192.168.19.1 on inside):
access-list 110 permit ip host 192.168.19.34 host 192.168.1.2
access-list 110 permit ip host 192.168.19.34 host 192.168.1.3
access-list 110 permit ip host 192.168.19.34 host 192.168.2.2
access-list 100 permit ip host 192.168.19.34 host 192.168.1.2
access-list 100 permit ip host 192.168.19.34 host 192.168.1.3
access-list 100 permit ip host 192.168.19.34 host 192.168.2.2
nat (inside) 0 access-list 110
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 100
crypto map mymap 5 set peer W.X.Y.Z
crypto map mymap 5 set transform-set vpnset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address W.X.Y.Z netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800


Site2 PIX (has 192.168.1.1 on DMZ and 192.168.2.1 on inside):
access-list 100 line 1 permit ip host 192.168.1.2 host 172.21.19.34
access-list 100 line 2 permit ip host 192.168.1.3 host 172.21.19.34
access-list 100 line 3 permit ip host 192.168.2.2 host 172.21.19.34
access-list dmz_nonat permit ip host 192.168.1.2 host 192.168.19.34
access-list dmz_nonat permit ip host 192.168.1.3 host 192.168.19.34
access-list inside_nonat permit ip host 192.168.2.2 host 192.168.19.34
nat (inside) 0 access-list inside_nonat
nat (dmz) 0 access-list dmz_nonat
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 100
crypto map mymap 5 set peer A.B.C.D
crypto map mymap 5 set transform-set vpnset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address A.B.C.D netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

Why do I get that error when the tunnel is being set up?

/Brian


Brian Ipsen (08-10-2003)
Comment
From: Brian Ipsen


Date: 08-10-03 09:36


"Brian Ipsen" <bipsen@andebakken.dk> wrote in message
news:3f83c824$0$13209$edfadb0f@dread15.news.tele.dk...

> Site2 PIX (has 192.168.1.1 on DMZ and 192.168.2.1 on inside):
> access-list 100 line 1 permit ip host 192.168.1.2 host 172.21.19.34
> access-list 100 line 2 permit ip host 192.168.1.3 host 172.21.19.34
> access-list 100 line 3 permit ip host 192.168.2.2 host 172.21.19.34

Should have been (and is, in the PIX) - just a typo on my part:
access-list 100 line 1 permit ip host 192.168.1.2 host 192.168.19.34
access-list 100 line 2 permit ip host 192.168.1.3 host 192.168.19.34
access-list 100 line 3 permit ip host 192.168.2.2 host 192.168.19.34

/Brian
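The "ACL = deny; no sa created" message is the PIX reporting that it looked the outbound flow up in the ACL named by the crypto map's "match address" and found no permit entry, so it would not initiate an SA. Two things are worth checking mechanically in that situation: that the flow being tested is actually covered by a permit line, and that the peer carries the same lines with source and destination swapped. The following is an added example, not code from the thread: a small Python checker that parses the access-list and "match address" lines copied from the two configurations above (Site 2 both as first posted, with the 172.21.19.34 typo, and as corrected in the follow-up), reports which Site 1 entries have no mirror image on Site 2, and answers whether a given source/destination pair would get an SA at all. It only understands the "permit|deny ip" ACE form used in this thread; the config strings are embedded from the posts.

```python
"""Mirror-check for PIX crypto ACLs (added example, not from the thread).

A PIX only initiates an IPsec SA for traffic that a permit entry in the
crypto map's `match address` ACL covers, and the peer must carry the same
entries with source and destination swapped. This parses the access-list
lines from the two posted configurations and checks both conditions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Config fragments copied from the thread: Site 1, Site 2 as first posted
# (with the 172.21.19.34 typo) and Site 2 as corrected in the follow-up.
SITE1 = """
access-list 100 permit ip host 192.168.19.34 host 192.168.1.2
access-list 100 permit ip host 192.168.19.34 host 192.168.1.3
access-list 100 permit ip host 192.168.19.34 host 192.168.2.2
crypto map mymap 5 match address 100
"""
SITE2_AS_POSTED = """
access-list 100 line 1 permit ip host 192.168.1.2 host 172.21.19.34
access-list 100 line 2 permit ip host 192.168.1.3 host 172.21.19.34
access-list 100 line 3 permit ip host 192.168.2.2 host 172.21.19.34
crypto map mymap 5 match address 100
"""
SITE2_CORRECTED = """
access-list 100 line 1 permit ip host 192.168.1.2 host 192.168.19.34
access-list 100 line 2 permit ip host 192.168.1.3 host 192.168.19.34
access-list 100 line 3 permit ip host 192.168.2.2 host 192.168.19.34
crypto map mymap 5 match address 100
"""

# Only the "access-list NAME [line N] permit|deny ip SRC DST" form is handled.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)(?:\s+line\s+\d+)?\s+(permit|deny)\s+ip\s+(.+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tokens):
    """Consume one PIX address spec (host X | any | NET MASK) from tokens."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def crypto_acl(config):
    """Return the ACEs of the ACL that the crypto map's `match address` names."""
    names = [m.group(1) for line in config.splitlines()
             if (m := MATCH_RE.match(line.strip()))]
    if not names:
        raise ValueError("no 'crypto map ... match address' line in config")
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != names[0]:
            continue
        src, rest = _addr(m.group(3).split())
        dst, _ = _addr(rest)
        aces.append(Ace(m.group(2), src, dst))
    return aces


def first_match(aces, src_ip, dst_ip):
    """First ACE covering the flow, or None for the implicit deny (no SA)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a in aces if src in a.src and dst in a.dst), None)


def unmirrored(local, remote):
    """Permit ACEs in `local` that `remote` does not carry with src/dst swapped."""
    reverse = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return [a for a in local
            if a.action == "permit" and (a.src, a.dst) not in reverse]


if __name__ == "__main__":
    s1 = crypto_acl(SITE1)
    for label, cfg in (("as posted", SITE2_AS_POSTED), ("corrected", SITE2_CORRECTED)):
        bad = unmirrored(s1, crypto_acl(cfg))
        print(f"Site 2 {label}: {len(bad)} Site 1 entries without a mirror")
        for a in bad:
            print(f"  {a.src} -> {a.dst}")
    # A flow the crypto ACL does not permit never triggers an SA; pinging the
    # far PIX's own inside address, for instance, is not in the ACL above.
    covered = first_match(s1, "192.168.19.34", "192.168.2.1") is not None
    print("192.168.19.34 -> 192.168.2.1 covered by crypto ACL:", covered)
```

Run it as-is to see the three unmirrored entries against the first-posted Site 2 ACL disappear with the corrected one; the last line shows that only the three destination hosts listed in access-list 100 are "interesting" traffic, so a ping to anything else on site 2 (the PIX interfaces included) produces exactly the console message in the question.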