Security problems (VPN, firewall, IDS/IPS etc.)
damiankga
fresh
Posts: 2 Joined: 09 Feb 2017, 10:38
#1
by: damiankga » 09 Feb 2017, 11:24
Hello,
I have a Cisco ASA 5505, ASA Version 7.2(3), which serves as the router at my workplace and for the VPN connections to the branch offices.
I pulled the configuration from it and loaded it onto another device, a Cisco ASA 5505 running ASA Version 9.0(1).
After loading the configuration onto the new router, the network and the internet at my company work, but there is a problem with the VPN connections to the branches.
I looked at the configuration and the first thing that catches the eye is:
R1 old:
Code:
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
pre-shared-key jakieshaslo
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
pre-shared-key jakieshaslo
R2 new:
Code:
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
ikev1 pre-shared-key jakieshaslo
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
ikev1 pre-shared-key jakieshaslo
When it comes to Cisco I am completely in the dark, and I would ask for help with changing the configuration on the new router so as to get rid of "ikev1" in the new router's configuration, leaving only "pre-shared-key".
Regards
damiankga
fresh
Posts: 2 Joined: 09 Feb 2017, 10:38
#2
by: damiankga » 09 Feb 2017, 12:35
R1 old:
Code:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 111.222.11.22 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 354TRe5dT.ttee encrypted
regex list1 "\.yahoo\.com"
regex list2 "nk\.pl"
regex list3 "youtube"
regex list4 "sex"
regex list5 "porn"
regex list6 "redtube"
regex list7 "fotka"
regex list8 "sympatia"
regex list9 "allegro\.pl"
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list BLOKS extended permit tcp any any eq www
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0
access-list 190 extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.222.11.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MOJA esp-3des esp-sha-hmac
crypto map toFilia 10 match address 100
crypto map toFilia 10 set peer 88.77.222.111
crypto map toFilia 10 set transform-set MOJA
crypto map toFilia 11 match address 135
crypto map toFilia 11 set peer 77.88.111.222
crypto map toFilia 11 set transform-set MOJA
crypto map toFilia interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
console timeout 0
!
class-map type regex match-any BLOKC
match regex list1
match regex list2
match regex list3
match regex list4
match regex list5
match regex list6
match regex list7
match regex list8
match regex list9
class-map type inspect http match-all BLOKLIST
match request header host regex class BLOKC
class-map BLOKHTTP
match access-list BLOKS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http HTTP_INSPEKCJA
parameters
class BLOKLIST
reset log
policy-map global_policy
policy-map WEWNETRZNA
class BLOKHTTP
inspect http HTTP_INSPEKCJA
!
service-policy global_policy global
username ktos password opfdsfRT.RTuyEW encrypted
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
pre-shared-key jakieshaslo
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
pre-shared-key jakieshaslo
prompt hostname context
R2 new:
Code:
passwd 354TRe5dT.ttee encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 111.222.11.22 255.255.255.240
ospf cost 10
!
regex list1 "\.yahoo\.com"
regex list2 "nk\.pl"
regex list3 "youtube"
regex list4 "sex"
regex list5 "porn"
regex list6 "redtube"
regex list7 "fotka"
regex list8 "sympatia"
regex list9 "allegro\.pl"
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list BLOKS extended permit tcp any any eq www
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0
access-list 190 extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 111.222.11.21 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MOJA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map toFilia 10 match address 100
crypto map toFilia 10 set peer 88.77.222.111
crypto map toFilia 10 set ikev1 transform-set MOJA
crypto map toFilia 11 match address 135
crypto map toFilia 11 set peer 77.88.111.222
crypto map toFilia 11 set ikev1 transform-set MOJA
crypto map toFilia interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec ssl-clientless
username ktos password opfdsfRT.RTuyEW encrypted
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map type regex match-any BLOKC
match regex list1
match regex list2
match regex list3
match regex list4
match regex list5
match regex list6
match regex list7
match regex list8
match regex list9
class-map type inspect http match-all BLOKLIST
match request header host regex class BLOKC
class-map BLOKHTTP
match access-list BLOKS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http HTTP_INSPEKCJA
parameters
class BLOKLIST
reset log
policy-map global_policy
policy-map WEWNETRZNA
class BLOKHTTP
inspect http HTTP_INSPEKCJA
!
service-policy global_policy global
prompt hostname context
I did not run any debugging.
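As an added example (not code from the post), the small lint below reads an excerpt of the posted "R2 new" configuration and reports the checks a practitioner runs after migrating an IKEv1 site-to-site config to ASA 8.3+/9.x: that every crypto map entry's `match address` ACL exists, that every peer's tunnel-group carries a pre-shared key in the post-8.4 `ikev1 pre-shared-key` form, and that a twice-NAT exemption replaces the old `nat (inside) 0 access-list` rule, which no longer exists in 8.3+. The excerpt is constructed from the post (sub-mode lines given the one-space indent the ASA prints, keys left masked).

```python
import re

# Constructed excerpt of the "R2 new" config from the post, VPN lines only; sub-mode lines keep the ASA's one-space indent.
R2_CONFIG = """\
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.22.100.0 255.255.255.0
access-list 190 extended permit ip 192.168.1.0 255.255.255.0 10.250.101.0 255.255.255.0
object network obj_any
 nat (inside,outside) dynamic interface
crypto map toFilia 10 match address 100
crypto map toFilia 10 set peer 88.77.222.111
crypto map toFilia 11 match address 135
crypto map toFilia 11 set peer 77.88.111.222
tunnel-group 88.77.222.111 type ipsec-l2l
tunnel-group 88.77.222.111 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 77.88.111.222 type ipsec-l2l
tunnel-group 77.88.111.222 ipsec-attributes
 ikev1 pre-shared-key *****
"""

def lint_l2l(config):
    lines = config.splitlines()
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    match_acl, set_peer = {}, {}
    for l in lines:
        if m := re.match(r"crypto map (\S+ \d+) match address (\S+)", l):
            match_acl[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+ \d+) set peer (\S+)", l):
            set_peer[m.group(1)] = m.group(2)
    findings = []
    # 1. Each crypto map entry must select traffic with an ACL that actually exists.
    for entry, acl in match_acl.items():
        if acl not in acls:
            findings.append(f"crypto map {entry}: match address {acl} refers to a missing ACL")
    # 2. Each peer needs a tunnel-group carrying the 8.4+ form 'ikev1 pre-shared-key'.
    keyed, group = set(), None
    for l in lines:
        if m := re.match(r"tunnel-group (\S+) ipsec-attributes", l):
            group = m.group(1)
        elif group and l.startswith(" ikev1 pre-shared-key"):
            keyed.add(group)
        elif not l.startswith(" "):
            group = None
    for entry, peer in set_peer.items():
        if peer not in keyed:
            findings.append(f"crypto map {entry}: peer {peer} has no 'ikev1 pre-shared-key'")
    # 3. 'nat (inside) 0 access-list' is gone since 8.3; without a twice-NAT exemption the interface PAT rewrites VPN traffic first.
    if not any(re.search(r"nat \(\S+,\S+\) source static .* destination static", l) for l in lines):
        findings.append("no twice-NAT exemption (source static ... destination static) for VPN traffic")
    return findings
```

On the excerpt above the lint reports the `match address 135` reference (only ACLs 100 and 190 are defined) and the missing NAT exemption; the `ikev1 pre-shared-key` lines pass, since that keyword is the 8.4+ spelling of the old `pre-shared-key`.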