Troubleshooting an IPsec problem on a CISCO PIX515

Because the company's original network segment had run out of IP addresses, we split VLANs on the Layer 3 switch cascaded behind the firewall. Once the VLANs were set up, testing passed.
The next day someone reported that the servers at the remote site could no longer be reached. I tested it: no connectivity. I asked the colleagues at the remote site whether they could still reach our side: no problem there. How could that be?
The IPsec tunnel on the firewall only worked from the remote site to the local site; the local site could not reach the remote network.
I checked the access planning on the Layer 3 switch from that day: nothing wrong there.
Then I ran SH RUN on the firewall and remembered that two commands had been added:
        nat (inside) 1 192.168.0.0 255.255.0.0 0 0
        route inside 192.168.0.0 255.255.0.0 192.168.20.254 1
So I removed route inside 192.168.0.0 255.255.0.0 192.168.20.254 1. IPsec came back, but the other VLANs could no longer reach the Internet, so the cause was found.
It turned out that route inside 192.168.0.0 255.255.0.0 192.168.20.254 1 also covered the address range of the *** peer, so traffic for the remote site was routed to the inside next hop instead of out through the tunnel.
I changed it to the following three routes:
        route inside 192.168.201.0 255.255.255.0 192.168.20.254 1
        route inside 192.168.202.0 255.255.255.0 192.168.20.254 1
        route inside 192.168.203.0 255.255.255.0 192.168.20.254 1
Everything was OK.
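The root cause above is a route-table problem rather than a crypto problem: the PIX resolves the egress interface by longest-prefix match before it ever looks at the crypto map bound to outside, so an inside summary route that overlaps a crypto-ACL destination silently steals the tunnel traffic. The following script is an added example (not from the original post or from Cisco) that checks a PIX 6.x route table against its crypto ACLs and flags exactly that overlap; the ACL names *** and ***1 and the inside routes are the ones from the post, while the WAN gateway 203.0.113.1 is a placeholder standing in for the redacted *.*.*.*.

```python
import ipaddress

def parse_routes(config_lines):
    """Parse PIX 6.x 'route <iface> <net> <mask> <gateway> [metric]' lines into (network, iface)."""
    routes = []
    for line in config_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            routes.append((ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"), parts[1]))
    return routes

def parse_crypto_acl(config_lines, acl_name):
    """Destination networks from 'access-list <name> permit ip <src> <smask> <dst> <dmask>'."""
    dests = []
    for line in config_lines:
        parts = line.split()
        if len(parts) >= 8 and parts[:4] == ["access-list", acl_name, "permit", "ip"]:
            dests.append(ipaddress.IPv4Network(f"{parts[6]}/{parts[7]}"))
    return dests

def egress_interface(routes, dst):
    """Longest-prefix match: the PIX picks the egress interface before any crypto map is consulted."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "none"

def misrouted_vpn_networks(config_lines, acl_names, crypto_iface="outside"):
    """Crypto-ACL destinations that the route table sends out an interface without the crypto map."""
    routes = parse_routes(config_lines)
    problems = []
    for name in acl_names:
        for dst in parse_crypto_acl(config_lines, name):
            for net, iface in routes:
                if iface != crypto_iface and net.overlaps(dst):
                    probe = max(net, dst, key=lambda n: n.prefixlen).network_address + 1  # host in the more specific prefix
                    if egress_interface(routes, probe) != crypto_iface:
                        problems.append((name, str(dst), f"route {iface} {net}"))
    return problems

# Constructed sample: the two states described in the post (WAN gateway is a placeholder for *.*.*.*).
BROKEN = [
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1",
    "route inside 192.168.0.0 255.255.0.0 192.168.20.254 1",
    "access-list *** permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0",
    "access-list ***1 permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0",
]
FIXED = BROKEN[:1] + [f"route inside 192.168.{n}.0 255.255.255.0 192.168.20.254 1"
                      for n in (201, 202, 203)] + BROKEN[2:]
```

Running misrouted_vpn_networks(BROKEN, ["***", "***1"]) reports both crypto-ACL destinations as captured by route inside 192.168.0.0/16, and the same call on FIXED returns an empty list; the same check is worth running before any new summary route is added on a firewall that terminates IPsec.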

Appendix: the full firewall configuration:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x82aRes.pjqJ4dth encrypted
passwd jCEEIEX17NiCkPTM encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sqlnet 3142
fixup protocol sqlnet 6592
fixup protocol tftp 69
names
access-list acl-out permit icmp any any
access-list *** permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.21.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ***1 permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ***1 permit ip 192.168.21.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.224
ip address inside 192.168.20.88 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp 192.168.29.1-192.168.29.254
pdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*-*.*.*.* netmask 255.255.255.224
global (outside) 1 *.*.*.*
nat (inside) 0 access-list nonat
alias (inside) 192.168.20.11 *.*.*.* 255.255.255.255
static (inside,outside) *.*.*.* 192.168.20.111 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.23.0 255.255.255.0 192.168.20.254 1
route inside 192.168.21.0 255.255.255.0 192.168.20.254 1
route inside 192.168.22.0 255.255.255.0 192.168.20.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt noproxyarp inside
crypto ipsec transform-set *** esp-des esp-md5-hmac
crypto map *** 10 ipsec-isakmp
crypto map *** 10 match address ***
crypto map *** 10 set peer *.*.*.*
crypto map *** 10 set transform-set ***
crypto map *** 20 ipsec-isakmp
crypto map *** 20 match address ***1
crypto map *** 20 set peer *.*.*.*
crypto map *** 20 set transform-set ***
crypto map *** interface outside
isakmp enable outside
isakmp key ******** address *.*.*.*  netmask 255.255.255.255
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local pptp outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.20.0 255.255.255.0 inside
telnet 192.168.21.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp
vpdn group 1 client configuration dns 202.106.148.1
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username geng password *********
vpdn enable outside
terminal width 80
Cryptochecksum:0a4e314cd4cd52bcb26bff122b11fefa
: end
 
 
 