 - RU.CISCO ---------------------------------------------------------------------
 From : Roman Sindarovskiy                   2:5020/400     28 Oct 2007  11:13:54
 To : All
 Subject : Site-to-Site IPSEC tunnel between PIX 7.2 and PIX 6.3
 -------------------------------------------------------------------------------- 
 
 Hi All
 
 There is a central PIX 515 (PIX OS 6.3) and 10+ branch offices with PIX 501 (6.3).
 IPSEC tunnels to each branch are configured and working. A PIX 515
 (PIX OS 7.2) has been brought up, and the settings from the old 515 were moved to it.
 But apparently I left something unconfigured during the migration. The tunnels do not come up.
 I move the settings over from the old 515 and change the address on the branch 501.
 Then, on both PIXes:
 
 debug crypto isakmp
 debug crypto ipsec
 debug crypto engine
 conf t
 clear isakmp sa
 clear ipsec sa
 exit
 
 And nothing, i.e. it looks as if there is not even an attempt to bring up the tunnel.
 
 As a basis I took the cisco.com document "PIX/ASA 7.x PIX-to-PIX
 Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example".
 
 Question: where can I read about the differences in IPSEC configuration between PIX OS
 6.x and PIX OS 7.x? I want to understand where I went wrong.
 
 P.S. I have read the "Cisco Security Appliance Command Line Configuration Guide 7.2".
 P.P.S. An excerpt from the configs:
 
 PIX 7:
 name a2.b2.c2.d2 PIX6
 sysopt connection permit-vpn
 access-list inside_nonat extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
 access-list inside_nonat extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
 access-list outside_cryptomap_201 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
 access-list outside_cryptomap_201 extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
 nat (inside) 0 access-list inside_nonat
 crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
 crypto map outside_map_pce 201 match address outside_cryptomap_201
 crypto map outside_map_pce 201 set peer PIX6
 crypto map outside_map_pce 201 set transform-set TRANS
 crypto map outside_map_pce interface outside
 isakmp enable outside
 isakmp identity address
 isakmp policy 101 authentication pre-share
 isakmp policy 101 encryption 3des
 isakmp policy 101 hash md5
 isakmp policy 101 group 1
 isakmp policy 101 lifetime 86400
 tunnel-group PIX6 type ipsec-l2l
 tunnel-group PIX6 ipsec-attributes
 pre-shared-key secret
 peer-id-validate nocheck
 
 PIX 6:
 name a1.b1.c1.d1 PIX7
 sysopt connection permit-IPSec
 access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
 access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
 access-list inside_nonat permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
 access-list inside_nonat permit icmp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
 crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
 crypto map outside_map_em 202 ipsec-isakmp
 crypto map outside_map_em 202 match address outside_cryptomap_202
 crypto map outside_map_em 202 set peer PIX7
 crypto map outside_map_em 202 set transform-set TRANS
 crypto map outside_map_em interface outside
 isakmp key 12131415 address PIX7 netmask 255.255.255.255 no-xauth no-config-mode
 isakmp enable outside
 isakmp identity address
 isakmp policy 102 authentication pre-share
 isakmp policy 102 encryption 3des
 isakmp policy 102 hash md5
 isakmp policy 102 group 1
 isakmp policy 102 lifetime 86400
 --- ifmail v.2.15dev5.4
  * Origin: Demos online service (2:5020/400)
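
An added example, not part of the original post: a short Python check that compares the two excerpts above for settings both IPsec peers must agree on (IKE phase 1 policy, pre-shared key, and mirrored crypto ACLs). The function names `parse` and `compare` are this example's own, the config lines are copied from the post with wrapped lines rejoined, and the key values in the post may be sanitized placeholders.

```python
import re

# Relevant lines from the two excerpts in the post (wrapped lines rejoined).
PIX7 = """\
access-list outside_cryptomap_201 extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_201 extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
crypto map outside_map_pce 201 match address outside_cryptomap_201
isakmp policy 101 authentication pre-share
isakmp policy 101 encryption 3des
isakmp policy 101 hash md5
isakmp policy 101 group 1
pre-shared-key secret
"""
PIX6 = """\
access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_202 permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map outside_map_em 202 match address outside_cryptomap_202
isakmp key 12131415 address PIX7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 102 authentication pre-share
isakmp policy 102 encryption 3des
isakmp policy 102 hash md5
isakmp policy 102 group 1
"""

def parse(cfg):
    """Return (IKE policy dict, pre-shared key, set of crypto-ACL entries)."""
    policy = dict(re.findall(
        r"^isakmp policy \d+ (authentication|encryption|hash|group) (\S+)", cfg, re.M))
    key = re.search(r"^(?:isakmp key|pre-shared-key) (\S+)", cfg, re.M)
    name = re.escape(re.search(r"match address (\S+)", cfg).group(1))
    acl = set(re.findall(
        rf"^access-list {name} (?:extended )?permit (\S+) (\S+ \S+) (\S+ \S+)$", cfg, re.M))
    return policy, key and key.group(1), acl

def compare(a, b):
    """List settings that differ between two peers; key values are never printed."""
    (pol_a, key_a, acl_a), (pol_b, key_b, acl_b) = parse(a), parse(b)
    issues = [f"IKE {k}: {pol_a.get(k)} vs {pol_b.get(k)}"
              for k in sorted(set(pol_a) | set(pol_b)) if pol_a.get(k) != pol_b.get(k)]
    if key_a != key_b:
        issues.append("pre-shared key differs")
    # The peer's crypto ACL should be the same entries with source and destination swapped.
    mirrored = {(proto, dst, src) for proto, src, dst in acl_b}
    issues += [f"crypto ACL entry not mirrored on peer: {' '.join(e)}"
               for e in sorted(acl_a ^ mirrored)]
    return issues

if __name__ == "__main__":
    print("\n".join(compare(PIX7, PIX6)) or "no differences found")
```

The check covers only the lines shown in the excerpts; settings outside them (interfaces, routing, NAT exemption, peer addresses) are not examined.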
 
 
