URL: https://www.opennet.ru/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID6
Нить номер: 19125

Исходное сообщение
"PIX 515 RA VPN"

Отправлено telsek , 24-Июн-09 12:31 
День добрый!
Есть remote access vpn на pix
Клиенты соединяются с ним с помощью cisco vpn
Проблема в том что при подключении к pix у клиента перестает работать интернет.
Для решения этой проблемы, как я понимаю, существует split-tunnel.
Конфиг ниже.
Клиенту выдаются сети 172.30.30.0/24 и 200.0.1.0/24;
доступ до них есть и всё хорошо, а вот интернет при этом не работает.
Подскажите, может, чего-то не хватает?


PIX Version 8.0(4)
!
! Remote-access IPsec VPN (Cisco VPN Client) with split tunnelling. Lines starting with '!' are
! reviewer annotations and are ignored by the PIX parser.
terminal width 120
hostname pix
! Secrets were blanked before posting; nothing to assess here.
enable password
passwd
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address xx.xx.xx.xx 255.255.240.0
!
boot system flash:/pix804.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
! Lets a flow enter and leave the same interface (hairpinning). Only needed if clients were to reach
! the Internet *through* the tunnel instead of via split tunnel; that design would also need NAT for
! the client pool on outside, which is not configured here.
same-security-traffic permit intra-interface
! Internal networks that remote-access clients reach through the tunnel (referenced by nonat and the
! split-tunnel list below).
object-group network OUTSOURCES
network-object 172.30.30.0 255.255.255.0
network-object 200.0.1.0 255.255.255.0
! Permit-all ACL, applied inbound on inside (see access-group below): no egress filtering from the LAN.
access-list 100 extended permit ip any any
! ICMP replies/errors from outside are useful for path diagnostics; 'echo' from any additionally permits
! inbound pings through the firewall. Whether anything inside is reachable that way depends on NAT/static
! entries not visible in this paste.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any echo
! NAT exemption inside -> VPN pool. NOTE(review): 'object-group 192.168.103.0 255.255.255.0' does not
! look like valid syntax (compare the next line, which uses a plain network/mask) — presumably a paste
! slip; verify against the running configuration.
access-list nonat extended permit ip object-group OUTSOURCES object-group 192.168.103.0 255.255.255.0
! Split-tunnel network list: only traffic to the OUTSOURCES networks is tunnelled; everything else stays
! on the client's local default route.
access-list outsources extended permit ip object-group OUTSOURCES 192.168.103.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
! Local buffer keeps only emergencies; the syslog host receives informational and above, which covers
! VPN session setup/teardown events.
logging buffered emergencies
logging trap informational
logging mail critical
! Syslog to an inside host, protocol 17 (UDP), port 1514.
logging host inside 172.30.30.6 17/1514
mtu outside 1500
mtu inside 1500
! Addresses handed to remote-access clients (the client side of the nonat and split-tunnel ACLs above).
ip local pool outsources 192.168.103.1-192.168.103.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
! nat-control: every inside->outside flow must match a nat rule. Inside->VPN-pool traffic is exempted
! via 'nat (inside) 0 access-list nonat'; everything else is PAT'd to the outside interface address.
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! NOTE(review): the TACACS+, RADIUS and AuthOutbound groups have no 'host' entries in this paste; only
! partnerauth is populated and used.
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthOutbound protocol tacacs+
! RADIUS group used for remote-access user authentication (see the tunnel-groups below).
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 200.0.1.11
key *
aaa-server partnerauth (inside) host 172.30.0.10
key *
aaa-server partnerauth (inside) host 172.30.30.1
key *
! SSH logins use the local user database only (the single privilege-15 account further down).
aaa authentication ssh console LOCAL
! ASDM/HTTPS management is enabled. No 'http <network> <mask> <interface>' lines appear in this paste,
! so which networks may reach it cannot be seen here — confirm it is restricted to management hosts.
http server enable
no snmp-server location
no snmp-server contact
! NOTE(review): 3DES + MD5-HMAC for ESP and 3DES / SHA-1 / DH group 2 for IKEv1 are legacy choices
! (typical for the old Cisco VPN Client). Prefer AES with SHA-2 and a stronger DH group where the
! clients support it.
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set myset2
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
! Reverse-route injection: a route for each connected client's pool address is added to the routing
! table (only matters if a routing protocol redistributes them).
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 2 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
! Lowest-priority IKEv1 policy number (65535); it is the only policy in this paste, so it is what every
! client negotiates.
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! NAT-T keepalives every 3600 s and IPsec-over-TCP on 10000 for clients behind NAT devices.
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 60
! 0 = the serial console session never times out; presumably acceptable only if physical access is controlled.
console timeout 0
dhcpd ping_timeout 750
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! The default group policy is also set to tunnelspecified but carries no network list in this paste.
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
group-policy outsources internal
group-policy outsources attributes
wins-server value 172.30.30.1
! NOTE(review): 172.30.0.10 is outside the OUTSOURCES networks, so a client cannot reach it through the
! tunnel. With split tunnelling the client still uses these servers for name resolution; if 172.30.30.1
! does not resolve public names, "no Internet" may really be a DNS failure — test with a bare IP
! (e.g. ping a public address) before changing routing, and consider 'split-dns' for the internal domain.
dns-server value 172.30.30.1 172.30.0.10
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
! NOTE(review): the client route table posted later in this thread shows only /32 routes for
! 172.30.30.1 and 172.30.30.16, not the two /24s in OUTSOURCES — confirm what the client actually receives.
split-tunnel-network-list value outsources
default-domain value paragon-software.com
! Single local administrative account (used by 'aaa authentication ssh console LOCAL').
username telsek password xxxxxx encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) partnerauth
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
! The remote-access tunnel group clients connect to: pool 'outsources', RADIUS user auth via partnerauth,
! and the 'outsources' group policy (split tunnel, DNS/WINS, domain) above.
tunnel-group outsources type remote-access
tunnel-group outsources general-attributes
address-pool outsources
authentication-server-group (outside) partnerauth
default-group-policy outsources
tunnel-group outsources ipsec-attributes
! Group pre-shared key (masked). It is shared by every client, so per-user security rests on the RADIUS
! step; keep it long and rotate it when people leave.
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
! DNS inspection caps messages at 512 bytes; EDNS0/DNSSEC responses can exceed this and would be dropped,
! which also affects tunnel clients resolving through 172.30.30.1.
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bb892d2d836bdd7c3ab64ce31d098dbf
: end



Сообщения в этом обсуждении
"PIX 515 RA VPN"
Отправлено sh_ , 24-Июн-09 14:25 
route print с компика покажите после того, как подключитесь.

"PIX 515 RA VPN"
Отправлено telsek , 24-Июн-09 15:32 
>route print с компика покажите, после того, как подключитесь.

В том-то и дело, что
дефолтный маршрут не подменяется.

         0.0.0.0          0.0.0.0      92.36.125.9     92.36.125.9       1
        81.5.68.9  255.255.255.255      92.36.125.9     92.36.125.9       1
      92.36.125.0    255.255.255.0      92.36.125.9     92.36.125.9       1
      92.36.125.9  255.255.255.255        127.0.0.1       127.0.0.1       50
   92.255.255.255  255.255.255.255      92.36.125.9     92.36.125.9       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      172.30.30.1  255.255.255.255    192.168.103.2   192.168.103.1       1
     172.30.30.16  255.255.255.255    192.168.103.2   192.168.103.1       1
    192.168.103.0    255.255.255.0    192.168.103.1   192.168.103.1       40
    192.168.103.1  255.255.255.255        127.0.0.1       127.0.0.1       40
  192.168.103.255  255.255.255.255    192.168.103.1   192.168.103.1       40
    192.168.128.0    255.255.255.0    192.168.128.1   192.168.128.1       20
    192.168.128.1  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.128.255  255.255.255.255    192.168.128.1   192.168.128.1       20
    192.168.187.0    255.255.255.0    192.168.187.1   192.168.187.1       20
    192.168.187.1  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.187.255  255.255.255.255    192.168.187.1   192.168.187.1       20
  212.119.106.160  255.255.255.255      92.36.125.9     92.36.125.9       1
        224.0.0.0        240.0.0.0    192.168.103.1   192.168.103.1       40
        224.0.0.0        240.0.0.0    192.168.128.1   192.168.128.1       20
        224.0.0.0        240.0.0.0    192.168.187.1   192.168.187.1       20
        224.0.0.0        240.0.0.0      92.36.125.9     92.36.125.9       1
  255.255.255.255  255.255.255.255      92.36.125.9     92.36.125.9       1
  255.255.255.255  255.255.255.255    192.168.103.1           80005       1
  255.255.255.255  255.255.255.255    192.168.103.1           80004       1
  255.255.255.255  255.255.255.255    192.168.103.1   192.168.103.1       1
  255.255.255.255  255.255.255.255    192.168.128.1   192.168.128.1       1
  255.255.255.255  255.255.255.255    192.168.187.1   192.168.187.1       1
Основной шлюз:         92.36.125.9