Member | About users inside the firewall connecting to a customer's VPN. To all the senior members here, I have a question to ask you: our company's firewall is a Cisco PIX. A customer now needs our internal users to connect to the customer's server using Windows 2000's PPTP. What do I need to configure on the firewall? At the moment there is no way to connect to the customer's VPN from inside the firewall, but it works from outside, so the problem is on the firewall. How should I handle this? Thank you all!!! |
無女友的人生34年 | Check which port that VPN uses and open the corresponding port on the firewall. |
Member | Re: About users inside the firewall connecting to a customer's VPN. Quote:
What version is your PIX OS? You need to have at least PIX OS 6.2(x) in order to use PAT to support PPTP pass-through, but 6.3(3) seems to have better support for PPTP pass-through. If your PIX OS is 6.1(x), you need to give an extra WAN IP to the PPTP session. I use PIX OS 6.1(5) because it's the most stable, but I'm testing 6.3(3) and playing with PDM 3.01 now. (I'm a command-line person; PDM and web/GUI configuration is kind of new to me.) Best regards, Calvin | |
Member | Re: Re: About users inside the firewall connecting to a customer's VPN. Quote:
Dear Calvin: Our company also uses a PIX 501; its OS version is PIX Version 6.1(2). Below is the PIX configuration:

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password mYQxRX2uf9rL.CHQ encrypted
passwd mYQxRX2uf9rL.CHQ encrypted
hostname picfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.64.58 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 202.145.64.59
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.64.57 192.168.1.254 netmask 255.255.255.255 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.64.57 eq smtp any
conduit permit tcp host xxx.xxx.64.57 eq ftp any
conduit permit tcp host xxx.xxx.64.57 eq pop3 any
conduit permit tcp host xxx.xxx.64.57 eq 1433 yyy.yyy.68.0 255.255.255.0
conduit permit udp host xxx.xxx.64.57 eq 1433 yyy.yyy.68.0 255.255.255.0
conduit permit tcp host xxx.xxx.64.57 eq 3389 yyy.yyy.68.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.64.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

Later I asked the vendor we originally bought it from, and they told us to enter the following command:

access-list acl_out permit gre host yyy.yyy.68.25 host xxx.xxx.64.60

We tried connecting to the VPN server (yyy.yyy.68.25); every time it reaches the connection authentication step (checking the username and password, against the machine xxx.xxx.64.60) and cannot get past it. May I ask what else needs to be configured? Also, the vendor said this version is a bit old, so they don't really know how to configure it either. Is that so? THANKS~ | |
CM Board Moderator | Re: Re: Re: About users inside the firewall connecting to a customer's VPN. Quote:
| |
Member | Re: Re: Re: Re: About users inside the firewall connecting to a customer's VPN. Quote:
SORRY! One more question: how do I enter the command? THANKS~ | |
CM Board Moderator | Re: Re: Re: Re: Re: About users inside the firewall connecting to a customer's VPN. Quote:
| |
Member | Re: Re: Re: About users inside the firewall connecting to a customer's VPN. Quote:
Hi: I'm sorry for the late reply. But there is one thing I want to let you know before I explain anything to you. It's really not a good idea to just post your config file including your telnet and enable passwords. There's a way to crack your password; tools are available on the internet for free download. Try to use "*" to replace the following lines:

enable password mYQxRX2uf9rL.CHQ encrypted
passwd mYQxRX2uf9rL.CHQ encrypted

enable password **************** encrypted
passwd **************** encrypted

OK, back to our topic. Let me make it more clear. THERE IS NO WAY YOU CAN USE PPTP VPN IN PIX OS VERSION 6.1.* PAT MODE. It's officially NOT supported in 6.1(*). You will see exactly this: the PPTP dialer gets stuck in "verifying username/password" and then the connection fails. The reason is not the GRE protocol, but that PIX OS 6.1(*) doesn't know how to handle the VPN packets when they come back from your VPN server. Part of the information is missing while the PIX does the PAT process. Solution? Upgrade to PIX OS 6.3(*) or 6.2(*) (I suggest you get 6.3(3)). I'm sorry this is bad news for you, but it's the truth. Upgrading the PIX OS version requires you to "buy" a new license from Cisco. Cisco doesn't have a "free" firmware upgrade policy. Calvin | |
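As an added example (not code from this thread or from Cisco), a small Python script that covers the two points raised in the replies: it masks the enable and telnet (passwd) hashes before a PIX config is posted anywhere, and it reports whether the config relies on PAT, carries the GRE access-list, runs a 6.2 or later release, and has the PIX 6.3 `fixup protocol pptp 1723` command. The sample config, its addresses and its hashes are constructed placeholders, not the poster's values.

```python
import re

# Constructed sample, modelled on the config posted above; the addresses and
# password hashes are placeholders, not the poster's values.
SAMPLE_CONFIG = """\
PIX Version 6.1(2)
enable password AAAAAAAAAAAAAAAA encrypted
passwd BBBBBBBBBBBBBBBB encrypted
hostname picfirewall
global (outside) 1 203.0.113.59
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list acl_out permit gre host 198.51.100.25 host 203.0.113.60
"""

# PIX stores the enable and telnet (passwd) secrets as hashes; both can be
# attacked offline once leaked, so mask them before sharing a config.
SECRET_RE = re.compile(r"^(enable password|passwd)\s+(\S+)(\s+encrypted)?$")


def redact_secrets(config: str) -> str:
    """Return the config with every password hash replaced by asterisks."""
    out = []
    for line in config.splitlines():
        m = SECRET_RE.match(line.strip())
        if m:
            line = f"{m.group(1)} {'*' * len(m.group(2))}{m.group(3) or ''}"
        out.append(line)
    return "\n".join(out)


def pptp_pat_check(config: str) -> dict:
    """Summarise what the config says about PPTP clients leaving through PAT."""
    ver = re.search(r"^PIX Version (\d+)\.(\d+)\((\d+)\)", config, re.M)
    major_minor = (int(ver.group(1)), int(ver.group(2))) if ver else (0, 0)
    # A 'global' with a single address (or 'interface') is PAT; a range is a NAT pool.
    globals_ = re.findall(r"^global \(\S+\) \d+ (\S+)", config, re.M)
    return {
        "version": ver.group(0) if ver else None,
        "pat_in_use": any("-" not in g for g in globals_),
        "gre_acl": bool(re.search(r"^access-list \S+ permit gre ", config, re.M)),
        # PIX 6.3 inspects the PPTP control channel with this fixup
        "pptp_fixup": bool(re.search(r"^fixup protocol pptp 1723", config, re.M)),
        # Per the thread: PPTP through PAT needs 6.2(x) or later
        "pptp_over_pat_supported": major_minor >= (6, 2),
    }


if __name__ == "__main__":
    print(redact_secrets(SAMPLE_CONFIG))
    print(pptp_pat_check(SAMPLE_CONFIG))
```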