PIX 506 Questions ????


Post by jer_mest » 15 Nov 2004 13:11

Hello,

Is a license needed to do DES VPN on a PIX 506?

Can a 515 config be loaded on a 506?

What are the basic parameters needed to connect with a VPN client to a PIX 506?

I have a config that works on a PIX 515E, VPN access, ... but the same config on a PIX 506 does not work. That is, with a Cisco VPN client 4.0.1 I do not get the username/password prompt. I don't understand, since the 515 and 506 configs are identical (except PPPoE and IP address) .... can anyone help me?

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password """""""""""""""""""encrypted
passwd """""""""""""""""""encrypted
hostname """""""""""""""""""
domain-name """""""""""""""""""
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.250.0 Lan
name 192.168.254.0 VPNpool
name 217.128.104.26 MF2i_
name 192.168.250.30 GIEPC1
object-group service Internet tcp
description Protocoles standards d'Internet
port-object eq ftp
port-object eq pop3
port-object eq 8080
port-object eq nntp
port-object eq ftp-data
port-object eq https
port-object eq www
port-object eq smtp
access-list inside_outbound_nat0_acl remark NoNatForVPNUsers
access-list inside_outbound_nat0_acl permit ip Lan 255.255.255.0 VPNpool 255.255.255.0
access-list inside_outbound_nat0_acl remark NoNatForVPNUsers
access-list OUTSIDE remark Autorise le port HTTP pour acces au serveur WEB
access-list OUTSIDE permit tcp any host 82.127.101.21 eq www
access-list OUTSIDE permit icmp any any echo-reply
access-list OUTSIDE remark Autorise IP dans tunnel VPN
access-list OUTSIDE permit ip VPNpool 255.255.255.0 Lan 255.255.255.0 log
access-list OUTSIDE permit icmp any any unreachable
access-list OUTSIDE permit icmp any any time-exceeded
access-list OUTSIDE remark Autorise le port HTTP pour acces au serveur WEB
access-list OUTSIDE remark Autorise IP dans tunnel VPN
access-list inside_access_in remark requetes DNS
access-list inside_access_in remark requetes DNS
access-list INSIDE remark Autorise IP dans tunnel VPN
access-list INSIDE permit ip Lan 255.255.255.0 VPNpool 255.255.255.0
access-list INSIDE remark Requetes DNS
access-list INSIDE permit udp Lan 255.255.255.0 any eq domain
access-list INSIDE remark Autorise ping
access-list INSIDE permit icmp Lan 255.255.255.0 any echo
access-list INSIDE remark Autorise standards Internet
access-list INSIDE permit tcp Lan 255.255.255.0 any object-group Internet
access-list INSIDE permit udp Lan 255.255.255.0 any log
access-list INSIDE remark Autorise IP dans tunnel VPN
access-list INSIDE remark Requetes DNS
access-list INSIDE remark Autorise ping
access-list INSIDE remark Autorise standards Internet
access-list VPN permit ip Lan 255.255.255.0 VPNpool 255.255.255.0
pager lines 24
logging on
logging buffered debugging
logging trap emergencies
logging host inside GIEPC1
icmp deny any outside
icmp permit VPNpool 255.255.255.0 echo inside
icmp permit Lan 255.255.255.0 echo inside
icmp deny any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.250.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttackOutside attack action alarm drop
ip audit name InfoOutside info action alarm
ip audit name AttackInside attack action alarm drop
ip audit name InfoInside info action alarm
ip audit interface outside InfoOutside
ip audit interface outside AttackOutside
ip audit interface inside InfoInside
ip audit interface inside AttackInside
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1100 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2150 disable
ip local pool VPNpool 192.168.254.1-192.168.254.99
pdm location GIEPC1 255.255.255.255 inside
pdm location VPNpool 255.255.255.0 outside
pdm location VPNpool 255.255.255.0 inside
pdm location MF2i_ 255.255.255.255 outside
pdm location Lan 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging warnings 400
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 Lan 255.255.255.0 0 0
static (inside,outside) tcp 82.127.101.21 www GIEPC1 www netmask 255.255.255.255 0 0
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http Lan 255.255.255.0 inside
http VPNpool 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community jfdjdf
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 65534 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Etude77 address-pool VPNpool
vpngroup Etude77 split-tunnel VPN
vpngroup Etude77 idle-time 1800
vpngroup Etude77 password ********
telnet Lan 255.255.255.0 inside
telnet VPNpool 255.255.255.0 inside
telnet timeout 15
ssh MF2i_ 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname fti/6vx2up2
vpdn group pppoe_group ppp authentication chap
vpdn username fti/6vx2up2 password *********
dhcpd dns 194.2.0.20 194.2.0.50
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username Etu911 password """"""""""""""""""" encrypted privilege 3
username Etu921 password """""""""""""""""""encrypted privilege 3
username Etu931 password """""""""""""""""""encrypted privilege 3
username Etu941 password """""""""""""""""""encrypted privilege 3
username Etu951 password J""""""""""""""""""" encrypted privilege 3
username Etu953 password """"""""""""""""""" encrypted privilege 3
username Etu922 password """"""""""""""""""" encrypted privilege 3
username Etu952 password """""""""""""""""""encrypted privilege 3
username QSECOFR password """""""""""""""""""encrypted privilege 15
username administrateur password E""""""""""""""""""" encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:471732ea81b1f4dc4a47cd0ac42e6194
: end
[OK]

Post by rodolphedj » 21 Mar 2005 15:58

The license is supplied with the firewall,

so no problem.
Rodolphe

