PIX 506 / HTTPS/VPN access: sometimes works, sometimes doesn't?

Forum on network security, firewall configuration, setting up protections against attacks, DMZs, intrusion detection systems ...

Moderator: modos Ixus

Post by jer_mest » 17 Nov 2004 15:17

Hello,

I have a problem that I don't understand. I configured a PIX 506 with VPN tunnel access and HTTPS administration from anywhere. When I ask my friends to connect over VPN or HTTPS, or from my home, it works; when I try from my workplace it doesn't work, and from a client's site it doesn't work either. I have another VPN access (on a PIX 515) at my workplace that works perfectly. There are no filtering rules on the PIX 506, I don't get it.

Could it come from the ISP: Wanadoo, Free, Noos, ...?

Please help me, I really don't see it. If anyone has already heard of this ...

The config:

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd """""""" encrypted
hostname """"""
domain-name """""
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.250.0 Lan
name 192.168.254.0 VPNpool
name 217.128.104.26 MF2i_
name 192.168.250.30 GIEPC1
object-group service Internet tcp
description Standard Internet protocols
port-object eq ftp
port-object eq pop3
port-object eq 8080
port-object eq nntp
port-object eq ftp-data
port-object eq https
port-object eq www
port-object eq smtp
access-list inside_outbound_nat0_acl remark NoNatForVPNUsers
access-list inside_outbound_nat0_acl permit ip Lan 255.255.255.0 VPNpool 255.255.255.0
access-list inside_outbound_nat0_acl remark NoNatForVPNUsers
access-list OUTSIDE remark Allow HTTP port for access to the WEB server
access-list OUTSIDE permit tcp any host """""""""" eq www
access-list OUTSIDE permit icmp any any echo-reply
access-list OUTSIDE remark Allow IP inside VPN tunnel
access-list OUTSIDE permit ip VPNpool 255.255.255.0 Lan 255.255.255.0 log
access-list OUTSIDE permit icmp any any unreachable
access-list OUTSIDE permit icmp any any time-exceeded
access-list OUTSIDE remark Allow HTTP port for access to the WEB server
access-list OUTSIDE remark Allow IP inside VPN tunnel
access-list inside_access_in remark DNS requests
access-list inside_access_in remark DNS requests
access-list INSIDE remark Allow IP inside VPN tunnel
access-list INSIDE permit ip Lan 255.255.255.0 VPNpool 255.255.255.0
access-list INSIDE remark DNS requests
access-list INSIDE permit udp Lan 255.255.255.0 any eq domain
access-list INSIDE remark Allow ping
access-list INSIDE permit icmp Lan 255.255.255.0 any echo
access-list INSIDE remark Allow standard Internet protocols
access-list INSIDE permit tcp Lan 255.255.255.0 any object-group Internet
access-list INSIDE permit udp Lan 255.255.255.0 any log
access-list INSIDE remark Allow IP inside VPN tunnel
access-list INSIDE remark DNS requests
access-list INSIDE remark Allow ping
access-list INSIDE remark Allow standard Internet protocols
access-list VPN permit ip Lan 255.255.255.0 VPNpool 255.255.255.0
pager lines 24
logging on
logging buffered debugging
logging trap emergencies
logging host inside GIEPC1
icmp deny any outside
icmp permit VPNpool 255.255.255.0 echo inside
icmp permit Lan 255.255.255.0 echo inside
icmp deny any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.250.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name AttackOutside attack action alarm drop
ip audit name InfoOutside info action alarm
ip audit name AttackInside attack action alarm drop
ip audit name InfoInside info action alarm
ip audit interface outside InfoOutside
ip audit interface outside AttackOutside
ip audit interface inside InfoInside
ip audit interface inside AttackInside
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1100 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2150 disable
ip local pool VPNpool 192.168.254.1-192.168.254.99
pdm location GIEPC1 255.255.255.255 inside
pdm location VPNpool 255.255.255.0 outside
pdm location VPNpool 255.255.255.0 inside
pdm location MF2i_ 255.255.255.255 outside
pdm location Lan 255.255.255.0 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging debugging 400
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 Lan 255.255.255.0 0 0
static (inside,outside) tcp """"""""""""""" www GIEPC1 www netmask 255.255.255.255 0 0
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http Lan 255.255.255.0 inside
http VPNpool 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community jfdjdf
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 65534 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup Etude77 address-pool VPNpool
vpngroup Etude77 split-tunnel VPN
vpngroup Etude77 idle-time 1800
vpngroup Etude77 password ********
telnet Lan 255.255.255.0 inside
telnet VPNpool 255.255.255.0 inside
telnet timeout 15
ssh MF2i_ 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname fti/6vx2up2
vpdn group pppoe_group ppp authentication chap
vpdn username fti/6vx2up2 password *********
dhcpd dns 194.2.0.20 194.2.0.50
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username Etu911 password hUCji1dgRqNQJxsK encrypted privilege 3
username Etu921 password uwPO/.5UwcFXGNEC encrypted privilege 3
username Etu931 password VexIaHZMg3J5.DgI encrypted privilege 3
username Etu941 password hPQJE14UqxLY/sSR encrypted privilege 3
username Etu951 password J3I20BxCpfGs9siH encrypted privilege 3
username Etu953 password 9I0LFWFMqj7pGT28 encrypted privilege 3
username Etu922 password UOFVmVolRLDO1PZH encrypted privilege 3
username Etu952 password 0A5nLNVXgCANYFlM encrypted privilege 3
username QSECOFR password xvPYs6rYoBn5d0vK encrypted privilege 15
username administrateur password EGLoWb59HpHBJske encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:4f9f0d948ff9f5f987aad0dbf16e20ed
: end
[OK]
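As an added example (not from the original post or from Cisco), here is a small checker for the posted configuration. It encodes the PIX 6.3 rule that HTTPS/PDM, SSH and Telnet to the firewall itself are accepted only from sources matching an `http`/`ssh`/`telnet <addr> <mask> <interface>` statement for the interface the connection arrives on (with `http server enable` turned on), resolves the `name` aliases, and reports whether ISAKMP and NAT traversal are enabled on an interface. The config lines embedded below are copied from the post; the address 203.0.113.7 is a hypothetical Internet host chosen for the demonstration.

```python
# Added example (not from the thread): evaluate the posted PIX 6.x config to see
# from which sources the firewall accepts management HTTPS/SSH/Telnet, and
# whether IKE (ISAKMP) and NAT traversal are enabled on a given interface.
#
# Assumptions (PIX 6.3 behaviour, not stated on the page):
#   * Connections to the firewall itself on 443/22/23 are accepted only when the
#     source matches an `http|ssh|telnet <addr> <mask> <interface>` line for the
#     interface the packet arrives on, and `http server enable` is set for HTTPS.
#   * `name <ip> <alias>` lines define aliases used by those statements.
import ipaddress

# Constructed sample: the relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
name 192.168.250.0 Lan
name 192.168.254.0 VPNpool
name 217.128.104.26 MF2i_
http server enable
http Lan 255.255.255.0 inside
http VPNpool 255.255.255.0 inside
telnet Lan 255.255.255.0 inside
telnet VPNpool 255.255.255.0 inside
telnet timeout 15
ssh MF2i_ 255.255.255.255 outside
ssh timeout 5
isakmp enable outside
isakmp nat-traversal 20
management-access inside
"""

SERVICES = ("http", "ssh", "telnet")


def parse_config(text):
    """Return (rules, flags): rules maps service -> [(network, interface)];
    flags records the HTTP server state, ISAKMP interfaces and NAT-T."""
    names = {}
    rules = {svc: [] for svc in SERVICES}
    flags = {"http_server": False, "isakmp_ifaces": set(), "nat_t": False}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "name" and len(parts) == 3:
            names[parts[2]] = parts[1]                 # alias -> address
        elif kw == "http" and parts[1:] == ["server", "enable"]:
            flags["http_server"] = True
        elif kw in SERVICES and len(parts) == 4:       # <svc> <addr> <mask> <iface>
            addr = names.get(parts[1], parts[1])       # resolve alias if any
            net = ipaddress.ip_network(f"{addr}/{parts[2]}", strict=False)
            rules[kw].append((net, parts[3]))
        elif kw == "isakmp" and parts[1:2] == ["enable"] and len(parts) == 3:
            flags["isakmp_ifaces"].add(parts[2])
        elif kw == "isakmp" and parts[1:2] == ["nat-traversal"]:
            flags["nat_t"] = True
    return rules, flags


def management_allowed(cfg, service, src_ip, iface):
    """True if a management session of `service` from src_ip arriving on
    `iface` matches an access statement bound to that interface."""
    rules, flags = cfg
    if service == "http" and not flags["http_server"]:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net and rule_if == iface for net, rule_if in rules[service])


def vpn_listener(cfg, iface):
    """Whether IKE answers on `iface`, and whether NAT-T (UDP 4500) is on,
    which clients behind NAT at a remote site depend on."""
    _, flags = cfg
    return {"isakmp": iface in flags["isakmp_ifaces"], "nat_t": flags["nat_t"]}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    probes = [("http", "192.168.250.30", "inside"),
              ("http", "192.168.254.10", "inside"),
              ("http", "203.0.113.7", "outside"),      # hypothetical Internet host
              ("ssh", "217.128.104.26", "outside")]
    for svc, src, iface in probes:
        verdict = "allowed" if management_allowed(cfg, svc, src, iface) else "denied"
        print(f"{svc:6} from {src:16} on {iface:7}: {verdict}")
    print("outside VPN listener:", vpn_listener(cfg, "outside"))
```

Under those assumptions the posted config has no `http ... outside` statement, so HTTPS aimed at the outside address is refused whichever ISP the client sits behind; HTTPS from the VPN pool against the inside address is the case the config does allow (`http VPNpool ... inside` together with `management-access inside`). What the script cannot tell you is whether a given remote site lets UDP 500, UDP 4500 and ESP out to the PIX, which is the next thing to check from the workplace and the client site where the tunnel fails.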

Post by fraedhrim » 17 Nov 2004 15:37

Hi!

I had an HTTPS access problem on a PIX a few months ago. Even after a reboot it was impossible to get back into it over HTTPS. For the VPN I don't know, we don't have one on that PIX.

Patching to a higher version fixed the problem. You are on 6.3(3). On 6.3(3)124 I no longer have the problem....

Cheers

Post by jer_mest » 17 Nov 2004 16:24

Where can I find the patch for that version, and how do I update it?
Thanks ...

Problem resolution

Post by fvignero » 26 Nov 2004 17:24

I know what is happening from your workplace because I know the architecture in place.

I think you can contact **********.

Best regards.

email: ***************

:roll:

Post by fraedhrim » 26 Nov 2004 18:21

????

Whoa, what's that?!

Is this an ad?

Mods! Mods!

Post by tomtom » 26 Nov 2004 18:32

Thanks Frahedrim :o)

Next time, try a private message rather than shouting in the forums, it will be more effective :lol:

Mr f.vignero, if you know this gentleman's architecture so well, call him!

But this has nothing to do with the forum!

t.
One hundred thousand lemmings can't be wrong...

