dslreports logo
site
spacer

spacer
 
    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»
spc

spacer




how-to block ads



This Section
The network layout, Lan 192.168.0.0 is connected to the Zywall. Lan 192.168.1.0 is connected to the Pix with a pool of public addresses x.x.x.192 /26 between it and a 1720 router.

The Pix config.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list To-Internet permit ip 192.168.1.0 255.255.255.0 any
access-list To-Internet permit ip 192.168.2.0 255.255.255.0 any
access-list To-Internet permit icmp any any
access-list From-Internet permit tcp any host x.x.x.196 eq smtp
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo-reply
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 unreachable
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 time-exceeded
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 110 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 //iS this necessary?
access-list to-internet permit icmp any any

ip address outside x.x.x.194 255.255.255.192
ip address inside 192.168.1.25 255.255.255.0
ip audit info action alarm reset
ip audit attack action alarm reset
ip local pool NONATippool 192.168.2.1-192.168.2.254

global (outside) 1 x.x.x.251
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) x.x.x.196 192.168.1.1 netmask 255.255.255.255 0 0
access-group From-Internet in interface outside
access-group To-Internet in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set MyCOTransf esp-3des esp-md5-hmac
crypto dynamic-map MYCOdynmap 10 set transform-set MYCOTransf
crypto map MYCOmap 10 ipsec-isakmp dynamic MYCOdynmap
crypto map MYCOmap client configuration address initiate
crypto map MYCOmap client configuration address respond
crypto map MYCOmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local MYCOippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup MYCOvpn address-pool NONATippool
vpngroup MYCOvpn dns-server 205.171.3.65
vpngroup MYCOvpn wins-server 192.168.1.1
vpngroup MYCOvpn default-domain MYCOMPANY.com
vpngroup MYCOvpn idle-time 1800
vpngroup MYCOvpn password ********
vpngroup MYCO address-pool NONATippool
vpngroup MYCO dns-server 192.168.1.1 205.171.3.65
vpngroup MYCO wins-server 192.168.1.1
vpngroup MYCO default-domain MYCO.com
vpngroup MYCO idle-time 1800
vpngroup MYCO password ********
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local NONATippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxx password xxxx
vpdn username yyyy password yyyyy
vpdn username zzzz password zzzzz
vpdn enable outside
terminal width 80
Cryptochecksum:
: end
[OK]
MYCOFW# exit

The Zywall config.

Menu 27.1.1 - IPSec Setup

Index #= 1 Name= Work
Active= Yes Keep Alive= Yes Nat Traversal= No
Local ID type= IP Content=
My IP Addr= 0.0.0.0
Peer ID type= IP Content= x.x.x.194
Secure Gateway Address= x.x.x.194
Protocol= 17
Local: Addr Type= SUBNET
IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Remote: Addr Type= SUBNET
IP Addr Start= 192.168.1.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Enable Replay Detection= Yes
Key Management= IKE

Menu 27.1.1.1 - IKE Setup

Phase 1
Negotiation Mode= Main
PSK= ********
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH2

Phase 2
Active Protocol= ESP
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None

Expand got feedback?

by TerryMiller See Profile edited by KeysCapt See Profile
last modified: 2003-12-03 06:21:43