Problems with pix515e, Sanek, 24-Nov-07, 18:26

1. No external IP addresses can be pinged from inside the LAN, including the outside interface of the pix.
2. External addresses cannot be pinged from the Cisco itself.
3. After changing settings on the Cisco and saving them to memory, the tunnel to the remote warehouse (85.X.Y.G, pix501) drops. It is fixed by power-cycling the pix501 (unplugging it from the 220V mains).

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto shutdown
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto
nameif ethernet0 outside security0
nameif ethernet1 ethernet1 security10
nameif ethernet2 ethernet2 security10
nameif ethernet3 ethernet3 security10
nameif ethernet4 ethernet4 security10
nameif ethernet5 inside security100
enable ...
passwd ...
hostname pix515
domain-name ...
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.0 Sklad
object-group service Proto tcp-udp
  description Allowed Traffic
  port-object eq 20
  port-object eq 21
  port-object eq domain
  port-object eq www
  port-object eq 123
  port-object eq 143
  port-object eq 443
  port-object eq 119
  port-object eq 87
  port-object eq 23
  port-object eq 25
  port-object eq 110
access-list compiled
access-list inside_nat0_outbound permit ip 192.168.0.0 255.255.255.0 Sklad 255.255.255.0
access-list outside_cryptomap_10 permit icmp 192.168.0.0 255.255.255.0 Sklad 255.255.255.0
access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 Sklad 255.255.255.0
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any
access-list outside_inbound_nat0_acl permit ip Sklad 255.255.255.0 192.168.0.0 255.255.255.0
access-list Group permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Group permit ip 192.168.0.0 255.255.255.0 Sklad 255.255.255.0
pager lines 24
icmp permit host 85.X.Y.G outside
icmp permit host 192.168.0.10 inside
mtu outside 1500
mtu ethernet1 1500
mtu ethernet2 1500
mtu ethernet3 1500
mtu ethernet4 1500
mtu inside 1500
ip address outside 85.X.Y.Z 255.255.255.248
no ip address ethernet1
no ip address ethernet2
no ip address ethernet3
no ip address ethernet4
ip address inside 192.168.0.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name ATK attack action alarm drop reset
ip audit name INF info action alarm drop reset
ip audit interface outside INF
ip audit interface outside ATK
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2004 disable
ip local pool Pool 192.168.10.1-192.168.10.5
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address ethernet1
no failover ip address ethernet2
no failover ip address ethernet3
no failover ip address ethernet4
no failover ip address inside
pdm location Sklad 255.255.255.0 outside
pdm location 85.X.Y.Z 255.255.255.255 outside
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 85.X.Y.A
global (outside) 3 85.X.Y.B
global (outside) 4 85.X.Y.C
global (outside) 5 85.X.Y.D
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list Group
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 85.X.Y.E 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 85.X.Y.Z 255.255.255.255 outside
http 192.168.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.0.10 /pix515_backup
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set MAIN esp-des esp-md5-hmac
crypto map TUNNEL 10 ipsec-isakmp
crypto map TUNNEL 10 match address outside_cryptomap_10
crypto map TUNNEL 10 set peer 85.X.Y.G
crypto map TUNNEL 10 set transform-set MAIN
crypto map TUNNEL interface outside
isakmp enable outside
isakmp key ******** address 85.X.Y.G netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 85.X.Y.Z 255.255.255.255 outside
telnet 192.168.0.10 255.255.255.255 inside
telnet timeout 5
ssh 85.X.Y.Z 255.255.255.255 outside
ssh timeout 60
console timeout 0
vpdn group Group accept dialin pptp
vpdn group Group ppp authentication pap
vpdn group Group ppp authentication mschap
vpdn group Group ppp encryption mppe 128
vpdn group Group client configuration address local Pool
vpdn group Group client configuration dns 192.168.0.10
vpdn group Group pptp echo 60
vpdn group Group client authentication local
vpdn username ...
vpdn enable outside
username .. privilege 15
username .. privilege 2
terminal width 80
Cryptochecksum:00000000000000000000000000000000
: end
[OK]
- Problems with pix515e, Sanek, 23:01, 26-Nov-07 (1)
To add: the problems started when, one evening during remote configuration of the 515, the router suddenly "disappeared" from echo requests and apparently "hung", because when I came to work in the morning the internet was not working. It was cured by a "hard" restart of the device. But since then it has stopped pinging and being pinged. Before that everything was OK. No rules that could cause harm were added or removed.
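The config above contains several statements that together decide what happens to ICMP on a PIX 6.3, and a few that a reviewer would flag regardless of the ping problem. The script below is an added example (my own code, not from the poster or from Cisco): it reads a constructed excerpt of the posted config (the 85.X.Y.* addresses are the poster's own redactions) and reports, from documented PIX 6.3 behaviour, why echo replies would be dropped without `fixup protocol icmp` or an outside ACL, which hosts an `icmp permit` list leaves able to ping each interface address, and which ICMP informational signatures an `ip audit ... drop` policy still discards after 2000 and 2004 are disabled. It also lists the weak settings (default SNMP community, DES/MD5/DH group 1, telnet towards outside, PAP for PPTP). The signature names for 2001 and 2005 are Cisco IDS identifiers I know from the PIX documentation; everything else comes from the posted config.

```python
"""Static review of a Cisco PIX 6.3 configuration dump (added example, not the
poster's or Cisco's code). The embedded config is a constructed excerpt of the
one posted above; 85.X.Y.* are the poster's redactions."""
import re

SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet5 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
access-list inside_access_in permit ip 192.168.0.0 255.255.255.0 any
icmp permit host 85.X.Y.G outside
icmp permit host 192.168.0.10 inside
ip audit name INF info action alarm drop reset
ip audit interface outside INF
ip audit signature 2000 disable
ip audit signature 2004 disable
access-group inside_access_in in interface inside
snmp-server community public
crypto ipsec transform-set MAIN esp-des esp-md5-hmac
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
telnet 85.X.Y.Z 255.255.255.255 outside
vpdn group Group ppp authentication pap
"""

# Cisco IDS informational signatures for ICMP that a PIX 'ip audit ... info'
# policy matches (2000 and 2004 are the two the posted config disables).
ICMP_INFO_SIGS = {
    2000: "ICMP echo reply",
    2001: "ICMP host unreachable",
    2004: "ICMP echo request",
    2005: "ICMP time exceeded",
}


def parse(config: str) -> dict:
    """Pull out only the statements the checks below care about."""
    state = {
        "fixup_icmp": False,
        "access_groups": {},      # interface -> ACL name bound inbound
        "acl_lines": {},          # ACL name -> list of rule lines
        "icmp_permit": {},        # interface -> hosts allowed to ping its address
        "audit_drop_ifaces": set(),
        "disabled_sigs": set(),
        "weak": [],               # (line, reason)
    }
    drop_policies = set()         # 'ip audit name' policies whose action includes drop
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(r"fixup protocol icmp\b", line):
            state["fixup_icmp"] = True          # stateful ICMP inspection (PIX 6.3+)
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            state["access_groups"][m.group(2)] = m.group(1)
        elif m := re.match(r"access-list (\S+) (permit|deny) ", line):
            state["acl_lines"].setdefault(m.group(1), []).append(line)
        elif m := re.match(r"icmp permit host (\S+) (\S+)", line):
            state["icmp_permit"].setdefault(m.group(2), []).append(m.group(1))
        elif m := re.match(r"ip audit name (\S+) info action .*\bdrop\b", line):
            drop_policies.add(m.group(1))
        elif m := re.match(r"ip audit interface (\S+) (\S+)", line):
            if m.group(2) in drop_policies:
                state["audit_drop_ifaces"].add(m.group(1))
        elif m := re.match(r"ip audit signature (\d+) disable", line):
            state["disabled_sigs"].add(int(m.group(1)))
        elif re.match(r"snmp-server community (public|private)$", line):
            state["weak"].append((line, "default SNMP community string"))
        elif re.search(r"\b(esp-des|encryption des|hash md5|group 1)\b", line):
            state["weak"].append((line, "DES, MD5 and DH group 1 are obsolete IKE/IPsec choices"))
        elif re.match(r"telnet \S+ \S+ outside$", line):
            state["weak"].append((line, "telnet management permitted towards the outside interface"))
        elif re.search(r"ppp authentication pap$", line):
            state["weak"].append((line, "PAP sends PPTP user passwords in clear text"))
    return state


def icmp_findings(state: dict) -> list:
    """Explain what the config does to ICMP, per PIX 6.3 behaviour."""
    out = []
    if not state["fixup_icmp"]:
        # Without stateful ICMP inspection the reply to an inside ping is just an
        # inbound packet on outside and needs an explicit permit there.
        outside_acl = state["access_groups"].get("outside")
        rules = state["acl_lines"].get(outside_acl, []) if outside_acl else []
        if not any("icmp" in r and "echo-reply" in r for r in rules):
            out.append("ICMP is not inspected statefully (no 'fixup protocol icmp') and no "
                       "outside ACL permits echo-reply, so replies to inside pings are dropped")
    for iface, hosts in state["icmp_permit"].items():
        # An 'icmp permit' list on an interface ends in an implicit deny.
        out.append(f"only {', '.join(hosts)} may ping the {iface} interface address "
                   "(an 'icmp permit' list denies every other sender)")
    for iface in sorted(state["audit_drop_ifaces"]):
        still = [f"{sig} ({name})" for sig, name in sorted(ICMP_INFO_SIGS.items())
                 if sig not in state["disabled_sigs"]]
        if still:
            out.append(f"'ip audit' info policy on {iface} still drops {'; '.join(still)}")
    return out


def audit(config: str) -> dict:
    state = parse(config)
    return {"icmp": icmp_findings(state),
            "weak": [f"{reason}: {line}" for line, reason in state["weak"]]}


if __name__ == "__main__":
    for section, items in audit(SAMPLE_CONFIG).items():
        print(f"== {section}")
        for item in items:
            print(" -", item)
```

On PIX 6.3 the usual way to let inside hosts ping out is `fixup protocol icmp`, which makes echo/reply pairs stateful so no outside ACL entry is needed; an `ip audit` info policy with a drop action should then leave at least the unreachable and time-exceeded signatures enabled, or path MTU discovery and traceroute through the box break too. Note also that a PIX never answers pings to an interface sent from hosts on the far side of that interface, which covers the "including the outside interface" part of the report.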