01-10-2012 04:17 AM - edited 02-21-2020 05:48 PM
Hi, dears. I configured an IPsec VPN on the firewall. I can connect to the VPN, but I cannot access the inside servers. I want to access 172.16.10.254 and 172.18.10.10, but I cannot.
This is my configuration. Please help me. Thank you.
FWSM Version 4.0(4)
!
hostname FWSM
domain-name socar.local
enable password 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248 standby x.x.x.x
!
interface Vlan3
description LAN/STATE Failover Interface
!
interface Vlan210
nameif inside
security-level 100
ip address 172.18.10.253 255.255.255.0 standby 172.18.10.252
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit ip any any
access-list NONAT extended permit ip 172.0.0.0 255.0.0.0 10.10.100.0 255.255.255.0
access-list SPLIT standard permit 172.16.10.0 255.255.255.0
access-list SPLIT standard permit 172.18.10.0 255.255.255.0
access-list O2I extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPN-POOL 10.10.100.1-10.10.100.254
no failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover link FAILOVER Vlan3
failover interface ip FAILOVER 10.10.10.1 255.255.255.0 standby 10.10.10.2
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.16.0 255.255.255.0
nat (inside) 1 172.18.10.0 255.255.255.0
nat (inside) 1 172.18.20.0 255.255.255.0
nat (inside) 1 172.18.30.0 255.255.255.0
nat (inside) 1 172.18.40.0 255.255.255.0
access-group O2I in interface outside
access-group OUT in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 172.16.10.0 255.255.255.0 172.18.10.254 1
route inside 172.16.16.0 255.255.255.0 172.18.10.254 1
route inside 172.18.20.0 255.255.255.0 172.18.10.254 1
route inside 172.18.30.0 255.255.255.0 172.18.10.254 1
route inside 172.18.40.0 255.255.255.0 172.18.10.254 1
route inside 172.16.15.0 255.255.255.0 172.18.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SOCAR internal
group-policy SOCAR attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
username risk password 3rtm490m1auSWuAX encrypted
http server enable
http 172.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service reset no-connection
crypto ipsec transform-set SOCAR esp-3des esp-sha-hmac
crypto dynamic-map SOCAR 10 set transform-set SOCAR
crypto map SOCAR 30 ipsec-isakmp dynamic SOCAR
crypto map SOCAR interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
tunnel-group SOCAR type ipsec-ra
tunnel-group SOCAR general-attributes
address-pool VPN-POOL
default-group-policy SOCAR
tunnel-group SOCAR ipsec-attributes
pre-shared-key *
telnet 172.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh timeout 15
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect sunrpc
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3f7dae74243f6137b135741e677fe4b2
: end
01-10-2012 05:28 AM
FWSM supports IPsec connections only to manage the FWSM itself; anything else is untested and unsupported.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html#wp1060264
The FWSM supports IPSec for management access.
01-10-2012 10:29 PM
Hi. Thank you very much for replying. You said the FWSM supports IPsec for management access, but we want to access our networks (servers, ...).
Can we configure remote-access VPN on our core 6500 series Catalyst, on which the FWSM module is installed?
If yes, how can we do it? Please help me. Thank you very much.
01-11-2012 12:14 AM
Teymur,
The Cat6k supports IPsec only when a VPN SPA, VPNSM or WS-IPSEC-3 (VSPA) is installed in the chassis.
This is the config guide for all those:
A long time ago we also supported IPsec to the Cat6k for management access without additional modules; that is no longer the case, as far as my understanding goes.
M.
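As an added illustration for the two replies above (this is example code written for this page, not code from the thread, from Cisco, or from either poster), here is a small Python audit that parses a constructed excerpt of the posted configuration and applies the three checks a practitioner would run on a remote-access IPsec setup of this shape: that the platform can terminate the tunnel at all (the point both replies make: FWSM only supports IPsec for management access, so an `ipsec-ra` tunnel-group on it is flagged), that each destination the user wants is inside the split-tunnel list, and that traffic from each split network back to the VPN pool is exempted from NAT by the `nat 0` ACL. The config excerpt, the function names `parse_config`/`audit`, and the finding strings are all assumptions of the example; the checker cannot make the FWSM support user VPN traffic, it only makes the mismatch visible.

```python
import ipaddress
import re

# Constructed excerpt of the FWSM configuration posted above (only the lines
# the checks need; it is not a complete or loadable configuration).
SAMPLE_CONFIG = """\
FWSM Version 4.0(4)
access-list NONAT extended permit ip 172.0.0.0 255.0.0.0 10.10.100.0 255.255.255.0
access-list SPLIT standard permit 172.16.10.0 255.255.255.0
access-list SPLIT standard permit 172.18.10.0 255.255.255.0
ip local pool VPN-POOL 10.10.100.1-10.10.100.254
nat (inside) 0 access-list NONAT
group-policy SOCAR attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
crypto map SOCAR interface outside
tunnel-group SOCAR type ipsec-ra
tunnel-group SOCAR general-attributes
 address-pool VPN-POOL
"""

RULES = [
    ("platform", re.compile(r"^(FWSM|ASA|PIX) Version ")),
    ("std_acl", re.compile(r"^access-list (\S+) standard permit ([\d.]+) ([\d.]+)$")),
    # Only the "net mask net mask" form is parsed; entries using any/host are skipped.
    ("ext_acl", re.compile(r"^access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")),
    ("pool", re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")),
    ("nat0", re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")),
    ("ra_group", re.compile(r"^tunnel-group (\S+) type ipsec-ra$")),
    ("split_list", re.compile(r"^split-tunnel-network-list value (\S+)$")),
]


def parse_config(text):
    """Pull the handful of statements the audit reasons about out of a PIX/ASA/FWSM-style config."""
    cfg = {"platform": None, "std_acls": {}, "ext_acls": {}, "pools": {},
           "nat0_acl": None, "ra_groups": [], "split_list": None}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in RULES:
            m = rx.match(line)
            if not m:
                continue
            g = m.groups()
            if kind == "platform":
                cfg["platform"] = g[0]
            elif kind == "std_acl":
                cfg["std_acls"].setdefault(g[0], []).append(ipaddress.ip_network(f"{g[1]}/{g[2]}"))
            elif kind == "ext_acl":
                cfg["ext_acls"].setdefault(g[0], []).append(
                    (ipaddress.ip_network(f"{g[1]}/{g[2]}"), ipaddress.ip_network(f"{g[3]}/{g[4]}")))
            elif kind == "pool":
                cfg["pools"][g[0]] = (ipaddress.ip_address(g[1]), ipaddress.ip_address(g[2]))
            elif kind == "nat0":
                cfg["nat0_acl"] = g[0]
            elif kind == "ra_group":
                cfg["ra_groups"].append(g[0])
            elif kind == "split_list":
                cfg["split_list"] = g[0]
            break
    return cfg


def audit(text, targets):
    """Return a list of findings; an empty list means the config passes every check."""
    cfg = parse_config(text)
    findings = []
    # 1. Platform limitation raised in the replies: FWSM terminates IPsec only for management access.
    if cfg["platform"] == "FWSM" and cfg["ra_groups"]:
        findings.append("FWSM: tunnel-group %s is type ipsec-ra, but FWSM supports IPsec only for "
                        "management access; remote-access user traffic is unsupported"
                        % ", ".join(cfg["ra_groups"]))
    split = cfg["std_acls"].get(cfg["split_list"], [])
    # 2. A destination outside the split-tunnel list is never sent down the tunnel by the client.
    for t in targets:
        host = ipaddress.ip_address(t)
        if not any(host in net for net in split):
            findings.append(f"{t}: not covered by split-tunnel list {cfg['split_list']}")
    # 3. Replies from each split network to the pool must match the nat 0 ACL, or they get PATed
    #    to the outside interface address instead of going back through the tunnel.
    nonat = cfg["ext_acls"].get(cfg["nat0_acl"], [])
    for name, (first, last) in cfg["pools"].items():
        for net in split:
            if not any(net.subnet_of(src) and first in dst and last in dst for src, dst in nonat):
                findings.append(f"{net} -> pool {name}: no NAT exemption in {cfg['nat0_acl']}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, ["172.16.10.254", "172.18.10.10"]):
        print("FINDING:", f)
```

Run against the excerpt with the two hosts from the question, the split-tunnel and NAT-exemption checks pass (the `NONAT` source 172.0.0.0/8 covers both split networks and its destination covers the whole pool), and the only finding is the platform one, which is exactly the answer the thread gives. Swapping the version line for an `ASA Version` line yields no findings, which is the configuration shape you would carry over to a platform that does support remote-access IPsec.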