# Routing problems with Cisco PIX and EasyVPN



## Xo-mate (June 6, 2010)

Hi everyone,

I have a serious problem, don't really know how to proceed, and have to solve it today.

I have two Cisco PIX 501s. One of them serves as the EasyVPN server and is connected directly to the modem; the other serves as an EasyVPN remote client and is connected to the server from a different network.

So far so good. The connection can be established and I can ping one PIX from the other. Unfortunately, I cannot reach the whole network behind it. The same happens when I connect to the EasyVPN server with a Cisco VPN software client: I reach the PIX, but nothing behind it.

Here is a short list of what works and what doesn't (firewalls on the PCs are turned off):

- Ping from ServerPix to ClientPix - OK
- Ping from ClientPix to ServerPix - OK
- Ping from a PC in the server network to ServerPix - OK
- Ping from a PC in the client network to ClientPix - OK
- Ping from a PC in the client network to ServerPix - OK
- Ping from a PC in the server network to ClientPix - OK
- Ping from a PC in the server network to a PC in the client network - DOES NOT WORK
- Ping from a PC in the client network to a PC in the server network - DOES NOT WORK
- Ping from a PC connected via the Cisco VPN client to ServerPix - OK
- Ping from a PC connected via the Cisco VPN client to ClientPix - does not work - but I think that is normal, isn't it? EasyVPN client to EasyVPN client doesn't work, or does anyone know otherwise? It would be nice if

Here are the configs of the PIXes:

*Server*
```
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password LLkMi3KcZgYfuWCi encrypted
passwd LLkMi3KcZgYfuWCi encrypted
hostname kr01icr02
domain-name e***
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list 101 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0
access-list ftpin permit tcp any host 192.168.0.220 eq ftp
access-list ftpin permit tcp any host 192.168.0.220 eq 3389
access-list 102 permit tcp host 192.168.128.78 any eq https
access-list 102 permit tcp host 192.168.128.78 any eq ftp
access-list 102 permit tcp host 192.168.128.78 any eq 27
access-list 102 permit tcp host 192.168.128.78 any eq www
access-list 102 permit tcp host 192.168.128.78 any eq 5938
access-list 102 permit tcp host 192.168.128.78 any eq 5959
access-list 102 permit tcp host 192.168.128.78 any eq domain
access-list 102 permit ip host 192.168.128.104 any
access-list 102 permit udp host 192.168.128.78 any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.128.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.120.221-192.168.120.225
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp 192.168.128.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.128.104 3389 netmask 255.255.255.255 0 0
access-group ftpin in interface outside
access-group 102 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool ippool
vpngroup mygroup dns-server 192.168.128.60
vpngroup mygroup wins-server 192.168.128.60
vpngroup mygroup default-domain e****
vpngroup mygroup split-tunnel 101
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
vpngroup idle-time idle-time 1800
telnet 192.168.128.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname ***
vpdn group pppoe_group ppp authentication pap
vpdn username *** password ********* store-local
terminal width 80
```


*Client:*
```
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname kr01icr03
domain-name hamburg.praxis
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.221 255.255.255.0
ip address inside 192.168.129.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.129.0 255.255.255.0 inside
pdm location 192.168.128.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.0.250 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.128.0 255.255.255.0 inside
http 192.168.129.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.128.0 255.255.255.0 inside
telnet 192.168.129.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.129.0 255.255.255.0 inside
ssh 192.168.128.0 255.255.255.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpnclient server 85.1**.**.**
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80
```



The show route command gives me this output:

*Server:*
```
kr01icr02# sh route
        outside 0.0.0.0 0.0.0.0 213.191.84.232 1 PPPOE static
        outside 85.1**.**.** 255.255.255.255 85.1**.**.** 1 CONNECT static
        inside 192.168.128.0 255.255.255.0 192.168.128.220 1 CONNECT static
```

*Client:*
```
kr01icr03(config)# sh route
        outside 0.0.0.0 0.0.0.0 192.168.0.250 1 OTHER static
        outside 192.168.0.0 255.255.255.0 192.168.0.221 1 CONNECT static
        inside 192.168.129.0 255.255.255.0 192.168.129.220 1 CONNECT static
```


show access-list shows this:

*Server:*
```
kr01icr02# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list 101; 2 elements
access-list 101 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=12)
access-list 101 line 2 permit ip 192.168.128.0 255.255.255.0 192.168.120.0 255.255.255.0 (hitcnt=0)
access-list ftpin; 2 elements
access-list ftpin line 1 permit tcp any host 192.168.0.220 eq ftp (hitcnt=0)
access-list ftpin line 2 permit tcp any host 192.168.0.220 eq 3389 (hitcnt=0)
access-list 102; 10 elements
access-list 102 line 1 permit tcp host 192.168.128.78 any eq https (hitcnt=3329)
access-list 102 line 2 permit tcp host 192.168.128.78 any eq ftp (hitcnt=0)
access-list 102 line 3 permit tcp host 192.168.128.78 any eq 27 (hitcnt=0)
access-list 102 line 4 permit tcp host 192.168.128.78 any eq www (hitcnt=27)
access-list 102 line 5 permit tcp host 192.168.128.78 any eq 5938 (hitcnt=6)
access-list 102 line 6 permit tcp host 192.168.128.78 any eq 5959 (hitcnt=0)
access-list 102 line 7 permit tcp host 192.168.128.78 any eq domain (hitcnt=0)
access-list 102 line 8 permit ip host 192.168.128.104 any (hitcnt=974)
access-list 102 line 9 permit udp host 192.168.128.78 any eq domain (hitcnt=0)
access-list  dynacl58; 1 elements
access-list  dynacl58 line 1 permit ip 192.168.128.0 255.255.255.0 host 192.168.0.221 (hitcnt=0)
access-list  dynacl59; 1 elements
access-list  dynacl59 line 1 permit ip 192.168.128.0 255.255.255.0 192.168.129.0 255.255.255.0 (hitcnt=8)
```

*Client:*
```
kr01icr03(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
            alert-interval 300
access-list _vpnc_acl; 2 elements
access-list _vpnc_acl line 1 permit ip 192.168.129.0 255.255.255.0 192.168.128.0 255.255.255.0 (hitcnt=19)
access-list _vpnc_acl line 2 permit ip host 192.168.0.221 192.168.128.0 255.255.255.0 (hitcnt=3)
```


If anyone can help me, please do, because it is really urgent that this gets working.
I can't get any further on my own.


----------
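
An added example, not part of the original post: a small evaluator for the server's ACL 102, which the posted config applies to traffic entering the inside interface (`access-group 102 in interface inside`), using first-match semantics with the implicit deny at the end. The PC addresses 192.168.128.50 and 192.168.129.10 are constructed for illustration and do not appear in the post.

```python
import ipaddress

# ACL 102 as posted; the server config binds it with
# "access-group 102 in interface inside".
ACL_102 = """\
access-list 102 permit tcp host 192.168.128.78 any eq https
access-list 102 permit tcp host 192.168.128.78 any eq ftp
access-list 102 permit tcp host 192.168.128.78 any eq 27
access-list 102 permit tcp host 192.168.128.78 any eq www
access-list 102 permit tcp host 192.168.128.78 any eq 5938
access-list 102 permit tcp host 192.168.128.78 any eq 5959
access-list 102 permit tcp host 192.168.128.78 any eq domain
access-list 102 permit ip host 192.168.128.104 any
access-list 102 permit udp host 192.168.128.78 any eq domain
"""
PORTS = {"https": 443, "ftp": 21, "www": 80, "domain": 53}  # port keywords used above

def parse_addr(tok):
    """Consume 'any', 'host A' or 'NET MASK'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        action, proto, *tok = line.split()[2:]   # skip "access-list <name>"
        src, tok = parse_addr(tok)
        dst, tok = parse_addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and (rport is None or rport == dport)):
            return action, n
    return "deny", None

RULES = parse_acl(ACL_102)
# Constructed flows; 192.168.128.50 and 192.168.129.10 are hypothetical PCs.
for flow in [("icmp", "192.168.128.50", "192.168.129.10"),
             ("icmp", "192.168.128.104", "192.168.129.10"),
             ("icmp", "192.168.128.78", "192.168.129.10"),
             ("tcp", "192.168.128.78", "192.168.129.10", 443)]:
    print(flow, "->", evaluate(RULES, *flow))
```

Each result is the action plus the matching line number, which can be compared against the `hitcnt` counters in the posted `sh access-list` output.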

