Category: VPN

CISCO

Building a Private Network with VPDN


With the spread and development of the Internet, IP-based virtual private network technology (IP-Based Virtual Private Networks, IP-VPN) has attracted wide attention and will become an important direction for future network security research and Internet applications. In the past, when an enterprise needed to extend its information network to remote sites and form a WAN, the usual approach was to lease PSTN, X.25, Frame Relay or DDN lines and build a private network. As the reliability and availability of the Internet itself have improved, the Internet now offers the cheapest and most ubiquitous WAN communication; however, the Internet cannot provide the security, bandwidth and quality of service (QoS) guarantees of a private network. People therefore began to study a virtual private network technology that runs on top of the Internet and aims to combine the advantages of both, namely IP-VPN.
IP-VPN technology can be used not only to build an enterprise Intranet and Extranet and to form virtual LANs (VLANs) inside the enterprise network, but also to protect network security.
What is VPDN
VPDN (Virtual Private Dial Network) is a way of building a secure private network over the Internet using dial-up access. On the insecure Internet, secure tunnels can be built with L2F, L2TP, PPTP, GRE and similar methods. The scheme in this article uses L2TP (Layer 2 Tunneling Protocol), the layer-2 tunneling protocol, to connect the central system with its many branches in different locations and form a private network.
Because L2TP itself does not encrypt the data it carries, the network should introduce the IPSec protocol to encrypt the data and prevent malicious interception of, and tampering with, data in transit. IPSec (IP Security) inserts new headers between the IP network layer and the transport layer, providing encryption and authentication for the carried IP packets.
Communication scheme
In Figure 1, branch offices dial in over ordinary telephone lines, which suits the case of numerous, widely distributed branches. The central site uses a VPN router as the L2TP tunnel terminator, and the access server on the Internet and the central router communicate over an encrypted tunnel.

Figure 1: VPDN communication scheme
VPDN performance analysis
The network used by VPDN is the Internet provided by the telecom carrier. Today's Internet generally uses a hierarchical node topology with redundant links and is highly reliable. The probability of an outage between a node and the center is very low, and because fiber is used the throughput is large.
The VPDN access servers are located at the nodes in each prefecture-level city. This segment uses PPP and carries no protection of its own. The main risk on this segment is that wiretapping the telephone line could reveal the user name, password, IP address, transaction data and so on. Of these, the transaction data can be protected by encryption. An intercepted IP address is useless, because we use internal private addresses that cannot be reached from the public network. The risk of user names and passwords being stolen and misused can be reduced by changing them periodically.
Because an IPSec over L2TP tunnel is used between the access server and the central router, packets on the network take the form shown in Figure 2.
The actual network payload (the IP flow in Figure 2) is protected by both IPSec and L2TP. L2TP hides the internal addresses. An attacker capturing the packet on the network sees only the IP addresses of the line interfaces of the access server and the central router, so the data is secure while in transit over the Internet.

Figure 2: Data transmission format on the network
The servers can also be hardened by shutting down every service unrelated to the business and by strengthening password management and system monitoring.
Network construction example
The Internet has enormous throughput. Whether business traffic is blocked depends mainly on whether other high-volume Internet traffic, such as video on demand, or malicious broadcast attacks congest the network.
In this scheme the access server provides 56 kbps access.
Communication quality depends mainly on the telephone line segment from the branch to the access server. To keep long data sessions from being interrupted, the system uses good-quality telephone lines.
The experimental system is shown in Figure 1.
The Internet access server is a Cisco 5800 and the central router a Cisco 2620, with IPSec encryption and decryption done in software.
In this scheme the IP address of the central router's line interface is public on the Internet. By shutting down unnecessary services, strengthening password management and applying an access list on the interface that permits only the traffic related to the specific business, illegal intrusion into the router is made essentially impossible.
Experimental results show that VPDN access is stable and reliable: pinging the central server from a branch gives an average response time of 210 ms and a maximum under 1000 ms, which basically meets the requirements of ordinary transaction processing.

DMVPN Explained


totle

2007-12-24, 16:29

Author: ZHL, 泰克实验室 (Tech-Lab)

Source: http://bbs.tech-lab.cn/viewthread.php?tid=31261 (when reposting, please credit the source or this net130 board)

Secure data transmission over the Internet through IPSec tunnels is currently the main solution for communication between a company's headquarters and its branches. I won't go into its business value here; any random document will go on about that for ages.

An IPSec network topology can be hub-and-spoke or full mesh. In practice, most traffic flows between the branches and the center, with less between branches, so hub-and-spoke is usually the most common, and it is cheaper: hub-and-spoke uses fewer point-to-point links than full mesh, which reduces line costs.

In a hub-and-spoke topology, spoke-to-spoke connectivity costs no additional communication fees. But spoke-to-spoke traffic must cross the hub, which consumes hub resources and adds delay. Especially with IPSec encryption, the hub must decrypt on the tunnel from the sending spoke and re-encrypt on the tunnel to the receiving spoke. Another case: the two communicating spokes are in the same city while the hub is in another city, which introduces unnecessary delay.

As a hub-and-spoke IPSec network keeps growing, traditional VPN configuration becomes ever more cumbersome and harder to maintain and troubleshoot. Dynamic routing of IP packets therefore becomes very meaningful.

But there is a fundamental problem between IPSec tunnels and dynamic routing protocols: dynamic routing protocols rely on multicast or broadcast packets for routing updates, and IPSec tunnels do not support encrypting multicast or broadcast packets.

This is where the concept of Dynamic Multipoint VPN (DMVPN) comes in.

Two protocols are introduced here: GRE and NHRP.

GRE: Generic Routing Encapsulation, defined by the IETF in RFC 2784. It is a protocol that can encapsulate any network-layer protocol inside any other network-layer protocol. GRE wraps the payload in a GRE packet, then encapsulates that GRE packet in the transport protocol of the actual application for forwarding. (My take: GRE is like the packer on a trojan. ^_^)

IPSec does not support broadcast and multicast transmission, but GRE carries broadcast and multicast packets to the far end very well, and the GRE tunnel packets themselves are unicast. This means GRE tunnel packets can be encrypted by IPSec, i.e. GRE over IPSec.

By combining GRE tunnels with IPSec encryption, a dynamic routing protocol updates the routing tables on the routers at both ends of the encrypted tunnel. Subnets learned from the tunnel peer appear in the routing table with the peer's tunnel IP address as the next hop to reach them. Thus, whenever the network at either end of the tunnel changes, the other end learns the change dynamically and keeps connectivity without any change to the router configuration.

IPSec uses an access control list (ACL) to match interesting traffic. When a packet matches the defined ACL, the IPSec encrypted tunnel is established. With GRE over IPSec, the GRE tunnel configuration already includes the GRE peer address, which is also the IPSec peer address, so there is no need to define a separate matching ACL for IPSec. By binding the GRE tunnel to IPSec, IPSec encryption is triggered as soon as the GRE tunnel comes up. When IPSec encrypts GRE packets, IPSec can be configured in transport mode, because GRE has already encapsulated the original packet in a unicast IP packet and there is no need for IPSec to add another header.

GRE's properties let IPSec run dynamic protocols too. With this, the history of IPSec not supporting dynamic routing is changed, and the "multipoint" in DMVPN is taken care of.

Next, let's see how the "dynamic" property is introduced.

GRE builds the tunnel and IPSec handles the encryption part of the VPN. To build a GRE tunnel, one end must know the IP address of the other end, and that address must be routable on the Internet. This requires the hub and all spoke routers to have static public IP addresses.

But applying to an ISP for a static IP address is very expensive. Usually, to conserve address space and improve utilization, whether on ADSL or direct cable access, the ISP assigns dynamic IP addresses via DHCP. (Note: address scarcity caused by the IPv4 bottleneck. IPv6 will not have this problem; it claims it can give every grain of sand on earth an IP address, quite a boast.)

Clearly, GRE+IPSec needs to know the IP addresses of both tunnel ends, but the spoke router's WAN interface address is dynamically assigned by its local ISP and differs on each dial-in. The GRE tunnel cannot be built, so the VPN still cannot work.

So, having whetted everyone's appetite, NHRP makes its grand entrance to meet market demand before the eagerly waiting crowd. Give it some applause. Clap clap clap......

NHRP: Next Hop Resolution Protocol, defined by the IETF in RFC 2332. It solves how a source node (host or router) on a non-broadcast multi-access (NBMA) network obtains the internetwork-layer address and NBMA subnetwork address of the "next hop" toward a destination node.

Now let's look together at how NHRP solves the static IP address problem and makes the VPN "dynamic":

1. Dynamic spoke-to-hub tunnel establishment

In a DMVPN network, the hub router has no GRE or IPSec configuration about the spokes, while the spoke routers must configure the GRE tunnel based on the hub router's public IP address and the NHRP protocol.

When a spoke router powers up, it obtains an IP address from the ISP via DHCP, automatically builds an IPSec-encrypted GRE tunnel, and registers its WAN interface IP address with the hub router via NHRP (rather like a reverse connection).

There are three reasons for this: (1) Since the spoke router's WAN interface address is obtained automatically and may differ each time it comes online, the hub router cannot be configured based on that address. (2) The hub router need not configure GRE or IPSec information for every spoke separately, which greatly simplifies the hub configuration; all relevant information is obtained automatically via NHRP (i.e. the spokes report their own characteristics to the hub). (3) When the DMVPN network expands, the hub and the other spoke routers need no configuration changes. Through the dynamic routing protocol, a newly added spoke router registers with the hub automatically, so all other spokes learn this new route, and the new spoke learns the routes to all the other routers, until convergence. (The hub router is like an OSPF DR.)

2. Dynamic spoke-to-spoke tunnel establishment

In a DMVPN network, a spoke-to-hub tunnel persists once established, but no persistent tunnels need to be configured directly between spokes. When one spoke needs to send packets to another, it uses NHRP to dynamically obtain the destination spoke's IP address. In this process the hub router acts as the NHRP server, answering NHRP requests and providing the source spoke with the destination spoke's public address. The two spokes then dynamically build an IPSec tunnel over their mGRE interfaces for data transfer. The tunnel is torn down automatically after a predefined period.

In a DMVPN network the spoke-to-hub tunnel persists once established, while no persistent tunnel exists between spokes. So after the routers initialize, the hub advertises reachable routes for the other spokes' subnets to each spoke over the persistent tunnels. At this point it seems both the "multipoint" and "dynamic" problems are solved and DMVPN should work, right?!

Not so! At this point, the "next hop" for other spoke subnets in a spoke router's routing table is still the hub router's tunnel interface address, not the other spoke router's tunnel interface address. As a result, spoke-to-spoke traffic still goes through the hub.

To solve this, the hub router must be set so that when it advertises a spoke subnet's route on the mGRE tunnel interface, the "next hop" is that spoke router's tunnel interface address rather than the hub's own address.

Distance-vector routing protocols such as RIP and EIGRP usually implement split horizon, which stops routing information from being sent back out the interface it was received on, to avoid routing loops on neighboring routers. If RIP or EIGRP runs on a DMVPN network, split horizon must be disabled; otherwise spoke routers cannot learn routes to other spoke subnets.

For RIP, no split horizon is all it takes, because when RIP sends a route back out the interface it came from, the "next hop" is not changed and stays the original address (i.e. the target address).

But when EIGRP sends a route back out the interface it came from, it changes the "next hop" to that interface's own address, so this feature must be disabled. (EIGRP is a Cisco proprietary protocol; the IOS command to disable this feature is no ip next-hop-self eigrp.)

OSPF is a link-state routing protocol and has no split horizon issue by itself. But when configuring the OSPF network type, use broadcast rather than point-to-multipoint; otherwise the same problem occurs. Also note that the DMVPN hub must be configured as the OSPF designated router (DR), which can be done by giving the hub a higher OSPF priority.

Finally, a summary of the overall DMVPN solution

DMVPN is implemented by combining multipoint GRE (mGRE) and the Next Hop Resolution Protocol (NHRP) with IPSec. In the DMVPN solution, IPSec provides encryption, GRE or multipoint GRE (mGRE) builds the tunnels, and NHRP solves the dynamic address problem of the spoke nodes. DMVPN only requires the hub node to have a static public IP address. (If DNS were used, couldn't the hub be dynamic too?)

GRE tunnels support multicast/broadcast IP packets inside the tunnel, so a DMVPN network supports running dynamic routing protocols over IPSec and mGRE tunnels. Note that NHRP must be configured with dynamic multicast mapping, so that when a spoke router registers its unicast mapping with the NHRP server (the hub), NHRP also creates a multicast/broadcast mapping for that spoke.
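Added example, not code from the thread or from Cisco: a Python model of the spoke-to-hub registration, hub-served NHRP resolution and next-hop behaviour described above. It shows why spoke-to-spoke traffic keeps hairpinning through the hub until the hub stops rewriting the next hop (no ip next-hop-self on EIGRP). All names and addresses are constructed for the example.

```python
"""Model of DMVPN spoke-to-spoke forwarding (added example, not from the thread).

Three pieces from the explanation are modelled: NHRP registration of each spoke's
tunnel-to-NBMA mapping at the hub, the hub re-advertising spoke subnets to the
other spokes (split horizon off), and the hub either keeping or rewriting the
next hop of those routes. All addresses below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str
    next_hop: str  # tunnel (inside) address of the router to forward to


@dataclass
class Spoke:
    name: str
    tunnel_ip: str   # address on the mGRE tunnel interface
    nbma_ip: str     # public address obtained from the ISP (may change)
    lan: str         # subnet behind the spoke
    routes: List[Route] = field(default_factory=list)
    nhrp_cache: Dict[str, str] = field(default_factory=dict)  # tunnel ip -> nbma ip


class Hub:
    """The hub: NHRP server (NHS) and route reflector for the spokes."""

    def __init__(self, tunnel_ip: str, nbma_ip: str, next_hop_self: bool):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.next_hop_self = next_hop_self  # EIGRP default; "no ip next-hop-self" turns it off
        self.nhrp_table: Dict[str, str] = {}
        self.spokes: List[Spoke] = []

    def register(self, spoke: Spoke) -> None:
        """Spoke-to-hub: the spoke registers its current NBMA address with the NHS."""
        self.nhrp_table[spoke.tunnel_ip] = spoke.nbma_ip
        spoke.nhrp_cache[self.tunnel_ip] = self.nbma_ip  # static hub mapping on the spoke
        if spoke not in self.spokes:
            self.spokes.append(spoke)

    def advertise(self) -> None:
        """Send each spoke the other spokes' subnets (needs split horizon disabled)."""
        for target in self.spokes:
            target.routes = [
                Route(src.lan, self.tunnel_ip if self.next_hop_self else src.tunnel_ip)
                for src in self.spokes if src is not target
            ]

    def resolve(self, tunnel_ip: str) -> Optional[str]:
        """Answer an NHRP resolution request: tunnel address -> NBMA address."""
        return self.nhrp_table.get(tunnel_ip)


def outer_destination(src: Spoke, hub: Hub, dst_ip: str) -> Optional[str]:
    """Return the public address the spoke's GRE/IPsec packet is sent to for dst_ip."""
    dst = ip_address(dst_ip)
    matches = [r for r in src.routes if dst in ip_network(r.prefix)]
    if not matches:
        return None
    best = max(matches, key=lambda r: ip_network(r.prefix).prefixlen)  # longest match
    if best.next_hop not in src.nhrp_cache:
        # spoke-to-spoke: ask the NHS for the next hop's NBMA address, then tunnel directly
        nbma = hub.resolve(best.next_hop)
        if nbma is None:
            return None
        src.nhrp_cache[best.next_hop] = nbma
    return src.nhrp_cache[best.next_hop]


def scenario(next_hop_self: bool) -> Optional[str]:
    """Where does spoke A send traffic for a host on spoke B's LAN? (constructed addresses)"""
    hub = Hub("10.0.0.1", "203.0.113.1", next_hop_self)
    a = Spoke("A", "10.0.0.2", "198.51.100.20", "192.168.10.0/24")
    b = Spoke("B", "10.0.0.3", "198.51.100.30", "192.168.20.0/24")
    for spoke in (a, b):
        hub.register(spoke)
    hub.advertise()
    return outer_destination(a, hub, "192.168.20.7")


if __name__ == "__main__":
    print("next-hop-self on :", scenario(True))   # hub's public address: hairpins via the hub
    print("next-hop-self off:", scenario(False))  # spoke B's public address: direct tunnel
```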


cxs-kk

2007-12-25, 09:40

Simply put, the core of DMVPN is NHRP.

NHRP is similar to ARP. ARP resolves IP addresses to MAC addresses; in DMVPN, NHRP resolves internal VPN addresses to NBMA addresses (external addresses).

The resolution process is:

1. NHRP has an NHRP server and NHRP clients.

2. The server must have a static address; clients can have dynamic addresses.

3. After a client powers up it obtains a public address from the ISP.

4. The client registers its address with the server.

5. When a client needs to communicate with another client, it sends a resolution request toward the server.

6. When the server receives the resolution request it forwards it to the corresponding client.

7. That client sends a resolution reply to the requesting client.

Note: 1. Throughout this process the packets are processed by the VPN, because a client must first establish a VPN connection with the server.

2. DMVPN phase 1, phase 2 and phase 3 differ in processing flow and functionality.

The above is my personal understanding; discussion is welcome.


xiaoyonng

2007-12-25, 12:50

OK.


totle

2007-12-25, 18:44

When a client registers with the server, it mainly registers its own tunnel address and obtains the NHRP resolution of the server's tunnel address. This is the first-stage registration; the second stage is when the client accesses a network segment whose route points to the tunnel: it must go to the server again to request the NHRP resolution of the address.


cxs-kk

2007-12-27, 09:59

Dynamic VPN configuration (DMVPN)

Configuration steps:

1. Use mGRE encapsulation instead of point-to-point GRE encapsulation to reduce the number of manually configured tunnels and integrate effectively with NHRP.

2. mGRE's dynamic next-hop resolution is done through NHRP, so that temporary tunnels between the protected networks can be built dynamically (the protected networks must be advertised or redistributed by routing).

3. Use an ipsec profile to implement the IPsec automatic proxy function: protect the GRE-encapsulated traffic and encrypt the temporary tunnels between protected networks that NHRP and the dynamic routing protocol establish (because the peers are dynamic, the IKE remote peer IP is 0.0.0.0).

Example:

Headquarters Cisco router

Required configuration (other unrelated configuration is omitted here)

crypto isakmp policy 1
 authentication pre-share
! 0.0.0.0 0.0.0.0: the same pre-shared key is accepted from any peer address
crypto isakmp key ikeadmin address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set jiang esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnconfig
 set transform-set jiang
!
interface Tunnel0
 bandwidth 2000
 ip address 10.0.0.1 255.255.255.0
 ! note the MTU setting
 ip mtu 1436
 ! NHRP authentication; once matched, the mGRE attributes are applied
 ip nhrp authentication dmvpnkey
 ! let NHRP add spoke routers to the multicast NHRP mapping group automatically
 ip nhrp map multicast dynamic
 ! enable NHRP; once matched, the mGRE attributes are applied
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ! when using EIGRP, disable split horizon
 no ip split-horizon eigrp 1
 ! when using EIGRP, allow direct dynamic spoke-to-spoke tunnels
 no ip next-hop-self eigrp 1
 delay 1000
 tunnel source Ethernet1
 ! set the tunnel interface encapsulation to mGRE
 tunnel mode gre multipoint
 ! tunnel key: IOS only accepts a number here, so the original "daoyou" is replaced
 ! by the placeholder 100; the spokes must use the same value
 tunnel key 100
 ! bind the IPsec profile to the tunnel interface
 tunnel protection ipsec profile vpnconfig
!
interface Ethernet1
 ip address 218.4.x.2 255.255.255.224
!
interface Ethernet0
 ip address 192.168.2.253 255.255.255.0
!
router eigrp 1
 ! EIGRP takes no "area" keyword (that is OSPF syntax), so the original "area 0" is dropped;
 ! the LAN statement is corrected to cover Ethernet0 (192.168.2.0/24)
 network 10.0.0.0 0.0.0.255
 network 192.168.2.0 0.0.0.255

Branch office router configuration

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ikeadmin address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set jiang esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnconfig
 set transform-set jiang
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication dmvpnkey
 ip nhrp map 10.0.0.1 218.4.x.2
 ip nhrp map multicast 218.4.x.2
 ip nhrp network-id 99
 ip nhrp holdtime 60
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1436
 tunnel source Dialer0
 tunnel destination 218.4.x.2
 ! numeric placeholder replacing the original "daoyou" (IOS requires a number); must match the hub
 tunnel key 100
 ! the original referenced the profile "vpnprof", which is never defined; the profile above is vpnconfig
 tunnel protection ipsec profile vpnconfig
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 no ip address
 speed auto
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Dialer0
 mtu 1436
 bandwidth 2048
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username sz3343535@163.gd password 7
!
! added for completeness: the hub runs EIGRP 1 over the tunnel, so the spoke must as well
! (the original post omitted the routing process); 192.168.0.0/24 is the spoke LAN
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 no auto-summary
!
dialer-list 1 protocol ip permit
ip nat inside source list 100 interface Dialer0 overload

Cisco ASA EzVPN (Easy VPN) asa server asa client


Cisco ASA EzVPN (Easy VPN) Configuration with radius Authentication


Central ASA Configuration (Main Site, HQ Side):
!
ASA Version 7.2(2)
!
hostname asa01
domain-name stknetwork.local
!
!
![CONFIGURATION LEFT]
!
!
ip local pool remoteuserspool 10.10.230.5-10.10.230.254 mask 255.255.255.0
!
!
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.0.0 255.255.0.0
!
!
![CONFIGURATION LEFT]
!
!
aaa-server IASonFS protocol radius
aaa-server IASonFS host 192.168.0.80
key radius
radius-common-pw radius
aaa-server IASonFS host 192.168.0.81
key radius
radius-common-pw radius
group-policy GPRadius external server-group IASonFS password radius
group-policy remoteusers internal
group-policy remoteusers attributes
dns-server value 192.168.0.80 192.168.0.81
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl
default-domain value stknetwork.local
secure-unit-authentication disable
user-authentication disable
nem enable

vpn-group-policy remoteusers
vpn-tunnel-protocol IPSec
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
sysopt connection tcpmss 1300
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
address-pool remoteuserspool
authentication-server-group IASonFS
default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
pre-shared-key XXXXXXXXXXXXXX

------------------------------
Remote ASA Configuration (Client, SOHO Side):
ASA Version 7.2(2)18
!
hostname asa02
domain-name stknetwork.local
enable password XXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.90.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXXXX encrypted
boot system disk0:/asa722-18-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.0.80
name-server 192.168.0.81
domain-name stknetwork.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list mss_allow_list extended permit tcp any any
!
tcp-map tcp-mss-map
exceed-mss allow
!
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging asdm-buffer-size 512
logging monitor informational
logging buffered debugging
logging asdm informational
mtu inside 1360
mtu outside 1360
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.90.0 255.255.255.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username administrator password GVvTOu/kpeLaqalx encrypted privilege 3
username mtfinfo password MYQDFAlDSjEkN2Bo encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 outside
sysopt connection tcpmss 1300
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 59
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.90.100-10.10.90.170 inside
dhcpd dns 192.168.0.80 192.168.0.81 interface inside
dhcpd domain stknetwork.local interface inside
dhcpd enable inside
!
vpnclient server 2.2.2.2
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup remoteusers password XXXXXXXX
vpnclient username advpnuser password XXXXXXXX
vpnclient enable

priority-queue inside
queue-limit   1200
tx-ring-limit 120
priority-queue outside
queue-limit   1200
tx-ring-limit 120
!
class-map inspection_default
match default-inspection-traffic
class-map outside-qos-class
match dscp ef
match tunnel-group DefaultRAGroup
class-map mss-map
match access-list mss_allow_list
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ctiqbe
inspect http
policy-map outside-policy
class outside-qos-class
priority
class mss-map
set connection advanced-options tcp-mss-map
policy-map mss-map
class mss-map
set connection advanced-options tcp-mss-map
!
service-policy global_policy global
service-policy outside-policy interface outside
ntp server 129.132.2.21 source outside prefer
smtp-server 192.168.0.81
prompt hostname context
Cryptochecksum:0333d4b9ed0b50d8c6364f206afdad2f
: end

Last Updated on Friday, 15 May 2009 20:58
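Added example, not from any of the posts on this page: a small Python audit that reads Cisco IOS-style crypto configuration and flags the weak settings found in the configurations above, such as the esp-des / esp-md5-hmac transform set and wildcard pre-shared keys in the DMVPN post, the 3DES / DH group 2 ISAKMP policy in the ASA configuration, and ISAKMP policies that omit encryption, hash or group and so silently take the IOS defaults (DES, SHA-1, group 1). The embedded configuration is constructed for the example, and sub-commands are assumed to be indented by one space as in IOS running-config output.

```python
"""Flag weak IKE/IPsec settings in Cisco IOS-style crypto configuration (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the transform sets and ISAKMP policies on this page.
# Sub-commands are assumed to be indented by one space, as in IOS running-config output.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ikeadmin address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set jiang esp-des esp-md5-hmac
 mode transport
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 20
 authentication pre-share
 encryption aes 256
 hash sha
 group 14
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
"""

WEAK_ESP = {"esp-des": "single DES", "esp-3des": "3DES", "esp-null": "no encryption",
            "esp-md5-hmac": "HMAC-MD5"}
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
# "address 0.0.0.0" or "address 0.0.0.0 0.0.0.0": one pre-shared key for every peer
WILDCARD_PSK = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0(\s+0\.0\.0\.0)?$")


def check_policy(line_no: int, settings: Dict[str, str]) -> List[str]:
    """Evaluate one ISAKMP policy. Parameters the policy omits take the IOS defaults
    (DES, SHA-1, DH group 1), which is why a bare 'authentication pre-share' policy is weak."""
    out = []
    encryption = settings.get("encryption", "des (default)")
    group = settings.get("group", "1 (default)")
    if encryption.split()[0] in WEAK_IKE_ENCRYPTION:
        out.append(f"line {line_no}: isakmp policy uses weak encryption {encryption}")
    if settings.get("hash") == "md5":
        out.append(f"line {line_no}: isakmp policy uses MD5 hash")
    if group.split()[0] in WEAK_DH_GROUPS:
        out.append(f"line {line_no}: isakmp policy uses weak DH group {group}")
    return out


def audit(config_text: str) -> List[str]:
    """Return human-readable findings, each prefixed with the offending config line number."""
    findings: List[str] = []
    policy: Optional[Tuple[int, Dict[str, str]]] = None  # ISAKMP policy currently being read
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if raw.startswith(" "):
            if policy is not None:
                parts = line.split(None, 1)
                if parts and parts[0] in ("encryption", "hash", "group"):
                    policy[1][parts[0]] = parts[1] if len(parts) > 1 else ""
            continue
        # any top-level line closes the policy block that was open
        if policy is not None:
            findings.extend(check_policy(*policy))
            policy = None
        if line.startswith("crypto isakmp policy"):
            policy = (line_no, {})
        elif WILDCARD_PSK.match(line):
            findings.append(f"line {line_no}: wildcard pre-shared key shared with any peer")
        elif line.startswith("crypto ipsec transform-set"):
            for token in line.split()[3:]:  # skip "crypto ipsec transform-set"
                if token in WEAK_ESP:
                    findings.append(f"line {line_no}: transform-set uses {WEAK_ESP[token]} ({token})")
    if policy is not None:
        findings.extend(check_policy(*policy))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```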

DDN Interconnect with a VPN as Backup: Configuration Example


They replied that their tests showed no problem. I checked again: the interface protocols and ports were all UP, but it still could not be PINGed. I contacted the telecom once more, and they agreed to send people to both ends at the same time. While waiting for the telecom staff, I also looked at the router interfaces and the HDSL unit and noticed its light was blinking yellow. I felt the problem should be there but could not be sure at the time (since I normally pay little attention to the equipment the telecom provides and only care about our own products, I can't say how confident I was, but on a hunch I suspected the fiber had been plugged in reversed; anyway, nothing to lose, so we swapped the two ends, and sure enough the light turned green, and pinging the Beijing-side router from the router worked, a pleasant surprise!). With some routing settings, the user's requirement was fully met: traffic leaving the Shenzhen end for the Internet over the DDN line passes through SV2000 authentication at the Beijing end. With that, the DDN part was basically complete.


Beijing-side VPN configuration:

ISAKMP configuration:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic

Transform set configuration:

crypto ipsec transform-set cisco esp-3des esp-md5-hmac

Dynamic crypto map configuration:

crypto dynamic-map cisco 10
 set transform-set cisco
 match address 100

Add the dynamic crypto map to the crypto map:

crypto map cisco 10 ipsec-isakmp dynamic cisco

Apply the crypto map to the interfaces:

interface FastEthernet0/1
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 crypto map cisco
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname *
 ppp chap password 0 *
 ppp pap sent-username * password 0 *
 crypto map cisco

Define the traffic to be encrypted:

access-list 100 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.7.0 0.0.0.255 any
access-list 100 deny ip 192.168.8.0 0.0.0.255 any
access-list 100 deny ip 192.168.9.0 0.0.0.255 any
access-list 100 deny ip 192.168.11.0 0.0.0.255 any

Define the addresses that must not be NAT-translated:

access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any

Shenzhen-side VPN configuration:

ISAKMP configuration:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 222.128.50.112
crypto isakmp keepalive 30 10 periodic

Transform set configuration:

crypto ipsec transform-set cisco esp-3des esp-md5-hmac

Crypto map configuration:

crypto map cisco 10 ipsec-isakmp
 set peer 222.128.50.112
 set transform-set cisco
 match address 100

Apply the crypto map to the interfaces:

interface FastEthernet0/1
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 crypto map cisco
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname *
 ppp chap password 0 *
 ppp pap sent-username * password 0 *
 crypto map cisco

Define the traffic to be encrypted:

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 any

Define the addresses that must not be NAT-translated:

access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit

Many problems were encountered during the whole VPN setup. The main reason was that at the start of building the VPN, the customer did not agree to use two independent lines for it and wanted to build the VPN through NAT over the Beijing end's existing Internet line. That inevitably has many consequences, because going from the 3640 through NAT to the existing 2801 requires three NAT translations, which raises security and translation issues. Because of the customer's time and security concerns, I could not get management rights on those three devices; everything had to be done by them, and in the end I could not confirm whether their PIX and SV2000 were configured correctly, so building the whole VPN failed. Since the DDN had already been put into normal use, there was not much time left for this kind of testing and experimentation, so I could only suggest that the customer apply for an ADSL line with a fixed IP at the Beijing end. With independent external lines at both ends, the VPN came up successfully on the first try. But in testing, after a SHUTDOWN of S0/2/0 the VPN came up immediately to take over from the DDN, and after NO SHUTDOWN the DDN line came back; yet when S0/2/0 was SHUTDOWN again, the VPN could not establish a connection, and DEBUG kept showing: *Mar 25 15:47:45.423: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 61.144.56.100 dst 61.144.56.101 for SPI 0x3A7B69BF. That basically confirmed the problem was in ISAKMP, so I started there. Checking the Cisco website, the conclusion was roughly that ISAKMP has a lifetime; within that lifetime one end's ISAKMP SA had not yet expired while the other end was trying to establish a connection with a new ISAKMP SA, producing a mismatch that caused the VPN setup to fail. By adding the ISAKMP KEEPALIVE setting at both ends the problem was finally resolved and normal switchover was achieved.

3. DDN/VPN switchover configuration

Beijing-side switchover configuration:

! create monitor group 1 to probe the Shenzhen-side IP
ip sla monitor 1
 ! send ICMP echo probes to the Shenzhen-side IP
 type echo protocol ipIcmpEcho 192.168.100.2
 ! timeout 999 ms
 timeout 999
 ! send one probe (every second)
 frequency 1
! define the monitor group's schedule: life forever, start now
ip sla monitor schedule 1 life forever start-time now
! define the track object
track 1 rtr 1 reachability
ip route 192.168.10.0 255.255.255.0 192.168.100.2 60 track 1
ip route 0.0.0.0 0.0.0.0 192.168.8.254 60 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 70
ip route 192.168.7.0 255.255.255.0 192.168.8.254 70
ip route 192.168.9.0 255.255.255.0 192.168.8.254 70
ip route 192.168.11.0 255.255.255.0 192.168.8.254 70

These few routes are the key to the whole line switchover and recovery; they are described in order.

When the DDN is normal, by default all traffic to the Shenzhen end goes out port S0/2/0, and TRACK 1 decides whether this route is placed in the routing table.

When the DDN is normal, all traffic coming from the Shenzhen end is forwarded to the SV2000's LAN port, providing authentication for Shenzhen's Internet access and routing between the Shenzhen and Beijing ends; TRACK 1 decides whether this route is placed in the routing table.

When the DDN goes down, TRACK 1 detects it and the S0/2/0 route is withdrawn by default; this route is then placed in the routing table, the VPN between the two ends is built, and it takes over the DDN's business. When TRACK 1 detects that the DDN has recovered, this route is removed from the routing table again.

The remaining routes work basically like the previous one, only matching more specifically how traffic is forwarded once the VPN is up, providing routing between the Shenzhen and Beijing internal networks.

Result:

Over the leased line:

pekru020#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.8.254 to network 0.0.0.0

     222.128.50.0/32 is subnetted, 2 subnets
C       222.128.50.112 is directly connected, Dialer1
C       222.128.50.65 is directly connected, Dialer1
C    192.168.8.0/24 is directly connected, FastEthernet0/0
S    192.168.9.0/24 [70/0] via 192.168.8.254
S    192.168.10.0/24 [60/0] via 192.168.100.2
S    192.168.11.0/24 [70/0] via 192.168.8.254
S    192.168.7.0/24 [70/0] via 192.168.8.254
C    192.168.100.0/24 is directly connected, Serial0/2/0
S*   0.0.0.0/0 [60/0] via 192.168.8.254

Over the VPN:

pekru020#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     222.128.50.0/32 is subnetted, 2 subnets
C       222.128.50.112 is directly connected, Dialer1
C       222.128.50.65 is directly connected, Dialer1
C    192.168.8.0/24 is directly connected, FastEthernet0/0
S    192.168.9.0/24 [70/0] via 192.168.8.254
S    192.168.11.0/24 [70/0] via 192.168.8.254
S    192.168.7.0/24 [70/0] via 192.168.8.254
S*   0.0.0.0/0 is directly connected, Dialer1

Automatic line switchover and recovery are fully achieved.

Shenzhen-side switchover configuration:

ip sla monitor 1
 type echo protocol ipIcmpEcho 192.168.100.1
 timeout 999
 frequency 1
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 192.168.100.1 60 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 70

The Shenzhen end is relatively simple; the configuration principle is the same as at the Beijing end, so it is not elaborated here.

One point needs special attention: with digital lines such as those provided by the telecom, a monitor group must be used to check whether the service is interrupted. When one end goes down, the other end's link is connected to the carrier's equipment, so as long as the line between the customer and the carrier is normal, the protocol and port at that other end stay UP; the route with administrative distance 60 would then not be removed from the routing table in time, and the route with administrative distance 70 would not be installed.
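Added example, not part of the original post and not router code: a Python model of the tracked floating static routes above. It shows which routes are installed while the IP SLA probe succeeds and after it fails, and what happens when the track object is ignored, as a plain static route on an interface that still reports UP would behave. The probe histories are constructed inputs.

```python
"""Model of tracked floating static routes (added example, not from the post).

The six "ip route" lines are the Beijing-side routes quoted above. The RIB keeps,
per prefix, the candidate with the lowest administrative distance among the routes
whose track object is up, so losing the DDN probe moves traffic to the AD 70 routes
over Dialer1 (the VPN) and back again once the probe succeeds.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str                # next-hop address or exit interface
    distance: int                # administrative distance
    track: Optional[int] = None  # track object that must be up for the route to be installed


# The six "ip route" statements from the Beijing-side switchover configuration
BEIJING_ROUTES = [
    StaticRoute("192.168.10.0/24", "192.168.100.2", 60, track=1),
    StaticRoute("0.0.0.0/0", "192.168.8.254", 60, track=1),
    StaticRoute("0.0.0.0/0", "Dialer1", 70),
    StaticRoute("192.168.7.0/24", "192.168.8.254", 70),
    StaticRoute("192.168.9.0/24", "192.168.8.254", 70),
    StaticRoute("192.168.11.0/24", "192.168.8.254", 70),
]


def track_state(probe_rtts_ms: List[Optional[float]], timeout_ms: int = 999) -> Dict[int, bool]:
    """'track 1 rtr 1 reachability': up only if the latest echo was answered within the timeout.
    A None entry models a lost probe (constructed input, not router output)."""
    last = probe_rtts_ms[-1] if probe_rtts_ms else None
    return {1: last is not None and last <= timeout_ms}


def build_rib(routes: List[StaticRoute], tracks: Dict[int, bool],
              honor_track: bool = True) -> Dict[str, StaticRoute]:
    """Install, per prefix, the candidate with the lowest administrative distance.
    honor_track=False makes the routes behave as if no track object were attached,
    i.e. like a plain static route whose interface still reports UP after the far end fails."""
    rib: Dict[str, StaticRoute] = {}
    for route in routes:
        if honor_track and route.track is not None and not tracks.get(route.track, False):
            continue  # tracked route withdrawn while the probe fails
        current = rib.get(route.prefix)
        if current is None or route.distance < current.distance:
            rib[route.prefix] = route
    return rib


def paths_to_shenzhen(probe_rtts_ms: List[Optional[float]]
                      ) -> Tuple[Optional[StaticRoute], StaticRoute]:
    """Return (route to 192.168.10.0/24 or None, default route) for a given probe history."""
    rib = build_rib(BEIJING_ROUTES, track_state(probe_rtts_ms))
    return rib.get("192.168.10.0/24"), rib["0.0.0.0/0"]


if __name__ == "__main__":
    for label, history in (("DDN up  ", [12.0, 11.0, 13.0]), ("DDN down", [12.0, None])):
        specific, default = paths_to_shenzhen(history)
        via = specific.next_hop if specific else "(falls to the default route)"
        print(f"{label}: 192.168.10.0/24 via {via}; default via {default.next_hop} [{default.distance}]")
```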

Sharing a DMVPN Configuration Experiment I Did (安魂曲)


Sharing a DMVPN configuration experiment I did

Experiment environment:
Three 3640 routers plus one 3640 emulating a switch, in a hub-and-spoke structure
IOS used: c3640-jk9o3s-mz.124-10a.bin
Topology: see the attachment
Configuration as follows:

HUB:
hostname HUB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile vpn
set transform-set myset
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.16.1 255.255.255.0
no ip redirects
ip mtu 1416
no ip next-hop-self eigrp 1
ip nhrp authentication nhrp-pwd
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile vpn
!
interface Ethernet0/0
ip address 172.16.16.1 255.255.255.0
full-duplex
!
router eigrp 1
network 1.0.0.0
network 192.168.16.0
no auto-summary
!
ip http server
no ip http secure-server
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!

Spoke A:
hostname Spoke1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile vpn
set transform-set myset
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
ip address 192.168.16.2 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication nhrp-pwd
ip nhrp map 192.168.16.1 172.16.16.1
ip nhrp map multicast 172.16.16.1
ip nhrp network-id 1
ip nhrp nhs 192.168.16.1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile vpn
!
interface Ethernet0/0
ip address 172.16.16.2 255.255.255.0
full-duplex
!
router eigrp 1
network 2.0.0.0
network 192.168.16.0
no auto-summary
!
ip http server
no ip http secure-server
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

Spoke B:
hostname Spoke2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile vpn
set transform-set myset
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 192.168.16.3 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication nhrp-pwd
ip nhrp map 192.168.16.1 172.16.16.1
ip nhrp map multicast 172.16.16.1
ip nhrp network-id 1
ip nhrp nhs 192.168.16.1
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile vpn
!
interface Ethernet0/0
ip address 172.16.16.3 255.255.255.0
full-duplex
!
!
router eigrp 1
network 3.0.0.0
network 192.168.16.0
no auto-summary
!
ip http server
no ip http secure-server
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

Purpose of the experiment: to understand how DMVPN works and the two-phase operation of IPsec/ISAKMP.
Test result: show crypto isakmp sa and show crypto ipsec sa confirm both phases and show the dynamically created tunnel between Spoke A and Spoke B.
[This post was last edited by 安魂曲 on 2007-7-12 15:46] Attachment: DMVPN1.jpg (24.49 KB)

2007-7-12 15:18


PIX/ASA Password Recovery


Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

To recover passwords, perform the following steps:

Step 1 Connect to the security appliance console port according to the “Accessing the Command-Line Interface” section on page 2-4.

Step 2 Power off the security appliance, and then power it on.

Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.

Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:

rommon #1> confreg

The security appliance displays the current configuration register value, and asks if you want to change the value:

Current Configuration Register: 0x00000011

Configuration Summary:

boot TFTP image, boot default image from Flash on netboot failure

Do you wish to change this configuration? y/n [n]:

Step 5 Record your current configuration register value, so you can restore it later.

Step 6 At the prompt, enter Y to change the value.

The security appliance prompts you for new values.

Step 7 Accept the default values for all settings, except for the “disable system configuration?” value; at that prompt, enter Y.

Step 8 Reload the security appliance by entering the following command:

rommon #2> boot

The security appliance loads a default configuration instead of the startup configuration.

Step 9 Enter privileged EXEC mode by entering the following command:

hostname> enable

Step 10 When prompted for the password, press Return.

The password is blank.

Step 11 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 12 Enter global configuration mode by entering the following command:

hostname# configure terminal

Step 13 Change the passwords in the configuration by entering the following commands, as necessary:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:

hostname(config)# config-register value

Where value is the configuration register value you noted in Step 5 and 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference.

Step 15 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Password Recovery for the PIX 500 Series Security Appliance

Performing password recovery on the security appliance erases the login password, enable password, and aaa authentication console commands. To erase these commands so you can log in with the default passwords, perform the following steps:

Step 1 Download the PIX password tool from Cisco.com to a TFTP server accessible from the security appliance. See the link in the “Password Recovery Procedure for the PIX” document at the following URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

Step 2 Connect to the security appliance console port according to the “Accessing the Command-Line Interface” section on page 2-4.

Step 3 Power off the security appliance, and then power it on.

Step 4 Immediately after the startup messages appear, press the Escape key to enter monitor mode.

Step 5 Configure the network settings for the interface that accesses the TFTP server by entering the following commands:

monitor> interface interface_id

monitor> address interface_ip

monitor> server tftp_ip

monitor> file pw_tool_name

monitor> gateway gateway_ip

Step 6 Download the PIX password tool from the TFTP server by entering the following command:

monitor> tftp

If you have trouble reaching the server, you can enter the ping address command to test the connection.

Step 7 At the “Do you wish to erase the passwords?” prompt, enter Y.

You can now log in with the default login password of “cisco” and the blank enable password.

The following example shows the PIX password recovery with the TFTP server on the outside interface:

monitor> interface 0      (a network cable must be plugged into the interface here, otherwise: initialize error)

0: i8255X @ PCI(bus:0 dev:13 irq:10)

1: i8255X @ PCI(bus:0 dev:14 irq:7 )

Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9

monitor> address 10.21.1.99

address 10.21.1.99

monitor> server 172.18.125.3

server 172.18.125.3

monitor> file np70.bin

file np52.bin

monitor> gateway 10.21.1.1

gateway 10.21.1.1

monitor> ping 172.18.125.3

Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds:

!!!!!

Success rate is 100 percent (5/5)

monitor> tftp

tftp np52.bin@172.18.125.3 via 10.21.1.1……………………………..

Received 73728 bytes

Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005

Flash=i28F640J5 @ 0x300

BIOS Flash=AT29C257 @ 0xd8000

Do you wish to erase the passwords? [yn] y

Passwords have been erased.

Rebooting….

Disabling Password Recovery

You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance. To disable password recovery, enter the following command:

hostname(config)# no service password-recovery

On the ASA 5500 series adaptive security appliance, the no service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting.

If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), then the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

Other Troubleshooting Tools

The security appliance provides other troubleshooting tools to be used in conjunction with Cisco TAC:

• Viewing Debug Messages

• Capturing Packets

• Viewing the Crash Dump

Viewing Debug Messages

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use. To enable debug messages, see the debug commands in the Cisco Security Appliance Command Reference.

Capturing Packets

Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity. We recommend contacting Cisco TAC if you want to use the packet capture feature. See the capture command in the Cisco Security Appliance Command Reference.

Viewing the Crash Dump

If the security appliance crashes, you can view the crash dump information. We recommend contacting Cisco TAC if you want to interpret the crash dump. See the show crashdump command in the Cisco Security Appliance Command Reference.

Common Problems

This section describes common problems with the security appliance, and how you might resolve them.

Symptom The context configuration was not saved, and was lost when you reloaded.

Possible Cause You did not save each context within the context execution space. If you are configuring contexts at the command line, you did not save the context before you changed to the next context.

Recommended Action Save each context within the context execution space using the copy run start command. You cannot save contexts from the system execution space.

Symptom You cannot make a Telnet connection or SSH to the security appliance interface.

Possible Cause You did not enable Telnet or SSH to the security appliance.

Recommended Action Enable Telnet or SSH to the security appliance according to the “Allowing Telnet Access” section on page 33-1 or the “Allowing SSH Access” section on page 33-2.

Symptom You cannot ping the security appliance interface.

Possible Cause You disabled ICMP to the security appliance.

Recommended Action Enable ICMP to the security appliance for your IP address using the icmp command.

Symptom You cannot ping through the security appliance, even though the access list allows it.

Possible Cause You did not enable the ICMP inspection engine or apply access lists on both the ingress and egress interfaces.

Recommended Action Because ICMP is a connectionless protocol, the security appliance does not automatically allow returning traffic through. In addition to an access list on the ingress interface, you either need to apply an access list to the egress interface to allow the replying traffic, or enable the ICMP inspection engine, which treats ICMP connections as stateful connections.

Symptom Traffic does not pass between two interfaces on the same security level.

Possible Cause You did not enable the feature that allows traffic to pass between interfaces on the same security level.

Recommended Action Enable this feature according to the “Allowing Communication Between Interfaces on the Same Security Level” section on page 6-5.
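The following configuration is an added example, not part of the original document, that collects the fixes for the problems listed above (saving a context, enabling management access, permitting ICMP to and through the appliance, and allowing same-security-level traffic) into one session on an ASA. The interface names (inside, outside, dmz), the management subnet 10.1.1.0/24, the context name ctx1, the user name admin and the policy and access-list names are assumptions chosen for illustration; global_policy and inspection_default are the default ASA policy-map and class-map names. SSH is shown rather than Telnet because Telnet carries credentials in the clear.

```cisco
! --- Multiple-context mode: save each context from inside its own execution space ---
! (the system execution space cannot save a context for you)
hostname# changeto context ctx1
hostname/ctx1# copy running-config startup-config
hostname/ctx1# changeto system

! --- Management access: SSH from the management subnet only (example subnet) ---
hostname(config)# username admin password <strong-password> privilege 15
hostname(config)# aaa authentication ssh console LOCAL
hostname(config)# crypto key generate rsa modulus 2048
hostname(config)# ssh 10.1.1.0 255.255.255.0 inside
hostname(config)# ssh version 2
hostname(config)# ssh timeout 10

! --- ICMP *to* the appliance interface: allow it only from the management subnet ---
hostname(config)# icmp permit 10.1.1.0 255.255.255.0 inside
hostname(config)# icmp deny any inside

! --- ICMP *through* the appliance: option 1, make ICMP stateful via the inspection engine ---
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! global_policy is applied globally by default; re-apply only if it was removed:
hostname(config)# service-policy global_policy global

! --- ICMP through the appliance: option 2 (instead of inspection), permit only the
!     replies on the egress interface, assuming the ingress ACL already permits echo ---
hostname(config)# access-list OUTSIDE_IN extended permit icmp any any echo-reply
hostname(config)# access-list OUTSIDE_IN extended permit icmp any any time-exceeded
hostname(config)# access-list OUTSIDE_IN extended permit icmp any any unreachable
hostname(config)# access-group OUTSIDE_IN in interface outside

! --- Two interfaces at the same security level (e.g. inside and dmz both at 50) ---
hostname(config)# same-security-traffic permit inter-interface

! --- Persist the system/single-mode configuration ---
hostname(config)# write memory
```

Choose only one of the two ICMP-through options: with inspect icmp enabled the echo-reply entries are unnecessary, and keeping both makes the ACL wider than the inspection engine already permits. After the change, verify with show service-policy inspect icmp, show run icmp, and show run access-group before assuming the symptom is fixed.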