RE: Difference between Cisco VPN and PIX Firewall [7:75235]
Scenario III is probably the most recommended. It is incorrect to say that the VPN Concentrator does not have filtering capabilities. It generally only allows in on its public interface the traffic necessary for VPN connections, so it is not any more inherently insecure than a PIX. It does not have all of the capabilities of the PIX, however, so if you need a true firewall I'd go with a firewall (not necessarily a PIX; I personally think they suck, go with a Check Point).

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-----Original Message-----
From: Mr piyush shah [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 11, 2003 7:08 AM
To: [EMAIL PROTECTED]
Subject: Re: Difference between Cisco VPN and PIX Firewall [7:75235]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75244&t=75235

**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Re: Difference between Cisco VPN and PIX Firewall [7:75235]
Standard answer: it depends. Followed immediately by the standard question: what problem are you trying to solve?

The VPN Concentrator does not firewall or filter; it is a specialized tunnel termination device. You may (emphasis on may) need to use it when you are terminating more than about 20 tunnels. That depends on how active the tunnels are and what else your firewall is doing -- how much other work must it do filtering how much other traffic? The Concentrator does offer AES and DH Group 7 (the latter is useful if the other end of the tunnel is a client which can support ECC, but not many can).

You need a firewall between you and the Internet. Have a look at the SMR SAFE Blueprint, here:
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8a0.shtml

If you do decide to use a Concentrator, people may differ, but I recommend terminating your tunnels outside the firewall. If you don't, the firewall must either work at the traffic to inspect it properly (which in fact makes it work even harder to re-encrypt, etc. to send it to the Concentrator) or you poke a big hole in the firewall by accepting traffic that "looks like" it ought to be a part of the tunnel.

If your LAN receives public traffic (is there a public-facing server, any kind of mini-DMZ?), then you will want a switch to send tunnel traffic to the Concentrator and all other traffic to the firewall. Looks sort of like this:

                    Concentrator
                   /
    Internet---switch
                   \
                    firewall---LAN

HTH
Annlee

Mr piyush shah wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75241&t=75235
Re: Difference between Cisco VPN and PIX Firewall [7:75235]
Hello all,

Can I know what is the Cisco PIX and that of a Cisco VPN 3000 in terms of performance? I am planning to implement VPN with either VPN Concentrator or PIX; however, I was told that if you implement only VPN Concentrator instead of PIX, then you may get VPN connectivity but you will not be able to implement the filtering functionalities which are required. In case of PIX I may get both VPN as well as filtering of unwanted traffic, thereby chances of hacking sessions are less. Is this true? I am confused. Kindly help me.

Also which one should I consider to be the best scenario for implementation? I am giving the 3 scenarios below. If there is any scenario better than these, please let me know, with the pros and cons of that one. Also I request you to let me know the pros and cons of these scenarios.

Thanks in advance.

    Scenario I             Scenario II            Scenario III

    Internet               Internet               Internet
       |                      |                      |
    VPN Concentrator       Firewall               Firewall -- VPN Concentrator
       |                      |                      |              |
      LAN                  VPN Concentrator         LAN ------------'

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75235&t=75235
Re: vpn client termination on router, with split-tunnel [7:75147]
Sure. You will need to be running IOS 12.2(8)T or above.

""bk"" wrote in message news:[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75147&t=75147
vpn client termination on router, with split-tunnel [7:75134]
Hello all,

I am trying to terminate a vpn tunnel on a 3640 for clients (4.x). I have done it on a pix with split-tunnel. Can the 3640 be set up to perform split-tunnel?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75134&t=75134
RE: PIX VPN Client Configuration - At my wit's end! [7:74363]
Hmm, that's bizarre. I'm running 4.02B and I can use SHA. Where did you get the information that 3.6 and above don't support SHA???

Fred Reimer - CCNA
Eclipsys Corporation

-----Original Message-----
From: Deepali S [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 02, 2003 3:14 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

[GroupStudy removed an attachment of type application/octet-stream which had a name of vpn.PNG]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74660&t=74363
RE: PIX VPN Setup [7:74369]
Hi John,

The isakmp and pre-share key is used only when you have the L2L tunnel setup. When you have a VPN tunnel between Client and PIX, the command below is the same as the isakmp and pre-shared key:

vpngroup VPNUSER password

Split tunneling is used when you want the user to browse the internet while he still has a VPN tunnel established. Please check this link to know more about split tunneling:
http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

Let me know if you have any queries.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74635&t=74369
RE: 2501 VPN [7:73977]
Hi,

You can check these links:
http://www.cisco.com/warp/public/707/overload_public.html
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:IPSec&s=Implementation_and_Configuration#Samples_and_Tips

Just let me know if you have any queries.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74638&t=73977
RE: PIX VPN Client Configuration - At my wit's end! [7:74363]
Hi James,

First and foremost, please make sure that the inside IP address of the PIX and the VPN address pool are of different ranges, since there is a BUG associated with this; I would recommend you to use an entirely different range of address pool.

What is the client version you are using? If you are using Cisco VPN client 3.6.x and above then please change the hash type to md5, as Cisco VPN client 3.6.x doesn't support sha:

isakmp policy 1 hash md5

Please check this link:
http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

Just let me know if you have any queries.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74636&t=74363
Pix VPN & SMTP [7:74527]
I have a Pix 501 set up for VPN for a few users. Now the outgoing SMTP server for all their email (from Bell Sympatico) only allows relaying when on the Bell domain. So everything works fine when people are in the office, but if they go home and use, say, Rogers to connect to the internet, then VPN into the office and try to send an email out, it won't work. There is a split tunnel set up so only traffic going to the local network 192.168.1.x will get pushed through the VPN tunnel. And since the Pix doesn't allow someone to come in on the outside interface then go out again.

Anyone have any thoughts to fix this? Any router models similar in price/function to the Pix 501 that might not cause this problem?

Thanks
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74527&t=74527
Re: help with vpn scenario [7:74366]
Thank you both for the suggestions and info!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74417&t=74366
RE: PIX VPN Client Configuration - At my wit's end! [7:74363]
Have you watched your

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

very closely? It is meant to be "mirrored" at the client connection time, so it must be

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

A packet sent from the client is checked against this list. So it must be more specific, in my experience.

Martijn

-----Original Message-----
From: Derek Gaff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 26 August 2003 9:57
To: [EMAIL PROTECTED]
Subject: Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

----- Original Message -----
From: "James Willard"
To:
Sent: Tuesday, August 26, 2003 12:17 AM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]

> Hi all,
>
> Thanks in advance for reading this message. I am completely boggled on an
> issue here that I have literally been trying to troubleshoot for some 12
> hours now.
>
> I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.
>
> Here are the relevant parts of my config:
>
> :PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
> ip local pool vpnusers 192.168.2.100-192.168.2.254
> nat (inside) 0 access-list nonat
> nat (inside) 10 0.0.0.0 0.0.0.0 0 0
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set vpn esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 300
> crypto dynamic-map dynmap 30 set transform-set vpn
> crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
> crypto map crypto-map-swa interface outside
> isakmp enable outside
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash sha
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 300
> vpngroup VPNUser address-pool vpnusers
> vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
> vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
> vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
> vpngroup VPNUser idle-time 1800
> vpngroup VPNUser password
>
> Let's say the outside interface is 100.100.100.28. These are the networks:
>
> 100.100.100.28 255.255.255.240 (outside)
> 192.168.1.0    255.255.255.0   (inside)
> 192.168.2.0    255.255.255.0   (vpn IP pool)
> 10.0.1.0       255.255.255.0   (dmz)
>
> I can connect with the client just fine, but neither end can ping the other.
> Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
> ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
> 192.168.2.100. The VPN Client side shows packets being encrypted but none
> decrypted. The IPSec SA on the PIX shows packets being encrypted and none
> decrypted.
>
> Also worth noting is that the VPN client status shows "Transparent
> Tunneling: Inactive" on the status page while connecting, even though isakmp
> nat-traversal is enabled. An ethereal capture shows the client sending ESP
> packets to the PIX but none are coming back.
>
> Please, if anyone has any ideas I would love to hear them. This has been
> driving me crazy!
>
> Thanks,
>
> James Willard
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74397&t=74363
Re: PIX VPN Client Configuration - At my wit's end! [7:74363]
James,

You're missing the command "vpdn enable outside" from your config.

regards
derek

----- Original Message -----
From: "James Willard"
To:
Sent: Tuesday, August 26, 2003 12:17 AM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74391&t=74363
Re: PIX VPN Client Configuration - At my wit's end! [7:74363]
Hi James,

It would be nice to have the output of "show crypto ipsec sa" on the PIX while pinging back and forth. It would be nice to get the output of "debug icmp trace" and "sh access-list" as well, but in any case my suggestion is this:

1) If you are doing split-tunneling I will suggest an access-list like this:

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

and not:

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

This is because you need to tell the PIX to create a pair of SAs for Phase II, so the VPN client will encrypt data destined to 192.168.1.0/24 and the PIX will encrypt traffic from the local LAN to the pool only.

Lastly, if you need to communicate to the DMZ as well, you may add these lines to the access-lists for nonat and interesting traffic:

access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0

I will recommend using the same access-list nonat for the line below:

nat (dmz) 0 access-l nonat

This is in order to avoid some "bugs" surfing around 6.3.1.

Hope this helps a little, and if you can send more details it would be nice to follow up on this a little more.

Have a good one!

My two cents,
Frank
Costa Rica

----- Original Message -----
From: "James Willard"
To:
Sent: Monday, August 25, 2003 5:17 PM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74384&t=74363
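A small config lint for the three pitfalls raised in this thread (Martijn's and Frank's point that the split-tunnel ACL must name the pool rather than "any", Frank's nonat exemption, and Deepali's note on keeping the pool out of the inside subnet), written as an added example that is not code from the list, from Cisco or from any poster. It assumes the posted configs reduced to the lines shown; James's "ip address inside" line is constructed from his prose because his excerpt omits it.

```python
"""Lint a PIX 6.3 remote-access VPN config for three pitfalls raised in this thread.

Added example, not code from the list, from Cisco or from any poster. Checks:
  1. split-tunnel ACL whose destination is "any" instead of the client pool,
  2. nat (inside) 0 ACL that does not exempt LAN -> pool traffic from NAT,
  3. client address pool that overlaps the inside subnet.
Only the statements the checks need are parsed; every other line is ignored.
"""
import ipaddress

def _addr(tokens, i):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Collect ACL entries, pools, the inside subnet, nat 0 bindings, vpngroup settings."""
    cfg = {"acls": {}, "pools": {}, "inside": None, "nat0": {}, "groups": {}}
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0] == "!":  # blank line or comment
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]  # interface -> ACL name
        elif t[0] == "vpngroup" and t[2] in ("address-pool", "split-tunnel"):
            cfg["groups"].setdefault(t[1], {})[t[2]] = t[3]
    return cfg

def _pool_addrs(pool):
    lo, hi = pool
    return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]

def lint(text):
    """Return (check, message) findings; an empty list means every check passed."""
    cfg = parse_config(text)
    inside = cfg["inside"]
    nonat = cfg["acls"].get(cfg["nat0"].get("inside"), [])
    findings = []
    for name, (lo, hi) in cfg["pools"].items():
        # 3. Deepali: keep the pool out of the inside subnet (she reports a PIX bug there)
        if inside and lo <= inside.broadcast_address and hi >= inside.network_address:
            findings.append(("pool-overlap", f"pool {name} {lo}-{hi} overlaps inside {inside}"))
        # 2. LAN -> pool must be NAT-exempt for every pool address
        if inside and not all(any(inside.subnet_of(s) and a in d for s, d in nonat)
                              for a in _pool_addrs((lo, hi))):
            findings.append(("nonat-gap", f"nat (inside) 0 ACL does not cover pool {name}"))
    for group, st in cfg["groups"].items():
        pool = cfg["pools"].get(st.get("address-pool"))
        acl = st.get("split-tunnel")
        for src, dst in cfg["acls"].get(acl, []):
            # 1. the ACL is mirrored on the client (Martijn), so the PIX needs the
            #    pool, not "any", as destination to build matching SAs (Frank)
            if dst.prefixlen == 0:
                findings.append(("split-tunnel-any",
                                 f"vpngroup {group}: {acl} permits {src} -> any"))
            elif pool and not all(a in dst for a in _pool_addrs(pool)):
                findings.append(("split-tunnel-pool",
                                 f"vpngroup {group}: {acl} {src} -> {dst} misses the pool"))
    return findings

# James's posted config reduced to the lines the checks use; the inside address
# line is constructed from his prose, since his excerpt omitted it.
JAMES_CFG = """
ip address inside 192.168.1.1 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
vpngroup VPNUser address-pool vpnusers
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
"""

# The same config with the split-tunnel ACL Martijn and Frank recommend.
JAMES_FIXED_CFG = JAMES_CFG.replace("permit ip 192.168.1.0 255.255.255.0 any",
    "permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0")

# John's posted PIX 501 lines: his pool 192.168.1.75-79 sits inside 192.168.1.0/24.
JOHN_CFG = """
access-list 80 permit ip any host 192.168.1.75
access-list 80 permit ip any host 192.168.1.76
access-list 80 permit ip any host 192.168.1.77
access-list 80 permit ip any host 192.168.1.78
access-list 80 permit ip any host 192.168.1.79
ip address inside 192.168.1.254 255.255.255.0
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
nat (inside) 0 access-list 80
"""
```

lint(JAMES_CFG) reports only the split-tunnel "any" entry, lint(JAMES_FIXED_CFG) is clean, and lint(JOHN_CFG) reports only the pool overlapping the inside subnet.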
Re: help with vpn scenario [7:74366]
Hi Chandler,

To secure the laptop of company A while connected via VPN from company B, my suggestion is to run the Client Firewall feature the concentrator has (this is why I love this device so much). While you are connected via VPN, the concentrator will inject a set of rules (a firewall configuration) that will run on the PC while connected. In other words:

    COMPANY A                                 COMPANY B (DOMAIN)
    CVPN 300X ==================== LAPTOP
                                     +
                                     +
                                    PC1

LAPTOP is connected to company B directly, right? OK, PC1 should be able to "ping" LAPTOP because they belong to the same network. If LAPTOP is connected to CVPN300X, the concentrator will inject a firewall set of rules (like a PIX) that will prevent PC1 from pinging LAPTOP; in other words, the VPN client installed is protecting and is acting as a firewall for its own. This means that while LAPTOP is connected, no one from company B will be able to ping it; if LAPTOP is disconnected from the CVPN300X, now PC1 will be able to ping it, because the firewall was removed with the tunnel as well.

For more details on this please check the link below:

Client FW Parameters Tab (version 4.X)
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/usermgt.htm#1759740

My two cents,
Frank
Costa Rica

----- Original Message -----
From: "Chandler Mike"
To:
Sent: Monday, August 25, 2003 6:06 PM
Subject: help with vpn scenario [7:74366]

> Please help with the following scenario: A laptop user works for Company A
> and possesses a Company A laptop that belongs to their domain. The user
> needs to frequently access confidential records that belong to Company A,
> while on another company's network.
>
> The user also works onsite (with Company A's laptop) of another company,
> Company B. This company has its own network, unrelated and not tied into
> Company A's network in any way. How does the user access a vpn concentrator
> located at Company A while working onsite at Company B without logging on to
> their domain? The laptop has the cisco vpn client installed on it and the
> user uses it from home fine. But how does one set up a secure method of
> having the user vpn into Company A while on another company's network
> without compromising the data on the laptop?
>
> This is a real scenario, sorry if I am overlooking some obvious things, but
> I would appreciate any input on making this work. Thanks
>
> Mike C

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74382&t=74366
Re: PIX VPN Setup [7:74369]
John,

One question at a time:

1) "I noticed that I never set an isakmp pre-share key" - Remember that for a VPN client connection, ISAKMP or Phase I is established using "aggressive mode" in this case, and because the remote connection could come from any place on the Internet, a pre-share key is not used like in a L2L tunnel ("isakmp key etc..."). This is not a security risk, but if you want to be a little more specific you can use digital certificates (rsa-signatures), so that will give you the opportunity to "trust" more in the people getting connected. CRLs will be definitely something I will suggest. For more details check this link:
http://www.cisco.com/warp/public/471/configipsecsmart.html
"...you can avoid the eToken part"

2) "In testing I tried to get all traffic to flow through the VPN but I think the pix prevents traffic coming in on the outside interface to leave on that same interface" - The PIX firewall will never re-direct packets to the same interface they have just arrived on, and this is in order to prevent IP spoofing (that's how ASA works on the PIX). On the other hand, another interface is the solution for this, but the 501 only comes with outside/inside; the four ports you see on the back are all "inside" (this is an embedded switch for SOHO users). But remember that if you have another interface on the PIX (a 515 or 525), that interface should be connected to another ISP and you'll need another default gateway; another default gateway is something you cannot achieve unless you are running 6.3.1 and enable OSPF for that device, but then again, this is a design I will not recommend. Summarizing, go with "split-tunneling" or use an IOS router or VPN concentrator and that will do the trick for you.

Finally, and in regards to the config, everything looks ok; no need to have more than one isakmp policy, but if you wish you can leave things the way they are.

Hope this helps a little.

My two cents,
Frank
Costa Rica

----- Original Message -----
From: "John Cianfarani"
To:
Sent: Monday, August 25, 2003 6:25 PM
Subject: PIX VPN Setup [7:74369]

> I'm setting up a small VPN just for home use so me and a few friends can
> log in remotely via a PIX 501 w/ 3DES over my cable connection.
>
> Now I've got it working, but found a few strange things I had questions
> about. I have each user set up with the VPNGROUP config lines (I will
> post config below); everyone uses the Cisco VPN client to connect. Now
> I noticed that I never set an isakmp pre-share key and there is no spot
> to add one in the Cisco client, only user/pass. I would think that should
> be needed for secure connectivity. The other setup I did was have a
> split-tunnel applied to the user when they connect to only encrypt
> traffic destined for the local network, and any regular internet traffic
> would still go out the person's internet connection. In testing I tried
> to get all traffic to flow through the VPN but I think the pix prevents
> traffic coming in on the outside interface to leave on that same
> interface (as it would with internet traffic). Any way to do this or do
> you need another interface?
> Also just wondering if there is a better way to write this config; any
> other tips are appreciated.
>
> Here is an edited config with only the relevant portions.
>
> Thanks for any help
> John
>
> PIX Version 6.3(1)
> !
> access-list 80 permit ip any host 192.168.1.75
> access-list 80 permit ip any host 192.168.1.76
> access-list 80 permit ip any host 192.168.1.77
> access-list 80 permit ip any host 192.168.1.78
> access-list 80 permit ip any host 192.168.1.79
> !
> access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
> access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
> access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77
> access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78
> access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79
> !
> ip address outside dhcp setroute
> ip address inside 192.168.1.254 255.255.255.0
> ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
> !
> global (outside) 1 interface
> nat (inside) 0 access-list 80
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> floodguard enable
> !
> crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
> crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
> crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
> crypto map MYMAP interface outside
> !
> isakmp enable outside
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> isakmp pol
RE: help with vpn scenario [7:74366]
It depends on Company B's firewall, and how it is set up to allow IPsec traffic (or not). Theoretically, there is no difference between connecting to Company A via an ISP connection and connecting to Company A through Company B, except that Company B's firewall may not allow or be capable of allowing IPsec connections.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: Chandler Mike [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 8:06 PM
To: [EMAIL PROTECTED]
Subject: help with vpn scenario [7:74366]

Please help with the following scenario:

A laptop user works for Company A and possesses a Company A laptop that belongs to their domain. The user needs to frequently access confidential records that belong to Company A, while on another company's network. The user also works onsite (with Company A's laptop) at another company, Company B. This company has its own network, unrelated and not tied into Company A's network in any way.

How does the user access a vpn concentrator located at Company A while working onsite at Company B without logging on to their domain? The laptop has the cisco vpn client installed on it and the user uses it from home fine. But how does one set up a secure method of having the user vpn into Company A while on another company's network without compromising the data on the laptop?

This is a real scenario, sorry if I am overlooking some obvious things, but I would appreciate any input on making this work.

Thanks
Mike C

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74372&t=74366
PIX VPN Setup [7:74369]
I'm setting up a small VPN just for home use so me and a few friends can log in remotely via a PIX 501 w/ 3DES over my cable connection.

Now I've got it working, but found a few strange things I had questions about. I have each user set up with the VPNGROUP config lines (I will post config below); everyone uses the Cisco VPN client to connect. Now I noticed that I never set an isakmp pre-share key and there is no spot to add one in the Cisco client, only user/pass; I would think that should be needed for secure connectivity. The other setup I did was have a split-tunnel applied to the user when they connect, to only encrypt traffic destined for the local network, and any regular internet traffic would still go out the person's internet connection. In testing I tried to get all traffic to flow through the VPN but I think the pix prevents traffic coming in on the outside interface to leave on that same interface (as it would with internet traffic). Any way to do this or do you need another interface?

Also just wondering if there is a better way to write this config or any other tips are appreciated.

Here is an edited config with only the relevant portions.

Thanks for any help
John

PIX Version 6.3(1)
!
access-list 80 permit ip any host 192.168.1.75
access-list 80 permit ip any host 192.168.1.76
access-list 80 permit ip any host 192.168.1.77
access-list 80 permit ip any host 192.168.1.78
access-list 80 permit ip any host 192.168.1.79
!
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79
!
ip address outside dhcp setroute
ip address inside 192.168.1.254 255.255.255.0
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
!
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
floodguard enable
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
!
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
!
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER dns-server
vpngroup VPNUSER default-domain cisco.com
vpngroup VPNUSER split-tunnel 90
vpngroup VPNUSER idle-time 1800
vpngroup VPNUSER password
vpngroup john address-pool REMOTEUSER
vpngroup john dns-server
vpngroup john default-domain cisco.com
vpngroup john idle-time 1800
vpngroup john password

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74369&t=74369
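As an added example (not part of John's post or Frank's reply, and not Cisco code), the following Python audit reads the policy and split-tunnel lines of the config above, embedded here as a constructed sample, and reports two things the thread touches on: which of the four isakmp policies still offer single DES, MD5 or DH group 1 (a connecting client may negotiate any configured policy, so the extra policies widen what the PIX accepts rather than only adding compatibility), and what each vpngroup's split-tunnel setting means for a given client destination. The weak-algorithm sets and the function names are this example's own choices.

```python
"""Audit the ISAKMP policies and split-tunnel ACL of a PIX 6.x remote-access config."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the policy and split-tunnel lines of the PIX 501 config
# posted above, trimmed to what this audit looks at.
PIX_CONFIG = """\
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER split-tunnel 90
vpngroup john address-pool REMOTEUSER
"""

# Choices a PIX 6.3 will still negotiate but that should not be on offer;
# these sets are this example's own policy, not a Cisco default.
WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}
WEAK_GROUP = {"1"}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} built from every 'isakmp policy' line."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)\s*$", config, re.M):
        prio, attr, value = m.groups()
        policies.setdefault(int(prio), {})[attr] = value
    return policies


def weak_isakmp_policies(config):
    """Return {priority: [reason, ...]} for every policy that offers a weak choice."""
    findings = {}
    for prio, p in sorted(parse_isakmp_policies(config).items()):
        reasons = []
        if p.get("encryption") in WEAK_ENCRYPTION:
            reasons.append("encryption " + p["encryption"])
        if p.get("hash") in WEAK_HASH:
            reasons.append("hash " + p["hash"])
        if p.get("group") in WEAK_GROUP:
            reasons.append("group " + p["group"])
        if reasons:
            findings[prio] = reasons
    return findings


def weak_transform_sets(config):
    """Return {name: [transform, ...]} for IPsec transform sets using DES or MD5."""
    findings = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+?)\s*$", config, re.M):
        name, transforms = m.groups()
        weak = [t for t in transforms.split() if t in WEAK_TRANSFORMS]
        if weak:
            findings[name] = weak
    return findings


def _source_network(fields):
    """Decode the source of 'access-list NAME permit ip SRC ...' (fields after 'ip')."""
    if fields[0] == "any":
        return ip_network("0.0.0.0/0")
    if fields[0] == "host":
        return ip_network(fields[1] + "/32")
    return ip_network(f"{fields[0]}/{fields[1]}", strict=False)


def split_tunnel_networks(config, group):
    """Networks the PIX pushes to clients of `group` as 'send this through the tunnel'.

    The split-tunnel ACL's *source* side names the protected networks.  An
    empty list means the group has no split-tunnel ACL, so the client tunnels
    all of its traffic (the full-tunnel case John asked about).
    """
    m = re.search(rf"^vpngroup {re.escape(group)} split-tunnel (\S+)\s*$", config, re.M)
    if not m:
        return []
    acl = m.group(1)
    nets = set()
    for line in config.splitlines():
        fields = line.split()
        if fields[:4] == ["access-list", acl, "permit", "ip"]:
            nets.add(_source_network(fields[4:]))
    return sorted(nets)


def is_tunneled(networks, destination):
    """True if a client holding `networks` would encrypt traffic to `destination`."""
    if not networks:  # no split-tunnel list: everything goes through the VPN
        return True
    dst = ip_address(destination)
    return any(dst in net for net in networks)


if __name__ == "__main__":
    print("weak isakmp policies:", weak_isakmp_policies(PIX_CONFIG))
    print("weak transform sets:", weak_transform_sets(PIX_CONFIG))
    for group in ("VPNUSER", "john"):
        nets = split_tunnel_networks(PIX_CONFIG, group)
        print(group, [str(n) for n in nets] or "ALL", is_tunneled(nets, "198.51.100.7"))
```

Run against the sample, the audit flags policies 20, 30 and 40 (only policy 10, 3DES/SHA/group 2, is clean) and the esp-md5-hmac half of TRANSFORM, shows that VPNUSER clients only encrypt traffic to 192.168.1.0/24, and shows that group john, which has no split-tunnel line, sends everything through the tunnel, which is exactly the traffic the PIX then refuses to turn around on its outside interface.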
help with vpn scenario [7:74366]
Please help with the following scenario:

A laptop user works for Company A and possesses a Company A laptop that belongs to their domain. The user needs to frequently access confidential records that belong to Company A, while on another company's network. The user also works onsite (with Company A's laptop) at another company, Company B. This company has its own network, unrelated and not tied into Company A's network in any way.

How does the user access a vpn concentrator located at Company A while working onsite at Company B without logging on to their domain? The laptop has the cisco vpn client installed on it and the user uses it from home fine. But how does one set up a secure method of having the user vpn into Company A while on another company's network without compromising the data on the laptop?

This is a real scenario, sorry if I am overlooking some obvious things, but I would appreciate any input on making this work.

Thanks
Mike C

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74366&t=74366
PIX VPN Client Configuration - At my wit's end! [7:74363]
Hi all,

Thanks in advance for reading this message. I am completely boggled on an issue here that I have literally been trying to troubleshoot for some 12 hours now. I'm trying to configure a PIX 515E for Cisco VPN Client connectivity. Here are the relevant parts of my config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 300
crypto dynamic-map dynmap 30 set transform-set vpn
crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
crypto map crypto-map-swa interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 300
vpngroup VPNUser address-pool vpnusers
vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
vpngroup VPNUser idle-time 1800
vpngroup VPNUser password

Let's say the outside interface is 100.100.100.28. These are the networks:

100.100.100.28 255.255.255.240 (outside)
192.168.1.0 255.255.255.0 (inside)
192.168.2.0 255.255.255.0 (vpn IP pool)
10.0.1.0 255.255.255.0 (dmz)

I can connect with the client just fine, but neither end can ping the other. Say the client machine gets the IP 192.168.2.100 from the pool; it cannot ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping 192.168.2.100. The VPN Client side shows packets being encrypted but none decrypted. The IPSec SA on the PIX shows packets being encrypted and none decrypted. Also worth noting is that the VPN client status shows "Transparent Tunneling: Inactive" on the status page while connecting, even though isakmp nat-traversal is enabled. An ethereal capture shows the client sending ESP packets to the PIX but none are coming back.

Please, if anyone has any ideas I would love to hear them. This has been driving me crazy!

Thanks,
James Willard
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74363&t=74363
RE: VPN Client [7:74205]
It depends on the configuration of the hub. If the hub supports both 3DES and DES, then the client will be able to connect. What, exactly, are you asking???

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: Tunde Kalejaiye [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 7:58 PM
To: [EMAIL PROTECTED]
Subject: VPN Client [7:74205]

hi guys,

will a vpn client that can run 3DES connect to a router running DES? if no, is it still possible to get the DES version? can't seem to find it on cisco website.

regards,
Tunde

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74249&t=74205
Re: VPN Client [7:74205]
Yes, the 3DES client will negotiate DES with a DES only router or pix. It comes down to crypto policy configuration; it can only negotiate what's on offer from the VPN gateway.

Darren

On Tue, 19 Aug 2003, Tunde Kalejaiye wrote:
> hi guys,
>
> will a vpn client that can run 3DES connect to a router running DES? if no, is
> it still possible to get the DES version? can't seem to find it on cisco
> website.
>
> regards,
>
> Tunde

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74220&t=74205
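To make Darren's point concrete, here is an added Python model of an IKEv1 Phase 1 policy match (illustrative code written for this page, not the Cisco client's or IOS's implementation): the gateway walks its isakmp policies in priority order and accepts the first one that any of the client's proposals matches on encryption, hash, DH group and authentication. The proposal lists and gateway policy sets are constructed for the example; a real client offers more transforms than shown.

```python
"""Toy model of IKEv1 Phase 1 policy matching between a VPN client and a gateway."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IkeProposal:
    """One Phase 1 transform: the tuple both peers must agree on."""
    encryption: str                    # "des" or "3des" on gateways of that era
    hash: str                          # "sha" or "md5"
    group: int                         # Diffie-Hellman group
    authentication: str = "pre-share"
    lifetime: int = 86400              # seconds; only has to be compatible, not equal


def negotiate(gateway_policies, client_proposals):
    """Return (policy priority, agreed proposal), or None when nothing matches.

    Simplified responder logic: the gateway walks its own 'isakmp policy'
    entries in priority order and accepts the first one that any client
    proposal matches on encryption, hash, DH group and authentication.  The
    shorter of the two lifetimes is used.  The client can only ever end up
    with something the gateway has configured.
    """
    for priority, policy in sorted(gateway_policies.items()):
        for proposal in client_proposals:
            if (policy.encryption, policy.hash, policy.group, policy.authentication) == \
               (proposal.encryption, proposal.hash, proposal.group, proposal.authentication):
                agreed = replace(policy, lifetime=min(policy.lifetime, proposal.lifetime))
                return priority, agreed
    return None


# Constructed proposal lists (a real client offers more transforms than this).
# A 3DES-capable client still carries single-DES fallbacks, so it can talk to
# a DES-only gateway; a DES-only export client has no 3DES transform to offer.
CLIENT_3DES = [
    IkeProposal("3des", "sha", 2), IkeProposal("3des", "md5", 2),
    IkeProposal("des", "sha", 1), IkeProposal("des", "md5", 1),
]
CLIENT_DES_ONLY = [IkeProposal("des", "sha", 1), IkeProposal("des", "md5", 1)]

# Gateway policy sets keyed by 'isakmp policy <priority>' (constructed).
DES_ONLY_ROUTER = {10: IkeProposal("des", "sha", 1)}
TRIPLE_DES_ONLY_ROUTER = {10: IkeProposal("3des", "sha", 2)}
MIXED_ROUTER = {10: IkeProposal("3des", "sha", 2), 20: IkeProposal("des", "sha", 1)}


if __name__ == "__main__":
    print("3DES client -> DES router:  ", negotiate(DES_ONLY_ROUTER, CLIENT_3DES))
    print("DES client  -> 3DES router: ", negotiate(TRIPLE_DES_ONLY_ROUTER, CLIENT_DES_ONLY))
    print("3DES client -> mixed router:", negotiate(MIXED_ROUTER, CLIENT_3DES))
    print("DES client  -> mixed router:", negotiate(MIXED_ROUTER, CLIENT_DES_ONLY))
```

The mixed gateway shows the flip side of Darren's answer: a 3DES client still gets 3DES because the gateway's priority order decides, but a DES-only client quietly lands on the lower-priority DES policy. A gateway that keeps a DES policy around "for compatibility" is therefore accepting DES from anyone who asks, which is the reason to remove such policies rather than leave them as fallbacks.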
VPN Client [7:74205]
hi guys,

will a vpn client that can run 3DES connect to a router running DES? if no, is it still possible to get the DES version? can't seem to find it on cisco website.

regards,
Tunde

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74205&t=74205
Re: Cisco Secure VPN 642-511 [7:73919]
Just received e-mail from Cisco that they would send me the INFOSEC letter of recognition after I signed the Cisco Certification Agreement. I am spending time on other interesting stuff which is not Cisco and not sure if I would sit for recert.

"Kevin Wigle" wrote in message news:[EMAIL PROTECTED]
> on the same page is an INFOSEC Professional link. Cisco has been granted
> rights to award this cert. It is NOT a Cisco cert. Which is cool because
> once it is awarded there is no need to recertify, it is permanent.
>
> Which is opposite to everything Cisco does - especially CCSP - to recert
> CCSP you have to take all 5 exams again. Hopefully by the time people get 3
> years in CCSP Cisco will have a single recert exam like they do for
> CCIE/CCDP/CCNP
>
> I might do the security exams once to get the INFOSEC cert and then forget
> the recert on the Cisco stuff.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74180&t=73919
RE: wireless security and VPN software? [7:73988]
Very true. The clients are the most vulnerable before the VPN session is established. Without PSPF enabled, clients can attack other clients on an access point. Even with PSPF enabled an attacker could put up a rogue with the same SSID and WEP key (if used) and try to attack/trojan the client.

It's interesting though, the new IOS firmware has crypto map statements available. I wonder if Cisco will eventually allow VPN sessions to terminate directly on the access points. That would be pretty cool. Much like what Colubris does right now.

Reimer, Fred wrote:
> Hmm, PSPF definitely sounds interesting, but I'd recommend requiring the
> integrated Cisco firewall in the VPN client, and not allowing split
> tunneling.
>
> Also, there is apparently a working group working on VPN multicast...
>
> Fred Reimer - CCNA
> Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
> Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050
>
> -----Original Message-----
> From: Charlie Wehner [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 16, 2003 4:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: wireless security and VPN software? [7:73988]
>
> One more quick note on using VPN solutions. If you're using a VPN solution
> with a Cisco AP be sure to enable PSPF. Everyone misses that setting...
> but it's important. :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74074&t=73988
RE: wireless security and VPN software? [7:73988]
Hmm, PSPF definitely sounds interesting, but I'd recommend requiring the integrated Cisco firewall in the VPN client, and not allowing split tunneling.

Also, there is apparently a working group working on VPN multicast...

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: Charlie Wehner [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 4:14 PM
To: [EMAIL PROTECTED]
Subject: RE: wireless security and VPN software? [7:73988]

One more quick note on using VPN solutions. If you're using a VPN solution with a Cisco AP be sure to enable PSPF. Everyone misses that setting... but it's important. :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74052&t=73988
RE: wireless security and VPN software? [7:73988]
One more quick note on using VPN solutions. If you're using a VPN solution with a Cisco AP be sure to enable PSPF. Everyone misses that setting... but it's important. :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74049&t=73988
RE: wireless security and VPN software? [7:73988]
Well, I thought for sure I was going to fail, but I passed the CSI test with a score of 902. Needed 825 out of 1000...

After giving it some thought, I think it's probably better if I don't comment on the wireless questions at this point. I had typed up quite a bit of observations that I just deleted, before I realized that this is one of the key areas where we sell our products (in my group). It would probably not be the wisest decision to provide free R&D to our competitors. If anyone has specific questions on anything, then by all means ask away, but I opened up the original question a little more than I intended.

But some answers to the original question (personal views only):

1) VPNs, specifically IPsec VPNs, will always be more secure than WEP, or Cisco's proprietary CCKM or the WPA standard.

2) I don't think it is unreasonable. Especially since you can have auto-initiate with the VPN 3000 Client so that the VPN is "automatically" connected and the users don't even need to be aware that it is there.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74033&t=73988
RE: wireless security and VPN software? [7:73988]
Reimer, Fred wrote:
> Being in healthcare, I have some strong views on this topic. Unfortunately,
> I'm cramming for the CSI test I have tomorrow, and I still have two chapters

Good luck on the test.

> to go through on the KnowledgeNet course. So, you will just have to wait...
> LOL Expect some comments on EAP-TLS, WPA, and assorted technologies.

Sounds great. I'd love to hear your comments on EAP-TLS, WPA, (RSN?)

Thanks in advance and thanks to everyone else who answered too.

> For now, I have to get some sleep, and study ;-)
>
> Priscilla - Send me your email address...

I can do that, but please post comments for all to see so everyone benefits. Thanks.

Priscilla

> Fred Reimer - CCNA
> Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
> Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050
>
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 14, 2003 7:52 PM
> To: [EMAIL PROTECTED]
> Subject: wireless security and VPN software? [7:73988]
>
> For a large campus network that has a need for wireless access in conference
> rooms, cafeterias, etc., would it be overkill to require wireless clients to
> use VPN IPSec software to access the campus network? This is for a customer
> who is paranoid about security and understands the tradeoff of ease-of-use
> versus security.
>
> There are other downsides with requiring VPN software, of course, including
> the usual issues of incompatibility with some apps, the lack of support for
> protocols other than IP, and the lack of support for multicast applications
> (from what I understand). Also, we have to consider the scalability of the
> current VPN solution and whether it can support numerous transient wireless
> users, but we think it can. There are many advantages with IPSec too, like
> support for encryption that actually works...
>
> What do you all think? Do any of you require your campus wireless users to
> use VPN software?
>
> Sorry if it's a stupid question.
>
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74027&t=73988
RE: wireless security and VPN software? [7:73988]
.. not a stupid question at all.

The issues we ran into:

1. We put the wireless users on a completely untrusted segment.
2. We needed to permit DHCP+DNS to clients pre-VPN connection: DHCP to get an IP, obviously, and DNS because our VPN Profiles used DNS names.
3. We needed to also permit access to the concentrator(s) (seems obvious, but you'd be surprised ... ).
4. We used CS-ACS for the auth.; this works reasonably well for us (aside from not being able to apply service packs to Win2k in a timely fashion... dammit).

Other issues:

1. Make sure your WAP's and VPN Concentrators are able to handle double the expected load.
2. Make sure you have good WAP coverage - once they can get wireless access from anywhere users will be miffed if they can't get access from their favorite corner of the lunchroom.
3. Maybe someone else has an answer for this - but one problem we do have is when a user roams from one WAP-area to another their VPN gets dropped.
4. If using all one brand you can go for other security options (e.g. LEAP).
5. If it is a static, reasonably small user population you could also go for mac filtering. (I know - you can get around this, but ... think layers.)

The truly surprising part is that the client is willing to consider making performance/ease-of-use sacrifices for security! You should run with it.

Thanks!
TJ

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 7:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]

For a large campus network that has a need for wireless access in conference rooms, cafeterias, etc., would it be overkill to require wireless clients to use VPN IPSec software to access the campus network? This is for a customer who is paranoid about security and understands the tradeoff of ease-of-use versus security.

There are other downsides with requiring VPN software, of course, including the usual issues of incompatibility with some apps, the lack of support for protocols other than IP, and the lack of support for multicast applications (from what I understand). Also, we have to consider the scalability of the current VPN solution and whether it can support numerous transient wireless users, but we think it can. There are many advantages with IPSec too, like support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to use VPN software?

Sorry if it's a stupid question.

Priscilla

** The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system. **

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74013&t=73988
RE: wireless security and VPN software? [7:73988]
Being in healthcare, I have some strong views on this topic. Unfortunately, I'm cramming for the CSI test I have tomorrow, and I still have two chapters to go through on the KnowledgeNet course. So, you will just have to wait... LOL Expect some comments on EAP-TLS, WPA, and assorted technologies. For now, I have to get some sleep, and study ;-)

Priscilla - Send me your email address...

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 7:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]

For a large campus network that has a need for wireless access in conference rooms, cafeterias, etc., would it be overkill to require wireless clients to use VPN IPSec software to access the campus network? This is for a customer who is paranoid about security and understands the tradeoff of ease-of-use versus security.

There are other downsides with requiring VPN software, of course, including the usual issues of incompatibility with some apps, the lack of support for protocols other than IP, and the lack of support for multicast applications (from what I understand). Also, we have to consider the scalability of the current VPN solution and whether it can support numerous transient wireless users, but we think it can. There are many advantages with IPSec too, like support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to use VPN software?

Sorry if it's a stupid question.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74002&t=73988
RE: wireless security and VPN software? [7:73988]
What type of applications do they need to support?

What devices and OS's do they need to support? Watch out for PDAs. Most PDAs have limited support for VPN clients.

What type of users are they? (Techie or basic AOL users?)

These are the main questions in my opinion. VPNs aren't so bad. I know quite a few enterprises that are currently using VPN solutions for wireless. I honestly don't think most users notice the performance hit. Also, some VPN clients can be set up very seamlessly so there aren't multiple logins.

I would also look into PEAP, EAP-TLS and LEAP. PEAP is pretty secure if set up correctly. The PEAP client is already built into WinXP and PPC 2003.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73998&t=73988
RE: Strange VPN problem [7:73641]
Guru,

Type the no-xauth behind the key mapping:

isakmp key **NEWKEYNEWCUSTO** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

Martijn

-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 7, 2003 7:08
To: [EMAIL PROTECTED]
Subject: Strange VPN problem [7:73641]

hi all,

I am trying to set up an Easy VPN solution for a Cisco 837 to a Cisco VPN Concentrator 3005 using network extension mode, but I keep getting this error msg:

"Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"

Any form of input will be appreciated.

suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73645&t=73641
VPN problems still exist [7:73704]
hi all,

Thanks for all the assistance given regarding xauth and Easy VPN. I have solved the problem by configuring SITE-TO-SITE VPN, but still the VPN peer cannot be established. I am actually doing a site-to-site VPN from one 806 router to a Cisco Concentrator 3005. Attached is the configuration of my 805 router for your reference.

regards,
suaveguru

[GroupStudy removed an attachment of type text/richtext which had a name of Mendel's config.rtf]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73704&t=73704
RE: wireless security and VPN software? [7:73988]
Are they concerned about what is in the traffic going back and forth from the wireless users to the wired network? In other words, interception of the signal. Or is it a desire to isolate the wireless from the wired side of the network?

If isolation is what is needed, it would seem a lot easier to put the wireless users in their own network and implement security where the wireless and wired networks join.

If they are concerned with the traffic going back and forth over the wireless network, what about encrypting all of their traffic by default? If they use a VPN solution, it does nothing for the rogue access point problem. A group of users could set up their own wireless network and not have to use a VPN. Whereas if all PCs encrypt their traffic, even over the wired network, they could bypass the interception problem. Now I cannot say I have ever attempted to encrypt traffic this way. What are the problems with this approach?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]

For a large campus network that has a need for wireless access in conference rooms, cafeterias, etc., would it be overkill to require wireless clients to use VPN IPSec software to access the campus network? This is for a customer who is paranoid about security and understands the tradeoff of ease-of-use versus security.

There are other downsides with requiring VPN software, of course, including the usual issues of incompatibility with some apps, the lack of support for protocols other than IP, and the lack of support for multicast applications (from what I understand). Also, we have to consider the scalability of the current VPN solution and whether it can support numerous transient wireless users, but we think it can. There are many advantages with IPSec too, like support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to use VPN software?

Sorry if it's a stupid question.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73996&t=73988
Re: wireless security and VPN software? [7:73988]
Priscilla Oppenheimer wrote:
> For a large campus network that has a need for wireless access in conference
> rooms, cafeterias, etc., would it be overkill to require wireless clients to
> use VPN IPSec software to access the campus network? This is for a customer
> who is paranoid about security and understands the tradeoff of ease-of-use
> versus security.
>
> There are other downsides with requiring VPN software, of course, including
> the usual issues of incompatibility with some apps, the lack of support for
> protocols other than IP, and the lack of support for multicast applications
> (from what I understand). Also, we have to consider the scalability of the
> current VPN solution and whether it can support numerous transient wireless
> users, but we think it can. There are many advantages with IPSec too, like
> support for encryption that actually works...
>
> What do you all think? Do any of you require your campus wireless users to
> use VPN software?
>
> Sorry if it's a stupid question.
>
> Priscilla

I'll take a swing: It Depends.

Really, I think it does. This campus network may have wireless access in areas where traffic should be encrypted (is there a health clinic? think HIPAA; will HR or Finance be using wireless from these conference rooms?). But there may also be many areas, if not most, where it is overkill. Security is always a balancing act between convenience/ease of use and the cost incurred if information is somehow violated (lost, compromised, kidnapped--it can happen, heavens--it has). If the wireless is being added for low-value use and convenience, I don't see a need for IPSec, though I would certainly be careful to segregate the wireless from the wired and control wireless access into significant segments of the wired network.

I would look very hard at the design issues of what apps and what data will be transiting where, and protect those areas which carry sensitive data. And I would pay especial attention to Layer 8 issues [grin].

Annlee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73991&t=73988
RE: VPN Connection from Windows Client to nt domain [7:73720]
Please take every point I make seriously. Please also read the release notes that belong to the VPN client.

I believe you when you say you can do everything. Have you tried starting Outlook (if you use Exchange) or doing an rpc-ping? When doing net use, do you get a logon screen? I have had RPC problems because of MTU/hardware > RPC settings once.

Radius is a tip for the authentication of users on the access device. No separate user accounts, dial-in policies etc.

Martijn

-Original Message-
From: K. Bovermann [mailto:[EMAIL PROTECTED]
Sent: Friday, August 8, 2003 15:39
To: Jansen, M
Subject: RE: VPN Connection from Windows Client to nt domain [7:73720]

The Windows 2k client got the connection and I can ping around the network without any problems. The client gets his IP from the concentrator (manually added at the user configuration). I can map the drives manually without problems; only the log on to the domain, e.g. the script, won't work, so I have to add them manually. When I try to authenticate the user name and password for the domain at the VPN concentrator it works with no problem. From the Windows side it won't work. It is no problem with the IP address or subnet mask or any permissions. Only the log on to the NT domain won't work.

We have no RADIUS server at our domain. Will it work also with radius if I don't have any radius server??

Regards
Kai

-Original Message-
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]
Sent: Friday, August 8, 2003 15:26
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: VPN Connection from Windows Client to nt domain [7:73720]

Check: (off my hat, or cap whatever)

access-lists: netbios, time, kerberos, dns, maybe wins if you use it (check bill's site)
dhcp: give client dns, maybe wins, dhcp pool domain
if 2k: maybe add xtra subnet to site (mmc sites and services)
route: has the server a route to the concentrator AND to the VPN client subnet? ping client from server, IP AND name
route: has the client a route to server, host file? ping ip AND name from client

Tip: always use radius.
Tip2: READ THE "FEATURE" (RELEASE NOTES) LIST FROM THE EXACT VPN CLIENT VERSION NUMBER!

Martijn

-Original Message-
From: Kai Bovermann [mailto:[EMAIL PROTECTED]
Sent: Friday, August 8, 2003 14:05
To: [EMAIL PROTECTED]
Subject: VPN Connection from Windows Client to nt domain [7:73720]

Dear all

We have a Cisco VPN Concentrator 3000 series for VPN connection. What we want to do is to establish a VPN connection from a Windows client (W2k or WinXP Pro) to the concentrator and then log on to our domain and then get the shares connected to the PC. I created a VPN connection and it works properly. Only the log on to the domain will not work. It should go this way: the user is logged on to the PC and then, if it is needed, establishes the VPN connection and also gets logged on to the domain and gets the shares connected to the PC.

How can I do this?

Thanks a lot
Kai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73729&t=73720
RE: VPN Best Hardware to use? [7:73793]
I'd consider the 3005 at the remote sites. It has the capability to do a LAN-to-LAN NAT, where if you had customer A and customer B that both used 10.1.x you could map them to 45.1 and 45.2 respectively, or any other equal-mask network.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 09, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to set up VPNs to about 2000 sites. Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers. Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73825&t=73793
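To make the LAN-to-LAN NAT idea in Fred's reply concrete, here is an added example (not code from the thread, and not the VPN 3000's own implementation) that models what the head end has to do when two tunnels both present 10.1.x.x: translate each customer's block to a distinct, equal-mask public block (45.1.x.x and 45.2.x.x, taken from the post) so that replies can be routed back to the right tunnel. The customer names, the tunnel ids and the /16 masks are constructed for the demo.

```python
"""Overlapping-subnet LAN-to-LAN NAT, modelled in Python (added example).

Assumptions (constructed, not from the thread): customers "custA" and "custB"
both use 10.1.0.0/16 behind their tunnels; the head end maps them to
45.1.0.0/16 and 45.2.0.0/16. The mask of the mapped block must equal the mask
of the real block so the host part can be copied unchanged.
"""
import ipaddress


class OverlapNat:
    """Per-tunnel static network translation with an equal-length mask."""

    def __init__(self):
        self._rules = {}      # tunnel id -> (real network, mapped network)
        self._by_mapped = {}  # mapped network -> tunnel id

    def add(self, tunnel, real, mapped):
        real_net = ipaddress.ip_network(real)
        mapped_net = ipaddress.ip_network(mapped)
        if real_net.prefixlen != mapped_net.prefixlen:
            raise ValueError("mapped network must use the same mask as the real one")
        # Mapped blocks must be unique: that is the whole point of the translation.
        for other, (_, other_mapped) in self._rules.items():
            if other_mapped.overlaps(mapped_net):
                raise ValueError(f"mapped block {mapped} overlaps tunnel {other}")
        self._rules[tunnel] = (real_net, mapped_net)
        self._by_mapped[mapped_net] = tunnel

    def tunnels_for_real(self, addr):
        """Without NAT: every tunnel whose real block contains addr (ambiguous if >1)."""
        ip = ipaddress.ip_address(addr)
        return sorted(t for t, (real_net, _) in self._rules.items() if ip in real_net)

    def outbound(self, tunnel, addr):
        """Packet from a customer LAN arriving over `tunnel`: rewrite its source."""
        real_net, mapped_net = self._rules[tunnel]
        ip = ipaddress.ip_address(addr)
        if ip not in real_net:
            raise ValueError(f"{addr} is not inside {real_net} for tunnel {tunnel}")
        host_part = int(ip) - int(real_net.network_address)
        return str(ipaddress.ip_address(int(mapped_net.network_address) + host_part))

    def inbound(self, mapped_addr):
        """Reply addressed to mapped space: pick the tunnel and restore the real address."""
        ip = ipaddress.ip_address(mapped_addr)
        for mapped_net, tunnel in self._by_mapped.items():
            if ip in mapped_net:
                real_net, _ = self._rules[tunnel]
                host_part = int(ip) - int(mapped_net.network_address)
                real = ipaddress.ip_address(int(real_net.network_address) + host_part)
                return tunnel, str(real)
        raise LookupError(f"{mapped_addr} is not in any mapped block")


def build_demo():
    """Two customers on the same 10.1.0.0/16; the same host address on each side."""
    nat = OverlapNat()
    nat.add("custA", "10.1.0.0/16", "45.1.0.0/16")
    nat.add("custB", "10.1.0.0/16", "45.2.0.0/16")
    host = "10.1.2.3"  # constructed: exists on both customer LANs
    return {
        "ambiguous_without_nat": nat.tunnels_for_real(host),
        "custA_seen_as": nat.outbound("custA", host),
        "custB_seen_as": nat.outbound("custB", host),
        "reply_to_45.2.2.3": nat.inbound("45.2.2.3"),
    }


if __name__ == "__main__":
    for k, v in build_demo().items():
        print(f"{k}: {v}")
```

The `tunnels_for_real` lookup shows the problem the post describes: with two customers on 10.1.0.0/16, a destination of 10.1.2.3 matches both tunnels, so the head end cannot route it. After translation the monitoring side only ever sees 45.1.2.3 and 45.2.2.3, and `inbound` recovers the tunnel from the mapped block alone.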
RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]
Groan. I'll bet they could really make the chIPs fly.

> -Original Message-
> From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]
>
> They finally identified the superior router brand.
>
> Craftsman.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73895&t=73793
RE: VPN Best Hardware to use? [7:73793]
Hi Ryan,

For the head end, a 3030/3060 would be a better choice. PIX, for example, doesn't provide connectivity between remote sites in a hub-and-spoke topology. On the remote side, the 831 might be the best pick, especially if you want to provide some backup mechanism for the VPN tunnel.

Regards,
Andrey.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73853&t=73793
wireless security and VPN software? [7:73988]
For a large campus network that has a need for wireless access in conference rooms, cafeterias, etc., would it be overkill to require wireless clients to use VPN IPSec software to access the campus network? This is for a customer who is paranoid about security and understands the tradeoff of ease-of-use versus security.

There are other downsides with requiring VPN software, of course, including the usual issues of incompatibility with some apps, the lack of support for protocols other than IP, and the lack of support for multicast applications (from what I understand). Also, we have to consider the scalability of the current VPN solution and whether it can support numerous transient wireless users, but we think it can. There are many advantages with IPSec too, like support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to use VPN software?

Sorry if it's a stupid question.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73988&t=73988
RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]
At 4:57 PM + 8/11/03, Truman, Michelle, RTSLS wrote:
> Advantis is actually now called AGNS for AT&T Global Network (Was the
> IBM Global Network after it was Advantis).

I still cherish memories of teaching a class to Advantis when it was still an IBM-Sears joint venture. It was a private ICRC, where we used their existing equipment, all token ring LAN. I finally understood why the lab exercises were acting so weirdly when I discovered they had connected the lab backbone to a production network.

Anyway, they gave me a hard time all week claiming they had much better routers than Cisco. At first, I thought they were referring to some of the IBM-labeled routers that were Wellfleet under the hood. It was worse.

They finally identified the superior router brand.

Craftsman.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73893&t=73793
RE: VPN Best Hardware to use? [7:73793]
The 3000's support fail-over just fine, and the new version even supports "multi-entry point" VPNs (like Check Point has had for years). Basically meaning that at your main site you can have two 3030's with connections to different ISP's and totally different external addresses. See:

"Backup LAN-to-LAN

The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the VPN Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN are both ways of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not.

* You can configure Backup LAN-to-LAN and load balancing on the same device, but you cannot configure VRRP and load balancing on the same VPN Concentrator.
* Redundant Backup LAN-to-LAN peers do not have to be located at the same site. VRRP backup peers cannot be geographically dispersed.

Note: This feature does not work in conjunction with VRRP. If you set up a Backup LAN-to-LAN configuration, disable VRRP."

I'm sure Cisco would entertain cutting a special deal on 2000 3002/3005 devices. If not, send me a note offline and I'll see if our sales guys are interested. We usually only deal with hospitals, but they may make an exception for a large number like that...

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-Original Message-
From: Andrey Tarasov [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

Hi Ryan,

For the head end, a 3030/3060 would be a better choice. PIX, for example, doesn't provide connectivity between remote sites in a hub-and-spoke topology. On the remote side, the 831 might be the best pick, especially if you want to provide some backup mechanism for the VPN tunnel.

Regards,
Andrey.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73875&t=73793
RE: VPN Best Hardware to use? [7:73793]
That is an ADSL WIC, or am I missing something? We are looking to use IDSL but cannot find a router that supports 3DES and IDSL.

Ryan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wed 8/13/2003 1:40 AM
To: Ryan Finnesey; [EMAIL PROTECTED]
Cc:
Subject: RE: VPN Best Hardware to use? [7:73793]

You mean? Newest: DSL WAN Interface Cards, WIC-1ADSL-I-DG 1-port ADSLoISDN WAN Interface Card. CCO partner login: http://www.cisco.com/en/US/partner/products/hw/routers/ps221/products_data_sheet09186a0080088713.html

Martijn

-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 3:57
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

You are right, it is a service offering. Right now, we are using ISDN dial-up and would like to move to a full-time connection. We would not be using the customer's connection but will be installing a 144K IDSL or 192K SDSL line. What I am going to do on Friday in the lab (if we get the lines from Covad on time) is use a 7200 at the head end and a 1700 on the other end, run the IPSec and NAT on the 1700 and see how that goes. The only problem is I cannot find an IDSL WIC on CCO; I only see an ADSL and SDSL.

Ryan

-Original Message-
From: [EMAIL PROTECTED] on behalf of Reimer, Fred
Sent: Mon 8/11/2003 10:02 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: VPN Best Hardware to use? [7:73793]

I would certainly hope that the remotes wouldn't use different platforms. I don't know the business model, but it sounds to me like it's some kind of service offering or something. Maybe they have a 2000 site Frame Relay network used to offer a service or something, and they want to switch to something more economical. Instead of paying monthly circuit fees, pay a one-time hardware cost (assuming they don't own the FR routers at the customer end) and use the customer's Internet connection. Why in the world would you want different hardware at each customer site in that situation? Standardize on one hardware platform, and build the cost of that hardware into the business model... If that's the case then the cost of a 3005 can be justified in a small number of months, depending on your FR cost. Certainly you would recoup your cost and start making more money, due to less operating cost, relatively quickly.

Now, if this is something else, like a company with 2000 offices throughout the world, then I can see your point and you may end up with different requirements. But, that's not how it sounds so far.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

Despite all hw issues, you really need to
- describe the business req's first
- translate to technical req's (you are talking 2000+ sites)

And you will see that you'll need more than one platform for the Remotes. Depending on your hierarchy concerning
RE: 2501 VPN [7:73977]
Well, you could look here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfipsec.htm#1001813

And here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfike.htm#1012737

And here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfinter.htm#1001485

One of the good things about IPsec, IMNSHO, is that you actually need to know what the heck you are doing in order to get it to work. Do you know what a transform set is? IKE? An SA? Crypto-map? If not, Read The Manuals. It's not overly difficult. Once you read the manuals, if you have questions, I'm sure that everyone would be more than glad to answer any specific questions.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-Original Message-
From: Henry Volentine [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 12:49 PM
To: [EMAIL PROTECTED]
Subject: 2501 VPN [7:73977]

I need assistance configuring VPN between a Cisco 2501 and a Cisco 827H. Both routers have IOS that supports VPN. The 2501 is connected to the ISP via a 768kb fractional T1 and the 827H has an ADSL connection to the same ISP. If anyone could please send sample configurations for either router, I would appreciate it.

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73979&t=73977
RE: VPN Best Hardware to use? [7:73793]
You are right, it is a service offering. Right now, we are using ISDN dial-up and would like to move to a full-time connection. We would not be using the customer's connection but will be installing a 144K IDSL or 192K SDSL line. What I am going to do on Friday in the lab (if we get the lines from Covad on time) is use a 7200 at the head end and a 1700 on the other end, run the IPSec and NAT on the 1700 and see how that goes. The only problem is I cannot find an IDSL WIC on CCO; I only see an ADSL and SDSL.

Ryan

-Original Message-
From: [EMAIL PROTECTED] on behalf of Reimer, Fred
Sent: Mon 8/11/2003 10:02 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: VPN Best Hardware to use? [7:73793]

I would certainly hope that the remotes wouldn't use different platforms. I don't know the business model, but it sounds to me like it's some kind of service offering or something. Maybe they have a 2000 site Frame Relay network used to offer a service or something, and they want to switch to something more economical. Instead of paying monthly circuit fees, pay a one-time hardware cost (assuming they don't own the FR routers at the customer end) and use the customer's Internet connection. Why in the world would you want different hardware at each customer site in that situation? Standardize on one hardware platform, and build the cost of that hardware into the business model... If that's the case then the cost of a 3005 can be justified in a small number of months, depending on your FR cost. Certainly you would recoup your cost and start making more money, due to less operating cost, relatively quickly.

Now, if this is something else, like a company with 2000 offices throughout the world, then I can see your point and you may end up with different requirements. But, that's not how it sounds so far.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

Despite all hw issues, you really need to
- describe the business req's first
- translate to technical req's (you are talking 2000+ sites)

And you will see that you'll need more than one platform for the Remotes. Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps
- desktop/register maintenance/management
- security man

you will need to or may want to build a hierarchical design. Keep in mind that different platforms use different (HQ) fail-over or 2nd ip techniques.

Martijn

-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to set up VPNs to about 2000 sites. Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers. Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan
RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]
Why thanks! I only have a CCNA now because I had to get it for our partner level, and I'm supposed to get much more. And I only have it on my sig because I use the same sig for work and work-related lists. You are correct that we would need more details if it is anything other than what I think it is. If it is just a small service, cookie cutter type deal, then I don't see why they can't use a cookie cutter type solution. Being in healthcare, I envision something like Blue Cross/ Blue Shield payer connections, where I think they use the IBM Advantis network (is that what it was called? Who owns them now, AT&T? Yep, they purchased them in 1999 for $5B) and have routers at each customer site. Why not replace them with a cookie cutter type connection? They already have connections to each customer, likely on a DMZ. The communication is just patient financial information (claims) between one host system at a hospital and a system at BC/BS. AT&T certainly uses a cookie-cutter type connection for all of their connections (wonder if they upgraded all of those thousands of routers for the IOS patch). There may be a one-off here and there, but for the VAST majority of situations it's the same. Same for ISP's. You think they have custom connections for each T1 line they install? Stick a this type router here and a that type router there? No, unless a customer has a special need, like shadow T3's as we do, then you're not going to get special treatment. At least that's my take on it. So as to reduce complexity, administration, maintenance, and increase scalability, security, stability, I'd attempt at all cost to have a standard configuration. Even if it cost a bit more. The 3000 series may not be the answer, because we don't know the true requirements, but whatever the answer is I'd attempt to standardize on it. 
Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:51 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT:

Fred, I respect you. You are one of the top repliers at the moment, in terms of qual and freq. I am learning a lot from you, between work and heavy (I mean heavy) cramming and typing for my coming lab. And I mean it. I get a laugh out of you, Fred, (CCNA) answering CCIE-level Q&A!

>>> More than one platform depending on req's

MAYBE also deployment costs, EOL (800, 806-820's-830's series spinning like crazy, 501 here to stay, VPN HW client okay.) Please stop, because we're fishing; we need facts.

RYAN, please give us a list of req's. When you design 10-20 sites you ask for a box. When you design 2000 sites you design a total solution. Management of:
- config,
- change,
- security,
- availability,
- performance and
- capacity.
I am sure I forgot one. You catch my drift? I am also curious about the service offered: need front-end? back-end? DMZ's? etc. Learnt as designer, consultant etc. that if you make a quicky of the business req's you'll pay afterwards, because it is not what the customer had hoped for. Trusted/untrusted client sites.
Martijn

-----Original Message-----
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 16:02
To: Jansen, M; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

I would certainly hope that the remotes wouldn't use different platforms. I don't know the business model, but it sounds to me like it's some kind of service offering or something. Maybe they have a 2000-site Frame Relay network used to offer a service or something, and they want to switch to something more economical. Instead of paying monthly circuit fees, pay a one-time hardware cost (assuming they don't own the FR routers at the customer end) and use the customer's Internet connection. Why in the world would you want different hardware at each customer site in that situation? Standardize on one hardware platform, and build the cost of that hardware into the business model...

If that's the case then the cost of a 3005 can be justified in a small number of months, depending on your FR cost. Certainly you would recoup your cost and start making more money, due
RE: VPN Best Hardware to use? [7:73793]
Despite all HW issues, you really need to
- describe the business req's first
- translate to technical req's (you are talking 2000+ sites)
And you will see that you'll need more than one platform for the remotes. Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps
- desktop/register maintenance/management
- security man
you will need to, or may want to, build a hierarchical design. Keep in mind that different platforms use different (HQ) fail-over or 2nd IP techniques.

Martijn

-----Original Message-----
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to set up VPNs to about 2000 sites. Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers. Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan
Re: Cisco Secure VPN 642-511 [7:73919]
I'm for the "check CCO" part of your post. Visit http://www.cisco.com/en/US/learning/le3/le30/le13/learning_learning_path.html and you'll see all the Specialist certifications. They are not going anywhere - yet.

The CCSP is still going strong: http://www.cisco.com/en/US/learning/le3/le2/le37/le54/learning_certification_type_home.html

On the same page is an INFOSEC Professional link. Cisco has been granted rights to award this cert. It is NOT a Cisco cert. Which is cool, because once it is awarded there is no need to recertify; it is permanent. Which is opposite to everything Cisco does - especially CCSP - to recert CCSP you have to take all 5 exams again. Hopefully by the time people get 3 years in CCSP Cisco will have a single recert exam like they do for CCIE/CCDP/CCNP. I might do the security exams once to get the INFOSEC cert and then forget the recert on the Cisco stuff.

If you get the CCSP you'll also have the credits to be a Firewall Spec, IDS Spec and a VPN Spec. It would make for a crowded business card. The specs are good for 2 years, the CCSP is good for 3 years. Which is also weird, as you used the specs to get CCSP but they expire first. I'm sure there are "good" reasons for these certification oddities.

Kevin Wigle
CCDP CCNP MCSE CBE Security+

----- Original Message -----
From: "Reimer, Fred"
To:
Sent: Tuesday, August 12, 2003 9:45 AM
Subject: Cisco Secure VPN 642-511 [7:73919]

> Change of subject, and a massive trim.
>
> The KnowledgeNet course was good. I took the "Express" "with Mentor." Contrary to their recommendations, I didn't see much value in their mentors. Not to say that they are not knowledgeable or anything, just that 90% of the time my "questions" for the mentors were corrections in the Cisco courseware. The course was for the new test. I believe there were a few questions on the test that were not covered in the course.
>
> You get the Cisco courseware documentation, and access to their on-line PowerPoint-type slides with an instructor basically saying the same thing as is in the courseware. However, they do talk about some things that are not in the manuals. You should have six weeks to go through it. I'd suggest taking a day off or spending a Saturday to go through the whole course, but that's just me. I can't do the one hour here and there thing.
>
> They also include "labs" or simulations of setting up the hardware. However, they don't have an actual lab. I think they are working on that, but I found it very useful to have a "real" 3000 available to go through the menus.
>
> If you haven't taken this test before, don't skip the practice thing in the beginning. One of the simulations worked a bit differently than I was expecting, and although I'm sure I knew what I was doing I'm not sure if I got credit for that question.
>
> Know all the menus, and what items are on the actual configuration screens.
>
> I have a side question myself. Cisco changed their specialist program, so that now apparently there isn't a Firewall Specialist, VPN Specialist, and IDS Specialist, but rather just one Security Specialist. So does that mean that I can't use the "VPN Specialist" designation anymore and have to wait until I pass all of the tests? What about that INFOSEC designation, is that still valid?
>
> Perhaps I should just login to the new Certifications Community site and check there.
>
> http://forums.cisco.com/eforum/servlet/CertCom?page=main
>
> Fred Reimer - CCNA
> Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
>
> -----Original Message-----
> From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2003 9:17 AM
> To: Reimer, Fred; [EMAIL PROTECTED]
> Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]
>
> Can you comment on that particular KnowledgeNet class? I'm signed up to take it in the not too distant future.
> Thanks,
>
> Michelle
>
> Michelle Truman CCIE # 8098
> Principal Technical Consultant
> AT&T Solutions Center
> mailto:[EMAIL PROTEC
RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73882]
Fred, I respect you. You are one of the top repliers at the moment, in terms of qual and freq. I am learning a lot from you, between work and heavy (I mean heavy) cramming and typing for my coming lab. And I mean it. I get a laugh out of you, Fred, (CCNA) answering CCIE-level Q&A!

>>> More than one platform depending on req's

MAYBE also deployment costs, EOL (800, 806-820's-830's series spinning like crazy, 501 here to stay, VPN HW client okay.) Please stop, because we're fishing; we need facts.

RYAN, please give us a list of req's. When you design 10-20 sites you ask for a box. When you design 2000 sites you design a total solution. Management of:
- config,
- change,
- security,
- availability,
- performance and
- capacity.
I am sure I forgot one. You catch my drift? I am also curious about the service offered: need front-end? back-end? DMZ's? etc. Learnt as designer, consultant etc. that if you make a quicky of the business req's you'll pay afterwards, because it is not what the customer had hoped for. Trusted/untrusted client sites.

Martijn

-----Original Message-----
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 16:02
To: Jansen, M; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

I would certainly hope that the remotes wouldn't use different platforms. I don't know the business model, but it sounds to me like it's some kind of service offering or something. Maybe they have a 2000-site Frame Relay network used to offer a service or something, and they want to switch to something more economical. Instead of paying monthly circuit fees, pay a one-time hardware cost (assuming they don't own the FR routers at the customer end) and use the customer's Internet connection. Why in the world would you want different hardware at each customer site in that situation? Standardize on one hardware platform, and build the cost of that hardware into the business model...
If that's the case then the cost of a 3005 can be justified in a small number of months, depending on your FR cost. Certainly you would recoup your cost and start making more money, due to less operating cost, relatively quickly.

Now, if this is something else, like a company with 2000 offices throughout the world, then I can see your point and you may end up with different requirements. But, that's not how it sounds so far.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

Despite all HW issues, you really need to
- describe the business req's first
- translate to technical req's (you are talking 2000+ sites)
And you will see that you'll need more than one platform for the remotes. Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps
- desktop/register maintenance/management
- security man
you will need to, or may want to, build a hierarchical design. Keep in mind that different platforms use different (HQ) fail-over or 2nd IP techniques.

Martijn

-----Original Message-----
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to set up VPNs to about 2000 sites.
Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers. Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan
RE: VPN Conncetion from Windows Client to nt domain [7:73720]
Go in the client and choose Options | Windows Logon Properties and make sure the "Enable start before logon" checkbox is checked. Download the latest client. Enjoy.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: Kai Bovermann [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 8:05 AM
To: [EMAIL PROTECTED]
Subject: VPN Conncetion from Windows Client to nt domain [7:73720]

Dear all

We have a Cisco VPN Concentrator 3000 series for VPN connection. What we want to do is to establish a VPN connection from a Windows client (W2k or WinXP Pro) to the concentrator, then log on to our domain, and then get the shares connected to the PC. I created a VPN connection and it works properly. Only the log-on to the domain will not work. It should go this way: the user is logged on to the PC and then, if it is needed, establishes the VPN connection and also gets logged on to the domain and gets the shares connected to the PC. How can I do this?

Thanks a lot
Kai
RE: Strange VPN problem [7:73641] OT:F funny [7:73722]
I mailed that! Only your explanation is superior. ;-) When I have time, not studying for my lab, I study the English language.. Say, getting dizzy over the C&C BGP guide (that should be during my sleep though; like every wannabee, I have not seen a normal book in a while).

Martijn

-----Original Message-----
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 7, 2003 15:33
To: [EMAIL PROTECTED]
Subject: RE: Strange VPN problem [7:73641]

Does anyone read the manuals around here???

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1070272

You probably have your IKE proposal in your concentrator set for XAUTH, and you don't have your router set up for that. You can configure your router as the reference manual says, or you *may* be able to add in a new or modify an existing IKE policy under Configuration | System | Tunneling Protocols | IPSec | IKE Proposals so that the Authentication mode is not one that has (XAUTH) at the end of it. Probably "Preshared Keys" would be the one you want. If you create a new one (recommended) then you would have to change the IKE policy used for your SA under Configuration | Policy Management | Traffic Management | SAs.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
-----Original Message-----
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 1:08 AM
To: [EMAIL PROTECTED]
Subject: Strange VPN problem [7:73641]

hi all,

I am trying to set up an Easy VPN solution for a Cisco 837 to a Cisco VPN Concentrator 3005 using network extension mode, but I keep getting this error msg:

"Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"

Any form of input will be appreciated

suaveguru
RE: VPN Best Hardware to use? [7:73793]
You mean? Newest: DSL WAN Interface Cards, WIC-1ADSL-I-DG 1-port ADSLoISDN WAN Interface Card. CCO partner login: http://www.cisco.com/en/US/partner/products/hw/routers/ps221/products_data_sheet09186a0080088713.html

Martijn

-----Original Message-----
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 3:57
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

You are right, it is a service offering. Right now we are using ISDN dial-up and would like to move to a full-time connection. We would not be using the customer's connection but will be installing a 144K IDSL or 192K SDSL line. What I am going to do on Friday in the lab (if we get the lines from Covad on time) is use a 7200 at the head end and a 1700 on the other end, run the IPSec and NAT on the 1700, and see how that goes. The only problem is I cannot find an IDSL WIC on CCO; I only see an ADSL and SDSL.

Ryan

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Reimer, Fred
Sent: Mon 8/11/2003 10:02 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: VPN Best Hardware to use? [7:73793]

I would certainly hope that the remotes wouldn't use different platforms. I don't know the business model, but it sounds to me like it's some kind of service offering or something. Maybe they have a 2000-site Frame Relay network used to offer a service or something, and they want to switch to something more economical. Instead of paying monthly circuit fees, pay a one-time hardware cost (assuming they don't own the FR routers at the customer end) and use the customer's Internet connection. Why in the world would you want different hardware at each customer site in that situation? Standardize on one hardware platform, and build the cost of that hardware into the business model...

If that's the case then the cost of a 3005 can be justified in a small number of months, depending on your FR cost.
Certainly you would recoup your cost and start making more money, due to less operating cost, relatively quickly.

Now, if this is something else, like a company with 2000 offices throughout the world, then I can see your point and you may end up with different requirements. But, that's not how it sounds so far.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

Despite all HW issues, you really need to
- describe the business req's first
- translate to technical req's (you are talking 2000+ sites)
And you will see that you'll need more than one platform for the remotes. Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps
- desktop/register maintenance/management
- security man
you will need to, or may want to, build a hierarchical design. Keep in mind that different platforms use different (HQ) fail-over or 2nd IP techniques.

Martijn

-----Original Message-----
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to set up VPNs to about 2000 sites. Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers.
Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan
RE: Strange VPN problem [7:73641]
XAUTH is, in my perception, for authentication of users (local, or especially RADIUS or TACACS). So what we do at the hub site for a static IKE peer is disable XAUTH, so that a spoke router does not get an auth prompt, or the hub does not wait for it. So I think the hub is waiting for an answer, maybe used to authenticate VPN users only.

WHAT DID YOU PUT AT THE SCREEN IKE PROPOSALS? You need Preshared Keys there!

8. The following example shows the various policies used in the IKE policy named "CiscoVPNClient-3DES-MD". In this policy, Preshared Keys (XAUTH) for Authentication Mode is being used so that the client will be prompted to supply a username and password at the end of IKE negotiations.

http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml#task2_steps

Martijn

-----Original Message-----
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 7, 2003 9:40
To: Jansen, M
Subject: RE: Strange VPN problem [7:73641]

thanks for your prompt reply, but I am using an easyvpn configuration for a Cisco 805 router to Concentrator 3005, with the Cisco 805 as client mode and the concentrator as hub. I can't find the line that you indicate for my Cisco 805; could it be the easyvpn configuration that I am using?

suaveguru

--- [EMAIL PROTECTED] wrote:
> Guru.
>
> Type the no-xauth behind the key-mapping.
>
>     isakmp key **NEWKEYNEWCUSTO** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
>
> Martijn
>
> -----Original Message-----
> From: suaveguru [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 7, 2003 7:08
> To: [EMAIL PROTECTED]
> Subject: Strange VPN problem [7:73641]
>
> hi all,
>
> I am trying to set up an Easy VPN solution for a Cisco 837 to a Cisco VPN Concentrator 3005 using network extension mode, but I keep getting this error msg:
>
> "Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
> Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"
>
> Any form of input will be appreciated
>
> suaveguru
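The proposal/XAUTH mismatch that Fred and Martijn diagnose above, modelled as an added Python example (not Cisco code and not from the thread): a site-to-site SA bound to an IKE proposal whose authentication mode ends in "(XAUTH)" leaves a router peer with no stored credentials waiting, and the remedy is a separate non-XAUTH proposal rebound to the SA. Proposal names, the peer address, the SA name and the "-L2L" suffix are constructed for the example.

```python
"""Model of the IKE proposal / XAUTH mismatch discussed in the thread.

Added example, not Cisco code.  On a VPN 3000 concentrator each IKE proposal
carries an authentication mode; modes ending in "(XAUTH)" make the
concentrator run extended (username/password) authentication after phase 1.
A site-to-site SA bound to such a proposal leaves a router peer that has no
credentials to offer waiting, which is what the router's "Pending XAuth
Request" log in the thread shows.  All names and addresses are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

XAUTH_SUFFIX = " (XAUTH)"


@dataclass(frozen=True)
class IkeProposal:
    name: str
    auth_mode: str      # "Preshared Keys" or "Preshared Keys (XAUTH)"
    encryption: str     # e.g. "3DES"
    hash_alg: str       # e.g. "MD5"
    dh_group: int       # e.g. 2

    @property
    def requires_xauth(self) -> bool:
        return self.auth_mode.endswith(XAUTH_SUFFIX)


@dataclass(frozen=True)
class RemotePeer:
    address: str
    encryption: str
    hash_alg: str
    dh_group: int
    xauth_user: Optional[str] = None   # None: no user credentials to offer


@dataclass(frozen=True)
class LanToLanSa:
    name: str
    peer_address: str
    ike_proposal: str   # name of the IKE proposal this SA is bound to


def evaluate(sa: LanToLanSa, proposals: Dict[str, IkeProposal],
             peer: RemotePeer) -> Tuple[str, str]:
    """Return (outcome, explanation) for IKE phase 1 between SA and peer."""
    prop = proposals.get(sa.ike_proposal)
    if prop is None:
        return "error", f"SA {sa.name} references unknown proposal {sa.ike_proposal}"
    if sa.peer_address != peer.address:
        return "error", f"SA {sa.name} is not configured for peer {peer.address}"
    if (prop.encryption, prop.hash_alg, prop.dh_group) != (
            peer.encryption, peer.hash_alg, peer.dh_group):
        return "no_proposal_chosen", f"{prop.name} transforms do not match {peer.address}"
    if prop.requires_xauth:
        if peer.xauth_user is None:
            # Router side logs "EZVPN: Pending XAuth Request" and waits.
            return "xauth_pending", (f"{prop.name} has {XAUTH_SUFFIX.strip()} but "
                                     f"{peer.address} has no credentials to offer")
        return "established", f"phase 1 complete after XAUTH for {peer.xauth_user}"
    return "established", f"phase 1 complete with {prop.name} (no XAUTH)"


def add_lan_to_lan_proposal(proposals: Dict[str, IkeProposal],
                            based_on: str) -> Tuple[Dict[str, IkeProposal], IkeProposal]:
    """Fred's advice: leave the client proposal alone and create a new one
    without the XAUTH suffix.  Returns a new proposal table and the new entry."""
    src = proposals[based_on]
    new = replace(src, name=src.name + "-L2L",      # "-L2L" is a constructed suffix
                  auth_mode=src.auth_mode.replace(XAUTH_SUFFIX, ""))
    updated = dict(proposals)
    updated[new.name] = new
    return updated, new


def rebind(sa: LanToLanSa, proposal: IkeProposal) -> LanToLanSa:
    """Second half of the advice: point the SA at the new proposal."""
    return replace(sa, ike_proposal=proposal.name)


def with_credentials(peer: RemotePeer, user: str) -> RemotePeer:
    """A peer that can answer XAUTH (XAUTH is for user authentication, as
    Martijn notes), e.g. a software VPN Client or a router with a username."""
    return replace(peer, xauth_user=user)


# Constructed sample: a client-style proposal on the concentrator, an
# 837-class router peer offering matching transforms, and an SA wrongly
# bound to the client proposal (the situation the thread diagnoses).
PROPOSALS = {
    "CiscoVPNClient-3DES-MD5": IkeProposal(
        "CiscoVPNClient-3DES-MD5", "Preshared Keys (XAUTH)", "3DES", "MD5", 2),
}
ROUTER = RemotePeer("203.0.113.10", "3DES", "MD5", 2)
SA = LanToLanSa("mendelvpn", "203.0.113.10", "CiscoVPNClient-3DES-MD5")


def demo() -> Tuple[str, str]:
    """Outcome before and after applying the thread's fix."""
    before, _ = evaluate(SA, PROPOSALS, ROUTER)
    props, new = add_lan_to_lan_proposal(PROPOSALS, "CiscoVPNClient-3DES-MD5")
    after, _ = evaluate(rebind(SA, new), props, ROUTER)
    return before, after


if __name__ == "__main__":
    print(demo())   # ('xauth_pending', 'established')
```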
RE: VPN problems' still exist [7:73704]
I don't think attachments make it through. Go into the 3005 and modify the events so that all of the IKE classes (under Configuration | System | Events | Classes) have the highest level (1-13) and tell us what messages you get when it tries to connect.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:00 AM
To: [EMAIL PROTECTED]
Subject: VPN problems' still exist [7:73704]

hi all,

thanks for all the assistance given using xauth regarding easyvpn. I have solved the problem by configuring SITE-TO-SITE VPN, but still the VPN peer cannot be established. I am actually doing a site-to-site VPN from one 806 router to a Cisco Concentrator 3005. Attached is the configuration of my 805 router for your reference.

regards,
suaveguru
[GroupStudy removed an attachment of type text/richtext which had a name of Mendel's config.rtf]
RE: VPN Best Hardware to use? [7:73793]
I would certainly hope that the remotes wouldn't use different platforms. I don't know the business model, but it sounds to me like it's some kind of service offering or something. Maybe they have a 2000-site Frame Relay network used to offer a service or something, and they want to switch to something more economical. Instead of paying monthly circuit fees, pay a one-time hardware cost (assuming they don't own the FR routers at the customer end) and use the customer's Internet connection. Why in the world would you want different hardware at each customer site in that situation? Standardize on one hardware platform, and build the cost of that hardware into the business model...

If that's the case then the cost of a 3005 can be justified in a small number of months, depending on your FR cost. Certainly you would recoup your cost and start making more money, due to less operating cost, relatively quickly.

Now, if this is something else, like a company with 2000 offices throughout the world, then I can see your point and you may end up with different requirements. But, that's not how it sounds so far.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]
Despite all HW issues, you really need to
- describe the business req's first
- translate to technical req's (you are talking 2000+ sites)
And you will see that you'll need more than one platform for the remotes. Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps
- desktop/register maintenance/management
- security man
you will need to, or may want to, build a hierarchical design. Keep in mind that different platforms use different (HQ) fail-over or 2nd IP techniques.

Martijn

-----Original Message-----
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to set up VPNs to about 2000 sites. Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers. Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan
RE: VPN Best Hardware to use? [7:73793]
That is adsl over isdn. Thought the only COMMON flavours were adsl async up/down and sdsl sync up/down freq ranges. SEEMS YOU CAN USE A BRI WIC!!!

>>>>>>>>>>>>>>>>>>>>>>>>>
Developed by Ascend Communications (acquired by Lucent Technologies), ISDN Digital Subscriber Line (IDSL) transmits data digitally across existing ISDN lines, at a rate of 128 Kbps. The benefits of IDSL over ISDN are that the former service offers always-on connections, transmits data via a data network rather than the phone company's voice network, and avoids per-call fees by being billed at a flat-rate.

http://www.cisco.com/en/US/partner/tech/tk175/tk349/technologies_q_and_a_item09186a00800946d3.shtml

Q. What is IDSL?
IDSL is a cross between ISDN and xDSL. As with ISDN, it uses a single wire pair to transmit full-duplex data at 128 Kbps and at distances of up to the Revised Resistance Distance range of 15,000 to 18,000 feet. IDSL also uses a 2B1Q line code to enable transparent operation through the ISDN "U" interface. IDSL is essentially a leased line ISDN Basic Rate Interface (BRI), or an ISDN BRI that is not switched and does not contain signaling (a D channel). IDSL and ISDN BRI use the same 2B1Q line modulation. On the router, this equates to putting the BRI interface in a leased line configuration. The line can be configured for a speed of 64 Kbps, 128 Kbps, or 144 Kbps. The frames that are going across the wire are standard High-Level Data Link Control (HDLC) frames. IDSL can be configured with Point-to-Point Protocol (PPP) or Frame Relay encapsulation for the leased line BRI interface. The easiest way to think about it is as if the BRI interface was a slow speed synchronous serial port. Also, existing Customer Premises Equipment (CPE) (ISDN BRI terminal adapters, bridges, and routers) can be used to connect to the central office.

IDSL Frequently Asked Questions

Questions
- What is IDSL?
- Does the Cisco 2500 series router support IDSL?
- Does the Cisco 2600 support IDSL?
- What routers support IDSL?
- Is PPP over Frame Relay supported on IDSL?
- Does a SPID or phone number need to be defined to configure IDSL?
- Do I need the ISDN switch type command on the CPE when I configure IDSL?
- Is the Cisco 804 IDSL router compatible with CopperMountain CE200?
- Does the Cisco 804 IDSL router support PPP over Frame Relay?
- Does the Cisco DSLAM chassis have IDSL modules?
- What is the distance limitation for IDSL?
- Does IDSL support voice?
- How do I configure a basic IDSL interface?
- Related Information

Q. Does the Cisco 2500 series router support IDSL?
No. The Cisco 2500 series does not support IDSL because its BRI hardware does not support channel aggregation.

Q. Does the Cisco 2600 support IDSL?
Yes. IDSL is currently supported with the ISDN WAN Interface Cards (WICs) and network modules when they are configured in leased line mode.

Q. What routers support IDSL?
The following routers support IDSL:
- 800 - Cisco 801-805 ISDN, Serial, and IDSL Routers
- 1600 - Cisco 1600 Series Routers and WAN Interface Cards
- 1720 - Cisco 1720 Modular Access Router
- 1750 - Cisco 1750 Modular Access Router
- 2600 - Connecting WAN and Voice Interface Cards to a Network

Martijn

-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Wednesday 13 August 2003 7:53
To: Jansen, M; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

That is an ADSL WIC or am I missing something? We are looking to use IDSL
Re: Cisco Secure VPN 642-511 [7:73919]
Assorted comments in line.

--On 12 August 2003 13:45 + "Reimer, Fred" wrote:

> You should have six weeks to go through it. I'd suggest taking a day off or spending a Saturday to go through the whole course, but that's just me. I can't do the one hour here and there thing.

Hmmm, you should try running through the knowledgenet course after work in the evening, then heading back into the office at midnight and configuring your first concentrator before 8:30am when people start arriving for their day's work. That wasn't fun :-)

> They also include "labs" or simulations of setting up the hardware. However, they don't have an actual lab. I think they are working on that, but I found it very useful to have a "real" 3000 available to go through the menus.

Yep.

> I have a side question myself. Cisco changed their specialist program, so that now apparently there isn't a Firewall Specialist, VPN Specialist, and IDS Specialist, but rather just one Security Specialist. So does that mean that I can't use the "VPN Specialist" designation anymore and have to wait until I pass all of the tests? What about that INFOSEC designation, is that still valid?

I think you have things in reverse. The Security specialist cert is being / has been retired. The three new specialist exams and CCSP replaced it. If you are interested, I expressed my opinion on that change in some detail (either on this list or security ie dot com) a while back. (I wasn't very complimentary about the new specialist certs)

Regards
Peter Walker CC[NID]P, CISSP, CSS1, etc (yeah, my current employer is a reseller)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73937&t=73919
RE: Largest CA Keylength on VPN 3000 [7:73409]
Well, the manuals are wrong ;-) The key size on the latest version of software is 2048 bits max. It was not an allocation issue.

One pointer though, if you have to recreate your CA on a Microsoft platform you may as well reformat the hard drive and start from scratch, as there is no de-install for the SCEP add-on to IIS so you have to de-install the CA, de-install IIS!, re-install IIS and the CA, then re-install SCEP, and even then your CA is going to be all F'd up. Somehow, I got to the point where you could only request "user" and "efs" certs, not "web server" or "server" certs like you can on another CA we have installed (same version of everything), plus you can't specify the OU, so you can't match that to a group name. We are using OpenSSL just fine, even on a Windows box with cygwin. I hate Windows.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 5:01 AM
To: [EMAIL PROTECTED]
Subject: RE: Largest CA Keylength on VPN 3000 [7:73409]

Is it a size or allocation issue?

CSCdv48299
If fewer than three spots remain in the CA certificate store of a VPN 3000 Concentrator, and an attempt is made to install a CA certificate with associated RAs, then the RA or RAs are installed (filling the store) and the root certificate is not installed. This is incorrect behavior. Instead, the software should check to see if there is enough room in the store before installing a partial CA certificate. Partial certificates should not be installed. If the RAs and the Root certificate cannot be installed, the software should install nothing.

Or just RTFM below?

Martijn

Key Size (man: Yes, scep: Yes)
The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available.
- RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm. This key size provides sufficient security and is the default selection. It is the most common, and requires the least processing.
- RSA 768 bits = Generate 768-bit keys using the RSA algorithm. This key size provides normal security. It requires approximately 2 to 4 times more processing than the 512-bit key.
- RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. This key size provides high security, and it requires approximately 4 to 8 times more processing than the 512-bit key.
(man: Yes, csep: No)
- DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature Algorithm).
- DSA 768 bits = Generate 768-bit keys using the DSA algorithm.
- DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Saturday 2 August 2003 14:49
To: [EMAIL PROTECTED]
Subject: Largest CA Keylength on VPN 3000 [7:73409]

Let's see if anyone here can answer faster than Cisco TAC. What is the largest CA root key length supported by the Cisco VPN Concentrator 3000 series hardware? I have a 4096 bit key and it won't accept the root key because it can't "validate" it.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73604&t=73409
2501 VPN [7:73977]
I need assistance configuring VPN between a Cisco 2501 and a Cisco 827H. Both routers have IOS that supports VPN. The 2501 is connected to the ISP via a 768kb fractional T1 and the 827H has an ADSL connection to the same ISP. If anyone could please send sample configurations for either router, I would appreciate it.

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73977&t=73977
RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]
Can you comment on that particular Knowledgenet class? I'm signed up to take it in the not too distant future.

Thanks,
Michelle

Michelle Truman CCIE # 8098
Principal Technical Consultant
AT&T Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

Wow, I guess I'm dating myself a little there if that many changes have happened. I don't believe there were that many options, if any, in the original network. Glad to see things have changed.

More on-topic, I just took the CSVPN test and just squeezed by. Note to self, make sure you study for a test before taking one ;-) I went through the KnowledgeNet Express course like a week or two ago, but didn't study this weekend. Probably not a good practice. I'll have to remember that one later...

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message-
From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:57 PM
To: Reimer, Fred; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]

Advantis is actually now called AGNS for AT&T Global Network (Was the IBM Global Network after it was Advantis). You can get VPN's on just about any remote client you like, from Cisco to Nortel to Checkpoint to AT&T proprietary Netgate boxes which are derived from Linux OS. You also can run the VPN over the IP backbone for dedicated or DSL connections. AGNS is mainly a dial/ISDN/Broadband platform now. We actually don't support 83x Cisco boxes yet because the Netgates have been so popular, but it's under development. Massive IOS upgrades were already done because pretty much everything we do is automated because of scale requirements.

Personally speaking, I like the 3000 Concentrator at the headend with Netgate at the client site. That is the most flexible and affordable configuration.

Michelle

Michelle Truman CCIE # 8098
Principal Technical Consultant
AT&T Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]

Why thanks! I only have a CCNA now because I had to get it for our partner level, and I'm supposed to get much more. And I only have it on my sig because I use the same sig for work and work-related lists.

You are correct that we would need more details if it is anything other than what I think it is. If it is just a small service, cookie cutter type deal, then I don't see why they can't use a cookie cutter type solution. Being in healthcare, I envision something like Blue Cross/ Blue Shield payer connections, where I think they use the IBM Advantis network (is that what it was called? Who owns them now, AT&T? Yep, they purchased them in 1999 for $5B) and have routers at each customer site. Why not replace them with a cookie cutter type connection? They already have connections to each customer, likely on a DMZ. The communication is just patient financial information (claims) between one host system at a hospital and a system at BC/BS.

AT&T certainly uses a cookie-cutter type connection for all of their connections (wonder if they upgraded all of those thousands of routers for the IOS patch). There may be a one-off here and there, but for the VAST majority of situations it's the same. Same for ISP's. You think they have custom connections for each T1 line they install? Stick a this type router here and a that type router there? No, unless a customer has a special need, like shadow T3's as we do, then you're not going to get special treatment. At least that's my take on it.

So as to reduce complexity, administration, maintenance, and increase scalability, security, stability, I'd attempt at all cost to have a standard configuration. Even if it cost a bit more. The 3000 series may not be the answer, because we don't know the true requirements, but whatever the answer is I'd attempt to standardize on it.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlan
Cisco Secure VPN 642-511 [7:73919]
Change of subject, and a massive trim.

The KnowledgeNet course was good. I took the "Express" "with Mentor." Contrary to their recommendations, I didn't see much value in their mentors. Not to say that they are not knowledgeable or anything, just that 90% of the time my "questions" for the mentors were corrections in the Cisco courseware. The course was for the new test. I believe there were a few questions on the test that were not covered in the course. You get the Cisco courseware documentation, and access to their on-line power-point type slides with an instructor basically saying the same thing as is in the courseware. However, they do talk about some things that are not in the manuals.

You should have six weeks to go through it. I'd suggest taking a day off or spending a Saturday to go through the whole course, but that's just me. I can't do the one hour here and there thing.

They also include "labs" or simulations of setting up the hardware. However, they don't have an actual lab. I think they are working on that, but I found it very useful to have a "real" 3000 available to go through the menus.

If you haven't taken this test before, don't skip the practice thing in the beginning. One of the simulations worked a bit differently than I was expecting, and although I'm sure I knew what I was doing I'm not sure if I got credit for that question. Know all the menus, and what items are on the actual configuration screens.

I have a side question myself. Cisco changed their specialist program, so that now apparently there isn't a Firewall Specialist, VPN Specialist, and IDS Specialist, but rather just one Security Specialist. So does that mean that I can't use the "VPN Specialist" designation anymore and have to wait until I pass all of the tests? What about that INFOSEC designation, is that still valid? Perhaps I should just login to the new Certifications Community site and check there.

http://forums.cisco.com/eforum/servlet/CertCom?page=main

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message-
From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 9:17 AM
To: Reimer, Fred; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

Can you comment on that particular Knowledgenet class? I'm signed up to take it in the not too distant future.

Thanks,
Michelle

Michelle Truman CCIE # 8098
Principal Technical Consultant
AT&T Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73919&t=73919
RE: VPN Conncetion from Windows Client to nt domain [7:73720]
access-lists
  netbios
  time
  kerberos
  dns
  maybe wins if you use it
  check bill's site
dhcp
  give client dns
  maybe wins
  dhcp pool domain
if 2k
  maybe add xtra subnet to site mmc sites and services
route
  has the server a route to the concentrator AND to the VPN client subnet
  ping client from server, IP AND name
route
  has the client route to server, host file?
  ping ip AND name from client

Tip: always use radius.
Tip2: READ THE "FEATURE" (RELEASE NOTES) LIST FROM THE EXACT VPN CLIENT VERSION NUMBER!

Martijn

-Original Message-
From: Kai Bovermann [mailto:[EMAIL PROTECTED]
Sent: Friday 8 August 2003 14:05
To: [EMAIL PROTECTED]
Subject: VPN Conncetion from Windows Client to nt domain [7:73720]

Dear all

We have a cisco vpn concentrator 3000 series for vpn connection. What we want to do is to establish a vpn connection from a windows client (W2k or WinXP Pro) to the concentrator and then log on to our domain and then get the shares connected to the pc. I created a vpn connection and it works properly. Only the log on to the domain will not work. It should go like this way that the user is logged on to the pc and then if it is needed establish the vpn connection and get also logged on to the domain and get the shares connected to the pc. How can I do this?

Thanks a lot
Kai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73723&t=73720
RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]
Wow, I guess I'm dating myself a little there if that many changes have happened. I don't believe there were that many options, if any, in the original network. Glad to see things have changed.

More on-topic, I just took the CSVPN test and just squeezed by. Note to self, make sure you study for a test before taking one ;-) I went through the KnowledgeNet Express course like a week or two ago, but didn't study this weekend. Probably not a good practice. I'll have to remember that one later...

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message-
From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 12:57 PM
To: Reimer, Fred; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]

Advantis is actually now called AGNS for AT&T Global Network (Was the IBM Global Network after it was Advantis). You can get VPN's on just about any remote client you like, from Cisco to Nortel to Checkpoint to AT&T proprietary Netgate boxes which are derived from Linux OS. You also can run the VPN over the IP backbone for dedicated or DSL connections. AGNS is mainly a dial/ISDN/Broadband platform now. We actually don't support 83x Cisco boxes yet because the Netgates have been so popular, but it's under development. Massive IOS upgrades were already done because pretty much everything we do is automated because of scale requirements.

Personally speaking, I like the 3000 Concentrator at the headend with Netgate at the client site. That is the most flexible and affordable configuration.

Michelle

Michelle Truman CCIE # 8098
Principal Technical Consultant
AT&T Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]

Why thanks! I only have a CCNA now because I had to get it for our partner level, and I'm supposed to get much more. And I only have it on my sig because I use the same sig for work and work-related lists.

You are correct that we would need more details if it is anything other than what I think it is. If it is just a small service, cookie cutter type deal, then I don't see why they can't use a cookie cutter type solution. Being in healthcare, I envision something like Blue Cross/ Blue Shield payer connections, where I think they use the IBM Advantis network (is that what it was called? Who owns them now, AT&T? Yep, they purchased them in 1999 for $5B) and have routers at each customer site. Why not replace them with a cookie cutter type connection? They already have connections to each customer, likely on a DMZ. The communication is just patient financial information (claims) between one host system at a hospital and a system at BC/BS.

AT&T certainly uses a cookie-cutter type connection for all of their connections (wonder if they upgraded all of those thousands of routers for the IOS patch). There may be a one-off here and there, but for the VAST majority of situations it's the same. Same for ISP's. You think they have custom connections for each T1 line they install? Stick a this type router here and a that type router there? No, unless a customer has a special need, like shadow T3's as we do, then you're not going to get special treatment. At least that's my take on it.

So as to reduce complexity, administration, maintenance, and increase scalability, security, stability, I'd attempt at all cost to have a standard configuration. Even if it cost a bit more. The 3000 series may not be the answer, because we don't know the true requirements, but whatever the answer is I'd attempt to standardize on it.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050
RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]
Advantis is actually now called AGNS for AT&T Global Network (Was the IBM Global Network after it was Advantis). You can get VPN's on just about any remote client you like, from Cisco to Nortel to Checkpoint to AT&T proprietary Netgate boxes which are derived from Linux OS. You also can run the VPN over the IP backbone for dedicated or DSL connections. AGNS is mainly a dial/ISDN/Broadband platform now. We actually don't support 83x Cisco boxes yet because the Netgates have been so popular, but it's under development. Massive IOS upgrades were already done because pretty much everything we do is automated because of scale requirements.

Personally speaking, I like the 3000 Concentrator at the headend with Netgate at the client site. That is the most flexible and affordable configuration.

Michelle

Michelle Truman CCIE # 8098
Principal Technical Consultant
AT&T Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]

Why thanks! I only have a CCNA now because I had to get it for our partner level, and I'm supposed to get much more. And I only have it on my sig because I use the same sig for work and work-related lists.

You are correct that we would need more details if it is anything other than what I think it is. If it is just a small service, cookie cutter type deal, then I don't see why they can't use a cookie cutter type solution. Being in healthcare, I envision something like Blue Cross/ Blue Shield payer connections, where I think they use the IBM Advantis network (is that what it was called? Who owns them now, AT&T? Yep, they purchased them in 1999 for $5B) and have routers at each customer site. Why not replace them with a cookie cutter type connection? They already have connections to each customer, likely on a DMZ. The communication is just patient financial information (claims) between one host system at a hospital and a system at BC/BS.

AT&T certainly uses a cookie-cutter type connection for all of their connections (wonder if they upgraded all of those thousands of routers for the IOS patch). There may be a one-off here and there, but for the VAST majority of situations it's the same. Same for ISP's. You think they have custom connections for each T1 line they install? Stick a this type router here and a that type router there? No, unless a customer has a special need, like shadow T3's as we do, then you're not going to get special treatment. At least that's my take on it.

So as to reduce complexity, administration, maintenance, and increase scalability, security, stability, I'd attempt at all cost to have a standard configuration. Even if it cost a bit more. The 3000 series may not be the answer, because we don't know the true requirements, but whatever the answer is I'd attempt to standardize on it.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:51 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT:

Fred, I respect you. You are one of the top repliers at the moment, terms of qual and freq. I am learning a lot from you, between work and heavy (i mean heavy) cramming and typing for my coming lab. And I mean it. I get a laugh out of your, Fred, (ccna) and answering ccie level q&a!

>>> More than one platform depending on req's MAYBE also deployment costs, EOL (800 806-820's-830's series spinning like crazy, 501 here to stay, vpn hw client okay.)

Please stop because we're fishing, we need facts.

RYAN, Please give us a list of req's. When you design 10-20 sites you ask for a box. When you design 2000 sites you design a total solution. Management of
- config,
- change,
- security,
- availability,
- performance and
- capacity.
I am sure I forgot one. You catch my drift? I am also curious about service offered, need front-end? back-end? DMZ's? etc. Learnt as designer consultant etc that if you make a quicky of business req's you'll pay afterwards, because it is not what customer had hoped
RE: VPN Best Hardware to use? [7:73793]
I'd consider the 3005 at the remote sites. It has the capability to do a LAN-to-LAN NAT, where if you had customer A and customer B that both used 10.1.x you could map them to 45.1 and 45.2 respectively, or any other equal-mask network.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 09, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to set up VPNs to about 2000 sites. Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers. Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73837&t=73793
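To make Fred's LAN-to-LAN NAT suggestion concrete, here is an added Python example (not code from the post or from Cisco) that models an equal-mask one-to-one translation plus the overlap check a hub designer would run before assigning outside networks. The site names, the 10.1.x/10.2.x LANs and the 45.0.0.0/8 pool are constructed sample values lifted from the post's illustration, not an allocation to copy.

```python
"""Equal-mask LAN-to-LAN NAT for overlapping customer networks.

Added example, not code from the post or from Cisco. It models the mapping
Fred describes: two customers that both use 10.1.x are presented to the hub
as 45.1.x and 45.2.x, keeping the host bits so every inside host has exactly
one outside address. All site names, networks and the 45.0.0.0/8 pool are
constructed sample values lifted from the post's illustration.
"""
from ipaddress import IPv4Address, IPv4Network


class LanToLanNat:
    """One-to-one translation between an inside and an outside network.

    Both networks must have the same prefix length: the network bits are
    swapped and the host bits are kept, so the mapping is reversible and
    no port translation is needed.
    """

    def __init__(self, inside: str, outside: str) -> None:
        self.inside = IPv4Network(inside)
        self.outside = IPv4Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("inside and outside networks must have equal masks")

    @staticmethod
    def _swap(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
        if addr not in src:
            raise ValueError(f"{addr} is not in {src}")
        host_bits = int(addr) & int(src.hostmask)
        return IPv4Address(int(dst.network_address) | host_bits)

    def to_outside(self, addr: str) -> str:
        """Customer-local address as the hub sees it."""
        return str(self._swap(IPv4Address(addr), self.inside, self.outside))

    def to_inside(self, addr: str) -> str:
        """Reverse direction: hub-side address back to the customer's own."""
        return str(self._swap(IPv4Address(addr), self.outside, self.inside))


def overlapping_sites(sites: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of sites whose LANs overlap; these cannot both be routed at the
    hub without translation, which is why the NAT is needed at all."""
    nets = {name: IPv4Network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def plan_translations(sites: dict[str, str], pool: str) -> dict[str, LanToLanNat]:
    """Give every site its own outside network carved from `pool`.

    The planner expects all site LANs to share one mask (as in the post,
    where every remote site is a 10.1.x block) and fails loudly when the pool
    cannot hold one outside network per site.
    """
    masks = {IPv4Network(cidr).prefixlen for cidr in sites.values()}
    if len(masks) != 1:
        raise ValueError("all site LANs must share one prefix length")
    outside_nets = IPv4Network(pool).subnets(new_prefix=masks.pop())
    plans: dict[str, LanToLanNat] = {}
    for name in sorted(sites):
        try:
            plans[name] = LanToLanNat(sites[name], str(next(outside_nets)))
        except StopIteration:
            raise ValueError(f"pool {pool} exhausted before site {name}") from None
    return plans


# Constructed sample: two customers on the same 10.1.0.0/16, one on 10.2.0.0/16.
SAMPLE_SITES = {
    "customer_a": "10.1.0.0/16",
    "customer_b": "10.1.0.0/16",
    "customer_c": "10.2.0.0/16",
}
```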
RE: Strange VPN problem [7:73641]
Thanks for your reply, I will read the documentation and see if I can solve my problem

--- "Reimer, Fred" wrote:
> Does anyone read the manuals around here???
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1070272
>
> You probably have your IKE proposal in your concentrator set for XAUTH, and
> you don't have your router setup for that. You can configure your router as
> the reference manual says, or you }may{ be able to add in a new or modify an
> existing IKE policy under Configuration | System | Tunneling Protocols |
> IPSec | IKE Proposals so that the Authentication mode is not one that has
> (XAUTH) at the end of it. Probably "Preshared Keys" would be the one you
> want. If you create a new one (recommended) then you would have to change
> the IKE policy used for your SA under Configuration | Policy Management |
> Traffic Management | SAs.
>
> Fred Reimer - CCNA
> Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
>
> -----Original Message-----
> From: suaveguru [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 07, 2003 1:08 AM
> To: [EMAIL PROTECTED]
> Subject: Strange VPN problem [7:73641]
>
> hi all,
>
> I am trying to set up an easy VPN solution for a cisco 837 to a cisco VPN
> concentrator 3005 using network extension mode but I keep getting this
> error msg
>
> "Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
> Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"
>
> Any form of input will be appreciated
>
> suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73698&t=73641
RE: Strange VPN problem [7:73641]
I have done that but now more problems crop in; look at my latest mail with attachment

suaveguru

--- "[EMAIL PROTECTED]" wrote:
> Guru.
>
> Type the no-xauth behind the key-mapping.
>
> isakmp key **NEWKEYNEWCUSTO** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
>
> Martijn
>
> -----Original Message-----
> From: suaveguru [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 7 August 2003 7:08
> To: [EMAIL PROTECTED]
> Subject: Strange VPN problem [7:73641]
>
> hi all,
>
> I am trying to set up an easy VPN solution for a cisco 837 to a cisco VPN
> concentrator 3005 using network extension mode but I keep getting this
> error msg
>
> "Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
> Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"
>
> Any form of input will be appreciated
>
> suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73705&t=73641
VPN Best Hardware to use? [7:73793]
I need to set up VPNs to about 2000 sites. Each site will have an IDSL line installed that will be used to connect to monitor network devices and servers. Some of the remote networks will be using the same network block. I am looking to know what the best hardware to use on each end is. On my end, would it be better to use a PIX or a 3030? On the remote end, I was looking at a PIX 501, SOHO 91 or the 831?

Thank you
Ryan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73793&t=73793
RE: VPN Connection from Windows Client to NT domain [7:73720]
There are a few things that you can try on the concentrator, like checking all the settings in the group that the client/user is a member of. But the most likely suspect is the settings on the PC. The network connection settings must have "Client for Microsoft Networks" enabled and I would also recommend NetBIOS over TCP/IP in the advanced settings. If you can ping the devices on the LAN, then you will require NetBIOS to browse properly. This is a simple solution to a possibly complicated scenario, but try it out anyway.

Regards,
Steve Wilson CCNP
Network Engineer

-----Original Message-----
From: Kai Bovermann [mailto:[EMAIL PROTECTED]
Sent: 08 August 2003 13:05
To: [EMAIL PROTECTED]
Subject: VPN Connection from Windows Client to NT domain [7:73720]

Dear all

We have a Cisco VPN concentrator 3000 series for VPN connection. What we want to do is to establish a VPN connection from a Windows client (W2k or WinXP Pro) to the concentrator and then log on to our domain and then get the shares connected to the PC. I created a VPN connection and it works properly. Only the log on to the domain will not work. It should work like this: the user is logged on to the PC and then, if it is needed, establishes the VPN connection, also gets logged on to the domain and gets the shares connected to the PC. How can I do this?

Thanks a lot
Kai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73726&t=73720
VPN Connection from Windows Client to NT domain [7:73720]
Dear all

We have a Cisco VPN concentrator 3000 series for VPN connection. What we want to do is to establish a VPN connection from a Windows client (W2k or WinXP Pro) to the concentrator and then log on to our domain and then get the shares connected to the PC. I created a VPN connection and it works properly. Only the log on to the domain will not work. It should work like this: the user is logged on to the PC and then, if it is needed, establishes the VPN connection, also gets logged on to the domain and gets the shares connected to the PC. How can I do this?

Thanks a lot
Kai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73720&t=73720
RE: Strange VPN problem [7:73641]
Get the latest version of CRWS (Cisco Router Web Setup), then you can use Xauth with a nice web front end. The IOS based version is, in my opinion, unusable and not for end users.

Joel.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 07 August 2003 15:31
To: [EMAIL PROTECTED]
Subject: RE: Strange VPN problem [7:73641]

XAUTH is in my perception for authentication of users, (local) especially radius or tacacs.

So what we do at the hub site for a static IKE peer is disable XAUTH, so that a spoke router does not get an auth prompt, or the hub does not wait for it.

So I think the hub is waiting for an answer, maybe used to authenticate VPN users only.

WHAT DID YOU PUT AT THE SCREEN IKE PROPOSALS? You need Preshared keys there!

8. The following example shows the various policies used in the IKE policy named "CiscoVPNClient-3DES-MD". In this policy, Preshared Keys(XAUTH) for Authentication Mode is being used so that the client will be prompted to supply a username and password at the end of IKE negotiations.

http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml#task2_steps

Martijn

-----Original Message-----
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 August 2003 9:40
To: Jansen, M
Subject: RE: Strange VPN problem [7:73641]

Thanks for your prompt reply, but I am using easyvpn configuration for cisco 805 router to concentrator 3005 with the cisco 805 as client mode and concentrator as hub. I can't find the line that you indicate for my cisco 805; could it be the easyvpn configuration that I am using?

suaveguru

--- [EMAIL PROTECTED] wrote:
> Guru.
>
> Type the no-xauth behind the key-mapping.
>
> isakmp key **NEWKEYNEWCUSTO** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
>
> Martijn
>
> -----Original Message-----
> From: suaveguru [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 7 August 2003 7:08
> To: [EMAIL PROTECTED]
> Subject: Strange VPN problem [7:73641]
>
> hi all,
>
> I am trying to set up an easy VPN solution for a cisco 837 to a cisco VPN
> concentrator 3005 using network extension mode but I keep getting this
> error msg
>
> "Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
> Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"
>
> Any form of input will be appreciated
>
> suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73668&t=73641
RE: Strange VPN problem [7:73641]
Does anyone read the manuals around here???

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1070272

You probably have your IKE proposal in your concentrator set for XAUTH, and you don't have your router setup for that. You can configure your router as the reference manual says, or you }may{ be able to add in a new or modify an existing IKE policy under Configuration | System | Tunneling Protocols | IPSec | IKE Proposals so that the Authentication mode is not one that has (XAUTH) at the end of it. Probably "Preshared Keys" would be the one you want. If you create a new one (recommended) then you would have to change the IKE policy used for your SA under Configuration | Policy Management | Traffic Management | SAs.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 1:08 AM
To: [EMAIL PROTECTED]
Subject: Strange VPN problem [7:73641]

hi all,

I am trying to set up an easy VPN solution for a cisco 837 to a cisco VPN concentrator 3005 using network extension mode but I keep getting this error msg

"Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"

Any form of input will be appreciated

suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73661&t=73641
RE: Strange VPN problem [7:73641]
Thanks for your answer, I will try and let you know the results.

regards,
suaveguru

--- [EMAIL PROTECTED] wrote:
> GURU:
> XAUTH is in my perception for authentication of users, (local) especially
> radius or tacacs.
>
> So what we do at the hub site for a static IKE peer is disable XAUTH, so
> that a spoke router does not get an auth prompt, or the hub does not wait
> for it.
>
> So I think the hub is waiting for an answer, maybe used to authenticate VPN
> users only.
>
> WHAT DID YOU PUT AT THE SCREEN IKE PROPOSALS? You need Preshared keys
> there!
>
> 8. The following example shows the various policies used in the IKE policy
> named "CiscoVPNClient-3DES-MD". In this policy, Preshared Keys(XAUTH) for
> Authentication Mode is being used so that the client will be prompted to
> supply a username and password at the end of IKE negotiations.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml#task2_steps
>
> Martijn
>
> -----Original Message-----
> From: suaveguru [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 7 August 2003 9:40
> To: Jansen, M
> Subject: RE: Strange VPN problem [7:73641]
>
> Thanks for your prompt reply, but I am using easyvpn configuration for
> cisco 805 router to concentrator 3005 with the cisco 805 as client mode and
> concentrator as hub. I can't find the line that you indicate for my cisco
> 805; could it be the easyvpn configuration that I am using?
>
> suaveguru
> --- [EMAIL PROTECTED] wrote:
> > Guru.
> >
> > Type the no-xauth behind the key-mapping.
> >
> > isakmp key **NEWKEYNEWCUSTO** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
> >
> > Martijn
> >
> > -----Original Message-----
> > From: suaveguru [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 7 August 2003 7:08
> > To: [EMAIL PROTECTED]
> > Subject: Strange VPN problem [7:73641]
> >
> > hi all,
> >
> > I am trying to set up an easy VPN solution for a cisco 837 to a cisco VPN
> > concentrator 3005 using network extension mode but I keep getting this
> > error msg
> >
> > "Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
> > Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"
> >
> > Any form of input will be appreciated
> >
> > suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73651&t=73641
Strange VPN problem [7:73641]
hi all,

I am trying to set up an easy VPN solution for a cisco 837 to a cisco VPN concentrator 3005 using network extension mode but I keep getting this error msg

"Aug 7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
Aug 7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth"

Any form of input will be appreciated

suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73641&t=73641
RE: Largest CA Keylength on VPN 3000 [7:73409]
Is it a size or allocation issue?

CSCdv48299
If fewer than three spots remain in the CA certificate store of a VPN 3000 Concentrator, and an attempt is made to install a CA certificate with associated RAs, then the RA or RAs are installed (filling the store) and the root certificate is not installed. This is incorrect behavior. Instead, the software should check to see if there is enough room in the store before installing a partial CA certificate. Partial certificates should not be installed. If the RAs and the Root certificate cannot be installed, the software should install nothing.

Or just RTFM below?

Martijn

Key Size (Manual: Yes, SCEP: Yes)
The algorithm for generating the public-key/private-key pair, and the key size. If you are requesting an SSL certificate, or if you are requesting an identity certificate using SCEP, only the RSA options are available.
- RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adelman) algorithm. This key size provides sufficient security and is the default selection. It is the most common, and requires the least processing.
- RSA 768 bits = Generate 768-bit keys using the RSA algorithm. This key size provides normal security. It requires approximately 2 to 4 times more processing than the 512-bit key.
- RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. This key size provides high security, and it requires approximately 4 to 8 times more processing than the 512-bit key.

(Manual: Yes, SCEP: No)
- DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature Algorithm).
- DSA 768 bits = Generate 768-bit keys using the DSA algorithm.
- DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.

-----Original Message-----
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Saturday, 2 August 2003 14:49
To: [EMAIL PROTECTED]
Subject: Largest CA Keylength on VPN 3000 [7:73409]

Let's see if anyone here can answer faster than Cisco TAC.

What is the largest CA root key length supported by the Cisco VPN Concentrator 3000 series hardware? I have a 4096 bit key and it won't accept the root key because it can't "validate" it.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73593&t=73409
Largest CA Keylength on VPN 3000 [7:73409]
Let's see if anyone here can answer faster than Cisco TAC.

What is the largest CA root key length supported by the Cisco VPN Concentrator 3000 series hardware? I have a 4096 bit key and it won't accept the root key because it can't "validate" it.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73409&t=73409
RE: VPN Client cannot connect [7:73350]
I think we'd need the logs on the router in order to diagnose why it is aborting. The client starts sending DPD keepalives, but there is no indication that it received any. It sends them out every 20 seconds, and after sending three or four of them the connection attempt is aborted.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338

-----Original Message-----
From: Tunde Kalejaiye [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 12:24 PM
To: [EMAIL PROTECTED]
Subject: VPN Client cannot connect [7:73350]

Hi all,

my set up is a VPN client connection to a Cisco IOS router. I can connect using an old version of the VPN client (3.6.4a) but I cannot connect using the newer versions (4.0.1 & 4.0.2). I actually get to the stage of putting in my username and password but nothing happens after that and it eventually times out. I have pasted the VPN client's logs. All inputs are appreciated.

regards,
Tunde

Cisco Systems VPN Client Version 4.0.2 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

113    15:11:19.082  08/01/03  Sev=Info/4  CM/0x6312
Begin connection process
114    15:11:19.082  08/01/03  Sev=Info/4  CM/0x6314
Establish secure connection using Ethernet
115    15:11:19.082  08/01/03  Sev=Info/4  CM/0x63100024
Attempt connection with server "217.37.10.173"
116    15:11:19.082  08/01/03  Sev=Info/6  IKE/0x633B
Attempting to establish a connection with 217.37.10.173.
117    15:11:19.122  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 217.37.10.173
118    15:11:19.192  08/01/03  Sev=Info/4  IPSEC/0x6378
IPSec driver successfully started
119    15:11:19.192  08/01/03  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
120    15:11:19.773  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
121    15:11:19.773  08/01/03  Sev=Info/4  IKE/0x6314
RECEIVING >> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 217.37.10.173
128    15:11:19.823  08/01/03  Sev=Info/4  IKE/0x6382
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
129    15:11:19.823  08/01/03  Sev=Info/4  CM/0x631E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
130    15:11:19.893  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
131    15:11:19.893  08/01/03  Sev=Info/4  IKE/0x6314
RECEIVING >> ISAKMP OAK TRANS *(HASH, ATTR) to 217.37.10.173
135    15:11:22.957  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
136    15:11:22.957  08/01/03  Sev=Info/4  IKE/0x6314
RECEIVING >> ISAKMP OAK TRANS *(Retransmission) to 217.37.10.173
142    15:11:30.208  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
143    15:11:30.208  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
144    15:11:50.237  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
145    15:11:50.237  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
146    15:12:10.265  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
147    15:12:10.265  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
148    15:12:30.294  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
149    15:12:30.294  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
150    15:12:48.370  08/01/03  Sev=Info/4  CM/0x6316
Abort connection attempt before Phase 1 SA up
151    15:12:48.370  08/01/03  Sev=Info/4  IKE/0x6301
IKE received signal to terminate VPN connection
152    15:12:48.370  08/01/03  Sev=Info/4  IKE/0x6317
Marking IKE SA for deletion (I_Cookie=492CE06BE33C37A0 R_Cookie=EADFFC9A257201A9) reason = DEL_REASON_RESET_SADB
153    15:12:48.370  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 217.37.10.173
154    15:12:48.380  08/01/03  Sev=Info/4  IKE/0x634A
Discarding IKE SA negotiation (I_Cookie=492CE06BE33C37A0 R_Cookie=EADFFC9A257201A9) reason = DEL_REASON_RESET_SADB
155
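Fred's reading of the log, as an added Python example (not code from the posts or from Cisco): a small parser for the VPN Client's numbered two-line log entries and a check for the pattern he describes, keepalives going out with nothing coming back before the abort. The embedded SAMPLE_LOG is constructed from entries in Tunde's post, and the peer address is the one he posted.

```python
"""Detect unanswered IKE keepalives in a Cisco VPN Client log.

Added example, not code from the posts or from Cisco. It reads the two-line
entry format the client writes (numbered header, then message) and checks
for the pattern Fred describes: keepalives go out, nothing comes back, and
the attempt is aborted before the Phase 1 SA is up. SAMPLE_LOG is constructed
from entries in Tunde's post; the peer address is the one he posted.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Header line: "<n>  HH:MM:SS.mmm  MM/DD/YY  Sev=<level>/<n>  <module>/<code>"
HEADER_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=\w+/\d\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)

SAMPLE_LOG = """\
120    15:11:19.773  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
130    15:11:19.893  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
135    15:11:22.957  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
142    15:11:30.208  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
144    15:11:50.237  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
146    15:12:10.265  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
148    15:12:30.294  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
150    15:12:48.370  08/01/03  Sev=Info/4  CM/0x6316
Abort connection attempt before Phase 1 SA up
151    15:12:48.370  08/01/03  Sev=Info/4  IKE/0x6301
IKE received signal to terminate VPN connection
"""

@dataclass
class Entry:
    num: int
    when: datetime
    module: str
    message: str

def parse_log(text: str) -> list[Entry]:
    """Pair each header line with the message line that follows it."""
    entries: list[Entry] = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m
            continue
        if header is None:
            continue  # banner text before the first numbered entry
        when = datetime.strptime(f"{header['date']} {header['time']}", "%m/%d/%y %H:%M:%S.%f")
        entries.append(Entry(int(header["num"]), when, header["module"], line))
        header = None
    return entries

@dataclass
class Verdict:
    keepalives_sent: int
    received_after_first_keepalive: int
    keepalive_interval: float   # mean seconds between sent heartbeats
    seconds_silent: float       # last packet from the peer until the abort
    aborted: bool

def analyse(entries: list[Entry]) -> Verdict:
    """Summarise the peer's responsiveness from the client's point of view."""
    sent: list[datetime] = []
    last_rx = None
    rx_after = 0
    abort_at = None
    for e in entries:
        if e.message.startswith("Received ISAKMP packet"):
            last_rx = e.when
            rx_after += 1 if sent else 0
        elif e.message.startswith("SENDING") and "NOTIFY:HEARTBEAT" in e.message:
            sent.append(e.when)
        elif e.message.startswith("Abort connection attempt"):
            abort_at = e.when
    gaps = [(b - a).total_seconds() for a, b in zip(sent, sent[1:])]
    interval = sum(gaps) / len(gaps) if gaps else 0.0
    silent = (abort_at - last_rx).total_seconds() if abort_at and last_rx else 0.0
    return Verdict(len(sent), rx_after, interval, silent, abort_at is not None)

def peer_unresponsive(v: Verdict, min_keepalives: int = 3) -> bool:
    """True when the client kept probing and the peer never answered: the
    next place to look is the router's logs, not the client."""
    return v.aborted and v.keepalives_sent >= min_keepalives and v.received_after_first_keepalive == 0
```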
VPN Client cannot connect [7:73350]
Hi all,

my set up is a VPN client connection to a Cisco IOS router. I can connect using an old version of the VPN client (3.6.4a) but I cannot connect using the newer versions (4.0.1 & 4.0.2). I actually get to the stage of putting in my username and password but nothing happens after that and it eventually times out. I have pasted the VPN client's logs. All inputs are appreciated.

regards,
Tunde

Cisco Systems VPN Client Version 4.0.2 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

113    15:11:19.082  08/01/03  Sev=Info/4  CM/0x6312
Begin connection process
114    15:11:19.082  08/01/03  Sev=Info/4  CM/0x6314
Establish secure connection using Ethernet
115    15:11:19.082  08/01/03  Sev=Info/4  CM/0x63100024
Attempt connection with server "217.37.10.173"
116    15:11:19.082  08/01/03  Sev=Info/6  IKE/0x633B
Attempting to establish a connection with 217.37.10.173.
117    15:11:19.122  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 217.37.10.173
118    15:11:19.192  08/01/03  Sev=Info/4  IPSEC/0x6378
IPSec driver successfully started
119    15:11:19.192  08/01/03  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
120    15:11:19.773  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
121    15:11:19.773  08/01/03  Sev=Info/4  IKE/0x6314
RECEIVING >> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 217.37.10.173
128    15:11:19.823  08/01/03  Sev=Info/4  IKE/0x6382
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
129    15:11:19.823  08/01/03  Sev=Info/4  CM/0x631E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
130    15:11:19.893  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
131    15:11:19.893  08/01/03  Sev=Info/4  IKE/0x6314
RECEIVING >> ISAKMP OAK TRANS *(HASH, ATTR) to 217.37.10.173
135    15:11:22.957  08/01/03  Sev=Info/5  IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173
136    15:11:22.957  08/01/03  Sev=Info/4  IKE/0x6314
RECEIVING >> ISAKMP OAK TRANS *(Retransmission) to 217.37.10.173
142    15:11:30.208  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
143    15:11:30.208  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
144    15:11:50.237  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
145    15:11:50.237  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
146    15:12:10.265  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
147    15:12:10.265  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
148    15:12:30.294  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173
149    15:12:30.294  08/01/03  Sev=Info/6  IKE/0x6352
Sent a keepalive on the IKE SA
150    15:12:48.370  08/01/03  Sev=Info/4  CM/0x6316
Abort connection attempt before Phase 1 SA up
151    15:12:48.370  08/01/03  Sev=Info/4  IKE/0x6301
IKE received signal to terminate VPN connection
152    15:12:48.370  08/01/03  Sev=Info/4  IKE/0x6317
Marking IKE SA for deletion (I_Cookie=492CE06BE33C37A0 R_Cookie=EADFFC9A257201A9) reason = DEL_REASON_RESET_SADB
153    15:12:48.370  08/01/03  Sev=Info/4  IKE/0x6313
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 217.37.10.173
154    15:12:48.380  08/01/03  Sev=Info/4  IKE/0x634A
Discarding IKE SA negotiation (I_Cookie=492CE06BE33C37A0 R_Cookie=EADFFC9A257201A9) reason = DEL_REASON_RESET_SADB
155    15:12:48.380  08/01/03  Sev=Info/5  CM/0x63100025
Initializing CVPNDrv
156    15:12:48.831  08/01/03  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
157    15:12:48.831  08/01/03  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
158    15:12:48.831  08/01/03  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
159    15:12:48.831  08/01/03  Sev=Info/4  IPSEC/0x637A
IPSec driver successfully stopped

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73350&t=73350
RE: VPN logging ACS server [7:73297]
Sounds like you need to turn on accounting to get the start/stop records.

-Original Message-
From: Jim Devane [mailto:[EMAIL PROTECTED]
Sent: 31 July 2003 18:42
To: [EMAIL PROTECTED]
Subject: VPN logging ACS server [7:73297]

Hello all,

I have 3.6 clients connecting to a PIX 515 and using Xauth. Everything is just grand except I need a way to get a report of every user that logs in and how long they were connected, preferably including start and stop times.

Our ACS server is great for showing when the connection was made by making an entry in the "Passed Authentications", but it does not record when the VPN is torn down.

Any solutions, suggestions, comments on how to capture the teardown so I can make a report of how long the user was connected? Is there an ACS fix, a PIX fix, some other fix (using an ISA server)? I am open to all sorts of suggestions.

thanks,
jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73338&t=73297
Re: Provider VPN Caveats [7:73207]
One thing that gets missed in the L2VPN versus L3VPN issue, with provider-provisioned LANs, is the people aspect, both for the provider and the customer. If you provision a L2VPN, it's a familiar interface to the customer. It's also much more familiar to telco/TDM technicians. I've seen market estimates that of telco staff, perhaps 10% would really be able to support L3VPN without extensive training.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73309&t=73207
VPN logging ACS server [7:73297]
Hello all,

I have 3.6 clients connecting to a PIX 515 and using Xauth. Everything is just grand except I need a way to get a report of every user that logs in and how long they were connected, preferably including start and stop times.

Our ACS server is great for showing when the connection was made by making an entry in the "Passed Authentications", but it does not record when the VPN is torn down.

Any solutions, suggestions, comments on how to capture the teardown so I can make a report of how long the user was connected? Is there an ACS fix, a PIX fix, some other fix (using an ISA server)? I am open to all sorts of suggestions.

thanks,
jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73297&t=73297
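The reply in this thread points at RADIUS accounting: once the PIX sends Start and Stop records to ACS, the connected time per user can be read off the accounting log rather than off "Passed Authentications". The script below is an added example, not code from the thread, from Cisco or from ACS; it pairs Start and Stop records by Acct-Session-Id and reports each user's session length, preferring the NAS-reported Acct-Session-Time and falling back to the gap between the two records' timestamps when that attribute is empty. The CSV columns and every record in it are constructed for the example (the column names are the standard RADIUS attribute names; the exact layout of an ACS report export is assumed, not taken from the page).

```python
import csv
import io
from datetime import datetime

# Constructed sample of RADIUS accounting records, laid out like a CSV
# export of an accounting report (hypothetical layout and data).
# Start/Stop records pair up by Acct-Session-Id; Acct-Session-Time is the
# NAS-reported duration carried in the Stop record and may be empty.
SAMPLE_ACCOUNTING_CSV = """\
Date,Time,User-Name,Acct-Status-Type,Acct-Session-Id,Acct-Session-Time,Framed-IP-Address
07/31/2003,18:42:10,jim,Start,0x0001,,192.168.123.180
07/31/2003,18:50:03,alice,Start,0x0002,,192.168.123.181
07/31/2003,19:12:40,jim,Stop,0x0001,1830,192.168.123.180
07/31/2003,19:30:00,bob,Start,0x0003,,192.168.123.182
07/31/2003,20:05:15,alice,Stop,0x0002,,192.168.123.181
"""


def parse_accounting(text):
    """Parse the CSV export into dicts with a combined datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(
            row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows


def session_report(text):
    """Pair Start and Stop records and return (closed, still_open).

    closed:     list of (user, session_id, seconds_connected), in Stop order
    still_open: list of (user, session_id) with a Start but no Stop yet
    Interim-Update records, if present, are ignored.
    """
    pending = {}   # Acct-Session-Id -> Start record not yet closed
    closed = []
    for rec in parse_accounting(text):
        sid = rec["Acct-Session-Id"]
        status = rec["Acct-Status-Type"]
        if status == "Start":
            pending[sid] = rec
        elif status == "Stop":
            start = pending.pop(sid, None)
            if rec["Acct-Session-Time"]:
                # The NAS counted the session itself; trust that first.
                seconds = int(rec["Acct-Session-Time"])
            elif start is not None:
                # Otherwise measure the gap between the two records.
                seconds = int((rec["timestamp"] - start["timestamp"]).total_seconds())
            else:
                seconds = None   # Stop with no matching Start: cannot compute
            closed.append((rec["User-Name"], sid, seconds))
    still_open = [(r["User-Name"], sid) for sid, r in pending.items()]
    return closed, still_open


if __name__ == "__main__":
    done, active = session_report(SAMPLE_ACCOUNTING_CSV)
    for user, sid, secs in done:
        print(f"{user:<8} session {sid} connected {secs} s")
    for user, sid in active:
        print(f"{user:<8} session {sid} still up (no Stop record yet)")
```

A session that has a Start but no Stop is reported separately rather than silently dropped: it is either still connected or the Stop record never reached the server (NAS reboot, lost UDP), and both cases are worth seeing in a report of connected time.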
RE: VPN Ports [7:73290]
Don't forget UDP port 500 for ISAKMP!

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: 31 July 2003 18:32
To: [EMAIL PROTECTED]
Subject: RE: VPN Ports [7:73290]

Steven Aiello wrote:
> Ok,
>
> I haven't gotten much of a bite on my access list question. But no
> worries, I have a book and I'm going to try it myself. However, can any
> one give me a list rundown of the ports needed for a VPN?

I didn't see your first message so I don't know what you're trying to accomplish, so if this message is a non sequitur, I apologize...

> exp
>
> IPSec portx tcp

IPSec doesn't use TCP ports. It uses IP protocol numbers. There are two types: the Authentication Header (AH) and Encapsulating Security Payload (ESP).

AH uses IP protocol number 51
ESP uses IP protocol number 50

> L2TP porty tcp

You can run L2TP over UDP, in which case UDP port number 1701 is used. See RFC 2661 for more info.

Talk to you later,
Priscilla

> I would greatly appreciate the help
>
> I am very new to the VPN side and I want to be sure I don't overlook
> anything
>
> Steven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73300&t=73290
RE: VPN Ports [7:73290]
Steven Aiello wrote:
> Ok,
>
> I haven't gotten much of a bite on my access list question. But no
> worries, I have a book and I'm going to try it myself. However, can any
> one give me a list rundown of the ports needed for a VPN?

I didn't see your first message so I don't know what you're trying to accomplish, so if this message is a non sequitur, I apologize...

> exp
>
> IPSec portx tcp

IPSec doesn't use TCP ports. It uses IP protocol numbers. There are two types: the Authentication Header (AH) and Encapsulating Security Payload (ESP).

AH uses IP protocol number 51
ESP uses IP protocol number 50

> L2TP porty tcp

You can run L2TP over UDP, in which case UDP port number 1701 is used. See RFC 2661 for more info.

Talk to you later,
Priscilla

> I would greatly appreciate the help
>
> I am very new to the VPN side and I want to be sure I don't overlook
> anything
>
> Steven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73292&t=73290
VPN Client cannot connect [7:73276]
I am using a VPN client version 4.0.1. I connect to the internet using an ADSL modem and I dial my network using the client. The problem is, after I put in my logon details into the logon screen, the connection times out without ever connecting. I have pasted the router config, the debug cry isa output and the Cisco VPN client log. Your help will be highly appreciated.

regards,
Tunde

router config:

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication enable default enable
aaa authorization commands 15 default local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 $1$.fkm$4O8.dVegwONw0eriy2Hzb/
enable password 7 02020555020303
!
username test password 7 09584B1A0D
memory-size iomem 15
ip subnet-zero
no ip source-route
!
!
ip domain-name rock
ip name-server 192.168.123.3
ip name-server 192.168.123.13
ip name-server 192.168.123.15
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address x.x.x.x
!
crypto isakmp client configuration group remotevpn
 key cisco123
 dns 192.168.123.3
 wins 192.168.123.2
 domain rock.com
 pool VPN
!
!
crypto ipsec transform-set cabweb esp-des esp-md5-hmac
crypto ipsec transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto dynamic-map dynmap 30
 set transform-set vpn-transform-set
!
!
crypto map cabweb client authentication list userauthen
crypto map cabweb isakmp authorization list groupauthor
crypto map cabweb client configuration address respond
crypto map cabweb 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set cabweb
 match address 111
crypto map cabweb 30 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map cabweb
!
interface FastEthernet0
 ip address 192.168.123.252 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 speed 100
 half-duplex
 ntp disable
 no cdp enable
 standby 2 ip 192.168.123.1
 standby 2 priority 150
 standby 2 preempt
!
ip local pool VPN 192.168.123.180 192.168.123.200
ip nat inside source list IP-NAT interface Ethernet0 overload
ip nat inside source static 192.168.123.13 1.1.1.2
ip nat inside source static 192.168.123.2 1.1.1.3
ip nat inside source static 192.168.123.3 1.1.1.4
no ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.6
ip route 0.0.0.0 0.0.0.0 192.168.123.4 100
no ip http server
ip pim bidir-enable
!
!
ip access-list standard IP-NAT
 deny   192.168.123.3
 deny   192.168.123.2
 deny   192.168.123.15
 deny   192.168.123.13
 permit 192.168.0.0 0.0.255.255
!
access-list 111 permit ip 192.168.123.0 0.0.0.255 192.168.124.0 0.0.0.255
no cdp run
!
line con 0
 exec-timeout 0 0
 password 7 1416160E0E0B3D2A282D
line aux 0
line vty 0 4
 password 7 0507071820425D0617
!
no scheduler allocate
end

debug output:

2d06h: ISAKMP (0:2): retransmitting phase 1 AG_INIT_EXCH...
2d06h: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
2d06h: ISAKMP (0:2): retransmitting phase 1 AG_INIT_EXCH
2d06h: ISAKMP (0:2): sending packet to 81.134.114.66 (R) AG_INIT_EXCH
2d06h: ISAKMP (0:0): received packet from 81.134.114.66 (N) NEW SA
2d06h: ISAKMP: local port 500, remote port 500
2d06h: ISAKMP (0:3): (Re)Setting client xauth list userauthen and state
2d06h: ISAKMP: Locking CONFIG struct 0x814F42E0 from crypto_ikmp_config_initialize_sa, count 3
2d06h: ISAKMP (0:3): processing SA payload. message ID = 0
2d06h: ISAKMP (0:3): processing ID payload. message ID = 0
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major
2d06h: ISAKMP (0:3): vendor ID is XAUTH
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID is DPD
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID is Unity
2d06h: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 30 policy
2d06h: ISAKMP:      encryption... What? 7?
2d06h: ISAKMP:      hash SHA
2d06h: ISAKMP:      default group 2
2d06h: ISAKMP:      auth XAUTHInitPreShared
2d06h: ISAKMP:      life type in seconds
2d06h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
2d06h: ISAKMP:      attribute 14
2d06h: ISAKMP (0:3
Example of reflexive access list with VPN access [7:73269]
Hello all,

I need some help with ACLs. My goal is to allow VPN traffic into my network to one firewall (static IP address). Also I want to allow traffic out of my FE 0/1 interface out to the net using "established" access lists. The services I want to let out are:

HTTP
HTTPS
SMTP
POP3
FTP
SFTP

If someone could help me out with a good start, or at least a good explanation of the process and how established or reflexive lists work. My network setup is fairly simple:

( internet )---Serial 0/1 |CISCO 2621XM| FE 0/1 (continued below)

FE 0/1--|Firewall 1| 12.40.100.131 (Needs VPN port passed through)
        \
         \
          \
           |Firewall 2| 12.40.100.132 (NO VPN ACCESS)

All users need the above services.

Thanks for all your help,
Steven - CCNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73269&t=73269
Re: Provider VPN Caveats [7:73207]
At 9:54 PM + 7/29/03, "Chuck Whose Road is Ever Shorter" wrote:
>>> BTW, I think it was dre who suggested I read the RFCs, which I've started
>>> to do, and suggested I check out the www.lightreading.com website. That site
>>> is great! I did do a search on Kompella vs. Kompella. I feel that Kompella
>>> has some good points, but so does Kompella. ;-) I guess the real question
>>> is which Kompella is most compelling?

Before burning out on this question, try a Martini.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73248&t=73207
Re: Provider VPN Caveats [7:73207]
John Neiberger wrote:
> I've been researching different types of service provider VPNs in general
> and Qwest's PRN, in particular. From what I can gather their PRN is a
> 2764-based VPN offering using IPSec tunneling. I've run into two fairly
> obvious caveats already and I'm wondering what other caveats might await
> that aren't so obvious.
>
> First, and most obvious, is that without the use of GRE or something similar
> we won't get multiprotocol capability. Second, and a little less obvious
> until you think about it, is that we would lose multicasting capabilities
> without jumping through some GRE hoops.
>
> To those of you more familiar with this sort of thing, are there any other
> operational caveats like these that I'd need to be aware of?
>
> BTW, I think it was dre who suggested I read the RFCs, which I've started to
> do, and suggested I check out the www.lightreading.com website. That site is
> great! I did do a search on Kompella vs. Kompella. I feel that Kompella has
> some good points, but so does Kompella. ;-) I guess the real question is
> which Kompella is most compelling?
>
> I didn't realize that there were so many competing VPN groups and
> technologies. At this rate, by the time we agree on any standard methods all
> of the technologies will be obsolete!

test

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73237&t=73207
Re: Provider VPN Caveats [7:73207]
""John Neiberger"" wrote in message news:[EMAIL PROTECTED]
> I've been researching different types of service provider VPNs in general
> and Qwest's PRN, in particular. From what I can gather their PRN is a
> 2764-based VPN offering using IPSec tunneling. I've run into two fairly
> obvious caveats already and I'm wondering what other caveats might await
> that aren't so obvious.
>
> First, and most obvious, is that without the use of GRE or something similar
> we won't get multiprotocol capability. Second, and a little less obvious
> until you think about it, is that we would lose multicasting capabilities
> without jumping through some GRE hoops.
>
> To those of you more familiar with this sort of thing, are there any other
> operational caveats like these that I'd need to be aware of?
>
> BTW, I think it was dre who suggested I read the RFCs, which I've started to
> do, and suggested I check out the www.lightreading.com website. That site is
> great! I did do a search on Kompella vs. Kompella. I feel that Kompella has
> some good points, but so does Kompella. ;-) I guess the real question is
> which Kompella is most compelling?
>
> I didn't realize that there were so many competing VPN groups and
> technologies. At this rate, by the time we agree on any standard methods all
> of the technologies will be obsolete!

As the mainframe guys used to say, we love standards. That's why we have so many of them!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73212&t=73207
Provider VPN Caveats [7:73207]
I've been researching different types of service provider VPNs in general and Qwest's PRN, in particular. From what I can gather their PRN is a 2764-based VPN offering using IPSec tunneling. I've run into two fairly obvious caveats already and I'm wondering what other caveats might await that aren't so obvious.

First, and most obvious, is that without the use of GRE or something similar we won't get multiprotocol capability. Second, and a little less obvious until you think about it, is that we would lose multicasting capabilities without jumping through some GRE hoops.

To those of you more familiar with this sort of thing, are there any other operational caveats like these that I'd need to be aware of?

BTW, I think it was dre who suggested I read the RFCs, which I've started to do, and suggested I check out the www.lightreading.com website. That site is great! I did do a search on Kompella vs. Kompella. I feel that Kompella has some good points, but so does Kompella. ;-) I guess the real question is which Kompella is most compelling?

I didn't realize that there were so many competing VPN groups and technologies. At this rate, by the time we agree on any standard methods all of the technologies will be obsolete!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73207&t=73207
RE: what's the bandwidth for this PIX-PIX VPN? [7:73088]
I can only think of the max throughput minus AH and the new IP header. So roughly 90%? Experience says that maybe you can do some tweaking on the MTU side?

Martijn Jansen

-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, 28 July 2003 10:07
To: [EMAIL PROTECTED]
Subject: what's the bandwidth for this PIX-PIX VPN? [7:73088]

Hi..

I have a PIX 515 connected to the internet; the bandwidth is 512K. Besides this, the PIX 515 also has a PIX-PIX VPN to two of our branches. I found that when I transfer a big file via the PIX-PIX VPN, the bandwidth utilisation will never reach the maximum. But when I download a big file from the internet, it will reach the max. Why?? Note that there is no traffic shaping in the router. What is the max bandwidth for a PIX-PIX VPN on a 512K link???

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73096&t=73088
RE: what's the bandwidth for this PIX-PIX VPN? (the numbers) [7:73097]
PIX 515E Performance Summary

Cleartext throughput: 188 Mbps
Concurrent connections: 130,000
168-bit 3DES IPsec VPN throughput: up to 140 Mbps with VAC+ or 63 Mbps with VAC
128-bit AES IPsec VPN throughput: up to 135 Mbps with VAC+
256-bit AES IPsec VPN throughput: up to 140 Mbps with VAC+
Simultaneous VPN tunnels: 2000

from CCO

Martijn Jansen

-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, 28 July 2003 10:07
To: [EMAIL PROTECTED]
Subject: what's the bandwidth for this PIX-PIX VPN? [7:73088]

Hi..

I have a PIX 515 connected to the internet; the bandwidth is 512K. Besides this, the PIX 515 also has a PIX-PIX VPN to two of our branches. I found that when I transfer a big file via the PIX-PIX VPN, the bandwidth utilisation will never reach the maximum. But when I download a big file from the internet, it will reach the max. Why?? Note that there is no traffic shaping in the router. What is the max bandwidth for a PIX-PIX VPN on a 512K link???

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73097&t=73097
what's the bandwidth for this PIX-PIX VPN? [7:73088]
Hi..

I have a PIX 515 connected to the internet; the bandwidth is 512K. Besides this, the PIX 515 also has a PIX-PIX VPN to two of our branches. I found that when I transfer a big file via the PIX-PIX VPN, the bandwidth utilisation will never reach the maximum. But when I download a big file from the internet, it will reach the max. Why?? Note that there is no traffic shaping in the router. What is the max bandwidth for a PIX-PIX VPN on a 512K link???

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73088&t=73088
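Martijn's replies in this thread put the tunnel's ceiling at "roughly 90%" of the link and suggest looking at the MTU. The block below is an added worked example, not code from the thread or from Cisco, that puts numbers on that: it computes the bytes an ESP tunnel-mode packet adds around an inner IP packet and the largest inner packet that still fits a 1500-byte outer MTU without fragmentation. It assumes ESP with 3DES and HMAC-SHA1-96 (the esp-3des esp-sha-hmac transform set that appears in the configs on this page: 8-byte cipher block, 8-byte IV, 12-byte ICV), no AH, and a 40-byte inner IPv4+TCP header; the 512 kbit/s figure is the link size from Richard's question. It covers only the encapsulation overhead, which is one of several things that can keep a tunnel below line rate.

```python
# Added example: ESP tunnel-mode overhead per packet (not from the thread).
# Assumed transform: esp-3des esp-sha-hmac -> block=8, iv=8, icv=12 bytes.
# For 128-bit AES pass block=16, iv=16 (ICV stays 12 with HMAC-SHA1-96).

OUTER_IP_HDR = 20      # new IPv4 header added in tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
INNER_L3L4_HDRS = 40   # inner IPv4 + TCP headers, no options (assumed)


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    # Inner packet + trailer is padded up to a multiple of the cipher block.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP_HDR + ESP_HDR + iv + inner_len + pad + ESP_TRAILER + icv


def max_inner_len(outer_mtu=1500, **cipher):
    """Largest inner packet whose encapsulated form fits outer_mtu."""
    for inner in range(outer_mtu, 0, -1):
        if esp_tunnel_size(inner, **cipher) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any payload")


def tcp_goodput_ratio(inner_len, **cipher):
    """Share of wire bytes that is TCP payload once ESP and inner headers are paid."""
    return (inner_len - INNER_L3L4_HDRS) / esp_tunnel_size(inner_len, **cipher)


def goodput_kbps(link_kbps, inner_len, **cipher):
    """Application-level ceiling on a link of link_kbps for a given inner size."""
    return round(link_kbps * tcp_goodput_ratio(inner_len, **cipher))


if __name__ == "__main__":
    print("1500-byte inner packet becomes", esp_tunnel_size(1500), "bytes on the wire")
    best = max_inner_len(1500)
    print("largest inner packet that fits 1500 without fragmentation:", best)
    print("TCP goodput ceiling on 512 kbit/s:", goodput_kbps(512, best), "kbit/s")
```

A full-size 1500-byte inner packet grows past the outer MTU and gets fragmented, which is the case the MTU tweaking is meant to avoid; clamping the inner packet to the value max_inner_len returns keeps every tunnel packet whole.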
Microsoft VPN through a router [7:72824]
I was wondering what ports I would need to have open for a Microsoft VPN connection on my router. If I have done my homework correctly I think:

IPSec port: 50
L2TP port: 1701
PPTP port: 1723

Are these all TCP, UDP???

I don't really have a full understanding of how the protocol and port process of a VPN works. I understand the theory; how IPSec encrypts the info in a tunnel data portion of another IP packet blaa blaa blaa. But any more additional detailed info would be great.

Thanks,
Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72908&t=72824
Re: Microsoft VPN through a router [7:72824]
VPN    Protocol   Port
GRE    Not used   Not used
PPTP   TCP        1723
L2F    UDP        1701
L2TP   UDP        1701
IKE    UDP        500
ESP    50
AH     51

Note that AH and ESP are protocol numbers, not port numbers (though you can refer to them by name in Access Lists, just as you do telnet or ftp, etc.).

Annlee

Steven Aiello wrote:
> I was wondering what ports I would need to have open for a Microsoft VPN
> connection on my router. If I have done my homework correctly I think
>
> IPSec port: 50
> L2TP port : 1701
> PPTP port : 1723
>
> Are these all TCP, UDP???
>
> I don't really have a full understanding of how the protocol and port
> process of a VPN works. I understand the theory; how IPSec encrypts
> the info in a tunnel data portion of another IP packet blaa blaa blaa.
> But any more additional detailed info would be great.
>
> Thanks,
> Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72851&t=72824
RE: Microsoft VPN through a router [7:72824]
Steven Aiello wrote:
> I was wondering what ports I would need to have open for a
> Microsoft VPN connection on my router. If I have done my homework
> correctly I think
>
> IPSec port: 50

This is a protocol number (as in "protocol above IP"). You will also need 51 I think.

> L2TP port : 1701

UDP

> PPTP port : 1723

TCP

> Are these all TCP, UDP???
>
> I don't really have a full understanding of how the protocol
> and port process of a VPN works. I understand the theory; how IPSec
> encrypts the info in a tunnel data portion of another IP packet blaa
> blaa blaa. But any more additional detailed info would be great.

The RFCs are pretty detailed.

Thanks,
Zsombor

> Thanks,
> Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72830&t=72824
Re: Microsoft VPN through a router [7:72824]
Steve,

You need to open GRE from any source to your VPN server and then, depending on whether you're using PPTP or L2TP, make sure you have either tcp/1723 or tcp/1701 open.

My ACL looks like this for PPTP access...

access-list 101 permit tcp any host eq 1723
access-list 101 permit gre any host

Stevo

""Steven Aiello"" wrote in message news:[EMAIL PROTECTED]
> I was wondering what ports I would need to have open for a Microsoft VPN
> connection on my router. If I have done my homework correctly I think
>
> IPSec port: 50
> L2TP port : 1701
> PPTP port : 1723
>
> Are these all TCP, UDP???
>
> I don't really have a full understanding of how the protocol and port
> process of a VPN works. I understand the theory; how IPSec encrypts
> the info in a tunnel data portion of another IP packet blaa blaa blaa.
> But any more additional detailed info would be great.
>
> Thanks,
> Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72831&t=72824
RE: Microsoft VPN through a router [7:72824]
For IPSec I believe you need >protocolsport< 500. The 50 is a protocol number, like UDP is 17 and TCP is what? 6? It is not a TCP or UDP port number...

Fred Reimer - CCNA
Eclipsys Corporation

-Original Message-
From: Steven Aiello [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2003 1:32 PM
To: [EMAIL PROTECTED]
Subject: Microsoft VPN through a router [7:72824]

I was wondering what ports I would need to have open for a Microsoft VPN connection on my router. If I have done my homework correctly I think:

IPSec port: 50
L2TP port: 1701
PPTP port: 1723

Are these all TCP, UDP???

I don't really have a full understanding of how the protocol and port process of a VPN works. I understand the theory; how IPSec encrypts the info in a tunnel data portion of another IP packet blaa blaa blaa. But any more additional detailed info would be great.

Thanks,
Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72833&t=72824
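The two threads above ("VPN Ports" and "Microsoft VPN through a router") keep returning to the same point: ESP (50), AH (51) and GRE (47) are IP protocol numbers, while IKE/ISAKMP (UDP 500), L2TP (UDP 1701) and PPTP (TCP 1723) are ports, and an ACL line written as "tcp ... eq 50" matches none of the IPsec traffic. The block below is an added example, not code from either thread, from Stevo's ACL or from Cisco: a small parser and first-match evaluator for IOS numbered extended ACL lines of the shape used in the thread (permit/deny, protocol keyword, any/host addresses, optional "eq port"), run against constructed packets. The VPN endpoint address 192.0.2.10 and the second host 192.0.2.11 are documentation addresses invented for the example, and the UDP 4500 line (IPsec NAT-Traversal) is not something the threads mention; it is included because a client behind NAT needs it. Wildcard-mask addresses, named ports and ranges are not handled.

```python
from dataclasses import dataclass
from typing import Optional

# IOS protocol keywords and the IP protocol numbers they match.
# "ip" matches any protocol. esp/ahp/gre are protocol numbers, not ports,
# which is why they take no "eq <port>" clause.
IP_PROTO = {"ip": None, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # key of IP_PROTO
    src: str               # "any" or a host address
    dst: str
    dport: Optional[int]   # only for tcp/udp with "eq <port>"


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form at {tokens[i]!r} (only any/host handled)")


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    proto = t[3].lower()
    if proto not in IP_PROTO:
        raise ValueError(f"unknown protocol keyword {proto!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t):
        # A port qualifier is only meaningful for TCP/UDP entries.
        if t[i] == "eq" and proto in ("tcp", "udp") and i + 1 < len(t):
            dport = int(t[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported trailer {' '.join(t[i:])!r}")
    return Ace(t[2], proto, src, dst, dport)


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def evaluate(acl, proto_num, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        want = IP_PROTO[ace.proto]
        if want is not None and want != proto_num:
            continue
        if ace.src != "any" and ace.src != src:
            continue
        if ace.dst != "any" and ace.dst != dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed sample ACL. 192.0.2.10 stands in for the VPN endpoint behind
# the router; the second firewall at 192.0.2.11 gets no VPN entries.
SAMPLE_ACL = """
access-list 101 permit udp any host 192.0.2.10 eq 500
access-list 101 permit udp any host 192.0.2.10 eq 4500
access-list 101 permit esp any host 192.0.2.10
access-list 101 permit ahp any host 192.0.2.10
access-list 101 permit gre any host 192.0.2.10
access-list 101 permit tcp any host 192.0.2.10 eq 1723
access-list 101 permit udp any host 192.0.2.10 eq 1701
"""

ACL_101 = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    checks = [  # (label, ip protocol, src, dst, dst port) - constructed packets
        ("ESP to the VPN endpoint",               50, "198.51.100.7", "192.0.2.10", None),
        ("'TCP port 50' (the thread's mix-up)",    6, "198.51.100.7", "192.0.2.10", 50),
        ("IKE, UDP 500",                          17, "198.51.100.7", "192.0.2.10", 500),
        ("PPTP to the other firewall",             6, "198.51.100.7", "192.0.2.11", 1723),
    ]
    for label, *pkt in checks:
        print(f"{label:<40} -> {evaluate(ACL_101, *pkt)}")
```

The second check is the one worth keeping in mind: a packet of protocol 6 with destination port 50 reaches the implicit deny, and so does real ESP if the only entry written for it is a TCP one, which is how a "port 50" rule silently breaks an IPsec tunnel while everything else on the ACL looks right.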