Re: Difference between Cisco VPN and PIX Firewall [7:75235]

2003-09-11 Thread Mr piyush shah
Hello all
Can I know what is the Cisco PIX and that of a Cisco
VPN 3000 in terms of performance?
As I am planning to implement VPN with either VPN
Concentrator or PIX, however I was told that if you
implement only VPN Concentrator instead of PIX, then
you may get VPN connectivity but you will not be able
to implement the filtering functionalities which are
required. In case of PIX I may get both VPN as well
as filtering of unwanted traffic, thereby chances of
hacking sessions are less.
Is this true?
I am confused. Kindly help me.
Also which one should be considered the best scenario
for implementation?
I am giving the 3 scenarios below. If there is any
scenario better than these, please let me know with the
pros and cons of that one. Also I request you to let me know
the pros and cons of these scenarios also.
Thanks in advance.

Scenario I               Scenario II              Scenario III

 Internet                 Internet                 Internet
    |                        |                        |
 VPN Concentrator         Firewall                 Firewall--VPN
    |                        |                        |     Concentrator
   LAN                    VPN                        LAN _______|
                          Concentrator
                             |
                            LAN









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75235t=75235
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


Re: Difference between Cisco VPN and PIX Firewall [7:75235]

2003-09-11 Thread annlee
Standard answer: it depends.

Followed immediately by the standard question: what problem are you 
trying to solve?

The VPN Concentrator does not firewall or filter; it is a specialized 
tunnel termination device. You may (emphasis on may) need to use it 
when you are terminating more than about 20 tunnels. That depends on 
how active the tunnels are and what else your firewall is doing -- how 
much other work must it do filtering how much other traffic?

The Concentrator does offer AES and DH Group 7 (the latter is useful 
if the other end of the tunnel is a client which can support ECC, but 
not many can).

You need a firewall between you and the Internet. Have a look at the 
SMR SAFE Blueprint, here:
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8a0.shtml
 


If you do decide to use a Concentrator, people may differ, but I 
recommend terminating your tunnels outside the firewall. If you don't, 
the firewall must either work at the traffic to inspect it properly 
(which in fact makes it work even harder to re-encrypt, etc. to send it 
to the Concentrator) or you poke a big hole in the firewall by 
accepting traffic that looks like it ought to be a part of the 
tunnel.  If your LAN receives public traffic (is there a public-facing 
server, any kind of mini-DMZ?), then you will want a switch to send 
tunnel traffic to the Concentrator and all other traffic to the 
firewall. Looks sort of like this:

                Concentrator
               /            \
Internet---switch------------firewall---LAN

HTH

Annlee







RE: Difference between Cisco VPN and PIX Firewall [7:75235]

2003-09-11 Thread Reimer, Fred
Scenario III is probably the most recommended.  It is incorrect to say that
the VPN Concentrator does not have filtering capabilities.  It generally
only allows traffic in its public interface necessary for VPN connections,
so it is not any more inherently insecure as a PIX.  It does not have all of
the capabilities of the PIX however, so if you need a true firewall I'd go
with a firewall (not necessarily a PIX, I personally think they suck, go
with a Check Point).

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.




vpn client termination on router, with split-tunnel [7:75134]

2003-09-09 Thread bk
Hello all,

I am trying to terminate a vpn tunnel on a 3640 for clients (4.x).  I 
have done it on a pix with split-tunnel.  Can the 3640 be setup to 
perform split-tunnel?






Re: vpn client termination on router, with split-tunnel [7:75147]

2003-09-09 Thread nrf
Sure

You will need to be running IOS 12.2(8)T or above.



RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Deepali S
Hi James,

 First and foremost, please make sure that the inside IP address of the PIX
and the VPN address pool are of different ranges, since there is a BUG
associated; I would recommend you to use an entirely different range of
address pool.

 What is the client version you are using? If you are using Cisco VPN client
3.6.x and above, then please change the hash type to md5 as Cisco VPN client
3.6.x doesn't support sha.

  isakmp policy 1 hash md5

 Pls check this link:

 http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

 Just let me know if you have any queries.

 




RE: 2501 VPN [7:73977]

2003-09-02 Thread Deepali S
Hi 

 You can check this link:

 http://www.cisco.com/warp/public/707/overload_public.html

 
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:IPSecs=Implementation_and_Configuration#Samples_and_Tips

 Just let me know if you have any queries.
 




RE: PIX VPN Setup [7:74369]

2003-09-02 Thread Deepali S
Hi! John,

 The isakmp and pre-share key is used only when you have the L2L tunnel
setup.
 When you have a VPN tunnel between Client and PIX , the command below is
same as the isakmp and pre-shared key.

 vpngroup VPNUSER password  
 
 Split tunneling is used when you want the user to browse the internet while
he still has a VPN tunnel established.

 Pls check this link to know more about split tunneling: 

 http://www.cisco.com/warp/public/707/ipsec_debug.html#inability

 Let me know if you have any queries.




RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-09-02 Thread Reimer, Fred
Hmm, that's bizarre.  I'm running 4.02B and I can use SHA.  Where did you
get the information that 3.6 and above don't support SHA???





Pix VPN SMTP [7:74527]

2003-08-29 Thread John Cianfarani
I have a Pix 501 setup for VPN for a few users, now the outgoing SMTP
server for all their email (from Bell Sympatico) only allows relaying
when on the Bell domain.  So everything works fine when people are in
the office but if they go home and use say Rogers to connect to the
internet, then VPN into the office and try to send an email out it won't
work.   There is a split tunnel setup so only traffic going to the local
network 192.168.1.x will get pushed through the VPN Tunnel.  And since
Pix doesn't allow someone to come in on the outside interface then go
out again.  Anyone have any thoughts to fix this?  Any router models
similar in price/function to the pix 501 that might not cause this
problem.
 
Thanks
John






PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread James Willard
Hi all,

Thanks in advance for reading this message. I am completely boggled on an
issue here that I have literally been trying to troubleshoot for some 12
hours now.

I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.

Here are the relevant parts of my config:

:PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any 
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set vpn esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 300
crypto dynamic-map dynmap 30 set transform-set vpn
crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
crypto map crypto-map-swa interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 300
vpngroup VPNUser address-pool vpnusers
vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
vpngroup VPNUser idle-time 1800
vpngroup VPNUser password 

Let's say the outside interface is 100.100.100.28. These are the networks:

100.100.100.28 255.255.255.240(outside)
192.168.1.0255.255.255.0  (inside)
192.168.2.0255.255.255.0  (vpn IP pool)
10.0.1.0   255.255.255.0  (dmz)

I can connect with the client just fine, but neither end can ping the other.
Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
192.168.2.100. The VPN Client side shows packets being encrypted but none
decrypted. The IPSec SA on the PIX shows packets being encrypted and none
decrypted.

Also worth noting is that the VPN client status shows Transparent
Tunneling: Inactive on the status page while connecting, even though isakmp
nat-traversal is enabled. An ethereal capture shows the client sending ESP
packets to the PIX but none are coming back.

Please, if anyone has any ideas I would love to hear them. This has been
driving me crazy!

Thanks,

James Willard
[EMAIL PROTECTED]






help with vpn scenario [7:74366]

2003-08-26 Thread Chandler Mike
Please help with the following scenario: A laptop user works for Company A
and possesses a Company A laptop that belongs to their domain. The user
needs to frequently access confidential records that belong to Company A
while on another company's network.

The user also works onsite (with Company A's laptop) of another company,
Company B. This company has its own network, unrelated and not tied into
Company A's network in any way. How does the user access a vpn concentrator
located at Company A while working onsite at Company B without logging on to
their domain? The laptop has the cisco vpn client installed on it and the
user uses it from home fine. But how does one setup a secure method of
having the user vpn into Company A while on another company's network
without compromising the data on the laptop?

This is a real scenario, sorry if I am overlooking some obvious things, but
I would appreciate any input on making this work. Thanks

Mike C




PIX VPN Setup [7:74367]

2003-08-26 Thread John Cianfarani
I'm setting up a small VPN just for home use so me and a few friends can
log in remotely via a PIX 501 w/ 3DES over my cable connection.  
 
Now I've got it working, but found a few strange things I had questions
about.  I have each user setup with the VPNGROUP config lines. (I will
post config below), everyone uses the Cisco VPN client to connect.  Now
I noticed that I never set an isakmp pre-share key and there is no spot
to add one in the Cisco client only user/pass I would think that should
be needed for secure connectivity.  The other setup I did was have a
split-tunnel applied to the user when they connect to only encrypt
traffic destined for the local network and any regular internet traffic
would still go out the person's internet connection.  In testing I tried
to get all traffic to flow through the VPN but I think the pix prevents
traffic coming in on the outside interface to leave on that same
interface (as it would with internet traffic) . Any way to do this or do
you need another interface?
Also just wondering if there is a better way to write this config or any
other tips are appreciated.
 
Here is an edited config with only the relevant portions.
 
Thanks for any help
John
 
PIX Version 6.3(1)
!
access-list 80 permit ip any host 192.168.1.75 
access-list 80 permit ip any host 192.168.1.76 
access-list 80 permit ip any host 192.168.1.77 
access-list 80 permit ip any host 192.168.1.78 
access-list 80 permit ip any host 192.168.1.79 
!
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78 
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79 
!
ip address outside dhcp setroute
ip address inside 192.168.1.254 255.255.255.0
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
!
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
floodguard enable
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac 
crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
!
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
!
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER dns-server 
vpngroup VPNUSER default-domain cisco.com
vpngroup VPNUSER split-tunnel 90
vpngroup VPNUSER idle-time 1800
vpngroup VPNUSER password 
vpngroup john address-pool REMOTEUSER
vpngroup john dns-server 
vpngroup john default-domain cisco.com
vpngroup john idle-time 1800
vpngroup john password 




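The two PIX configs posted in these threads, John's above (pool 192.168.1.75-79 carved out of the 192.168.1.0/24 inside LAN, no split-tunnel ACL for group john) and James's in [7:74363] (a separate 192.168.2.0/24 pool), make a good input for a small lint that checks the points the replies keep raising: Deepali S's warning about the pool overlapping the inside range, whether the nat 0 exemption ACL actually covers every pool address, and whether each vpngroup has a split-tunnel ACL. This is an added example, not code from any poster or from Cisco; the config strings are reconstructed from the two posts, and James's `ip address inside 192.168.1.1` line is an assumption since he gave only the network.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

Net, Addr = ipaddress.IPv4Network, ipaddress.IPv4Address

# Constructed from John Cianfarani's post [7:74367]: the client pool sits inside the LAN range.
JOHN_CONFIG = """\
access-list 80 permit ip any host 192.168.1.75
access-list 80 permit ip any host 192.168.1.76
access-list 80 permit ip any host 192.168.1.77
access-list 80 permit ip any host 192.168.1.78
access-list 80 permit ip any host 192.168.1.79
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79
ip address inside 192.168.1.254 255.255.255.0
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
nat (inside) 0 access-list 80
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER split-tunnel 90
vpngroup john address-pool REMOTEUSER
"""

# Constructed from James Willard's post [7:74363]; 'ip address inside' is an assumption
# (he gave only the 192.168.1.0/24 network), every other line is from his config.
JAMES_CONFIG = """\
ip address inside 192.168.1.1 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
vpngroup VPNUser address-pool vpnusers
vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
"""

@dataclass
class PixVpnConfig:
    inside: Net | None = None
    pools: dict[str, tuple[Addr, Addr]] = field(default_factory=dict)     # name -> (first, last)
    acls: dict[str, list[tuple[Net, Net]]] = field(default_factory=dict)  # name -> [(src, dst)]
    nat0_acl: str | None = None                                           # nat (inside) 0 ACL
    group_pool: dict[str, str] = field(default_factory=dict)              # vpngroup -> pool
    group_split: dict[str, str] = field(default_factory=dict)             # vpngroup -> split ACL

def _addr_spec(tokens: list[str]) -> tuple[Net, list[str]]:
    # Consume one PIX address spec ('any' | 'host A' | 'A MASK'), return it and the rest.
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(f"{tokens[1]}/32"), tokens[2:]
    return Net(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_pix(text: str) -> PixVpnConfig:
    # Pick the remote-access VPN pieces out of a PIX 6.x configuration.
    cfg = PixVpnConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t or raw.lstrip().startswith(("!", ":")):
            continue
        if t[:3] == ["ip", "address", "inside"]:
            cfg.inside = Net(f"{t[3]}/{t[4]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg.pools[t[3]] = (Addr(lo), Addr(hi))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _addr_spec(t[4:])
            cfg.acls.setdefault(t[1], []).append((src, _addr_spec(rest)[0]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg.nat0_acl = t[4]
        elif t[0] == "vpngroup" and len(t) >= 4 and t[2] == "address-pool":
            cfg.group_pool[t[1]] = t[3]
        elif t[0] == "vpngroup" and len(t) >= 4 and t[2] == "split-tunnel":
            cfg.group_split[t[1]] = t[3]
    return cfg

def lint(cfg: PixVpnConfig) -> list[str]:
    # Human-readable findings; an empty list means every check passed.
    findings: list[str] = []
    # 1. Deepali S's warning: the client pool must not overlap the inside subnet.
    for name, (lo, hi) in cfg.pools.items():
        if cfg.inside and (lo in cfg.inside or hi in cfg.inside):
            findings.append(f"pool {name} {lo}-{hi} overlaps inside subnet {cfg.inside}")
    exempt = cfg.acls.get(cfg.nat0_acl or "", [])
    for group, pool in cfg.group_pool.items():
        lo, hi = cfg.pools[pool]
        # 2. Every pool address must be a destination in the nat 0 exemption ACL,
        #    otherwise replies to the client are NATed instead of sent into the tunnel.
        uncovered = [lo + i for i in range(int(hi) - int(lo) + 1)
                     if not any(lo + i in dst for _, dst in exempt)]
        if uncovered:
            findings.append(f"vpngroup {group}: {len(uncovered)} pool address(es) missing from nat 0 ACL {cfg.nat0_acl!r}, first {uncovered[0]}")
        # 3. With no split-tunnel ACL every client packet is tunnelled, and PIX 6.x
        #    will not send it back out the interface it arrived on (Francisco's point).
        split = cfg.group_split.get(group)
        if split is None:
            findings.append(f"vpngroup {group}: no split-tunnel ACL, all client traffic is tunnelled")
        elif split not in cfg.acls:
            findings.append(f"vpngroup {group}: split-tunnel ACL {split} is not defined")
    return findings
```

Run `lint(parse_pix(JOHN_CONFIG))` to see the overlap and the full-tunnel group reported, and `lint(parse_pix(JAMES_CONFIG))` to see an empty list.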



RE: help with vpn scenario [7:74366]

2003-08-26 Thread Reimer, Fred
It depends on Company B's firewall, and how it is setup to allow IPsec
traffic (or not).  Theoretically, there is no difference between connecting
to Company A via an ISP connection and connecting to Company A through
Company B, except that Company B's firewall may not allow or be capable of
allowing IPsec connections.



Re: help with vpn scenario [7:74366]

2003-08-26 Thread Francisco Gomez
Hi Chandler,



To secure the laptop of Company A while connected via VPN from Company B, my
suggestion is to run the Client Firewall feature the concentrator has (this
is why I love this device so much). While you are connected via VPN, the
concentrator will inject a set of rules (a firewall configuration) that
will run on the PC while connected. In other words:





COMPANY A --- CVPN 300X -------- LAPTOP --- COMPANY B (DOMAIN)
                                               |
                                              PC1





LAPTOP is connected to Company B directly, right? OK, PC1 should be able to
ping LAPTOP because they belong to the same network. If LAPTOP is connected to
CVPN300X, the concentrator will inject a firewall set of rules (like a
PIX) that will prevent PC1 from pinging LAPTOP; in other words the VPN client
installed is protecting and acting as a firewall for itself. This means
that while LAPTOP is connected, no one from Company B will be able to ping
it; if LAPTOP is disconnected from the CVPN300X, now PC1 will be able to ping
it, because the firewall was removed with the tunnel as well. For more details
on this please check the link below:



Client FW Parameters Tab (version 4.X)

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/config/usermgt.htm#1759740



My two cents,



Frank

Costa Rica





Re: PIX VPN Setup [7:74369]

2003-08-26 Thread Francisco Gomez
John,



One question at the time:



1)  I noticed that I never set an isakmp pre-share key



  - Remember that for a VPN client connection, ISAKMP or Phase I is
established using aggressive mode in this case, and because the remote
connection could come from any place on the Internet, a pre-share key is not
used like in a L2L tunnel isakmp key  etc... This is not a security
risk, but if you want to be a little more specific, you can use digital
certificates (rsa-signatures), so that will give you the opportunity to
trust more in the people getting connected. CRLs are definitely
something I would suggest. For more details check this link:



http://www.cisco.com/warp/public/471/configipsecsmart.html



...you can avoid the eToken part



2)   In testing I tried to get all traffic to flow through the VPN but I
think the pix prevents  traffic coming in on the outside interface to leave
on that same  interface



  - The PIX firewall will never re-direct packets to the same interface they
have just arrived and this is in order to prevent IP spoofing, (that how ASA
works on the PIX). In the other hand, another interface is the solution for
this, but the 501 only comes with outside/inside, the four ports you see on
the back are all inside, (this is an embedded switch for SOHO users). But
remember that if you have another interface on the PIX, (a 515 or 525), that
interface should be connected to another ISP and you'll need another default
gateway; another default gateway is something you cannot achieve unless you
are running 6.3.1 and enable OSPF for that device but then again, this is a
design I will not recommend.



Summarizing, go with split-tunneling or use a IOS router or VPN
concentrator and that will do the trick for you.



Finally and in regards with the config, everything looks ok, no need to have
more than one isakmp polices but if you wish you can leave things the way
they are. Hope this helps a little.





My two cents,



Frank

Costa Rica





 Original Message -
From: John Cianfarani 
To: 
Sent: Monday, August 25, 2003 6:25 PM
Subject: PIX VPN Setup [7:74369]


 I'm setting up a small VPN just for home use so me and a few friends can
 log in remotely via a PIX 501 w/ 3DES over my cable connection.

 Now I've got it working, but found a few strange things I had questions
 about.  I have each user set up with the VPNGROUP config lines (I will
 post the config below); everyone uses the Cisco VPN client to connect.  Now
 I noticed that I never set an isakmp pre-share key and there is no spot
 to add one in the Cisco client, only user/pass; I would think that should
 be needed for secure connectivity.  The other setup I did was have a
 split-tunnel applied to the user when they connect to only encrypt
 traffic destined for the local network, and any regular internet traffic
 would still go out the person's internet connection.  In testing I tried
 to get all traffic to flow through the VPN but I think the pix prevents
 traffic coming in on the outside interface to leave on that same
 interface (as it would with internet traffic). Any way to do this or do
 you need another interface?
 Also just wondering if there is a better way to write this config; any
 other tips are appreciated.

 Here is an edited config with only the relevant portions.

 Thanks for any help
 John

 PIX Version 6.3(1)
 !
 access-list 80 permit ip any host 192.168.1.75
 access-list 80 permit ip any host 192.168.1.76
 access-list 80 permit ip any host 192.168.1.77
 access-list 80 permit ip any host 192.168.1.78
 access-list 80 permit ip any host 192.168.1.79
 !
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78
 access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79
 !
 ip address outside dhcp setroute
 ip address inside 192.168.1.254 255.255.255.0
 ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
 !
 global (outside) 1 interface
 nat (inside) 0 access-list 80
 nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 floodguard enable
 !
 crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
 crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
 crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
 crypto map MYMAP interface outside
 !
 isakmp enable outside
 isakmp identity address
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption 3des
 isakmp policy 10 hash sha
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 86400
 isakmp policy 20 authentication pre-share
 isakmp policy 20 encryption des
 isakmp policy 20 hash sha
 isakmp policy 20 group 1
 isakmp policy 20 lifetime 86400
 isakmp policy 30 authentication pre-share
 isakmp policy 30 encryption 3des
 isakmp policy 30 hash md5
 isakmp policy 30 group 2
 isakmp policy 30 lifetime 86400
 isakmp policy 40 authentication

Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Francisco Gomez
Hi James,

It would be nice to have the output of show crypto ipsec sa on the PIX
while pinging back and forth. It would be nice to get the output of
debug icmp trace and sh access-list as well, but in any case my
suggestion is this:

1) If you are doing split-tunneling I would suggest an access-list like
this:

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0

and not:

 access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

This is because you need to tell the PIX to create a pair of SAs for Phase II,
so the VPN client will encrypt data destined to 192.168.1.0/24 and the PIX
will encrypt traffic from the local LAN to the pool only.

Lastly, if you need to communicate to the DMZ as well, you may add these
lines to the access-lists for nonat and interesting traffic:

access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0
192.168.2.0 255.255.255.0

I would recommend using the same access-list nonat for the line below:

nat (dmz) 0 access-l nonat

This is in order to avoid some bugs floating around 6.3.1. Hope this helps
a little, and if you can send more details it would be nice to follow up on
this a little more. Have a good one!

My two cents,

Frank

Costa Rica

- Original Message -
From: James Willard 
To: 
Sent: Monday, August 25, 2003 5:17 PM
Subject: PIX VPN Client Configuration - At my wit's end! [7:74363]


 Hi all,

 Thanks in advance for reading this message. I am completely boggled on an
 issue here that I have literally been trying to troubleshoot for some 12
 hours now.

 I'm trying to configure a PIX 515E for Cisco VPN Client connectivity.

 Here are the relevant parts of my config:

 :PIX Version 6.3(1)
 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 dmz security50
 access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0
 255.255.255.0
 access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
 ip local pool vpnusers 192.168.2.100-192.168.2.254
 nat (inside) 0 access-list nonat
 nat (inside) 10 0.0.0.0 0.0.0.0 0 0
 sysopt connection permit-ipsec
 crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
 crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 crypto ipsec security-association lifetime seconds 300
 crypto dynamic-map dynmap 30 set transform-set vpn
 crypto map crypto-map-swa 20 ipsec-isakmp dynamic dynmap
 crypto map crypto-map-swa interface outside
 isakmp enable outside
 isakmp identity address
 isakmp nat-traversal 20
 isakmp policy 1 authentication pre-share
 isakmp policy 1 encryption 3des
 isakmp policy 1 hash sha
 isakmp policy 1 group 2
 isakmp policy 1 lifetime 300
 vpngroup VPNUser address-pool vpnusers
 vpngroup VPNUser dns-server 192.168.1.23 192.168.1.22
 vpngroup VPNUser wins-server 192.168.1.21 192.168.1.21
 vpngroup VPNUser split-tunnel VPNUser_splitTunnelAcl
 vpngroup VPNUser idle-time 1800
 vpngroup VPNUser password 

 Let's say the outside interface is 100.100.100.28. These are the networks:

 100.100.100.28  255.255.255.240  (outside)
 192.168.1.0     255.255.255.0    (inside)
 192.168.2.0     255.255.255.0    (vpn IP pool)
 10.0.1.0        255.255.255.0    (dmz)

 I can connect with the client just fine, but neither end can ping the other.
 Say the client machine gets the IP 192.168.2.100 from the pool, it cannot
 ping anything in 192.168.1.x. Conversely, nothing in 192.168.1.x can ping
 192.168.2.100. The VPN Client side shows packets being encrypted but none
 decrypted. The IPSec SA on the PIX shows packets being encrypted and none
 decrypted.

 Also worth noting is that the VPN client status shows Transparent
 Tunneling: Inactive on the status page while connecting, even though isakmp
 nat-traversal is enabled. An ethereal capture shows the client sending ESP
 packets to the PIX but none are coming back.

 Please, if anyone has any ideas I would love to hear them. This has been
 driving me crazy!

 Thanks,

 James Willard
 [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74384t=74363


Re: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread Derek Gaff
James

You're missing the command vpdn enable outside from your config.

regards
derek





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74391t=74363


RE: PIX VPN Client Configuration - At my wit's end! [7:74363]

2003-08-26 Thread [EMAIL PROTECTED]
Have you watched your

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

very closely?

It is meant to be mirrored at client connection time, so it must be

access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0

A packet sent from the client is checked against this list, so it must be more
specific, in my experience.

Martijn 

-Original Message-
From: Derek Gaff [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 9:57
To: [EMAIL PROTECTED]
Subject: Re: PIX VPN Client Configuration - At my wit's end! [7:74363]


James

You're missing the command vpdn enable outside from your config.

regards
derek





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74397t=74363
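Frank's and Martijn's replies make the same point from two directions: the split-tunnel access-list must name the client pool as its destination rather than `any`, and the nonat list must carry a matching entry so the PIX does not translate traffic headed for the pool. The script below is an added example written for this page, not code from the thread or from Cisco. It parses a small subset of PIX `access-list` and `ip local pool` syntax, using the lines posted in the thread (plus Frank's DMZ additions) as constructed input, and reports any split-tunnel entry that breaks either rule. It goes slightly beyond the thread in one respect: besides flagging `any`, it checks that the destination network actually covers the whole pool range.

```python
"""Added example: consistency check for a PIX remote-access VPN's
split-tunnel and nonat access-lists. The parser covers only the subset of
PIX syntax used here and is not Cisco code."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: the relevant lines from the config in the thread,
# first as posted (split-tunnel destination "any") ...
CONFIG_BEFORE = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
""".splitlines()

# ... then with the specific destination both replies recommend, plus the
# DMZ entries Frank suggests adding to both lists.
CONFIG_AFTER = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNUser_splitTunnelAcl permit ip 10.0.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool vpnusers 192.168.2.100-192.168.2.254
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
""".splitlines()


def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def parse_acls(lines):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for raw in lines:
        m = re.match(r"access-list (\S+) permit ip (.+)$", raw.strip())
        if not m:
            continue
        src, rest = _endpoint(m.group(2).split())
        dst, rest = _endpoint(rest)
        if rest:
            raise ValueError("unexpected trailing tokens: " + raw)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_pool(lines):
    """Return (first, last) addresses of the 'ip local pool' range."""
    for raw in lines:
        m = re.match(r"ip local pool \S+ (\S+)-(\S+)$", raw.strip())
        if m:
            return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    raise ValueError("no 'ip local pool' line found")


def check_remote_access(lines, split_acl, nonat_acl):
    """Findings for the split-tunnel ACL. Each entry must name the client
    pool as destination (not 'any', which the client cannot mirror into a
    usable Phase 2 SA) and must be exempted from NAT by a nonat entry that
    covers the same source and destination."""
    acls = parse_acls(lines)
    first, last = parse_pool(lines)
    nonat = acls.get(nonat_acl, [])
    findings = []
    for src, dst in acls.get(split_acl, []):
        if dst == ANY:
            findings.append(f"{split_acl}: {src} -> any; destination should be the client pool")
        elif first not in dst or last not in dst:
            findings.append(f"{split_acl}: {src} -> {dst} does not cover pool {first}-{last}")
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nonat):
            findings.append(f"{nonat_acl}: no nat 0 exemption for {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_BEFORE), ("corrected", CONFIG_AFTER)):
        print(label, check_remote_access(cfg, "VPNUser_splitTunnelAcl", "nonat") or ["ok"])
```

Run as posted, the config yields two findings (the `any` destination and the missing NAT exemption for it); the corrected config yields none. Dropping the DMZ nonat line while keeping the DMZ split-tunnel line reproduces the one-sided mistake Frank warns about and is reported as a single finding.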


Re: help with vpn scenario [7:74366]

2003-08-26 Thread Chandler Mike
Thank you both for the suggestions and info!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74417t=74366


Re: Cisco Secure VPN 642-511 [7:73919]

2003-08-19 Thread Alex Lee
Just received e-mail from Cisco that they would send me the INFOSEC letter
of recognition after I signed the Cisco Certification Agreement.

I am spending time on other interesting stuff that is not Cisco and am not
sure if I would sit for recert.



Kevin Wigle  wrote in message
news:[EMAIL PROTECTED]

 
 on the same page is an INFOSEC Professional link.  Cisco has been granted
 rights to award this cert.  It is NOT a Cisco cert.  Which is cool because
 once it is awarded there is no need to recertify, it is permanent.

 Which is opposite to everything Cisco does - especially CCSP - to recert
 CCSP you have to take all 5 exams again.  Hopefully by the time people get 3
 years in CCSP Cisco will have a single recert exam like they do for
 CCIE/CCDP/CCNP

 I might do the security exams once to get the INFOSEC cert and then forget
 the recert on the Cisco stuff.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74180t=73919


VPN Client [7:74205]

2003-08-19 Thread Tunde Kalejaiye
hi guys,

will a VPN client that can run 3DES connect to a router running DES? If not, is
it still possible to get the DES version? Can't seem to find it on the Cisco
website.

regards,

Tunde




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74205t=74205


Re: VPN Client [7:74205]

2003-08-19 Thread Darren Ward
Yes, the 3DES client will negotiate DES with a DES only router or pix.

It comes down to crypto policy configuration, it can only negotiate what's
on offer from the VPN gateway.

Darren





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74220t=74205


RE: VPN Client [7:74205]

2003-08-19 Thread Reimer, Fred
It depends on the configuration of the hub.  If the hub supports both 3DES
and DES, then the client will be able to connect.  What, exactly, are you
asking?

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74249t=74205
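Darren's and Fred's answers come down to one rule: the client can only end up on a Phase 1 policy the gateway itself offers, so a 3DES-capable client talks DES to a DES-only gateway only because it also proposes DES. The model below is an added example written for this page, not Cisco code and not the real IKE state machine. It parses `isakmp policy` lines (the three complete policies from John's config in the PIX VPN Setup thread serve as constructed input), walks them in priority order and picks the first one the client also proposes; the client proposal lists, including the DES fallback, are assumptions made for the example. It also shows which gateway policies a given client population ever selects, which is one way to see Frank's remark that more than one policy is usually unnecessary.

```python
"""Added example: a model of how a VPN gateway selects an ISAKMP (IKE Phase 1)
policy from a client's proposals. Not Cisco code; the selection rule modelled
is 'gateway policies tried in priority order, first one the client also
offers wins', with the shorter lifetime agreed."""
import re

ATTRS = ("authentication", "encryption", "hash", "group")

# Constructed sample: the three complete policies from John's PIX config.
PIX_POLICIES = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
""".splitlines()

# Constructed sample: a gateway that offers DES only (the "router running DES").
DES_ONLY_POLICIES = [l for l in PIX_POLICIES if l.startswith("isakmp policy 20 ")]

# Assumed client proposal lists, strongest first. The DES fallback at the end
# is what lets a 3DES-capable client connect to a DES-only gateway.
CLIENT_3DES_WITH_FALLBACK = [
    {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": 2, "lifetime": 86400},
    {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": 2, "lifetime": 86400},
    {"authentication": "pre-share", "encryption": "des", "hash": "sha", "group": 1, "lifetime": 86400},
]
CLIENT_3DES_ONLY = CLIENT_3DES_WITH_FALLBACK[:2]
CLIENT_DES_ONLY = CLIENT_3DES_WITH_FALLBACK[2:]


def parse_isakmp_policies(lines):
    """Return {priority: {attr: value}}. Only complete policies are kept; a
    policy missing any of ATTRS (for example a truncated one) is dropped."""
    policies = {}
    for raw in lines:
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", raw.strip())
        if not m:
            continue
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
        policies.setdefault(prio, {})[attr] = int(value) if value.isdigit() else value
    return {p: a for p, a in policies.items() if all(k in a for k in ATTRS)}


def negotiate(gateway_lines, client_proposals):
    """Gateway-side selection. Walk gateway policies by ascending priority
    number and return (priority, agreed_attrs) for the first one that a
    client proposal matches on every attribute in ATTRS; the agreed lifetime
    is the shorter of the two. Return None when nothing matches, i.e. the
    client wants only ciphers the gateway never offers."""
    gateway = parse_isakmp_policies(gateway_lines)
    for prio in sorted(gateway):
        pol = gateway[prio]
        for prop in client_proposals:
            if all(pol[k] == prop[k] for k in ATTRS):
                agreed = {k: pol[k] for k in ATTRS}
                agreed["lifetime"] = min(pol.get("lifetime", 86400), prop.get("lifetime", 86400))
                return prio, agreed
    return None


def policies_in_use(gateway_lines, client_populations):
    """Gateway policies actually selected by at least one of the given
    client proposal lists; any policy not listed here is never used by
    those clients and could be removed."""
    used = set()
    for proposals in client_populations:
        result = negotiate(gateway_lines, proposals)
        if result:
            used.add(result[0])
    return sorted(used)


if __name__ == "__main__":
    print("3DES client vs full gateway:", negotiate(PIX_POLICIES, CLIENT_3DES_WITH_FALLBACK))
    print("3DES client vs DES-only gateway:", negotiate(DES_ONLY_POLICIES, CLIENT_3DES_WITH_FALLBACK))
    print("3DES-only client vs DES-only gateway:", negotiate(DES_ONLY_POLICIES, CLIENT_3DES_ONLY))
    print("policies ever used:", policies_in_use(PIX_POLICIES, [CLIENT_3DES_WITH_FALLBACK, CLIENT_DES_ONLY]))
```

With John's three policies, a 3DES client lands on policy 10 and a DES-only client on policy 20; policy 30 is never selected by either, which is the kind of redundancy Frank was pointing at. Against the DES-only gateway the same 3DES client still connects, on DES, while a client with no DES proposal gets nothing.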


RE: wireless security and VPN software? [7:73988]

2003-08-17 Thread Charlie Wehner
Very true.  The clients are the most vulnerable before the VPN session is
established.  Without PSPF enabled, clients can attack other clients on an
access point.  Even with PSPF enabled an attacker could put up a rogue with
the same SSID and WEP key (if used) and try to attack/trojan the client.

It's interesting though, the new IOS firmware has crypto map statements
available.  I wonder if Cisco will eventually allow VPN sessions to
terminate directly on the access points.  That would be pretty cool.  Much
like what Colubris does right now.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74074t=73988


RE: wireless security and VPN software? [7:73988]

2003-08-16 Thread Charlie Wehner
One more quick note on using VPN solutions.  If you're using a VPN solution
with a Cisco AP be sure to enable PSPF.  Everyone misses that setting...
but it's important.  :)


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74049t=73988


RE: wireless security and VPN software? [7:73988]

2003-08-16 Thread Reimer, Fred
Hmm, PSPF definitely sounds interesting, but I'd recommend requiring the
integrated Cisco firewall in the VPN client, and not allowing split
tunneling.

Also, there is apparently a working group working on VPN multicast...

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74052t=73988


RE: wireless security and VPN software? [7:73988]

2003-08-15 Thread Reimer, Fred
Being in healthcare, I have some strong views on this topic.  Unfortunately,
I'm cramming for the CSI test I have tomorrow, and I still have two chapters
to go through on the KnowledgeNet course.  So, you will just have to wait...
LOL   Expect some comments on EAP-TLS, WPA, and assorted technologies.  For
now, I have to get some sleep, and study ;-)

Priscilla - Send me your email address...

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 14, 2003 7:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]

For a large campus network that has a need for wireless access in conference
rooms, cafeterias, etc., would it be overkill to require wireless clients to
use VPN IPSec software to access the campus network? This is for a customer
who is paranoid about security and understands the tradeoff of ease-of-use
versus security.

There are other downsides to requiring VPN software, of course, including
the usual issues of incompatibility with some apps, the lack of support for
protocols other than IP, and the lack of support for multicast applications
(from what I understand). Also, we have to consider the scalability of the
current VPN solution and whether it can support numerous transient wireless
users, but we think it can. There are many advantages with IPSec too, like
support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to
use VPN software?

Sorry if it's a stupid question.

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=74002t=73988


RE: wireless security and VPN software? [7:73988]

2003-08-15 Thread Evans, Timothy R (BearingPoint)
.. not a stupid question at all.

The issues we ran into:
1. We put the wireless users on a completely untrusted segment
2. We needed to permit DHCP+DNS to clients pre-VPN connection
   DHCP to get an IP, obviously
   DNS because our VPN profiles used DNS names
3. We needed to also permit access to the concentrator(s)
   (seems obvious, but you'd be surprised ... )
4. We used CS-ACS for the auth.; this works reasonably well for us.
   (aside from not being able to apply service packs to Win2k in a timely
   fashion... dammit)

Other issues:
1. Make sure your WAPs and VPN Concentrators are able to handle double the
expected load.
2. Make sure you have good WAP coverage - once they can get wireless access
from anywhere users will be miffed if they can't get access from their
favorite corner of the lunchroom.
3. Maybe someone else has an answer for this - but one problem we do have is
when a user roams from one WAP-area to another their VPN gets dropped.
4. If using all one brand you can go for other security options (e.g. LEAP)
5. If it is a static, reasonably small user population you could also go for
MAC filtering.  (I know - you can get around this, but ... think layers)


The truly surprising part is that the client is willing to consider making
performance/ease-of-use sacrifices for security!  You should run with it.
Thanks!
TJ


**
The information in this email is confidential and may be legally 
privileged.  Access to this email by anyone other than the 
intended addressee is unauthorized.  If you are not the intended 
recipient of this message, any review, disclosure, copying, 
distribution, retention, or any action taken or omitted to be taken 
in reliance on it is prohibited and may be unlawful.  If you are not 
the intended recipient, please reply to or forward a copy of this 
message to the sender and delete the message, any attachments, 
and any copies thereof from your system.
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74013&t=73988
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


RE: wireless security and VPN software? [7:73988]

2003-08-15 Thread Priscilla Oppenheimer
Reimer, Fred wrote:
 
 Being in healthcare, I have some strong views on this topic. 
 Unfortunately,
 I'm cramming for the CSI test I have tomorrow, and I still have
 two chapters

Good luck on the test.

 to go through on the KnowledgeNet course.  So, you will just
 have to wait...
 LOL   Expect some comments on EAP-TLS, WPA, and assorted
 technologies.  

Sounds great. I'd love to hear your comments on EAP-TLS, WPA, (RSN?) Thanks
in advance and thanks to everyone else who answered too.

 For
 now, I have to get some sleep, and study ;-)
 
 Priscilla - Send me your email address...

I can do that, but please post comments for all to see so everyone benefits.
Thanks.

Priscilla


 
 Fred Reimer - CCNA
 
 
 Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA
 30338
 Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050
 
 
 NOTICE; This email contains confidential or proprietary
 information which
 may be legally privileged. It is intended only for the named
 recipient(s).
 If an addressing or transmission error has misdirected the
 email, please
 notify the author by replying to this message. If you are not
 the named
 recipient, you are not authorized to use, disclose, distribute,
 copy, print
 or rely on this email, and should immediately delete it from
 your computer.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74027&t=73988


RE: wireless security and VPN software? [7:73988]

2003-08-15 Thread Reimer, Fred
Well, I thought for sure I was going to fail, but I passed the CSI test with
a score of 902.  Needed 825 out of 1000...

After giving it some thought, I think it's probably better if I don't
comment on the wireless questions at this point.  I had typed up quite a bit
of observations that I just deleted, before I realized that this is one of
the key areas where we sell our products (in my group).  It would probably
not be the wisest decision to provide free R&D to our competitors.  If
anyone has specific questions on anything, then by all means ask away, but I
opened up the original question a little more than I intended.

But some answers to the original question (personal views only):

1) VPNs, specifically IPsec VPNs, will always be more secure than WEP, or
Cisco's proprietary CCKM or the WPA standard.

2) I don't think it is unreasonable.  Especially since you can have
auto-initiate with the VPN 3000 Client so that the VPN is automatically
connected and the users don't even need to be aware that it is there.

Fred Reimer - CCNA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74033&t=73988


2501 VPN [7:73977]

2003-08-14 Thread Henry Volentine
I need assistance configuring VPN between a Cisco 2501 and a Cisco 827H. 
Both routers have IOS that supports VPN.  The 2501 is connected to the ISP
via a 768kb fractional T1 and the 827H has an ADSL connection to the same
ISP.  If anyone could please send sample configurations for either router, I
would appreciate it.  [EMAIL PROTECTED]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73977&t=73977


RE: Largest CA Keylength on VPN 3000 [7:73409]

2003-08-14 Thread Reimer, Fred
Well, the manuals are wrong ;-)

The key size on the latest version of software is 2048 bits max.

It was not an allocation issue.

One pointer though, if you have to recreate your CA on a Microsoft platform
you may as well reformat the hard drive and start from scratch, as there is
no de-install for the SCEP add-on to IIS so you have to de-install the CA,
de-install IIS!, re-install IIS and the CA, then re-install SCEP, and even
then your CA is going to be all F'd up.  Somehow, I got to the point where
you could only request user and efs certs, not web server or server
certs like you can on another CA we have installed (same version of
everything), plus you can't specify the OU, so you can't match that to a
group name.

We are using OpenSSL just fine, even on a Windows box with cygwin.

I hate Windows.

Fred Reimer - CCNA


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 06, 2003 5:01 AM
To: [EMAIL PROTECTED]
Subject: RE: Largest CA Keylength on VPN 3000 [7:73409]

Is it a size or allocation issue?


CSCdv48299 
If fewer than three spots remain in the CA certificate store of a VPN 3000
Concentrator, and an attempt is made to install a CA certificate with
associated RAs, then the RA or RAs are installed (filling the store) and the
root certificate is not installed. This is incorrect behavior. Instead, the
software should check to see if there is enough room in the store before
installing a partial CA certificate. Partial certificates should not be
installed. If the RAs and the Root certificate cannot be installed, the
software should install nothing.

Or just RTFM below?

Martijn


Key Size (Manual: Yes; SCEP: Yes)
The algorithm for generating the public-key/private-key pair, and the key
size. If you are requesting an SSL certificate, or if you are requesting an
identity certificate using SCEP, only the RSA options are available.

RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman)
algorithm. This key size provides sufficient security and is the default
selection. It is the most common, and requires the least processing.

RSA 768 bits = Generate 768-bit keys using the RSA algorithm. This key size
provides normal security. It requires approximately 2 to 4 times more
processing than the 512-bit key.

RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. This key
size provides high security, and it requires approximately 4 to 8 times more
processing than the 512-bit key.

DSA options (Manual: Yes; SCEP: No)
DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature
Algorithm).

DSA 768 bits = Generate 768-bit keys using the DSA algorithm.

DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.


 

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Saturday 2 August 2003 14:49
To: [EMAIL PROTECTED]
Subject: Largest CA Keylength on VPN 3000 [7:73409]


Let's see if anyone here can answer faster than Cisco TAC.

 

What is the largest CA root key length supported by the Cisco VPN
Concentrator 3000 series hardware?  I have a 4096 bit key and it won't
accept the root key because it can't validate it.

 

Fred Reimer - CCNA
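The key-length question in this thread (Fred's report that the concentrator accepts CA keys of at most 2048 bits and refused to validate a 4096-bit root, alongside the manual excerpt Martijn pasted) is worth checking before an import is attempted rather than after it fails. The following is an added example, not code from the thread, from Cisco, or from the VPN 3000 software: a dependency-free Python check that walks a DER-encoded X.509 certificate down to its RSA modulus and compares the key size with a configurable device limit. The 2048-bit default is Fred's figure; the certificate bytes are constructed inside the script (an unsigned, certificate-shaped placeholder, not a real CA), and the function and parameter names are my own.

```python
# Added example (not from the GroupStudy thread or from Cisco): report the RSA
# modulus size of a DER X.509 certificate and compare it with a device limit.
# The 2048-bit default is the maximum Fred reports for the VPN 3000 Concentrator.
# No third-party libraries: a small DER walker is enough to reach the public key.

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")    # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11


# --- minimal DER encoder (shared by the OID comparison and the sample builder) ---

def der_length(n):
    """DER definite-length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    return bytes([tag]) + der_length(len(payload)) + payload


def der_int(value):
    # (bit_length + 8) // 8 bytes keeps the leading bit clear, so the INTEGER stays positive
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


# --- minimal DER parser ---

def parse_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(seq_value):
    """Split the body of a SEQUENCE into its immediate (tag, value) children."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = parse_tlv(seq_value, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(cert_der):
    """Bit length of the RSA modulus in a DER certificate, or None for a non-RSA key."""
    tag, cert, _ = parse_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    fields = children(children(cert)[0][1])        # tbsCertificate fields
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    spki_index = 6 if fields[0][0] == 0xA0 else 5
    algorithm, public_key = children(fields[spki_index][1])[:2]
    oid_tag, oid_value = children(algorithm[1])[0]
    if der(oid_tag, oid_value) != RSA_ENCRYPTION_OID:
        return None
    # BIT STRING body: one byte of unused-bit count, then the RSAPublicKey SEQUENCE
    rsa_public_key = children(public_key[1][1:])[0][1]
    modulus = children(rsa_public_key)[0][1]       # INTEGER modulus comes before the exponent
    return int.from_bytes(modulus, "big").bit_length()


def fits_device_limit(cert_der, max_bits=2048):
    """True when the certificate carries an RSA key no larger than the device accepts."""
    bits = rsa_modulus_bits(cert_der)
    return bits is not None and bits <= max_bits


def build_test_cert(modulus_bits):
    """Constructed, unsigned certificate-shaped blob with an RSA key of modulus_bits (demo only)."""
    modulus = (1 << (modulus_bits - 1)) | 0x10001   # not a real key; only its exact size matters here
    rsa_public_key = der(0x30, der_int(modulus) + der_int(65537))
    key_alg = der(0x30, RSA_ENCRYPTION_OID + der(0x05, b""))       # rsaEncryption, NULL params
    sig_alg = der(0x30, SHA256_WITH_RSA_OID + der(0x05, b""))      # sha256WithRSAEncryption
    spki = der(0x30, key_alg + der(0x03, b"\x00" + rsa_public_key))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"030801000000Z") + der(0x17, b"130801000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig_alg
              + empty_name + validity + empty_name + spki)
    signature = der(0x03, b"\x00" + bytes(32))                     # placeholder, not a real signature
    return der(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        verdict = "accepted" if fits_device_limit(build_test_cert(bits)) else "exceeds the 2048-bit limit"
        print(f"{bits}-bit CA root: {verdict}")
```

To check a real CA certificate, read its DER bytes from disk (PEM files need the base64 body decoded first) and pass them to `fits_device_limit`; the walker only looks at the public key and never validates the signature chain, so it is a pre-import sanity check, not a trust decision.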




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73604&t=73409

RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread [EMAIL PROTECTED]
That is adsl over isdn.

Thought the only COMMON flavours were adsl async up/down and sdsl sync
up/down freq ranges.

SEEMS YOU CAN USE A BRI WIC!!!



Developed by Ascend Communications (acquired by Lucent Technologies), ISDN
Digital Subscriber Line (IDSL) transmits data digitally across existing ISDN
lines, at a rate of 128 Kbps. The benefits of IDSL over ISDN are that the
former service offers always-on connections, transmits data via a data
network rather than the phone company's voice network, and avoids per-call
fees by being billed at a flat-rate. 

http://www.cisco.com/en/US/partner/tech/tk175/tk349/technologies_q_and_a_item09186a00800946d3.shtml

Q. What is IDSL?
IDSL is a cross between ISDN and xDSL. As with ISDN, it uses a single wire
pair to transmit full-duplex data at 128 Kbps and at distances of up to the
Revised Resistance Distance range of 15,000 to 18,000 feet. IDSL also uses a
2B1Q line code to enable transparent operation through the ISDN U
interface. IDSL is essentially a leased line ISDN Basic Rate Interface
(BRI), or an ISDN BRI that is not switched and does not contain signaling (a
D channel). IDSL and ISDN BRI use the same 2B1Q line modulation. On the
router, this equates to putting the BRI interface in a leased line
configuration. The line can be configured for a speed of 64 Kbps, 128 Kbps,
or 144 Kbps.

The frames that are going across the wire are standard High-Level Data Link
Control (HDLC) frames. IDSL can be configured with Point-to-Point Protocol
(PPP) or Frame Relay encapsulation for the leased line BRI interface. The
easiest way to think about it is as if the BRI interface was a slow speed
synchronous serial port. Also, existing Customer Premises Equipment (CPE)
(ISDN BRI terminal adapters, bridges, and routers) can be used to connect to
the central office.

Q. Does the Cisco 2500 series router support IDSL?
No. The Cisco 2500 series does not support IDSL because its BRI hardware
does not support channel aggregation.

Q. Does the Cisco 2600 support IDSL?
Yes. IDSL is currently supported with the ISDN WAN Interface Cards (WICs)
and network modules when they are configured in leased line mode.

Q. What routers support IDSL?
The following routers support IDSL:

800 - Cisco 801-805 ISDN, Serial, and IDSL Routers
1600 - Cisco 1600 Series Routers and WAN Interface Cards
1720 - Cisco 1720 Modular Access Router
1750 - Cisco 1750 Modular Access Router
2600 - Connecting WAN and Voice Interface Cards to a Network

Martijn 

-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Wednesday 13 August 2003 7:53
To: Jansen, M; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]


That is an ADSL WIC or am I missing something?  We are looking to use IDSL
but can not find a router that supports 3DES and IDSL 
 
 
Ryan

-Original Message- 
From: [EMAIL PROTECTED] [mailto

RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread Reimer, Fred
I would certainly hope that the remotes wouldn't use different platforms.  I
don't know the business model, but it sounds to me like it's some kind of
service offering or something.  Maybe they have a 2000 site Frame Relay
network used to offer a service or something, and they want to switch to
something more economical.  Instead of paying monthly circuit fees, pay a
one-time hardware cost (assuming they don't own the FR routers at the
customer end) and use the customer's Internet connection.  Why in the world
would you want different hardware at each customer site in that situation?
Standardize on one hardware platform, and build the cost of that hardware
into the business model...

If that's the case then the cost of a 3005 can be justified in a small
number of months, depending on your FR cost.  Certainly you would recoup
your cost and start making more money, due to less operating cost,
relatively quickly.

Now, if this is something else, like a company with 2000 offices throughout
the world, then I can see your point and you may end up with different
requirements.  But, that's not how it sounds so far.

Fred Reimer - CCNA



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

Despite all hw issues, you really need to 
- describe the business req's first
- translate to technical req's

(you are talking 2000+ sites)

And you will see that you'll need more than one platform for the remotes.

Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps 
- desktop/register maintenance/management
- security man

You will need to or may want to build a hierarchical design. Keep in mind
that different platforms use different (HQ) fail-over or 2nd ip techniques.

Martijn


-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday 10 August 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]


I need to setup VPNs to about 2000 sites.  Each site will have an IDSL line
installed that will be used to connect to monitor network devices and
servers.  Some of the remote networks will be using the same network block. 
I am looking to know what the best hardware to use on each end is.  On my
end, would it be better to use a PIX or a 3030?  On the remote end, I was
looking at a PIX 501, SOHO 91 or the 831?


Thank you


Ryan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73876&t=73793


RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread [EMAIL PROTECTED]
You mean? newest:

DSL WAN Interface Cards 
WIC-1ADSL-I-DG 1-port ADSLoISDN WAN Interface Card 

cco partner login:

http://www.cisco.com/en/US/partner/products/hw/routers/ps221/products_data_s
heet09186a0080088713.html


Martijn 


-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Wednesday 13 August 2003 3:57
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]


You are right it is a service offering.   Right now, we are using ISDN
dial-up and would like to move to a full time connection.  We would not be
using the customer's connection but will be installing a 144K IDSL or 192K
SDSL line.  What I am going to do on Friday in the lab ( If we get the lines
from Covad on time) is use a 7200 at the head end and a 1700 on the other
end run the IPSec and NAT on the 1700 and see how that goes.  The only
problem is I cannot find an IDSL WIC on CCO I only see an ADSL and SDSL.

 

 

Ryan


RE: VPN Conncetion from Windows Client to nt domain [7:73720]

2003-08-14 Thread Reimer, Fred
Go in the client and choose Options | Windows Logon Properties and make sure
the Enable start before logon checkbox is checked.  Download the latest
client.  Enjoy.

Fred Reimer - CCNA



-Original Message-
From: Kai Bovermann [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 8:05 AM
To: [EMAIL PROTECTED]
Subject: VPN Conncetion from Windows Client to nt domain [7:73720]

Dear all

We have a cisco vpn concentrator 3000 series for vpn connection.
What we want to do is to establish a vpn connection from a windows
client(W2k or WinXP Pro) to the concentrator and then log on to our domain
and then get the shares connected to the pc.
I created a vpn connection and it works properly. Only the log on to the
domain will not work.
It should go like this way that the user is logged on to the pc and then if
it is needed establish the vpn connection and get also logged on to the
domain and get the shares connected to the pc.

How can I do this ?

Thanks a lot

Kai




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73728&t=73720


Re: Cisco Secure VPN 642-511 [7:73919]

2003-08-14 Thread Peter Walker
Assorted comments in line.

--On 12 August 2003 13:45 + Reimer, Fred wrote:


 You should have six weeks to go through it.  I'd
 suggest taking a day off or spending a Saturday to go through the whole
 course, but that's just me.  I can't do the one hour here and there thing.

Hmmm, you should try running through the knowledgenet course after work in 
the evening, then heading back into the office at midnight and configuring 
your first concentrator before 8:30am when people start arriving for their 
day's work.  That wasn't fun :-)


 They also include labs or simulations of setting up the hardware.
 However, they don't have an actual lab.  I think they are working on that,
 but I found it very useful to have a real 3000 available to go through
 the menus.


Yep.

 I have a side question myself.  Cisco changed their specialist program, so
 that now apparently there isn't a Firewall Specialist, VPN Specialist, and
 IDS Specialist, but rather just one Security Specialist.  So does that
 mean that I can't use the VPN Specialist designation anymore and have
 to wait until I pass all of the tests?  What about that INFOSEC
 designation, is that still valid?


I think you have things in reverse.  The Security specialist cert is being 
/ has been retired.  The three new specialist exams and CCSP replaced it. 
If you are interested, I expressed my opinion on that change in some detail 
(either on this list or security ie dot com) a while back. (I wasn't very 
complimentary about the new specialist certs)


Regards

Peter Walker
CC[NID]P, CISSP, CSS1, etc
(yeah, my current employer is a reseller)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73937&t=73919


RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread [EMAIL PROTECTED]
Despite all hw issues, you really need to 
- describe the business req's first
- translate to technical req's

(you are talking 2000+ sites)

And you will see that you'll need more than one platform for the remotes.

Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps 
- desktop/register maintenance/management
- security man

You will need to or may want to build a hierarchical design. Keep in mind
that different platforms use different (HQ) fail-over or 2nd ip techniques.

Martijn


-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday 10 August 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]


I need to setup VPNs to about 2000 sites.  Each site will have an IDSL line
installed that will be used to connect to monitor network devices and
servers.  Some of the remote networks will be using the same network block. 
I am looking to know what the best hardware to use on each end is.  On my
end, would it be better to use a PIX or a 3030?  On the remote end, I was
looking at a PIX 501, SOHO 91 or the 831?


Thank you


Ryan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73862&t=73793


RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]

2003-08-14 Thread Reimer, Fred
Why thanks!  I only have a CCNA now because I had to get it for our partner
level, and I'm supposed to get much more.  And I only have it on my sig
because I use the same sig for work and work-related lists.

You are correct that we would need more details if it is anything other than
what I think it is.  If it is just a small service, cookie cutter type deal,
then I don't see why they can't use a cookie cutter type solution.  Being in
healthcare, I envision something like Blue Cross/ Blue Shield payer
connections, where I think they use the IBM Advantis network (is that what
it was called?  Who owns them now, AT&T?  Yep, they purchased them in 1999
for $5B) and have routers at each customer site.  Why not replace them with
a cookie cutter type connection?  They already have connections to each
customer, likely on a DMZ.  The communication is just patient financial
information (claims) between one host system at a hospital and a system at
BC/BS.  AT&T certainly uses a cookie-cutter type connection for all of their
connections (wonder if they upgraded all of those thousands of routers for
the IOS patch).  There may be a one-off here and there, but for the VAST
majority of situations it's the same.  Same for ISP's.  You think they have
custom connections for each T1 line they install?  Stick a this type router
here and a that type router there?  No, unless a customer has a special
need, like shadow T3's as we do, then you're not going to get special
treatment.

At least that's my take on it.  So as to reduce complexity, administration,
maintenance, and increase scalability, security, stability, I'd attempt at
all cost to have a standard configuration.  Even if it cost a bit more.  The
3000 series may not be the answer, because we don't know the true
requirements, but whatever the answer is I'd attempt to standardize on it.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.


RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread Ryan Finnesey
You are right, it is a service offering.   Right now we are using ISDN
dial-up and would like to move to a full-time connection.  We would not be
using the customer's connection but will be installing a 144K IDSL or 192K
SDSL line.  What I am going to do on Friday in the lab (if we get the lines
from Covad on time) is use a 7200 at the head end and a 1700 on the other
end, run the IPsec and NAT on the 1700 and see how that goes.  The only
problem is I cannot find an IDSL WIC on CCO; I only see an ADSL and an SDSL.

 

 

Ryan

-Original Message-
From: [EMAIL PROTECTED] on behalf of Reimer, Fred
Sent: Mon 8/11/2003 10:02 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: VPN Best Hardware to use? [7:73793]



I would certainly hope that the remotes wouldn't use different platforms.  I
don't know the business model, but it sounds to me like it's some kind of
service offering or something.  Maybe they have a 2000 site Frame Relay
network used to offer a service or something, and they want to switch to
something more economical.  Instead of paying monthly circuit fees, pay a
one-time hardware cost (assuming they don't own the FR routers at the
customer end) and use the customer's Internet connection.  Why in the world
would you want different hardware at each customer site in that situation?
Standardize on one hardware platform, and build the cost of that hardware
into the business model...

If that's the case then the cost of a 3005 can be justified in a small
number of months, depending on your FR cost.  Certainly you would recoup
your cost and start making more money, due to less operating cost,
relatively quickly.

Now, if this is something else, like a company with 2000 offices throughout
the world, then I can see your point and you may end up with different
requirements.  But, that's not how it sounds so far.

Fred Reimer - CCNA 


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050 




-Original Message- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 6:57 AM 
To: [EMAIL PROTECTED] 
Subject: RE: VPN Best Hardware to use? [7:73793] 

Despite all hw issues, you really need to
- describe the business req's first
- translate to technical req's

(you are talking 2000+ sites)

And you will see that you'll need more than one platform for the remotes.

Depending on your hierarchy concerning
- messaging
- authentication
- client-server
- webapps
- desktop/register maintenance/management
- security man

you will need to or may want to build a hierarchical design. Keep in mind
that different platforms use different (HQ) fail-over or 2nd IP techniques.

Martijn


-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED]
Sent: Sunday, 10 August 2003 4:36
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]


I need to setup VPNs to about 2000 sites.  Each site will have an IDSL line 
installed that will be used to connect to monitor network devices and 
servers.  Some of the remote networks will be using the same network block. 
I am looking to know what the best hardware to use on each end is.  On my 
end, would it be better to use a PIX or a 3030?  On the remote end, I was 
looking at a PIX 501, SOHO 91 or the 831? 


Thank you 


Ryan 




Message Posted at:
http://www.groupstudy.com/form

RE: VPN problems' still exist [7:73704]

2003-08-14 Thread Reimer, Fred
I don't think attachments make it through.  Go into the 3005 and modify the
events so that all of the IKE classes (under Configuration | System | Events
| Classes) have the highest level (1-13) and tell us what messages you get
when it tries to connect.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 1:00 AM
To: [EMAIL PROTECTED]
Subject: VPN problems' still exist [7:73704]

hi all,

Thanks for all the assistance given on using xauth with Easy VPN. I have
solved the problem by configuring a site-to-site VPN, but still the VPN
peer cannot be established. I am actually doing a site-to-site VPN from one
806 router to a Cisco concentrator 3005. Attached is the configuration of
my 805 router for your reference.

regards,
suaveguru

__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

[GroupStudy removed an attachment of type text/richtext which had a name of
Mendel's config.rtf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73725t=73704


RE: 2501 VPN [7:73977]

2003-08-14 Thread Reimer, Fred
Well, you could look here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfipsec.htm#1001813

And here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfike.htm#1012737

And here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfinter.htm#1001485

One of the good things about IPsec, IMNSHO, is that you actually need to
know what the heck you are doing in order to get it to work.  Do you know
what a transform set is?  IKE?  An SA?  Crypto-map?  If not, Read The
Manuals.  It's not overly difficult.  Once you read the manuals, if you have
questions, I'm sure that everyone would be more than glad to answer any
specific questions.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Henry Volentine [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 14, 2003 12:49 PM
To: [EMAIL PROTECTED]
Subject: 2501 VPN [7:73977]

I need assistance configuring VPN between a Cisco 2501 and a Cisco 827H. 
Both routers have IOS that supports VPN.  The 2501 is connected to the ISP
via a 768kb fractional T1 and the 827H has an ADSL connection to the same
ISP.  If anyone could please send sample configurations for either router, I
would appreciate it.  [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73979t=73977
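
A worked configuration for the setup Henry describes, added here as an
example; it is not taken from the thread or from Cisco's documentation. A
2501 on a serial link and an 827H on ADSL, both with static public
addresses, build one LAN-to-LAN IPsec tunnel authenticated with a pre-shared
key. The addresses (192.0.2.0/30 and 198.51.100.0/24 outside, 10.1.0.0/24
and 10.2.0.0/24 inside), the interface names, the ATM PVC 8/35 and the key
value are assumptions; substitute the real ones. It shows the pieces Fred
lists (IKE policy, transform set, crypto map with its match ACL) plus the
NAT-exemption ACL that is a common reason a tunnel comes up but passes no
traffic.

```cisco
! ===== 2501, head end: Serial0 to the ISP, Ethernet0 = 10.1.0.0/24 =====
! (added example; addresses, names and the key are placeholders)
!
! IKE (phase 1) policy: both routers must have a matching policy.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Pre-shared key, bound to the peer's public address. Use a long random key.
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 198.51.100.2
!
! Transform set: how the IPsec (phase 2) SAs protect the packets.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! "Interesting" traffic: only LAN-to-LAN packets go through the tunnel.
access-list 110 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Crypto map: peer + transform set + interesting traffic, applied outbound.
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-3DES-SHA
 match address 110
!
interface Ethernet0
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
! PAT for ordinary Internet access. The deny line must come first: IOS
! translates inside-to-outside packets BEFORE the crypto map is checked,
! so without it the source becomes 192.0.2.2, access-list 110 no longer
! matches, and the LAN-to-LAN traffic follows the default route in the
! clear instead of entering the tunnel.
access-list 120 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 120 permit ip 10.1.0.0 0.0.0.255 any
ip nat inside source list 120 interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ===== 827H, remote: ADSL (PPPoA on ATM0/Dialer1), Ethernet0 = 10.2.0.0/24 =====
! Same IKE policy and transform set; peer, key binding and ACLs mirrored.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 192.0.2.2
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
access-list 110 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-3DES-SHA
 match address 110
!
interface Ethernet0
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
! VPI/VCI and encapsulation per the ISP; PPP authentication lines omitted.
interface ATM0
 no ip address
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 crypto map VPN
!
access-list 120 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 120 permit ip 10.2.0.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
```

Bring the tunnel up by sending traffic from one LAN to the other (a ping
from a host, or an extended ping sourced from Ethernet0; a plain ping from
the router is sourced from the outside address and does not match
access-list 110). Then check `show crypto isakmp sa` (expect QM_IDLE) and
`show crypto ipsec sa` (encaps/decaps counters rising on both sides). If
phase 1 never completes, `debug crypto isakmp` on either side shows which
attribute the two policies disagree on.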


Re: Cisco Secure VPN 642-511 [7:73919]

2003-08-14 Thread Kevin Wigle
I'm for the check CCO part of your post.

Visit
http://www.cisco.com/en/US/learning/le3/le30/le13/learning_learning_path.html

and you'll see all the Specialist certifications.  They are not going
anywhere - yet.

The CCSP is still going strong:
http://www.cisco.com/en/US/learning/le3/le2/le37/le54/learning_certification_type_home.html

on the same page is an INFOSEC Professional link.  Cisco has been granted
rights to award this cert.  It is NOT a Cisco cert.  Which is cool because
once it is awarded there is no need to recertify, it is permanent.

Which is the opposite of everything Cisco does - especially CCSP - to recert
CCSP you have to take all 5 exams again.  Hopefully by the time people get 3
years in CCSP Cisco will have a single recert exam like they do for
CCIE/CCDP/CCNP.

I might do the security exams once to get the INFOSEC cert and then forget
the recert on the Cisco stuff.

If you get the CCSP you'll also have the credits to be a Firewall Spec, IDS
Spec and a VPN Spec.  It would make for a crowded business card.

The specs are good for 2 years, the CCSP is good for 3 years.  Which is also
weird as you used the specs to get CCSP but they expire first.

I'm sure there are good reasons for these certification oddities.

Kevin Wigle
CCDP CCNP MCSE CBE Security+

- Original Message - 
From: Reimer, Fred 
To: 
Sent: Tuesday, August 12, 2003 9:45 AM
Subject: Cisco Secure VPN 642-511 [7:73919]


 Change of subject, and a massive trim.

 The KnowledgeNet course was good.  I took the Express with Mentor.
 Contrary to their recommendations, I didn't see much value in their mentors.
 Not to say that they are not knowledgeable or anything, just that 90% of the
 time my questions for the mentors were corrections in the Cisco
 courseware.  The course was for the new test.  I believe there were a few
 questions on the test that were not covered in the course.

 You get the Cisco courseware documentation, and access to their on-line
 power-point type slides with an instructor basically saying the same thing
 as is in the courseware.  However, they do talk about some things that are
 not in the manuals.  You should have six weeks to go through it.  I'd
 suggest taking a day off or spending a Saturday to go through the whole
 course, but that's just me.  I can't do the one hour here and there thing.

 They also include labs or simulations of setting up the hardware.
 However, they don't have an actual lab.  I think they are working on that,
 but I found it very useful to have a real 3000 available to go through the
 menus.

 If you haven't taken this test before, don't skip the practice thing in the
 beginning.  One of the simulations worked a bit differently than I was
 expecting, and although I'm sure I knew what I was doing I'm not sure if I
 got credit for that question.

 Know all the menus, and what items are on the actual configuration screens.

 I have a side question myself.  Cisco changed their specialist program, so
 that now apparently there isn't a Firewall Specialist, VPN Specialist, and
 IDS Specialist, but rather just one Security Specialist.  So does that mean
 that I can't use the VPN Specialist designation anymore and have to wait
 until I pass all of the tests?  What about that INFOSEC designation, is that
 still valid?

 Perhaps I should just login to the new Certifications Community site and
 check there.

 http://forums.cisco.com/eforum/servlet/CertCom?page=main

 Fred Reimer - CCNA


 Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
 Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




 -Original Message-
 From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 12, 2003 9:17 AM
 To: Reimer, Fred; [EMAIL PROTECTED]
 Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

 Can you comment on that particular Knowledgenet class? I'm signed up to
 take it in the not too distant future.
 Thanks,

 Michelle

 Michelle Truman   CCIE # 8098
 Principal Technical Consultant
 ATT Solutions Center
 mailto:[EMAIL PROTECTED]
 Work: 651-998-0949




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73951t=73919

RE: Strange VPN problem [7:73641] OT:F funny [7:73722]

2003-08-14 Thread [EMAIL PROTECTED]
I mailed that!

Only your explanation is superior.  ;-)

When I have time and am not studying for my lab, I study the English
language.  Say, getting dizzy over the CC BGP guide.

(That should be during my sleep though; like every wannabe, I have not seen
a normal book in a while.)

Martijn


-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 August 2003 15:33
To: [EMAIL PROTECTED]
Subject: RE: Strange VPN problem [7:73641]


Does anyone read the manuals around here???

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1070272

You probably have your IKE proposal in your concentrator set for XAUTH, and
you don't have your router set up for that.  You can configure your router as
the reference manual says, or you *may* be able to add a new or modify an
existing IKE policy under Configuration | System | Tunneling Protocols |
IPSec | IKE Proposals so that the Authentication Mode is not one that has
(XAUTH) at the end of it.  Probably Preshared Keys would be the one you
want.  If you create a new one (recommended) then you would have to change
the IKE policy used for your SA under Configuration | Policy Management |
Traffic Management | SAs.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 1:08 AM
To: [EMAIL PROTECTED]
Subject: Strange VPN problem [7:73641]

hi all,

I am trying to set up an Easy VPN solution from a Cisco 837 to a Cisco VPN
concentrator 3005 using network extension mode, but I keep getting this
error msg:

Aug  7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
Aug  7 13:08:16.571: EZVPN: crypto ipsec client ezvpn xauth

Any form of input will be appreciated 

suaveguru

__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73722t=73722


RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73882]

2003-08-14 Thread [EMAIL PROTECTED]
Fred, I respect you. You are one of the top repliers at the moment, in terms
of quality and frequency. I am learning a lot from you, between work and
heavy (I mean heavy) cramming and typing for my coming lab. And I mean it. I
get a laugh out of your "Fred (CCNA)" answering CCIE-level Q&A!


More than one platform depending on req's, MAYBE also deployment costs, EOL
(800 series: 806, 820s, 830s spinning like crazy; 501 here to stay; VPN HW
client okay.)

Please stop because we're fishing, we need facts.

RYAN,

Please give us a list of req's. 

When you design 10-20 sites you ask for a box.
When you design 2000 sites you design a total solution.

Management of 
- config, 
- change, 
- security, 
- availability, 
- performance and 
- capacity. 

I am sure I forgot one.
You catch my drift?
I am also curious about service offered, need front-end? back-end? DMZ's?
etc. 

Learnt as a designer/consultant etc. that if you make a quickie of the
business req's you'll pay afterwards, because it is not what the customer
had hoped for.

Trusted -untrusted client sites.

Martijn 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73882t=73882

RE: Strange VPN problem [7:73641]

2003-08-14 Thread [EMAIL PROTECTED]
XAUTH is, in my perception, for authentication of users (local, or
especially RADIUS or TACACS).

So what we do at the hub site for a static IKE peer is disable XAUTH, so
that a spoke router does not get an auth prompt, or the hub does not wait
for it.

So I think the hub is waiting for an answer, maybe used to authenticate VPN
users only.



WHAT DID YOU PUT AT THE SCREEN IKE PROPOSALS? You need Preshared Keys
there!

8. "The following example shows the various policies used in the IKE policy
named CiscoVPNClient-3DES-MD. In this policy, Preshared Keys (XAUTH) for
Authentication Mode is being used so that the client will be prompted to
supply a username and password at the end of IKE negotiations."

http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml#task2_steps

Martijn 



-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 August 2003 9:40
To: Jansen, M
Subject: RE: Strange VPN problem [7:73641]


thanks for your prompt reply , but I am using easyvpn
configuration for cisco 805 router to concentrator
3005 with the cisco 805 as client mode and
concentrator as hub . I can't find the line that you
indicate for my cisco 805 , could it be easyvpn
configuration that i am using?

suaveguru
--- [EMAIL PROTECTED] wrote:
 Guru.

 Type the no-xauth behind the key mapping:

   isakmp key **NEWKEYNEWCUSTO** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

 Martijn
 
 


__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73648t=73641
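
The router side of what Fred and Martijn describe in this thread, as an
added example that is not the poster's configuration: an IOS Easy VPN
Remote profile on the 80x/83x in network-extension mode, and how the XAUTH
challenge from the 3005 is answered on the router. The profile name
mendelvpn is taken from the log in the thread; the group name, group key,
peer address, LAN address and the Ethernet1 WAN interface are assumptions
(on an 837 the outside interface would be the ADSL Dialer). The other way
out, choosing a "Preshared Keys" rather than "Preshared Keys (XAUTH)" IKE
proposal for the group on the 3005, is done in the concentrator's web
interface and has no router-side command.

```cisco
! Easy VPN Remote (hardware client) profile. Added example; group name,
! key, addresses and interface names are placeholders.
crypto ipsec client ezvpn mendelvpn
 connect auto
 ! Group name and group key must match the Group configured on the 3005.
 group mendel-group key REPLACE-WITH-GROUP-KEY
 ! network-extension: hosts behind the router keep their own addresses
 ! and are reachable from the hub. "mode client" would instead PAT them
 ! behind a single address handed out by the concentrator.
 mode network-extension
 peer 203.0.113.10
!
! Inside interface: the LAN that is carried through the tunnel.
interface Ethernet0
 ip address 10.3.0.1 255.255.255.0
 crypto ipsec client ezvpn mendelvpn inside
!
! Outside interface: where the profile is bound and IKE is initiated from.
interface Ethernet1
 ip address dhcp
 crypto ipsec client ezvpn mendelvpn
!
! When the group's IKE proposal on the 3005 is "Preshared Keys (XAUTH)",
! the concentrator completes phase 1 with the group key and then holds the
! tunnel until a user login is supplied. The router logs:
!   EZVPN(mendelvpn): Pending XAuth Request, Please enter the following command:
!   EZVPN: crypto ipsec client ezvpn xauth
! Answer it from privileged EXEC (it is not a configuration command):
!   Router# crypto ipsec client ezvpn xauth
!   Username: <user defined on the 3005 or its RADIUS server>
!   Password: <password>
! Then verify:
!   Router# show crypto ipsec client ezvpn    (expect Current State: IPSEC_ACTIVE)
!   Router# show crypto isakmp sa             (expect state QM_IDLE)
```

If the prompt never clears, the usual causes are a group name or group key
that does not match the 3005's Group entry (phase 1 fails before XAUTH is
reached, visible with `debug crypto isakmp`) or a user that is not
permitted in that group.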


RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread Ryan Finnesey
That is an ADSL WIC, or am I missing something?  We are looking to use IDSL
but cannot find a router that supports 3DES and IDSL.
 
 
Ryan

-Original Message- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wed 8/13/2003 1:40 AM 
To: Ryan Finnesey; [EMAIL PROTECTED] 
Cc: 
Subject: RE: VPN Best Hardware to use? [7:73793]



You mean? newest:

DSL WAN Interface Cards
WIC-1ADSL-I-DG 1-port ADSLoISDN WAN Interface Card

cco partner login:

http://www.cisco.com/en/US/partner/products/hw/routers/ps221/products_data_sheet09186a0080088713.html


Martijn



RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread Reimer, Fred
The 3000s support failover just fine, and the new version even supports
multi-entry-point VPNs (like Check Point has had for years).  Basically
meaning that at your main site you can have two 3030s with connections to
different ISPs and totally different external addresses.

See:

Backup LAN-to-LAN

The Backup LAN-to-LAN feature lets you establish redundancy for your
LAN-to-LAN connection. Unlike VRRP, which provides a failover for the VPN
Concentrator, Backup LAN-to-LAN provides a failover for the connection
itself. Although VRRP and Backup LAN-to-LAN are both ways of establishing
continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN
provides certain advantages that VRRP does not.

* You can configure Backup LAN-to-LAN and load balancing on the same
device, but you cannot configure VRRP and load balancing on the same VPN
Concentrator.
* Redundant Backup LAN-to-LAN peers do not have to be located at the
same site. VRRP backup peers cannot be geographically dispersed,
Note   This feature does not work in conjunction with VRRP. If you
set up a Backup LAN-to-LAN configuration, disable VRRP.

I'm sure Cisco would entertain cutting a special deal on 2000 3002/3005
devices.  If not, send me a note offline and I'll see if our sales guys are
interested.  We usually only deal with hospitals, but they may make an
exception for a large number like that...

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Andrey Tarasov [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 10, 2003 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793]

Hi Ryan,

For head-end 3030/3060 would be a better choice. PIX for example doesn't
provide connectivity between remote sites in hub-and-spoke topology.
On remote side 831 might be a best pick especially if you want to provide
some backup mechanism for VPN tunnel.

Regards,
Andrey.
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73875t=73793


RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

2003-08-14 Thread Howard C. Berkowitz
At 4:57 PM + 8/11/03, Truman, Michelle, RTSLS wrote:
Advantis is actually now called AGNS for ATT Global Network (Was the
IBM Global Network after it was Advantis).

I still cherish memories of teaching a class to Advantis when it was 
still an IBM-Sears joint venture. It was a private ICRC, where we 
used their existing equipment, all token ring LAN. I finally 
understood why the lab exercises were acting so weirdly when I 
discovered they had connected the lab backbone to a production 
network.

Anyway, they gave me a hard time all week claiming they had much 
better routers than Cisco. At first, I thought they were referring to 
some of the IBM-labeled routers that were Wellfleet under the hood.

It was worse.

They finally identified the superior router brand.

Craftsman.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73893t=73793


wireless security and VPN software? [7:73988]

2003-08-14 Thread Priscilla Oppenheimer
For a large campus network that has a need for wireless access in conference
rooms, cafeterias, etc., would it be overkill to require wireless clients to
use VPN IPSec software to access the campus network? This is for a customer
who is paranoid about security and understands the tradeoff of ease-of-use
versus security.

There are other downsides with requiring VPN software, of course, including
the usual issues of incompatibility with some apps, the lack of support for
protocols other than IP, and the lack of support for multicast applications
(from what I understand). Also, we have to consider the scalability of the
current VPN solution and whether it can support numerous transient wireless
users, but we think it can. There are many advantages with IPSec too, like
support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to
use VPN software?

Sorry if it's a stupid question.

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73988t=73988


RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread Andrey Tarasov
Hi Ryan,

For head-end 3030/3060 would be a better choice. PIX for example doesn't
provide connectivity between remote sites in hub-and-spoke topology.
On remote side 831 might be a best pick especially if you want to provide
some backup mechanism for VPN tunnel.

Regards,
Andrey.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73853t=73793


RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

2003-08-14 Thread Daniel Cotts
Groan. I'll bet they could really make the chIPs fly.

 -Original Message-
 From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]
 
 They finally identified the superior router brand.
 
 Craftsman.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73895t=73793


RE: VPN Best Hardware to use? [7:73793]

2003-08-14 Thread Reimer, Fred
I'd consider the 3005 at the remote sites.  It has the capability to do a
LAN-to-LAN NAT, where if you had customer A and customer B that both used
10.1.x you could map them to 45.1 and 45.2 respectively, or any other
equal-mask network.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 09, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]

I need to setup VPNs to about 2000 sites.  Each site will have an IDSL line
installed that will be used to connect to monitor network devices and
servers.  Some of the remote networks will be using the same network block. 
I am looking to know what the best hardware to use on each end is.  On my
end, would it be better to use a PIX or a 3030?  On the remote end, I was
looking at a PIX 501, SOHO 91 or the 831?


Thank you


Ryan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73825t=73793


RE: VPN Conncetion from Windows Client to nt domain [7:73720]

2003-08-14 Thread [EMAIL PROTECTED]
Please take every point I make seriously. Please also read the release notes
that belong to the vpn client. I believe you when you say you can do
everything.

Have you tried starting outlook (if you use exchange) or doing a rpc-ping,
when doing net use do you get a logon screen. I have had RPC problems
because of MTU/hardwareRPC settings once.

Radius is a tip for the authentication of users on the access-device. No
separate user accounts, dial-in policies etc.

Martijn 

-Original Message-
From: K. Bovermann [mailto:[EMAIL PROTECTED]
Sent: Friday, 8 August 2003 15:39
To: Jansen, M
Subject: RE: VPN Conncetion from Windows Client to nt domain [7:73720]


the windows 2k client got the connection and I can ping around the network
without any problems.
The client gets his ip from the concentrator (manually added at the user
configuration)
I can map the drives manually without problems only the log on to the
domain e.g. the script won't work. So I have to add them manually. When I try
to authenticate the user name and password for the domain at the vpn
concentrator it works with no problem.
From windows side it won't work.

It is no problem with the ip address or subnet mask or any permissions. Only
the log on to the nt domain won't work.
We have no RADIUS Server at our domain. Will it work also with radius if I
don't have any radius server ??


Regards

Kai

-Original Message-
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]
Sent: Friday, 8 August 2003 15:26
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: VPN Conncetion from Windows Client to nt domain
[7:73720]

Check: (off my hat, or cap whatever)

access-lists: netbios, time, kerberos, dns, maybe wins if you use it
              (check bill's site)
dhcp:         give client dns, maybe wins; dhcp pool
domain:       if 2k maybe add extra subnet to site (mmc sites and services)
route:        has the server a route to the concentrator AND to the VPN
              client subnet; ping client from server, IP AND name
route:        has the client a route to the server, hosts file?
              ping ip AND name from client

Tip: always use radius.

Tip2:   READ THE FEATURE (RELEASE NOTES) LIST FROM THE EXACT VPN CLIENT
VERSION NUMBER!

Martijn

-Original Message-
From: Kai Bovermann [mailto:[EMAIL PROTECTED]
Sent: Friday, 8 August 2003 14:05
To: [EMAIL PROTECTED]
Subject: VPN Conncetion from Windows Client to nt domain [7:73720]


Dear all

We have a cisco vpn concentrator 3000 series for vpn connection.
What we want to do is to establish a vpn connection from a windows
client(W2k or WinXP Pro) to the concentrator and then log on to our domain
and then get the shares connected to the pc.
I created a vpn connection and it works properly. Only the log on to the
domain will not work.
It should go like this way that the user is logged on to the pc and then if
it is needed establish the vpn connection and get also logged on to the
domain and get the shares connected to the pc.

How can I do this ?

Thanks a lot

Kai




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73729t=73720


RE: wireless security and VPN software? [7:73988]

2003-08-14 Thread Ken Chipps
Are they concerned about what is in the traffic going back and forth
from the wireless users to the wired network? In other words
interception of the signal. Or is it a desire to isolate the wireless
from the wired side of the network. If isolation is what is needed, it
would seem a lot easier to put the wireless users in their own network
and implement security where the wireless and wired networks join. If
they are concerned with the traffic going back and forth over the
wireless network, what about encrypting all of their traffic by default?
If they use a VPN solution, it does nothing for the rogue access point
problem. A group of users could setup their own wireless network and not
have to use a VPN. Whereas if all PCs encrypt their traffic, even over
the wired network, they could bypass the interception problem. Now I
cannot say I have ever attempted to encrypt traffic this way. What are
the problems with this approach?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 14, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: wireless security and VPN software? [7:73988]

For a large campus network that has a need for wireless access in conference
rooms, cafeterias, etc., would it be overkill to require wireless clients to
use VPN IPSec software to access the campus network? This is for a customer
who is paranoid about security and understands the tradeoff of ease-of-use
versus security.

There are other downsides with requiring VPN software, of course, including
the usual issues of incompatibility with some apps, the lack of support for
protocols other than IP, and the lack of support for multicast applications
(from what I understand). Also, we have to consider the scalability of the
current VPN solution and whether it can support numerous transient wireless
users, but we think it can. There are many advantages with IPSec too, like
support for encryption that actually works...

What do you all think? Do any of you require your campus wireless users to
use VPN software?

Sorry if it's a stupid question.

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73996t=73988


Re: wireless security and VPN software? [7:73988]

2003-08-14 Thread annlee
Priscilla Oppenheimer wrote:
 For a large campus network that has a need for wireless access in conference
 rooms, cafeterias, etc., would it be overkill to require wireless clients to
 use VPN IPSec software to access the campus network? This is for a customer
 who is paranoid about security and understands the tradeoff of ease-of-use
 versus security.
 
 There are other downsides with requiring VPN software, of course, including
 the usual issues of incompatibility with some apps, the lack of support for
 protocols other than IP, and the lack of support for multicast applications
 (from what I understand). Also, we have to consider the scalability of the
 current VPN solution and whether it can support numerous transient wireless
 users, but we think it can. There are many advantages with IPSec too, like
 support for encryption that actually works...
 
 What do you all think? Do any of you require your campus wireless users to
 use VPN software?
 
 Sorry if it's a stupid question.
 
 Priscilla
 
I'll take a swing: It Depends.

Really, I think it does. This campus network may have wireless 
access in areas where traffic should be encrypted (is there a 
health clinic? think HIPAA; will HR or Finance be using wireless 
from these conference rooms?).

But there may also be many areas, if not most, where it is 
overkill. Security is always a balancing act between 
convenience/ease of use and  the cost incurred if information is 
somehow violated (lost, compromised,  kidnapped--it can happen, 
heavens--it has).  If the wireless is being added for low-value 
use and convenience, I don't see a need for IPSec, though I would 
certainly be careful to segregate the wireless from the wired and 
control wireless access into significant segments of the wired 
network.

I would look very hard at the design issues of what apps and what 
data will be transiting where, and protect those areas which 
carry sensitive data. And I would pay especial attention to Layer 
8 issues [grin].

Annlee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73991t=73988


VPN problems' still exist [7:73704]

2003-08-14 Thread suaveguru
hi all, 

thanks for all the assistance given using xauth
regarding easyvpn . I have solved the problem by
configuring SITE-TO-SITE VPN. but still the VPN peer
cannot be established. I am actually doing a
site-to-site VPN from one 806 router to a cisco
concentrator 3005. attached is the configuration of
my 805 router for your reference.

regards,
suaveguru


[GroupStudy removed an attachment of type text/richtext which had a name of
Mendel's config.rtf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73704t=73704


RE: Strange VPN problem [7:73641]

2003-08-14 Thread [EMAIL PROTECTED]
Guru.

Type the no-xauth behind the key-mapping.



isakmp key **NEWKEYNEWCUSTO** address  x.x.x.x netmask 255.255.255.255
no-xauth no-config-mode



Martijn 


-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 August 2003 7:08
To: [EMAIL PROTECTED]
Subject: Strange VPN problem [7:73641]


hi all, 

I am trying to setup a easy VPN solution for a cisco
837 to a cisco VPN concentrator 3005 using network
extension mode but I keep getting this error msg Aug 
7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth
Request, Please enter the following command:
Aug  7 13:08:16.571: EZVPN: crypto ipsec client ezvpn
xauth

Any form of input will be appreciated 

suaveguru





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73645t=73641


RE: wireless security and VPN software? [7:73988]

2003-08-14 Thread Charlie Wehner
What type of applications do they need to support?

What devices and OS's do they need to support?
-Watch out for PDAs.  Most PDAs have limited support for VPN clients.  

What type of users are they?  (Techie or basic AOL users?)

These are the main questions in my opinion.  VPNs aren't so bad.  I know
quite a few enterprises that are currently using VPN solutions for
wireless.  I honestly don't think most users notice the performance hit. 
Also, some VPN clients can be setup very seamlessly so there aren't multiple
logins.

I would also look into PEAP, EAP-TLS and LEAP.  PEAP is pretty secure if
setup correctly.  The PEAP client is already built into WinXP and PPC 2003.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73998t=73988


RE: VPN Conncetion from Windows Client to nt domain [7:73720]

2003-08-12 Thread [EMAIL PROTECTED]
access-lists: netbios, time, kerberos, dns, maybe wins if you use it
              (check bill's site)
dhcp:         give client dns, maybe wins; dhcp pool
domain:       if 2k maybe add extra subnet to site (mmc sites and services)
route:        has the server a route to the concentrator AND to the VPN
              client subnet; ping client from server, IP AND name
route:        has the client a route to the server, hosts file?
              ping ip AND name from client

Tip: always use radius.

Tip2:   READ THE FEATURE (RELEASE NOTES) LIST FROM THE EXACT VPN CLIENT
VERSION NUMBER!

Martijn 

-Original Message-
From: Kai Bovermann [mailto:[EMAIL PROTECTED]
Sent: Friday, 8 August 2003 14:05
To: [EMAIL PROTECTED]
Subject: VPN Conncetion from Windows Client to nt domain [7:73720]


Dear all

We have a cisco vpn concentrator 3000 series for vpn connection.
What we want to do is to establish a vpn connection from a windows
client(W2k or WinXP Pro) to the concentrator and then log on to our domain
and then get the shares connected to the pc.
I created a vpn connection and it works properly. Only the log on to the
domain will not work.
It should go like this way that the user is logged on to the pc and then if
it is needed establish the vpn connection and get also logged on to the
domain and get the shares connected to the pc.

How can I do this ?

Thanks a lot

Kai




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73723t=73720


Cisco Secure VPN 642-511 [7:73919]

2003-08-12 Thread Reimer, Fred
Change of subject, and a massive trim.

The KnowledgeNet course was good.  I took the Express with Mentor.
Contrary to their recommendations, I didn't see much value in their mentors.
Not to say that they are not knowledgeable or anything, just that 90% of the
time my questions for the mentors were corrections in the Cisco
courseware.  The course was for the new test.  I believe there were a few
questions on the test that were not covered in the course.

You get the Cisco courseware documentation, and access to their on-line
power-point type slides with an instructor basically saying the same thing
as is in the courseware.  However, they do talk about some things that are
not in the manuals.  You should have six weeks to go through it.  I'd
suggest taking a day off or spending a Saturday to go through the whole
course, but that's just me.  I can't do the one hour here and there thing.

They also include labs or simulations of setting up the hardware.
However, they don't have an actual lab.  I think they are working on that,
but I found it very useful to have a real 3000 available to go through the
menus.

If you haven't taken this test before, don't skip the practice thing in the
beginning.  One of the simulations worked a bit differently than I was
expecting, and although I'm sure I knew what I was doing I'm not sure if I
got credit for that question.

Know all the menus, and what items are on the actual configuration screens.

I have a side question myself.  Cisco changed their specialist program, so
that now apparently there isn't a Firewall Specialist, VPN Specialist, and
IDS Specialist, but rather just one Security Specialist.  So does that mean
that I can't use the VPN Specialist designation anymore and have to wait
until I pass all of the tests?  What about that INFOSEC designation, is that
still valid?

Perhaps I should just login to the new Certifications Community site and
check there.

http://forums.cisco.com/eforum/servlet/CertCom?page=main

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 12, 2003 9:17 AM
To: Reimer, Fred; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

Can you comment on that particular Knowledgenet class? I'm signed up to
take it in the not too distant future. 
Thanks,

Michelle

Michelle Truman   CCIE # 8098
Principal Technical Consultant
ATT Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73919t=73919


RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

2003-08-12 Thread Truman, Michelle, RTSLS
Can you comment on that particular Knowledgenet class? I'm signed up to
take it in the not too distant future. 
Thanks,

Michelle

Michelle Truman   CCIE # 8098
Principal Technical Consultant
ATT Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949 





-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]


Wow, I guess I'm dating myself a little there if that many changes have
happened.  I don't believe there were that many options, if any, in the
original network.  Glad to see things have changed.

More on-topic, I just took the CSVPN test and just squeezed by.  Note to
self, make sure you study for a test before taking one ;-)  I went through
the KnowledgeNet Express course like a week or two ago, but didn't study
this weekend.  Probably not a good practice.  I'll have to remember that one
later...

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 12:57 PM
To: Reimer, Fred; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]

Advantis is actually now called AGNS for ATT Global Network (Was the
IBM Global Network after it was Advantis). You can get VPN's on just
about any remote client you like, from Cisco to Nortel to Checkpoint to
ATT proprietary Netgate boxes which are derived from Linux OS. You also
can run the VPN over the IP backbone for dedicated or DSL connections.
AGNS is mainly a dial/ISDN/Broadband platform now. We actually don't
support 83x Cisco boxes yet because the Netgates have been so popular,
but it's under development. 

Massive IOS upgrades were already done because pretty much everything we
do is automated because of scale requirements. 

Personally speaking, I like the 3000 Concentrator at the headend with
Netgate at the client site. that is the most flexible and affordable
configuration. 

Michelle

Michelle Truman   CCIE # 8098
Principal Technical Consultant
ATT Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949 





-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]


Why thanks!  I only have a CCNA now because I had to get it for our partner
level, and I'm supposed to get much more.  And I only have it on my sig
because I use the same sig for work and work-related lists.

You are correct that we would need more details if it is anything other than
what I think it is.  If it is just a small service, cookie cutter type deal,
then I don't see why they can't use a cookie cutter type solution.  Being in
healthcare, I envision something like Blue Cross/ Blue Shield payer
connections, where I think they use the IBM Advantis network (is that what
it was called?  Who owns them now, ATT?  Yep, they purchased them in 1999
for $5B) and have routers at each customer site.  Why not replace them with
a cookie cutter type connection?  They already have connections to each
customer, likely on a DMZ.  The communication is just patient financial
information (claims) between one host system at a hospital and a system at
BC/BS.  ATT certainly uses a cookie-cutter type connection for all of their
connections (wonder if they upgraded all of those thousands of routers for
the IOS patch).  There may be a one-off here and there, but for the VAST
majority of situations it's the same.  Same for ISP's.  You think they have
custom connections for each T1 line they install?  Stick a this type router
here and a that type router there?  No, unless a customer has a special
need, like shadow T3's as we do, then you're not going to get special
treatment.

At least that's my take on it.  So as to reduce complexity, administration,
maintenance, and increase scalability, security, stability, I'd attempt at
all cost to have a standard configuration.  Even if it cost a bit more.  The
3000 series may not be the answer, because we don't know the true
requirements, but whatever the answer is I'd attempt to standardize on it.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050



RE: VPN Best Hardware to use? [7:73793]

2003-08-11 Thread Reimer, Fred
I'd consider the 3005 at the remote sites.  It has the capability to do a
LAN-to-LAN NAT, where if you had customer A and customer B that both used
10.1.x you could map them to 45.1 and 45.2 respectively, or any other
equal-mask network.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 09, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73837&t=73793
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html


RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

2003-08-11 Thread Truman, Michelle, RTSLS
Advantis is actually now called AGNS for AT&T Global Network (was the
IBM Global Network after it was Advantis). You can get VPNs on just
about any remote client you like, from Cisco to Nortel to Checkpoint to
AT&T proprietary Netgate boxes which are derived from Linux OS. You also
can run the VPN over the IP backbone for dedicated or DSL connections.
AGNS is mainly a dial/ISDN/Broadband platform now. We actually don't
support 83x Cisco boxes yet because the Netgates have been so popular,
but it's under development.

Massive IOS upgrades were already done because pretty much everything we
do is automated because of scale requirements. 

Personally speaking, I like the 3000 Concentrator at the headend with
Netgate at the client site. That is the most flexible and affordable
configuration.

Michelle

Michelle Truman   CCIE # 8098
Principal Technical Consultant
AT&T Solutions Center
mailto:[EMAIL PROTECTED]
Work: 651-998-0949 





-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]


Why thanks!  I only have a CCNA now because I had to get it for our partner
level, and I'm supposed to get much more.  And I only have it on my sig
because I use the same sig for work and work-related lists.

You are correct that we would need more details if it is anything other than
what I think it is.  If it is just a small service, cookie cutter type deal,
then I don't see why they can't use a cookie cutter type solution.  Being in
healthcare, I envision something like Blue Cross/Blue Shield payer
connections, where I think they use the IBM Advantis network (is that what
it was called?  Who owns them now, AT&T?  Yep, they purchased them in 1999
for $5B) and have routers at each customer site.  Why not replace them with
a cookie cutter type connection?  They already have connections to each
customer, likely on a DMZ.  The communication is just patient financial
information (claims) between one host system at a hospital and a system at
BC/BS.  AT&T certainly uses a cookie-cutter type connection for all of their
connections (wonder if they upgraded all of those thousands of routers for
the IOS patch).  There may be a one-off here and there, but for the VAST
majority of situations it's the same.  Same for ISP's.  You think they have
custom connections for each T1 line they install?  Stick a this type router
here and a that type router there?  No, unless a customer has a special
need, like shadow T3's as we do, then you're not going to get special
treatment.

At least that's my take on it.  So as to reduce complexity, administration,
maintenance, and increase scalability, security, stability, I'd attempt at
all cost to have a standard configuration.  Even if it cost a bit more.  The
3000 series may not be the answer, because we don't know the true
requirements, but whatever the answer is I'd attempt to standardize on it.

Fred Reimer - CCNA




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 10:51 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT:

Fred, I respect you. You are one of the top repliers at the moment, in terms
of qual and freq. I am learning a lot from you, between work and heavy (I
mean heavy) cramming and typing for my coming lab. And I mean it. I get a
laugh out of your, Fred, (ccna) and answering ccie level qa!


More than one platform depending on req's MAYBE also deployment costs, EOL
(800 806-820's-830's series spinning like crazy, 501 here to stay, vpn hw
client okay.)

Please stop because we're fishing, we need facts.

RYAN,

Please give us a list of req's.

When you design 10-20 sites you ask for a box.
When you design 2000 sites you design a total solution.

Management of
- config,
- change,
- security,
- availability,
- performance and
- capacity.

I am sure I forgot one.
You catch my drift?
I am also curious about service offered, need front-end? back-end? DMZ's?
etc.

Learnt as designer consultant etc that if you make a quicky of business
req's you'll pay afterwards, because it is not what customer had hoped for.

Trusted - untrusted client sites.

Martijn 

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday

RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73793]

2003-08-11 Thread Reimer, Fred
Wow, I guess I'm dating myself a little there if that many changes have
happened.  I don't believe there were that many options, if any, in the
original network.  Glad to see things have changed.

More on-topic, I just took the CSVPN test and just squeezed by.  Note to
self, make sure you study for a test before taking one ;-)  I went through
the KnowledgeNet Express course like a week or two ago, but didn't study
this weekend.  Probably not a good practice.  I'll have to remember that one
later...

Fred Reimer - CCNA




-Original Message-
From: Truman, Michelle, RTSLS [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 11, 2003 12:57 PM
To: Reimer, Fred; [EMAIL PROTECTED]
Subject: RE: VPN Best Hardware to use? [7:73793] LITTLE OT: [7:73883]


RE: Strange VPN problem [7:73641]

2003-08-10 Thread suaveguru
I have done that, but now more problems crop up; look at
my latest mail with the attachment.

suaveguru
--- [EMAIL PROTECTED] 
wrote:
 Guru.
 
 Type the no-xauth behind the key-mapping.
 
 
 
 isakmp key **NEWKEYNEWCUSTO** address  x.x.x.x
 netmask 255.255.255.255
 no-xauth no-config-mode
 
 
 
 Martijn 
 
 
 -Original Message-
 From: suaveguru [mailto:[EMAIL PROTECTED]
 Sent: Thursday 7 August 2003 7:08
 To: [EMAIL PROTECTED]
 Subject: Strange VPN problem [7:73641]
 
 


__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73705&t=73641


RE: Strange VPN problem [7:73641]

2003-08-10 Thread suaveguru
thanks for your reply, I will read the documentation
and see if I can solve my problem.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73698&t=73641


RE: VPN Best Hardware to use? [7:73793]

2003-08-10 Thread Reimer, Fred
I'd consider the 3005 at the remote sites.  It has the capability to do a
LAN-to-LAN NAT, where if you had customer A and customer B that both used
10.1.x you could map them to 45.1 and 45.2 respectively, or any other
equal-mask network.

Fred Reimer - CCNA




-Original Message-
From: Ryan Finnesey [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 09, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: VPN Best Hardware to use? [7:73793]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73806&t=73793
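The overlapping-address LAN-to-LAN NAT Fred describes, as an added example in Python (not code from the thread or from Cisco): each site really uses 10.1.0.0/16 but is shown to the hub in its own equal-mask block, 45.1.0.0/16 and 45.2.0.0/16 as in his message, so identical host addresses stay distinct at the hub. The pool, the site names and the sample host address are constructed, and the capacity check shows what a single /8 pool can hold when every site needs a /16.

```python
"""Overlapping-subnet LAN-to-LAN NAT plan: every remote site really uses
10.1.0.0/16, and each one is shown to the hub as its own equal-mask block
(45.1.0.0/16, 45.2.0.0/16, ...) so identical host addresses stay distinct.
Added example, not from the thread or from Cisco; pool, site names and the
sample host address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass
class SiteNat:
    name: str
    local: IPv4Network       # the overlapping range the site really uses
    translated: IPv4Network  # what the hub sees after LAN-to-LAN NAT

    def __post_init__(self):
        # Equal-mask requirement: the host bits are carried over unchanged,
        # so the inside and outside blocks must be the same size.
        if self.local.prefixlen != self.translated.prefixlen:
            raise ValueError(f"{self.name}: masks differ "
                             f"({self.local} vs {self.translated})")

    def outbound(self, addr: IPv4Address) -> IPv4Address:
        """Rewrite a local source address into the translated block."""
        if addr not in self.local:
            raise ValueError(f"{addr} is not inside {self.local}")
        host_bits = int(addr) - int(self.local.network_address)
        return IPv4Address(int(self.translated.network_address) + host_bits)

    def inbound(self, addr: IPv4Address) -> IPv4Address:
        """Reverse the rewrite for traffic from the hub back to the site."""
        if addr not in self.translated:
            raise ValueError(f"{addr} is not inside {self.translated}")
        host_bits = int(addr) - int(self.translated.network_address)
        return IPv4Address(int(self.local.network_address) + host_bits)


class NatPlan:
    """Hands each site a unique translated block out of one pool and refuses
    a plan in which two sites would still collide at the hub."""

    def __init__(self, pool: IPv4Network):
        self.pool = pool
        self.sites: list = []

    def add_site(self, name: str, local: IPv4Network,
                 translated: Optional[IPv4Network] = None) -> SiteNat:
        used = {s.translated for s in self.sites}
        if translated is None:
            # Carve the next free block of the same size as the local range.
            translated = next((b for b in self.pool.subnets(new_prefix=local.prefixlen)
                               if b not in used), None)
            if translated is None:
                raise RuntimeError(f"pool {self.pool} exhausted after {len(used)} sites")
        elif translated in used or not translated.subnet_of(self.pool):
            raise ValueError(f"{translated} is already taken or outside {self.pool}")
        site = SiteNat(name, local, translated)
        self.sites.append(site)
        return site

    def capacity(self, local_prefixlen: int) -> int:
        """How many sites of a given size this pool can serve: the number to
        check before promising 2000 sites a /16 each."""
        return 2 ** (local_prefixlen - self.pool.prefixlen)

    def hub_view(self, translated: IPv4Address):
        """At the hub: which site does this address belong to, and which
        real address sits behind the translation?"""
        for site in self.sites:
            if translated in site.translated:
                return site.name, site.inbound(translated)
        raise LookupError(f"{translated} matches no site")


def demo() -> dict:
    """Two customers numbered 10.1.0.0/16 each (constructed sample)."""
    plan = NatPlan(IPv4Network("45.0.0.0/8"))
    a = plan.add_site("customer-A", IPv4Network("10.1.0.0/16"), IPv4Network("45.1.0.0/16"))
    b = plan.add_site("customer-B", IPv4Network("10.1.0.0/16"), IPv4Network("45.2.0.0/16"))
    host = IPv4Address("10.1.7.20")  # the same address exists at both sites
    return {
        "A": str(a.outbound(host)),
        "B": str(b.outbound(host)),
        "hub_sees_B": plan.hub_view(b.outbound(host))[0],
        "slots_in_pool": str(plan.capacity(16)),  # 256 /16 blocks in a /8
    }


if __name__ == "__main__":
    print(demo())
```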


VPN Best Hardware to use? [7:73793]

2003-08-09 Thread Ryan Finnesey
I need to set up VPNs to about 2000 sites.  Each site will have an IDSL line
installed that will be used to connect to monitor network devices and
servers.  Some of the remote networks will be using the same network block. 
I am looking to know what the best hardware to use on each end is.  On my
end, would it be better to use a PIX or a 3030?  On the remote end, I was
looking at a PIX 501, SOHO 91 or the 831?


Thank you


Ryan



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73793&t=73793


RE: Strange VPN problem [7:73641]

2003-08-08 Thread Joel Satterley
Get the latest version of CRWS (Cisco Router Web Setup), then you can use
Xauth with a nice web front end.  The IOS based version is in my opinion
unusable & not for end users.

Joel.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 07 August 2003 15:31
To: [EMAIL PROTECTED]
Subject: RE: Strange VPN problem [7:73641]

XAUTH is in my perception for authentication of users, (local) especially
radius or tacacs.

So what we do at the hub site for a static IKE peer is disable XAUTH, so
that a spoke router does not get an auth prompt, or the hub does not wait
for it.

So I think the hub is waiting for an answer, maybe used to authenticate VPN
users only.



WHAT DID YOU PUT AT THE SCREEN IKE PROPOSALS? You need Preshared keys
there!
8.
The following example shows the various policies used in the IKE policy
named CiscoVPNClient-3DES-MD.
In this policy, Preshared Keys(XAUTH) for Authentication Mode is being used
so that the client will be prompted to supply a username and password at the
end of IKE negotiations.

http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration
_example09186a008010edf4.shtml#task2_steps

Martijn 



-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED]
Sent: Thursday 7 August 2003 9:40
To: Jansen, M
Subject: RE: Strange VPN problem [7:73641]


thanks for your prompt reply, but I am using easyvpn
configuration for cisco 805 router to concentrator
3005 with the cisco 805 as client mode and
concentrator as hub. I can't find the line that you
indicate for my cisco 805, could it be easyvpn
configuration that I am using?

suaveguru






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73668&t=73641
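As an added example in Python (not code from the thread or from Cisco), pulling together Martijn's isakmp key line with no-xauth no-config-mode earlier in this thread and his explanation above of why a static IKE peer should not be held waiting for XAUTH: a small audit over PIX-style isakmp key entries that lists the static (host-mask) peers whose entry still lacks those keywords. The configuration lines are constructed and the peer addresses are documentation placeholders, not real hosts.

```python
"""Audit of PIX 'isakmp key' entries for the XAUTH problem in this thread:
a static LAN-to-LAN peer whose entry lacks 'no-xauth' leaves the hub waiting
for a user login the spoke router never sends (the 'Pending XAuth Request'
in the 837's log). Added example, not code from the thread or from Cisco;
the configuration lines are constructed, peer addresses are placeholders."""
import re
from dataclasses import dataclass

# isakmp key <key> address <peer> netmask <mask> [no-xauth] [no-config-mode]
_KEY_RE = re.compile(
    r"^\s*isakmp\s+key\s+(?P<key>\S+)\s+address\s+(?P<peer>\S+)"
    r"\s+netmask\s+(?P<mask>\S+)(?P<opts>(?:\s+no-xauth|\s+no-config-mode)*)\s*$"
)
HOST_MASK = "255.255.255.255"
# The keywords on the entry Martijn posted for a static peer.
STATIC_PEER_KEYWORDS = ("no-xauth", "no-config-mode")


@dataclass
class IsakmpKey:
    peer: str
    mask: str
    no_xauth: bool
    no_config_mode: bool

    @property
    def is_static_peer(self) -> bool:
        # A host mask names one fixed peer, i.e. a site-to-site tunnel end.
        # A wildcard entry (0.0.0.0 / 0.0.0.0) is the usual place remote
        # users land, and that is where XAUTH user authentication belongs,
        # so it is left alone here.
        return self.mask == HOST_MASK


def parse_isakmp_keys(config: str) -> list:
    """Pick the isakmp key entries out of a running-config text."""
    entries = []
    for line in config.splitlines():
        m = _KEY_RE.match(line)
        if not m:
            continue
        opts = m.group("opts").split()
        entries.append(IsakmpKey(m.group("peer"), m.group("mask"),
                                 "no-xauth" in opts, "no-config-mode" in opts))
    return entries


def find_xauth_risks(config: str) -> list:
    """Static peers that will be held in XAUTH because the entry lacks the
    keywords Martijn's example carries; one finding per peer."""
    findings = []
    for e in parse_isakmp_keys(config):
        if not e.is_static_peer:
            continue
        present = {"no-xauth": e.no_xauth, "no-config-mode": e.no_config_mode}
        missing = [kw for kw in STATIC_PEER_KEYWORDS if not present[kw]]
        if missing:
            findings.append(f"{e.peer}: missing {' '.join(missing)}")
    return findings


# Constructed sample config; the pre-shared keys are masked and the peer
# addresses come from the documentation ranges (TEST-NET-2 / TEST-NET-3).
SAMPLE_CONFIG = """\
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 203.0.113.9 netmask 255.255.255.255
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth
"""

if __name__ == "__main__":
    for finding in find_xauth_risks(SAMPLE_CONFIG):
        print(finding)
```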


VPN Connection from Windows Client to nt domain [7:73720]

2003-08-08 Thread Kai Bovermann
Dear all

We have a Cisco VPN concentrator 3000 series for VPN connections.
What we want to do is to establish a VPN connection from a Windows
client (W2k or WinXP Pro) to the concentrator and then log on to our domain
and then get the shares connected to the PC.
I created a VPN connection and it works properly. Only the log on to the
domain will not work.
It should go like this: the user is logged on to the PC and then, if
it is needed, establishes the VPN connection, also gets logged on to the
domain and gets the shares connected to the PC.

How can I do this ?

Thanks a lot

Kai




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73720&t=73720


RE: VPN Connection from Windows Client to nt domain [7:73720]

2003-08-08 Thread Steve Wilson
There are a few things that you can try on the concentrator, like checking
all the settings in the group that the client/user is a member of. But the
most likely suspect is the settings on the PC. The network connection
settings must have Client for Microsoft Networks enabled and I would also
recommend NetBIOS over TCP/IP in the advanced settings. If you can ping the
devices on the LAN, then you will require NetBIOS to browse properly. This
is a simple solution to a possibly complicated scenario, but try it out
anyway.

Regards,
Steve Wilson CCNP 
Network Engineer

-Original Message-
From: Kai Bovermann [mailto:[EMAIL PROTECTED] 
Sent: 08 August 2003 13:05
To: [EMAIL PROTECTED]
Subject: VPN Connection from Windows Client to nt domain [7:73720]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73726&t=73720


Strange VPN problem [7:73641]

2003-08-07 Thread suaveguru
hi all, 

I am trying to set up an Easy VPN solution from a Cisco
837 to a Cisco VPN concentrator 3005 using network
extension mode, but I keep getting this error msg:
Aug  7 13:08:16.571: EZVPN(mendelvpn): Pending XAuth
Request, Please enter the following command:
Aug  7 13:08:16.571: EZVPN: crypto ipsec client ezvpn
xauth

Any form of input will be appreciated 

suaveguru





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73641&t=73641


RE: Strange VPN problem [7:73641]

2003-08-07 Thread suaveguru
thanks for your answer, I will try and let you know
the results.

regards,
suaveguru






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73651&t=73641


RE: Strange VPN problem [7:73641]

2003-08-07 Thread Reimer, Fred
Does anyone read the manuals around here???

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secu
r_r/sec_c2g.htm#1070272

You probably have your IKE proposal in your concentrator set for XAUTH, and
you don't have your router setup for that.  You can configure your router as
the reference manual says, or you }may{ be able to add in a new or modify an
existing IKE policy under Configuration | System | Tunneling Protocols |
IPSec | IKE Proposals so that the Authentication mode is not one that has
(XAUTH) at the end of it.  Probably Preshared Keys would be the one you
want.  If you create a new one (recommended) then you would have to change
the IKE policy used for your SA under Configuration | Policy Management |
Traffic Management | SAs.

Fred Reimer - CCNA




-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 07, 2003 1:08 AM
To: [EMAIL PROTECTED]
Subject: Strange VPN problem [7:73641]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73661&t=73641


RE: Largest CA Keylength on VPN 3000 [7:73409]

2003-08-06 Thread [EMAIL PROTECTED]
Is it a size or allocation issue?


CSCdv48299 
If fewer than three spots remain in the CA certificate store of a VPN 3000
Concentrator, and an attempt is made to install a CA certificate with
associated RAs, then the RA or RAs are installed (filling the store) and the
root certificate is not installed. This is incorrect behavior. Instead, the
software should check to see if there is enough room in the store before
installing a partial CA certificate. Partial certificates should not be
installed. If the RAs and the Root certificate cannot be installed, the
software should install nothing.

Or just RTFM below?

Martijn


Key Size
--------
(manual enrollment: Yes; SCEP: Yes)

The algorithm for generating the public-key/private-key pair, and the key
size. If you are requesting an SSL certificate, or if you are requesting an
identity certificate using SCEP, only the RSA options are available.

RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman)
algorithm. This key size provides sufficient security and is the default
selection. It is the most common, and requires the least processing.

RSA 768 bits = Generate 768-bit keys using the RSA algorithm. This key size
provides normal security. It requires approximately 2 to 4 times more
processing than the 512-bit key.

RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. This key
size provides high security, and it requires approximately 4 to 8 times more
processing than the 512-bit key.

(manual enrollment: Yes; SCEP: No)

DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature
Algorithm).

DSA 768 bits = Generate 768-bit keys using the DSA algorithm.

DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.


 

-Original Message-
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Saturday, 2 August 2003 14:49
To: [EMAIL PROTECTED]
Subject: Largest CA Keylength on VPN 3000 [7:73409]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73593t=73409

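The thread leaves Fred's question open, and the manual excerpt only lists the sizes the concentrator will generate itself (512, 768 and 1024 bits). The check a practitioner wants before importing a root is to read the key size out of the certificate's SubjectPublicKeyInfo and compare it with whatever the device is known to accept. The following is an added example, not code from the thread or from Cisco: a minimal DER reader that returns the RSA modulus length, plus a tiny DER writer used only to build constructed sample keys. The 1024-bit ceiling it flags is simply the largest size in the manual excerpt, taken here as an assumption; the thread never confirms that this is the concentrator's validation limit.

```python
"""Added example: read the RSA modulus size out of a DER SubjectPublicKeyInfo
and flag keys above the largest size the VPN 3000 manual excerpt lists."""

# Largest RSA option in the manual excerpt quoted above. Assumption: a CA
# root bigger than this is worth flagging before import; the thread never
# confirms that this is the concentrator's validation limit.
MAX_LISTED_RSA_BITS = 1024


def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the modulus in SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }, where the
    BIT STRING wraps RSAPublicKey ::= SEQUENCE { modulus INTEGER, exponent INTEGER }."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    _, _alg, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier, not needed here
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    tag, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # bitstr[0] is the unused-bits count (0)
    if tag != 0x30:
        raise ValueError("expected RSAPublicKey SEQUENCE")
    tag, modulus, _ = _read_tlv(rsa_pub, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_ca_key(spki_der):
    """Return (bits, fits); fits is False for keys above MAX_LISTED_RSA_BITS."""
    bits = rsa_modulus_bits(spki_der)
    return bits, bits <= MAX_LISTED_RSA_BITS


# --- minimal DER writer, used only to build constructed sample input ------

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_int(n):
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:                          # keep the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption 1.2.840.113549.1.1.1


def make_rsa_spki(bits):
    """Constructed sample: an SPKI whose modulus is the smallest odd `bits`-bit
    integer. It is not a real key; only its size matters for this check."""
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")      # rsaEncryption with NULL parameters
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))


if __name__ == "__main__":
    for size in (512, 1024, 4096):
        bits, fits = check_ca_key(make_rsa_spki(size))
        print("RSA-%d: %s" % (bits, "ok" if fits else "above largest listed size"))
```

For a real certificate, `openssl x509 -in ca.pem -pubkey -noout | openssl rsa -pubin -outform DER` produces the SubjectPublicKeyInfo DER this parser expects. DSA keys (the other option in the excerpt) are not handled; the parser raises on anything that is not an RSA SPKI.
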

Largest CA Keylength on VPN 3000 [7:73409]

2003-08-02 Thread Reimer, Fred
Let's see if anyone here can answer faster than Cisco TAC.

 

What is the largest CA root key length supported by the Cisco VPN
Concentrator 3000 series hardware?  I have a 4096 bit key and it won't
accept the root key because it can't validate it.

 

Fred Reimer - CCNA

Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73409t=73409


RE: VPN logging ACS server [7:73297]

2003-08-01 Thread Joel Satterley
Sounds like you need to turn on accounting to get the start/stop records.

-Original Message-
From: Jim Devane [mailto:[EMAIL PROTECTED] 
Sent: 31 July 2003 18:42
To: [EMAIL PROTECTED]
Subject: VPN logging ACS server [7:73297]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73338t=73297

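Joel's point is that the Passed Authentications log only records the login; the Stop record that RADIUS accounting produces is what carries the teardown. Once the PIX sends accounting to ACS, the report Jim wants is a matter of pairing Start and Stop records by Acct-Session-Id. The following is an added example, not from the thread or from ACS; the records are constructed in a simplified six-column layout rather than the real ACS accounting report format, and the user names and addresses are invented.

```python
"""Added example: pair RADIUS accounting Start/Stop records into VPN sessions
with start, stop and duration per user."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample, not an actual ACS export. Columns are a simplified
# subset of an accounting report: date, time, User-Name, Acct-Status-Type,
# Acct-Session-Id, Framed-IP-Address.
SAMPLE_ACCOUNTING = """\
07/31/2003,08:02:11,jim,Start,0x00000A1B,10.1.2.50
07/31/2003,08:05:40,alice,Start,0x00000A1C,10.1.2.51
07/31/2003,09:47:03,jim,Stop,0x00000A1B,10.1.2.50
07/31/2003,10:00:00,jim,Start,0x00000A1D,10.1.2.50
07/31/2003,11:15:30,alice,Stop,0x00000A1C,10.1.2.51
07/31/2003,11:20:00,bob,Stop,0x00000A1E,10.1.2.52
"""
FIELDS = ["date", "time", "user", "status", "session_id", "framed_ip"]


def parse_records(text):
    records = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        records.append(row)
    return records


def build_sessions(records):
    """Return (closed, still_open, orphan_stops).

    Start and Stop are matched on Acct-Session-Id, which the NAS keeps unique
    per session; matching on user name alone breaks as soon as one user has
    two overlapping or back-to-back sessions (jim, below)."""
    pending = {}
    closed, orphans = [], []
    for r in sorted(records, key=lambda r: r["ts"]):
        sid = r["session_id"]
        if r["status"] == "Start":
            pending[sid] = r
        elif r["status"] == "Stop":
            start = pending.pop(sid, None)
            if start is None:
                orphans.append(r)             # Stop with no Start: an accounting gap
                continue
            closed.append({
                "user": start["user"], "session_id": sid,
                "start": start["ts"], "stop": r["ts"],
                "framed_ip": r["framed_ip"],
                "duration_s": int((r["ts"] - start["ts"]).total_seconds()),
            })
    return closed, list(pending.values()), orphans


def seconds_per_user(closed):
    totals = {}
    for s in closed:
        totals[s["user"]] = totals.get(s["user"], 0) + s["duration_s"]
    return totals


def report(text):
    closed, still_open, orphans = build_sessions(parse_records(text))
    lines = ["%-8s %s -> %s  %6ds  %s" % (s["user"], s["start"].time(), s["stop"].time(),
                                         s["duration_s"], s["framed_ip"]) for s in closed]
    lines += ["OPEN     %-8s since %s (no Stop yet, or the Stop was lost)" % (r["user"], r["ts"])
              for r in still_open]
    lines += ["ORPHAN   %-8s Stop at %s with no Start" % (r["user"], r["ts"]) for r in orphans]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ACCOUNTING))
```

Sessions still listed as open at the end of a day are worth a second look: either the user is still connected or the Stop never reached ACS (a PIX reload, or accounting packets dropped), and an orphan Stop means a Start was lost the same way.
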

VPN Client cannot connect [7:73350]

2003-08-01 Thread Tunde Kalejaiye
Hi all,

My setup is a VPN client connection to a Cisco IOS router. I can connect
using an old version of the VPN client (3.6.4a) but I cannot connect using
the newer versions (4.0.1 and 4.0.2). I actually get to the stage of putting
in my username and password but nothing happens after that and it eventually
times out. I have pasted the VPN client's logs.

All input is appreciated.

regards,

Tunde
Cisco Systems VPN Client Version 4.0.2 (B)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

113 15:11:19.082  08/01/03  Sev=Info/4 CM/0x6312
Begin connection process

114 15:11:19.082  08/01/03  Sev=Info/4 CM/0x6314
Establish secure connection using Ethernet

115 15:11:19.082  08/01/03  Sev=Info/4 CM/0x63100024
Attempt connection with server 217.37.10.173

116 15:11:19.082  08/01/03  Sev=Info/6 IKE/0x633B
Attempting to establish a connection with 217.37.10.173.

117 15:11:19.122  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T),
VID(Frag), VID(Unity)) to 217.37.10.173

118 15:11:19.192  08/01/03  Sev=Info/4 IPSEC/0x6378
IPSec driver successfully started

119 15:11:19.192  08/01/03  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

120 15:11:19.773  08/01/03  Sev=Info/5 IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173

121 15:11:19.773  08/01/03  Sev=Info/4 IKE/0x6314
RECEIVING  ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?),
VID(Unity)) to 217.37.10.173

128 15:11:19.823  08/01/03  Sev=Info/4 IKE/0x6382
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

129 15:11:19.823  08/01/03  Sev=Info/4 CM/0x631E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA
in the system

130 15:11:19.893  08/01/03  Sev=Info/5 IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173

131 15:11:19.893  08/01/03  Sev=Info/4 IKE/0x6314
RECEIVING  ISAKMP OAK TRANS *(HASH, ATTR) to 217.37.10.173

135 15:11:22.957  08/01/03  Sev=Info/5 IKE/0x632F
Received ISAKMP packet: peer = 217.37.10.173

136 15:11:22.957  08/01/03  Sev=Info/4 IKE/0x6314
RECEIVING  ISAKMP OAK TRANS *(Retransmission) to 217.37.10.173

142 15:11:30.208  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

143 15:11:30.208  08/01/03  Sev=Info/6 IKE/0x6352
Sent a keepalive on the IKE SA

144 15:11:50.237  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

145 15:11:50.237  08/01/03  Sev=Info/6 IKE/0x6352
Sent a keepalive on the IKE SA

146 15:12:10.265  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

147 15:12:10.265  08/01/03  Sev=Info/6 IKE/0x6352
Sent a keepalive on the IKE SA

148 15:12:30.294  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

149 15:12:30.294  08/01/03  Sev=Info/6 IKE/0x6352
Sent a keepalive on the IKE SA

150 15:12:48.370  08/01/03  Sev=Info/4 CM/0x6316
Abort connection attempt before Phase 1 SA up

151 15:12:48.370  08/01/03  Sev=Info/4 IKE/0x6301
IKE received signal to terminate VPN connection

152 15:12:48.370  08/01/03  Sev=Info/4 IKE/0x6317
Marking IKE SA for deletion  (I_Cookie=492CE06BE33C37A0
R_Cookie=EADFFC9A257201A9) reason = DEL_REASON_RESET_SADB

153 15:12:48.370  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, DWR) to 217.37.10.173

154 15:12:48.380  08/01/03  Sev=Info/4 IKE/0x634A
Discarding IKE SA negotiation (I_Cookie=492CE06BE33C37A0
R_Cookie=EADFFC9A257201A9) reason = DEL_REASON_RESET_SADB

155 15:12:48.380  08/01/03  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

156 15:12:48.831  08/01/03  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

157 15:12:48.831  08/01/03  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

158 15:12:48.831  08/01/03  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

159 15:12:48.831  08/01/03  Sev=Info/4 IPSEC/0x637A
IPSec driver successfully stopped




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73350t=73350



RE: VPN Client cannot connect [7:73350]

2003-08-01 Thread Reimer, Fred
I think we'd need the logs on the router in order to diagnose why it is
aborting.  The client starts sending DPD keepalives, but there is no
indication that it received any.  It sends them out every 20 seconds, and
after sending three or four of them the connection attempt is aborted.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Tunde Kalejaiye [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 01, 2003 12:24 PM
To: [EMAIL PROTECTED]
Subject: VPN Client cannot connect [7:73350]


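Fred's reading of the log above (phase 1 established, the transaction exchange received, then DPD heartbeats sent every 20 seconds with nothing coming back until the abort) can be checked mechanically rather than by eye. This added example, not code from the thread or from Cisco, parses the client's two-line log records, tolerates the fused sequence-number/time form in which the archive rendered them, and summarises those facts. The sample is a constructed subset of the posted log, and the verdict wording is the example's own.

```python
"""Added example: summarise a Cisco VPN Client log; find whether phase 1 came
up, whether the transaction (Xauth) exchange started, and how many DPD
heartbeats were sent without any being received before the abort."""
import re

# Header lines look like "113 15:11:19.082  08/01/03  Sev=Info/4 CM/0x6312". The
# archive above fused sequence number and time ("11315:11:19.082"); the regex
# accepts both forms because the hour field is always two digits.
HEADER = re.compile(
    r"^(\d+)\s*(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)")

# Constructed subset of the log posted above, in the same format (one record
# kept in the fused form on purpose).
SAMPLE_LOG = """\
129 15:11:19.823  08/01/03  Sev=Info/4 CM/0x631E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

131 15:11:19.893  08/01/03  Sev=Info/4 IKE/0x6314
RECEIVING  ISAKMP OAK TRANS *(HASH, ATTR) to 217.37.10.173

136 15:11:22.957  08/01/03  Sev=Info/4 IKE/0x6314
RECEIVING  ISAKMP OAK TRANS *(Retransmission) to 217.37.10.173

14215:11:30.208  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

144 15:11:50.237  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

146 15:12:10.265  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

148 15:12:30.294  08/01/03  Sev=Info/4 IKE/0x6313
SENDING  ISAKMP OAK INFO *(HASH, NOTIFY:HEARTBEAT) to 217.37.10.173

150 15:12:48.370  08/01/03  Sev=Info/4 CM/0x6316
Abort connection attempt before Phase 1 SA up
"""


def parse_events(text):
    """Return a list of (seq, time, module, message) for each header/message pair."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = (int(m.group(1)), m.group(2), m.group(6))
        elif header and line.strip():
            events.append(header + (line.strip(),))
            header = None
    return events


def summarise(text):
    msgs = [e[3] for e in parse_events(text)]
    return {
        "phase1_established": any(m.startswith("Established Phase 1 SA") for m in msgs),
        # the counter in that same line stays at 0 while Xauth has not completed
        "user_authenticated": any("1 User Authenticated IKE SA" in m for m in msgs),
        "xauth_exchange_seen": any("OAK TRANS *(HASH, ATTR)" in m for m in msgs),
        "heartbeats_sent": sum(1 for m in msgs if m.startswith("SENDING") and "HEARTBEAT" in m),
        "heartbeats_received": sum(1 for m in msgs if m.startswith("RECEIVING") and "HEARTBEAT" in m),
        "aborted": any(m.startswith("Abort connection attempt") for m in msgs),
    }


def verdict(s):
    if (s["phase1_established"] and not s["user_authenticated"]
            and s["heartbeats_sent"] and not s["heartbeats_received"]):
        return ("phase 1 up, Xauth never completed, %d DPD heartbeats sent and none received: "
                "the peer went quiet after the transaction exchange; its logs are needed"
                % s["heartbeats_sent"])
    return "no single pattern recognised; read the log by hand"


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print(summary)
    print(verdict(summary))
```
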
Example of reflexive access list with VPN access [7:73269]

2003-07-31 Thread Steven Aiello
Hello all,

   I need some help with ACLs.  My goal is to allow VPN traffic into
my network to one firewall (static IP address).  Also I want to allow
traffic out of my FE 0/1 interface to the net using established
access lists.  The services I want to let out are:

HTTP
HTTPS
SMTP
POP3
FTP
SFTP

Could someone help me out with a good start, or at least a good
explanation of the process and how established or reflexive lists work?

my network set up is fairly simple


( internet )---Serial 0/1 |CISCO 2621XM| FE 0/1 (continued below)


  FE 0/1--|Firewall 1| 12.40.100.131 (Needs VPN port passed through)
   \
\
 \
  |Firewall 2| 12.40.100.132 (NO VPN ACCESS)



All users need the above services.

Thanks for all your help,
Steven - CCNA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73269t=73269


VPN Client cannot connect [7:73276]

2003-07-31 Thread Tunde Kalejaiye
I am using VPN client version 4.0.1. I connect to the Internet using an ADSL
modem and I dial my network using the client. The problem is that after I put
my logon details into the logon screen, the connection times out without ever
connecting. I have pasted the router config, the debug cry isa output and the
Cisco VPN client log. Your help will be highly appreciated.

regards,

Tunde

router config:
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authentication enable default enable
aaa authorization commands 15 default local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 $1$.fkm$4O8.dVegwONw0eriy2Hzb/
enable password 7 02020555020303
!
username test password 7 09584B1A0D
memory-size iomem 15
ip subnet-zero
no ip source-route
!
!
ip domain-name rock
ip name-server 192.168.123.3
ip name-server 192.168.123.13
ip name-server 192.168.123.15
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address x.x.x.x
!
crypto isakmp client configuration group remotevpn
 key cisco123
 dns 192.168.123.3
 wins 192.168.123.2
 domain rock.com
 pool VPN
!
!
crypto ipsec transform-set cabweb esp-des esp-md5-hmac
crypto ipsec transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto dynamic-map dynmap 30
 set transform-set vpn-transform-set
!
!
crypto map cabweb client authentication list userauthen
crypto map cabweb isakmp authorization list groupauthor
crypto map cabweb client configuration address respond
crypto map cabweb 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set cabweb
 match address 111
crypto map cabweb 30 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map cabweb
!
interface FastEthernet0
 ip address 192.168.123.252 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 speed 100
 half-duplex
 ntp disable
 no cdp enable
 standby 2 ip 192.168.123.1
 standby 2 priority 150
 standby 2 preempt
!
ip local pool VPN 192.168.123.180 192.168.123.200
ip nat inside source list IP-NAT interface Ethernet0 overload
ip nat inside source static 192.168.123.13 1.1.1.2
ip nat inside source static 192.168.123.2  1.1.1.3
ip nat inside source static 192.168.123.3  1.1.1.4
no ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.6
ip route 0.0.0.0 0.0.0.0 192.168.123.4 100
no ip http server
ip pim bidir-enable
!
!
ip access-list standard IP-NAT
 deny   192.168.123.3
 deny   192.168.123.2
 deny   192.168.123.15
 deny   192.168.123.13
 permit 192.168.0.0 0.0.255.255
!

access-list 111 permit ip 192.168.123.0 0.0.0.255 192.168.124.0 0.0.0.255
no cdp run
!

line con 0
 exec-timeout 0 0
 password 7 1416160E0E0B3D2A282D
line aux 0
line vty 0 4
 password 7 0507071820425D0617
!
no scheduler allocate
end


debug output:
2d06h: ISAKMP (0:2): retransmitting phase 1 AG_INIT_EXCH...
2d06h: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
2d06h: ISAKMP (0:2): retransmitting phase 1 AG_INIT_EXCH
2d06h: ISAKMP (0:2): sending packet to 81.134.114.66 (R) AG_INIT_EXCH
2d06h: ISAKMP (0:0): received packet from 81.134.114.66 (N) NEW SA
2d06h: ISAKMP: local port 500, remote port 500
2d06h: ISAKMP (0:3): (Re)Setting client xauth list userauthen and state
2d06h: ISAKMP: Locking CONFIG struct 0x814F42E0 from
crypto_ikmp_config_initialize_sa, count 3
2d06h: ISAKMP (0:3): processing SA payload. message ID = 0
2d06h: ISAKMP (0:3): processing ID payload. message ID = 0
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major
2d06h: ISAKMP (0:3): vendor ID is XAUTH
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID is DPD
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major
2d06h: ISAKMP (0:3): processing vendor id payload
2d06h: ISAKMP (0:3): vendor ID is Unity
2d06h: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 30 policy
2d06h: ISAKMP:  encryption... What? 7?
2d06h: ISAKMP:  hash SHA
2d06h: ISAKMP:  default group 2
2d06h: ISAKMP:  auth XAUTHInitPreShared
2d06h: ISAKMP:  life type in seconds
2d06h: ISAKMP:  life duration (VPI) of  0x0 0x20 0xC4 0x9B
2d06h: ISAKMP:  attribute 14
2d06h: ISAKMP (0:3

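In the debug output above IOS prints the first transform's encryption attribute as `encryption... What? 7?`, its wording for a value it has no name for. In the IANA IKEv1 attribute registry value 7 is AES-CBC (assigned by RFC 3602); the two policies in the posted config use DES (policy 10, the IOS default when `encr` is omitted) and 3DES (policy 30), so this particular transform cannot match either. The debug is cut off after transform 1 and the client normally offers several transforms in one SA payload, so this alone does not prove that no transform matched. The following is an added example, not code from the thread or from Cisco: it decodes the attribute values the way the debug shows them and checks them against the configured policies with their IOS defaults (DES, SHA, rsa-sig, group 1, 86400 s) filled in. The key length value of 128 is assumed because the debug stops before it, and the 3DES transform is constructed for comparison.

```python
"""Added example: decode IKEv1 phase 1 transform attributes as `debug crypto
isakmp` prints them and check them against `crypto isakmp policy` entries,
including the IOS defaults each policy inherits."""

# IKEv1 phase 1 SA attribute values (RFC 2409 appendix A and the IANA registry;
# AES-CBC = 7 comes from RFC 3602). XAUTH authentication values are from the
# Xauth draft the Cisco client implements. Only what this page needs is listed.
ENCRYPTION = {1: "des", 5: "3des", 7: "aes"}
HASH = {1: "md5", 2: "sha"}
AUTH = {1: "pre-share", 3: "rsa-sig", 65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared"}
GROUP = {1: 1, 2: 2, 5: 5}
LIFE_TYPE = {1: "seconds", 2: "kilobytes"}
A_ENCR, A_HASH, A_AUTH, A_GROUP, A_LIFE_TYPE, A_LIFE_DURATION, A_KEY_LENGTH = 1, 2, 3, 4, 11, 12, 14

# What an IOS policy of that era uses for a line that is omitted.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1, "lifetime": 86400}


def decode_transform(attrs):
    """attrs: list of (attribute type, value) as carried in the SA payload."""
    t = {}
    for typ, val in attrs:
        if typ == A_ENCR:
            t["encr"] = ENCRYPTION.get(val, "What? %d?" % val)   # mirrors the IOS wording
        elif typ == A_HASH:
            t["hash"] = HASH.get(val, "unknown(%d)" % val)
        elif typ == A_AUTH:
            t["auth"] = AUTH.get(val, "unknown(%d)" % val)
        elif typ == A_GROUP:
            t["group"] = GROUP.get(val, val)
        elif typ == A_LIFE_TYPE:
            t["life_type"] = LIFE_TYPE.get(val, val)
        elif typ == A_LIFE_DURATION:
            t["lifetime"] = val
        elif typ == A_KEY_LENGTH:
            t["keylen"] = val                   # only meaningful for AES; not matched here
    return t


def policy(number, **lines):
    """A `crypto isakmp policy <number>` block; unspecified lines take IOS defaults."""
    p = dict(IOS_DEFAULTS)
    p.update(lines)
    p["number"] = number
    return p


def auth_compatible(peer_auth, local_auth):
    """With Xauth enabled on the crypto map (client authentication list), a
    pre-share policy accepts the client's XAUTHInitPreShared proposal."""
    if local_auth == "pre-share":
        return peer_auth in ("pre-share", "XAUTHInitPreShared")
    return peer_auth == local_auth


def find_matching_policy(transform, policies):
    """Lowest-numbered policy whose encr/hash/group match exactly and whose
    authentication is compatible. Lifetime never blocks a match: IOS uses the
    shorter of the two values."""
    for p in sorted(policies, key=lambda p: p["number"]):
        if (transform.get("encr") == p["encr"] and transform.get("hash") == p["hash"]
                and transform.get("group") == p["group"]
                and auth_compatible(transform.get("auth"), p["auth"])):
            return p["number"]
    return None


# The two policies from the config posted above.
ROUTER_POLICIES = [
    policy(10, hash="md5", auth="pre-share", group=2),     # encr defaults to des
    policy(30, encr="3des", auth="pre-share", group=2),    # hash defaults to sha
]

# Transform 1 as the debug output shows it. The key length value is cut off in
# the post; 128 is assumed for this sample.
TRANSFORM_1 = [(A_ENCR, 7), (A_HASH, 2), (A_GROUP, 2), (A_AUTH, 65001),
               (A_LIFE_TYPE, 1), (A_LIFE_DURATION, 0x0020C49B), (A_KEY_LENGTH, 128)]

# Constructed for comparison: the same proposal with 3DES instead of AES.
TRANSFORM_3DES = [(A_ENCR, 5), (A_HASH, 2), (A_GROUP, 2), (A_AUTH, 65001),
                  (A_LIFE_TYPE, 1), (A_LIFE_DURATION, 0x0020C49B)]

if __name__ == "__main__":
    for name, attrs in (("transform 1 (from debug)", TRANSFORM_1), ("3DES variant", TRANSFORM_3DES)):
        t = decode_transform(attrs)
        print(name, t, "-> matches policy", find_matching_policy(t, ROUTER_POLICIES))
```

The lifetime bytes `0x0 0x20 0xC4 0x9B` in the debug decode to 2147483 seconds; that is longer than the router's 86400-second default, so the router would use its own value, and that is not a cause of mismatch.
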
RE: VPN Ports [7:73290]

2003-07-31 Thread Priscilla Oppenheimer
Steven Aiello wrote:
>
> Ok,
>
> I haven't gotten much of a bite on my access list question. But no
> worries, I have a book and I'm going to try it myself. However, can
> anyone give me a list rundown of the ports needed for a VPN?

I didn't see your first message so I don't know what you're trying to
accomplish, so if this message is a non sequitur, I apologize...

>
> exp
>
> IPSec port x tcp

IPSec doesn't use TCP ports. It uses IP protocol numbers. There are two
types: the Authentication Header (AH) and Encapsulating Security Payload
(ESP).

AH uses IP protocol number 51
ESP uses IP protocol number 50

> L2TP port y tcp

You can run L2TP over UDP, in which case UDP port number 1701 is used. See
RFC 2661 for more info.

Talk to you later,

Priscilla


>
> I would greatly appreciate the help
>
> I am very new to the VPN side and I want to be sure I don't overlook
> anything
>
> Steven




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73292t=73290


RE: VPN Ports [7:73290]

2003-07-31 Thread Joel Satterley
Don't forget UDP port 500 for ISAKMP!





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73300t=73290

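Steven's question about letting VPN traffic through to one firewall and Priscilla's and Joel's answers come down to one point: IPsec is filtered on IP protocol numbers 50 (ESP) and 51 (AH) plus UDP 500 for ISAKMP, so an entry written for a TCP port never matches it. The following is an added example, not code from the thread or from Cisco: it evaluates a small IOS-style extended ACL for the two firewall addresses in Steven's diagram and models a reflexive entry admitting the return traffic of sessions opened from the inside. The UDP 4500 entry for NAT-T (RFC 3948) and the 198.51.100.10 remote address are additions for the example, not taken from the thread.

```python
"""Added example: evaluate an IOS-style extended ACL against packets, to show
that IPsec is matched by IP protocol number (ESP 50, AH 51) plus UDP 500 for
ISAKMP rather than by TCP ports, and how a reflexive entry admits return
traffic for sessions opened from the inside."""

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
ANY = None


def ace(action, proto, src=ANY, dst=ANY, dport=ANY):
    """One access-list entry; None means 'any'."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def pkt(proto, src, dst, sport=None, dport=None):
    return {"proto": PROTO[proto], "src": src, "dst": dst, "sport": sport, "dport": dport}


def ace_matches(e, p):
    if e["proto"] != "ip" and PROTO[e["proto"]] != p["proto"]:
        return False
    if e["src"] is not ANY and e["src"] != p["src"]:
        return False
    if e["dst"] is not ANY and e["dst"] != p["dst"]:
        return False
    if e["dport"] is not ANY:
        # a port test can only succeed for TCP or UDP; ESP and AH carry no ports
        if p["proto"] not in (PROTO["tcp"], PROTO["udp"]) or p["dport"] != e["dport"]:
            return False
    return True


class Reflexive: 
    """Models 'permit tcp any any reflect NAME' applied outbound plus
    'evaluate NAME' inbound: an outbound TCP/UDP packet creates a mirrored
    temporary entry, and an inbound packet matching it is permitted."""
    def __init__(self):
        self.entries = set()

    def outbound(self, p):
        if p["proto"] in (PROTO["tcp"], PROTO["udp"]):
            self.entries.add((p["proto"], p["dst"], p["dport"], p["src"], p["sport"]))

    def inbound_match(self, p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) in self.entries


def evaluate(acl, p, reflexive=None):
    """First matching entry wins; the 'evaluate' line is placed after the
    static entries here; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if ace_matches(e, p):
            return e["action"]
    if reflexive is not None and reflexive.inbound_match(p):
        return "permit"
    return "deny"


VPN_FW = "12.40.100.131"     # Firewall 1 in the post above: gets VPN traffic
OTHER_FW = "12.40.100.132"   # Firewall 2: no VPN access
PEER = "198.51.100.10"       # constructed remote address (documentation range)

# Inbound ACL on the Internet-facing interface
INBOUND = [
    ace("permit", "esp", dst=VPN_FW),              # IP protocol 50
    ace("permit", "ahp", dst=VPN_FW),              # IP protocol 51
    ace("permit", "udp", dst=VPN_FW, dport=500),   # ISAKMP
    ace("permit", "udp", dst=VPN_FW, dport=4500),  # NAT-T (RFC 3948); added beyond the thread
]


def demo():
    refl = Reflexive()
    results = {
        "esp to vpn fw":     evaluate(INBOUND, pkt("esp", PEER, VPN_FW), refl),
        "esp to other fw":   evaluate(INBOUND, pkt("esp", PEER, OTHER_FW), refl),
        "isakmp udp/500":    evaluate(INBOUND, pkt("udp", PEER, VPN_FW, 500, 500), refl),
        "tcp/500 (no such)": evaluate(INBOUND, pkt("tcp", PEER, VPN_FW, 4321, 500), refl),
    }
    # an inside host opens HTTPS to the peer; only the reply to that socket is admitted
    refl.outbound(pkt("tcp", VPN_FW, PEER, 4000, 443))
    results["https reply to opener"] = evaluate(INBOUND, pkt("tcp", PEER, VPN_FW, 443, 4000), refl)
    results["https reply to other"] = evaluate(INBOUND, pkt("tcp", PEER, OTHER_FW, 443, 4000), refl)
    results["unsolicited tcp/443"] = evaluate(INBOUND, pkt("tcp", PEER, VPN_FW, 443, 4001), refl)
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print("%-22s %s" % (name, action))
```

The `established` keyword Steven mentions only checks that ACK or RST is set in a returning TCP segment and does nothing for UDP; a reflexive list tracks the actual outbound session, which is why the reply aimed at the other firewall is denied here even though its flags would pass an `established` test.
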

VPN logging ACS server [7:73297]

2003-07-31 Thread Jim Devane
Hello all,

I have 3.6 clients connecting to a PIX 515 and using Xauth. Everything is
just grand except I need a way to get a report of every user that logs in
and how long they were connected, preferably including start and stop times.

Our ACS server is great for showing when the connection was made, by making
an entry in the Passed Authentications.

But it does not record when the VPN is torn down.

Any solutions, suggestions, comments on how to capture the teardown so I can
make a report of how long the user was connected?

Is there an ACS fix, a PIX fix, some other fix (using an ISA server)? I am
open to all sorts of suggestions.

thanks,
jim



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73297t=73297


Re: Provider VPN Caveats [7:73207]

2003-07-31 Thread Howard C. Berkowitz
One thing that gets missed in the L2VPN versus L3VPN issue, with 
provider-provisioned LANs, is the people aspect both for the provider 
and customer.

If you provision a L2VPN, it's a familiar interface to the customer. 
It's also much more familiar to telco/TDM technicians. I've seen 
market estimates that of telco staff, perhaps 10% would really be 
able to support L3VPN without extensive training.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73309t=73207


Re: Provider VPN Caveats [7:73207]

2003-07-30 Thread Network Phantom
John Neiberger wrote:
test




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73237t=73207


Re: Provider VPN Caveats [7:73207]

2003-07-30 Thread Howard C. Berkowitz
At 9:54 PM + 7/29/03,  Chuck Whose Road is Ever Shorter  wrote:

  
> BTW, I think it was dre who suggested I read the RFCs, which I've started
> to do, and suggested I check out the www.lightreading.com website. That
> site is great! I did do a search on Kompella vs. Kompella. I feel that
> Kompella has some good points, but so does Kompella.  ;-)  I guess the
> real question is which Kompella is most compelling?


Before burning out on this question, try a Martini.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73248t=73207


Provider VPN Caveats [7:73207]

2003-07-29 Thread John Neiberger
I've been researching different types of service provider VPNs in general
and Qwest's PRN, in particular. From what I can gather their PRN is a
2764-based VPN offering using IPSec tunneling. I've run into two fairly
obvious caveats already and I'm wondering what other caveats might await
that aren't so obvious.

First, and most obvious, is that without the use of GRE or something similar
we won't get multiprotocol capability. Second, and a little less obvious
until you think about it, is that we would lose multicasting capabilities
without jumping through some GRE hoops.

To those of you more familiar with this sort of thing, are there any other
operational caveats like these that I'd need to be aware of?

BTW, I think it was dre who suggested I read the RFCs, which I've started to
do, and suggested I check out the www.lightreading.com website. That site is
great! I did do a search on Kompella vs. Kompella. I feel that Kompella has
some good points, but so does Kompella.  ;-)  I guess the real question is
which Kompella is most compelling?

I didn't realize that there were so many competing VPN groups and
technologies. At this rate, by the time we agree on any standard methods all
of the technologies will be obsolete!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73207t=73207


Re: Provider VPN Caveats [7:73207]

2003-07-29 Thread
John Neiberger  wrote in message
news:[EMAIL PROTECTED]
> I didn't realize that there were so many competing VPN groups and
> technologies. At this rate, by the time we agree on any standard methods
> all of the technologies will be obsolete!

As the mainframe guys used to say, we love standards. That's why we have so
many of them!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73212t=73207


what's the bandwidth for this PIX-PIX VPN? [7:73088]

2003-07-28 Thread Richard Campbell
Hi..  I have a PIX 515 connected to the Internet; the bandwidth is 512K.
Besides this, the PIX 515 also has a PIX-PIX VPN to two of our branches.  I found
that when I transfer a big file via the PIX-PIX VPN, the bandwidth
utilisation never reaches the maximum.  But when I download a big file from
the Internet, it reaches max.  Why?  Note that there is no traffic shaping
in the router.  What is the max bandwidth for a PIX-PIX VPN on a 512K link?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73088t=73088


RE: what's the bandwidth for this PIX-PIX VPN? (the numbers) [7:73097]

2003-07-28 Thread [EMAIL PROTECTED]
PIX 515E
Performance Summary
Cleartext throughput: 188 Mbps
Concurrent connections: 130,000
168-bit 3DES IPsec VPN throughput: Up to 140 Mbps with VAC+ or 63 Mbps with
VAC
128-bit AES IPsec VPN throughput: Up to 135 Mbps with VAC+
256-bit AES IPsec VPN throughput: Up to 140 Mbps with VAC+
Simultaneous VPN tunnels: 2000

From CCO.

Martijn Jansen

-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, 28 July 2003 10:07
To: [EMAIL PROTECTED]
Subject: what's the bandwidth for this PIX-PIX VPN? [7:73088]


Hi..  I have a PIX 515 connected to internet, the bandwidth is 512K.  
Besides this PIX 515 also has PIX-PIX VPN to two of our branches.  I found 
that when I transfer a big file via the PIX-PIX VPN, the bandwidth 
utilisation will never reach the maximum.  But when I download big file from

internet, it will reach Max.  Why??  Note that there is not traffic shaping 
in the router?  What is the Max bandwidth for PIX-PIX VPN on 512K link???

_
MSN 8 with e-mail virus protection service: 2 months FREE* 
http://join.msn.com/?page=features/virus




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73097t=73097


RE: what's the bandwidth for this PIX-PIX VPN? [7:73088]

2003-07-28 Thread [EMAIL PROTECTED]
I can only think of the max throughput minus AH and the new IP header. So
roughly 90%?

Experience says that you can maybe do some tweaking on the MTU side?

Martijn Jansen





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73096t=73088

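Martijn's "max throughput minus headers" estimate worked through in code, as an added example that is not part of the thread. It models ESP tunnel mode (the encrypting protocol a PIX-to-PIX tunnel carries, rather than AH), computes the per-packet overhead for 3DES and AES, the largest inner packet that still fits a 1500-byte outside MTU (the "tweaking on the MTU side"), and the resulting goodput on the 512K link. Field sizes are the RFC 2406/4303 values with a 96-bit HMAC; the function and constant names are my own.

```python
"""ESP tunnel-mode overhead and goodput for a PIX-to-PIX IPsec link (added example)."""

# Fixed ESP tunnel-mode field sizes (RFC 2406 / RFC 4303) with a 96-bit HMAC.
OUTER_IP = 20       # new outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), encrypted
ICV = 12            # HMAC-MD5-96 / HMAC-SHA1-96 truncated authenticator
IV = {"3des": 8, "aes": 16}     # CBC IV, one cipher block
BLOCK = {"3des": 8, "aes": 16}  # block size the ciphertext is padded to


def esp_packet_size(inner_len: int, cipher: str = "3des") -> int:
    """Bytes on the wire for one ESP packet carrying an inner IP packet
    of inner_len bytes (padding included)."""
    encrypted = inner_len + ESP_TRAILER
    encrypted += (-encrypted) % BLOCK[cipher]   # pad up to a whole block
    return OUTER_IP + ESP_HDR + IV[cipher] + encrypted + ICV


def largest_unfragmented_inner(link_mtu: int = 1500, cipher: str = "3des") -> int:
    """Largest inner packet whose ESP packet still fits the outside MTU.
    Clamping the inside MTU (or TCP MSS) to this value is the 'tweaking on
    the MTU side' that avoids fragmenting every full-size packet."""
    n = link_mtu
    while esp_packet_size(n, cipher) > link_mtu:
        n -= 1
    return n


def goodput_fraction(inner_len: int, link_mtu: int = 1500, cipher: str = "3des") -> float:
    """Share of link capacity that is user data when every inner packet is
    inner_len bytes. An ESP packet larger than the link MTU is fragmented,
    which costs one extra 20-byte IP header per additional fragment
    (the 8-byte fragment granularity is ignored; it is exact for MTU 1500)."""
    wire = esp_packet_size(inner_len, cipher)
    if wire > link_mtu:
        fragments = -(-(wire - OUTER_IP) // (link_mtu - OUTER_IP))  # ceiling
        wire += (fragments - 1) * OUTER_IP
    return inner_len / wire


def max_goodput_kbps(link_kbps: float = 512, inner_len: int = 1500,
                     cipher: str = "3des") -> float:
    """Best-case user throughput on the thread's 512 kbit/s link: protocol
    overhead alone, before any crypto or scheduling cost on the PIX."""
    return link_kbps * goodput_fraction(inner_len, cipher=cipher)
```

With full-size 1500-byte inner packets every packet is fragmented into two on the wire, which is why a file transfer through the tunnel never reaches the link rate that a plain download does; clamping the inside MTU to the unfragmented size removes that penalty.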

Microsoft VPN through a router [7:72824]

2003-07-24 Thread Steven Aiello
I was wondering what ports I would need to have open for a Microsoft VPN
connection on my router.  If I have done my homework correctly I think:

IPSec port: 50
L2TP port : 1701
PPTP port : 1723

Are these all TCP, UDP?

I don't really have a full understanding of how the protocol and port
process of a VPN works.  I understand the theory: how IPSec encrypts
the info in a tunnel in the data portion of another IP packet, blah blah blah.
But any more additional detailed info would be great.

Thanks,
Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72908t=72824



RE: Microsoft VPN through a router [7:72824]

2003-07-23 Thread Reimer, Fred
For IPSec I believe you need protocolsport 500.  The
50 is a protocol number, like UDP is 17 and TCP is what? 6?  It is not a TCP
or UDP port number...

Fred Reimer - CCNA








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72833t=72824


Re: Microsoft VPN through a router [7:72824]

2003-07-23 Thread Stevo
Steve,

You need to open GRE from any source to your VPN server, and then,
depending on whether you're using PPTP or L2TP, make sure you have either
tcp/1723 or tcp/1701 open.

My ACL looks like this for PPTP access...

access-list 101 permit tcp any host  eq 1723
access-list 101 permit gre any host 

Stevo






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72831t=72824


RE: Microsoft VPN through a router [7:72824]

2003-07-23 Thread Zsombor Papp
Steven Aiello wrote:
>
> I was wondering what ports I would need to have open for a
> Microsoft VPN connection on my router.  If I have done my homework
> correctly I think:
>
> IPSec port: 50

This is a protocol number (as in a protocol above IP). You will also need 51 I
think.

> L2TP port : 1701

UDP

> PPTP port : 1723

TCP

>
> Are these all TCP, UDP?
>
> I don't really have a full understanding of how the protocol
> and port process of a VPN works.  I understand the theory: how IPSec
> encrypts the info in a tunnel in the data portion of another IP packet,
> blah blah blah.  But any more additional detailed info would be great.

The RFCs are pretty detailed.

Thanks,

Zsombor


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72830t=72824


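The replies above (Stevo's ACL and Zsombor's protocol-versus-port notes) turn on one distinction: 47 (GRE), 50 (ESP) and 51 (AH) are IP protocol numbers, while 500 (IKE), 1701 and 1723 are UDP/TCP ports. The following added example, not code from the thread, makes that check mechanical with a small parser and first-match evaluator for the extended-ACL syntax in Stevo's reply; the server address 192.0.2.10 is a constructed placeholder for the host his lines refer to, and only the fields needed for this check are modelled.

```python
"""Which traffic a Cisco extended ACL lets through to a VPN server (added example)."""
import re
from typing import List, Optional

# IANA protocol numbers for the keywords this model accepts; IOS spells
# AH as 'ahp'. 50 and 51 are protocols, not ports, which is the point of the thread.
PROTO = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

ACE_RE = re.compile(
    r"access-list \d+ (permit|deny) (ip|tcp|udp|gre|esp|ahp) "
    r"(any|host \S+) (any|host \S+)(?: eq (\d+))?$"
)


def parse_ace(line: str):
    """One access-list line -> (action, protocol number or None for 'ip',
    destination host or None for 'any', destination port or None)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    action, proto, _src, dst, port = m.groups()
    if port is not None and proto not in ("tcp", "udp"):
        # IOS only offers 'eq' for tcp and udp: a port has no meaning for
        # ESP, AH or GRE, so 'permit esp ... eq 50' is not a valid entry.
        raise ValueError(f"'eq {port}' is not valid for protocol {proto}")
    proto_num = None if proto == "ip" else PROTO[proto]
    dst_host = None if dst == "any" else dst.split()[1]
    return action, proto_num, dst_host, (int(port) if port else None)


def lookup(acl: List[str], proto: int, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for line in acl:
        action, p, d, port = parse_ace(line)
        if (p is None or p == proto) and (d is None or d == dst) \
                and (port is None or port == dport):
            return action
    return "deny"


VPN = "192.0.2.10"  # constructed placeholder for the VPN server's address
# Stevo's two PPTP entries with the host filled in by the placeholder.
PPTP_ACL = [f"access-list 101 permit tcp any host {VPN} eq 1723",
            f"access-list 101 permit gre any host {VPN}"]
# The IPsec counterpart: IKE is a UDP port, ESP and AH are IP protocols.
IPSEC_ACL = [f"access-list 102 permit udp any host {VPN} eq 500",
             f"access-list 102 permit esp any host {VPN}",
             f"access-list 102 permit ahp any host {VPN}"]
```

Running `lookup(PPTP_ACL, 50, VPN)` returns "deny": the PPTP list never admits ESP, and a "tcp ... eq 50" entry would not either, because protocol 50 is not carried inside TCP.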