RE: VPN Error [7:30415]

2001-12-29 Thread Nick S.

Sorry about the cryptic msg. earlier; I realised that there were a few more
errors in the config as well..

* use aaa and specify local authentication (you can use radius or tacacs)
* specify terminate-from hostname (NAS)  local name (HGW)

Rest all seems to be ok...

On the router, turn on debug vpdn error and debug vpdn event, and turn on the
authentication debugs as well. That will point to where it's failing.

Nick 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30423t=30415
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: VPN Error [7:30415]

2001-12-29 Thread Navin Parwal

Thanks Nick, but I am using Win2K server authentication, and not the Radius
server or any ACS server. How should I go about it then?

I am now able to establish the connection and the tunnel is created
as well, and I am getting the following message as well:

r4#sh vpdn

%No active L2TP tunnels

%No active L2F tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID  Remote Name  State   Remote Address  Port  Sessions
5                   estabd  202.157.71.47   1120  1

LocID  RemID  TunID  Intf  Username       State   Last Chg
5      49152  5      Vi1   technosys\adm  estabd  00:26:29

%No active PPPoE tunnels
r4#



but I am still not able to come in to the Win2K domain.
Do guide me on what I should do.

thanks,

Navin Parwal







VPN Error [7:30415]

2001-12-28 Thread NKP

Hi All ,
I am facing an error accessing my network from my laptop via VPN,
which has Windows Millennium, to my router which has got a static IP address
from the bri0/0 interface.
 I want to connect to my win2K server which is configured as a domain
controller on the ethernet; it is configured properly.
As soon as I give the IP address of my router on the VPN dialer and the
username and password of cisco, it tries to connect for some time and then
disconnects.
My settings on the router are given below; do let me know if it is correct and
if there is anything else I am missing out on.

thanks in advance .
--
Navin Parwal






r4#sh run
Building configuration...

Current configuration : 1533 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
enable password ZZZ
!
username cisco password 0 cisco
username technosys.com\cisco password 0 cisco
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
!
!
isdn switch-type basic-net3
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Serial0/0
no ip address
encapsulation ppp
!
interface BRI0/0
ip address negotiated
ip nat outside
encapsulation ppp
dialer string 226476
dialer-group 1
isdn switch-type basic-net3
no cdp enable
ppp chap refuse
ppp pap sent-username jbc password 7 025756085F53
!
interface Virtual-Template1
ip unnumbered BRI0/0
no keepalive
peer default ip address pool testpool
ppp encrypt mppe 40
ppp authentication ms-chap pap chap
!
ip local pool testpool 192.168.2.1 192.168.2.254
ip nat inside source route-map nat interface BRI0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0/0
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nat permit 10
match ip address 101
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password XXX
login
!
no scheduler allocate
end

r4#
r4#
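As an added example (not code from the thread or from Cisco), a small Python audit of the posted running-config against the points raised above: Nick's AAA advice plus the weak settings visible in the config (type-0 passwords, PAP/CHAP fallback alongside MS-CHAP, 40-bit MPPE, password-only VTY login). The hardened variant is constructed for illustration and its secret hashes are placeholders.

```python
# Excerpt of the running-config posted in this thread (passwords exactly as
# posted); sub-commands re-indented the way IOS prints them.
POSTED_CONFIG = """\
no service password-encryption
enable password ZZZ
username cisco password 0 cisco
username technosys.com\\cisco password 0 cisco
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered BRI0/0
 peer default ip address pool testpool
 ppp encrypt mppe 40
 ppp authentication ms-chap pap chap
line vty 0 4
 password XXX
 login
"""

# Constructed hardened variant: AAA with local authentication (Nick's point),
# secrets instead of type-0 passwords, MS-CHAP only so there is no PAP/CHAP
# fallback and MPPE can derive keys, 128-bit MPPE required, SSH-only VTYs.
# The "$1$PLACEHOLDER" hashes are placeholders, not real secrets.
HARDENED_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
enable secret 5 $1$PLACEHOLDER
username cisco secret 5 $1$PLACEHOLDER
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
interface Virtual-Template1
 ip unnumbered BRI0/0
 peer default ip address pool testpool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap
line vty 0 4
 transport input ssh
"""

# Keywords that may follow the method list on 'ppp authentication'.
PPP_AUTH_KEYWORDS = {"callin", "one-time", "optional", "default"}


def audit_config(config):
    """Return a sorted list of finding codes for an IOS running-config text."""
    findings = set()
    lines = config.splitlines()
    if "aaa new-model" not in [l.strip() for l in lines]:
        findings.add("aaa-not-enabled")
    section = ""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            section = line          # top-level command: interface ..., line vty ...
        tokens = line.split()
        if line == "no service password-encryption":
            findings.add("plaintext-passwords-in-config")
        elif line.startswith("enable password "):
            findings.add("enable-password-not-secret")
        elif tokens[0] == "username" and "password" in tokens:
            # 'password 0 x' and bare 'password x' are cleartext; '7 x' is type 7.
            idx = tokens.index("password")
            nxt = tokens[idx + 1] if idx + 1 < len(tokens) else ""
            if nxt == "0" or not nxt.isdigit():
                findings.add("type0-user-password")
        elif line.startswith("ppp authentication "):
            methods = {t for t in tokens[2:] if t not in PPP_AUTH_KEYWORDS}
            if "pap" in methods:
                findings.add("pap-cleartext-allowed")
            if methods & {"pap", "chap"} and methods & {"ms-chap", "ms-chap-v2"}:
                findings.add("auth-downgrade-allowed")  # client may pick the weak one
        elif line.startswith("ppp encrypt mppe "):
            if tokens[3] == "40":
                findings.add("mppe-40bit")
            if "required" not in tokens:
                findings.add("mppe-not-required")       # unencrypted PPP still accepted
        elif section.startswith("line vty") and line == "login":
            findings.add("vty-line-password-only")      # shared line password, no AAA
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "clean")
```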







RE: how do I add the vpn dial network adapter in win98 [7:30072]

2001-12-27 Thread Nick S.

From what I remember you need a particular version of DUN (Dial-Up Networking);
I think it was 4.3. Check the CCO under Technical Documents -- VPN

Nick 





RE: how do I add the vpn dial network adapter in win98 [7:30173]

2001-12-27 Thread Andrew Larkins

Win 98 second edition has it already as an adapter









RE: how do I add the vpn dial network adapter in w [7:30173]

2001-12-27 Thread Nick S.

aah... Didn't know that. I had worked on it twice, once with a WIN95 and the
other time with WIN98 (first edition), and both times we had to download
the DUN.

thanks
Nick





RE: how do I add the vpn dial network adapter in win98 [7:30223]

2001-12-27 Thread Hire, Ejay

It's not in network properties, it's in...
Start -> Settings -> Control Panel -> Add/Remove Software -> Windows
Setup -> Communications -> VPN Adapter.








Off Topic - My Employer's VPN! I'm so happy!! [7:30267]

2001-12-27 Thread Chuck Larrieu

Off topic VPN comment. My employer is FINALLY moving to VPN access to our
company network. This instead of that crappy ISDN RAS telco solution they've
been running for years.  I'm so lucky to have been chosen as one of the beta
testers. Probably because I've been complaining so loud for so long.

In any case, our laptops are Windows NT 4.0 and W2K. The client is the Cisco
Secure client, and because we are a Cisco partner, I presume that we are
connecting via one or another of the Cisco VPN products. One can hope it is
a CVPN3xxx box, but with my employer, you never can tell ;->

In any case, the scripted installation worked like a charm and I am happy as
a clam doing company work via a much faster connection. In my job I often
have to move some very large Excel and Visio files from here to there. Not
to mention the kinds of things I have to download from vendor sites for
study and meeting preparation.

So yes, VPN stuff can work, can be easy (recognizing the front end
preparation that obviously took place) and so far, the Cisco client has
been flawless to work with.  Knock on my wooden head :->

I know there are a lot of people from my company who read this list. All I
can say is I hope you keep the pressure up on your managers. This is so much
better!

Chuck







Re: Off Topic - My Employer's VPN! I'm so happy!! [7:30267]

2001-12-27 Thread Eric

Sounds like you don't have AOL!

I rolled out a 3015 VPN concentrator (Altiga) not too long ago for a client
who had a ton of roaming sales people and outside vendors that I got working
with this. Found out the hard way that AOL will overwrite .dll's used by the
Cisco client software. Don't know if this has been fixed outside of
uninstalling AOL. It rocks after setting it up though, especially if you
have a broadband connection. Another BIG issue will be some ISPs use NAT or
a Proxy Server or some other type of firewall and will block all ports
outside the basics. This will kill the VPN setup connection.

Eric









Re: OT - My Employer's VPN! I'm so happy!! [7:30272]

2001-12-27 Thread W. Alan Robertson

You do indeed hope that it's one of their VPN Concentrators...  I've
set up three of those things for three different clients in the past
three weeks.  They are super sweet!

My favorite installation so far was integrated into the network's OSPF
routing domain, and utilized SecurID/RADIUS for user authentication.

I also got to dink around with one of the 3002 Hardware clients, which
basically provides the VPN connection for an entire remote location
(Small LAN...  8-ish users).

You should not be some random beta tester though, Chuck...  You ought
to be on the head-end side.  What is your company thinking?









Re: how do I add the vpn dial network adapter in win98 ? [7:30082]

2001-12-25 Thread isross

Follow these steps to add the virtual private network (VPN) component of
Windows 98:

1) Double-click My Computer, then Control Panel, and finally Add/Remove
   Programs.
2) Select the Windows Setup tab, then double-click Communications.
3) Check the box next to Virtual Private Networking.
4) Click OK. Insert your Windows CD if you are prompted for it.

To create a VPN connection, follow these steps:

1) Double-click My Computer, then Dial-Up Networking, and finally Make New
   Connection.
2) Type a name for your connection.
3) In the Select a Device: field, choose Microsoft VPN Adapter. Click the
   Next button.
4) Type the name or IP address of the VPN server. Click Next.
5) Click the Finish button.
6) Right-click the new connection and, from the menu that appears, select
   Properties.
7) Click the Server Types tab.
8) Uncheck the NetBEUI and IPX/SPX Compatible protocols.
9) Click the OK button.
10) Double-click My Computer, then Control Panel, and finally Network.
11) In the list of installed components, select Client for Microsoft Networks
    and click the Properties button.
12) In the Windows NT domain: field, enter the domain name.
13) Click OK twice.
14) Restart your computer if you are prompted to do so.

To establish the VPN connection, follow these steps:

1) Double-click My Computer, then Dial-Up Networking.
2) Double-click the connection with the name you created above. You will be
   prompted for a username and password.
3) Click the Connect button.
4) When the connection is established, you should see a new icon in the system
   tray. (This icon is the same as the icon for dial-up connections.)

To disconnect and terminate the connection, double-click the icon and choose
Disconnect.

- Original Message -
From: chenyan 
To: 
Sent: Tuesday, December 25, 2001 2:15 AM
Subject: how do I add the vpn dial network adapter in win98 ? [7:30072]


 qwe







Activating VPN slows connection drastically, Why? [7:30043]

2001-12-24 Thread Bruce Williams

We have a DSL line connected through a Cisco 800 series router. The
connection is very fast until the Checkpoint client software is activated to
access a Checkpoint firewall VPN in the corporate office. This slows down
the connection drastically. What in the VPN could cause this? I just want to
get an idea of where to start troubleshooting.

Bruce Williams
Verizon
mailto:[EMAIL PROTECTED]







RE: Activating VPN slows connection drastically, Why? [7:30043]

2001-12-24 Thread Chuck Larrieu

can you clarify for me?

HQ --- internet --- 827 --- bunch of PCs

PCs are running the Checkpoint VPN client. VPN tunnels go from PC to HQ
Checkpoint device, with the 827 doing only routing/bridging (depending on
how the ISP is set up).

Is this correct?

When you say the connection slows down, does that mean that prior to using
the VPN client, connection to HQ was fast? Or were you gauging by internet
access, as the PCs cannot access HQ without the client?

You will want to differentiate what is slow and what is fast. Then it will
be easier to focus in on a cause.

Chuck









Re: Activating VPN slows connection drastically, Why? [7:30043]

2001-12-24 Thread Henry D.

I don't know much about CheckPoint's VPN solutions, but the logical
things that could cause degradation in performance could be: the
client PCs, which now with VPN are required to encrypt/decrypt data;
the end-point machine, which has to do the same; or some issues within
the infrastructure beyond the VPN Checkpoint machine. All or some
of the above could cause problems. Simply, more information
is required for better analysis.









Re: Issue with VPN 3015 behind a FW-1 [7:29759]

2001-12-21 Thread karren gordon

I hope this answers your question about ESP rules working through your f/w.

ESP uses protocol 50, but you have to set IP filters for TCP and UDP as
well.  You did not say what type of VPN box you are using, so you will need
to verify.  Also, if you have a NetRanger or similar device, you might be
getting shunned by it.  If you do a tcpdump on the internal and external
burb and you see terminal resets, check your NetRanger sensors and change
the alarm thresholds.

Chris Gordon










Issue with VPN 3015 behind a FW-1 [7:29759]

2001-12-20 Thread Joel Satterley

Hi, does anyone know what rule should allow ESP back thru a FW-1 firewall
from a VPN concentrator?  I have it coming INBOUND ok, but the replies get
dropped on the FW internal rule.  Very odd.

??







Cisco to CheckPoint VPN problem, help!! [7:29858]

2001-12-20 Thread Jim Bond

Hello,

I followed this link to configure a 1605 router to
CheckPoint 4.1:
http://www.cisco.com/warp/public/707/cp-r.shtml
My network is:
192.168.2.1-(1605)-16.191.40.99 --- 16.191.40.39-(checkpoint)-192.168.1.1

The VPN tunnel could not be established; here is the debug
output from the 1605 router:

00:01:29: ISAKMP: reserved not zero on payload 5!
00:01:29: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from
16.191.40.39   failed it
s sanity check or is malformed
00:01:29: ISAKMP (1): sending packet to 16.191.40.39
(I) QM_IDLE
00:01:29: ISAKMP (1): received packet from
16.191.40.39 (I) QM_IDLE
00:01:29: ISAKMP: reserved not zero on payload 5!
00:01:29: ISAKMP (1): sending packet to 16.191.40.39
(I) QM_IDLE
00:01:29: generate hmac context for conn id 1
00:01:29: ISAKMP (1): deleting SA

Looks like there is something wrong on the CheckPoint.
Log was turned on at CheckPoint but didn't capture any
info.

Is there anything wrong with Cisco sample
configuration? Or anything I missed?

Thanks in advance.

Jim
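The "reserved not zero on payload 5" line is the generic payload header check from RFC 2408 failing on the Identification payload (type 5), which is why the router then reports the message as failing its sanity check. As an added example, not Cisco's code and not from the thread, here is that check in Python over a constructed plaintext Quick Mode message with the fault injected; real Quick Mode packets are encrypted, so the walker refuses them until they have been decrypted.

```python
import struct

# ISAKMP fixed header (RFC 2408 s3.1): initiator/responder cookies, next payload,
# version, exchange type, flags, message ID, total length.  Every payload then
# starts with the generic header (s3.2): next payload, RESERVED (must be 0),
# payload length.  Payload type 5 is Identification, the one the 1605 rejected.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_HDR = struct.Struct("!BBH")
FLAG_ENCRYPTION = 0x01
EXCH_QUICK_MODE = 32
PT_ID, PT_HASH = 5, 8


def build_message(exchange, msg_id, payloads):
    """Serialise a plaintext ISAKMP message from (type, reserved, body) tuples.
    Constructed helper for the samples; 'reserved' lets the fault be injected."""
    body = b""
    for i, (ptype, reserved, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(following, reserved, PAYLOAD_HDR.size + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange, 0,
                          msg_id, ISAKMP_HDR.size + len(body))
    return hdr + body


def walk_payloads(msg):
    """Yield (payload_type, reserved_byte, offset) along the next-payload chain,
    raising ValueError for the structural faults a receiver has to reject."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    _, _, nxt, _, _, flags, _, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field does not match message size")
    if flags & FLAG_ENCRYPTION:
        raise ValueError("payloads are encrypted; decrypt before parsing")
    off = ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        following, reserved, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError(f"bad length on payload {nxt}")
        yield nxt, reserved, off
        nxt, off = following, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")


def sanity_check(msg):
    """Mirror the router's complaint: one line per payload whose RESERVED != 0."""
    return [f"reserved not zero on payload {ptype}"
            for ptype, reserved, _ in walk_payloads(msg) if reserved != 0]


# Constructed Quick Mode sample: a HASH payload followed by an ID payload
# (ID_IPV4_ADDR_SUBNET 192.168.1.0/24) whose RESERVED byte is 0x01.
ID_BODY = bytes([4, 0, 0, 0]) + bytes([192, 168, 1, 0, 255, 255, 255, 0])
BAD_MESSAGE = build_message(EXCH_QUICK_MODE, 0x1234,
                            [(PT_HASH, 0, b"\x00" * 16), (PT_ID, 0x01, ID_BODY)])
GOOD_MESSAGE = build_message(EXCH_QUICK_MODE, 0x1234,
                             [(PT_HASH, 0, b"\x00" * 16), (PT_ID, 0, ID_BODY)])

if __name__ == "__main__":
    print(sanity_check(BAD_MESSAGE))   # ['reserved not zero on payload 5']
    print(sanity_check(GOOD_MESSAGE))  # []
```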








*** VPN IPSec Client *** Urgent Please reply [7:29271]

2001-12-14 Thread Swapnil Jain

Hi,

I have to configure a Cisco 801 with the IP/FW plus IPSec feature pack as a VPN
client for PIX 6.0. What details and information do I need from the PIX side
to configure the 801?

Swapnil







Re: *** VPN IPSec Client *** Urgent Please reply [7:29271]

2001-12-14 Thread George Murphy CCNP, CCDP

Swapnil, I would definitely go to the Cisco site for this one. Use this
link. It should have examples and there may very well be an example
close to what you are seeking.

 http://www.cisco.com/warp/public/707/index.shtml#pix








Re: *** VPN IPSec Client *** Urgent Please reply [7:29271]

2001-12-14 Thread Swapnil Jain

thanks a lot George. I found here a lot about security.

swapnil







VPN IPSec client [7:29172]

2001-12-13 Thread Swapnil Jain

Hi,

I have to configure a Cisco 801 with the IP/FW plus IPSec feature pack as a VPN
client for PIX 6.0. What details and information do I need from the PIX side
to configure the 801?

Swapnil







Vpn issue [7:28806]

2001-12-10 Thread Ramesh c

Folx,

The serial port of my router is connected to a PVT network and the ethernet is
connected to the Internet, through which I am going to establish a VPN (IPsec).

My questions are...
1) I am not running NAT on my router; do I still need to add the following on
my router...

access-list 130 deny ip 10.65.0.0 0.0.255.255 172.16.2.11 0.0.0.0
access-list 130 permit ip 10.65.0.0 0.0.255.255 any

route-map nonat permit 10
  match ip address 130

ip nat pool branch   netmask 
ip nat inside source route-map nonat pool branch overload

2) My PVT network mask is 252... so would my access-list mask be 0.0.0.3?

access_list permit ip 192.168.5.36 0.0.0.3 172.16.3.2 0.0.0.255

Cheers
Ramesh







RE: Vpn issue [7:28806]

2001-12-10 Thread Shah Nick

Ramesh c wrote:
> The serial port of my router is connected to a PVT network and the
> ethernet is connected to the Internet, through which I am going to
> establish a VPN (IPsec).
>
> My questions are...
> 1) I am not running NAT on my router; do I still need to add the
> following on my router...
>
> access-list 130 deny ip 10.65.0.0 0.0.255.255 172.16.2.11
> 0.0.0.0
> access-list 130 permit ip 10.65.0.0 0.0.255.255 any
>
> route-map nonat permit 10
>   match ip address 130
>
> ip nat pool branch   netmask 
> ip nat inside source route-map nonat pool branch overload

Dude, without knowing your whole config how do u expect us to advise?

btw, the access-list referred in this route-map is indeed 130, from the
partial info that you have provided, you can safely remove it.

> 2) My PVT network mask is 252... so would my access-list mask
> be 0.0.0.3?
>
> access_list permit ip 192.168.5.36 0.0.0.3 172.16.3.2 0.0.0.255

The first bit 0.0.0.3 is correct, but 172.16.3.2 0.0.0.255 do u mean
172.16.3.0 0.0.0.255 (note 0 instead of 2) unless you are trying to match on
the 2nd last bit, which can achieve something much different than trying to
match the whole /24

Nick
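The wildcard arithmetic behind both answers, as an added example that is not part of the thread: mask-to-wildcard conversion, what an entry actually matches under IOS bit semantics, and why 172.16.3.2 0.0.0.255 is stored and matched as 172.16.3.0 0.0.0.255. The 0.0.0.253 case goes beyond the thread to show a wildcard that really does key on a single bit of the last octet.

```python
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def mask_to_wildcard(netmask):
    """255.255.255.252 -> 0.0.0.3: the wildcard is the bitwise inverse of the mask."""
    return to_dotted(to_int(netmask) ^ 0xFFFFFFFF)


def ace_matches(entry, wildcard, addr):
    """IOS semantics: a 0 bit in the wildcard means 'must equal the entry bit',
    a 1 bit means 'don't care'.  Nothing requires the 1 bits to be contiguous."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(entry) & care)


def canonical_entry(entry, wildcard):
    """What IOS stores and shows back: entry bits under a wildcard 1 are cleared,
    so 172.16.3.2 0.0.0.255 becomes 172.16.3.0 0.0.0.255."""
    return to_dotted(to_int(entry) & (to_int(wildcard) ^ 0xFFFFFFFF))


def match_count(wildcard):
    """Addresses matched by one entry: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(to_int(wildcard)).count("1")


def matched_hosts(entry, wildcard):
    """Enumerate every address the entry matches (for small wildcards), including
    non-contiguous ones that no prefix length can express."""
    w = to_int(wildcard)
    base = to_int(entry) & (w ^ 0xFFFFFFFF)
    free_bits = [b for b in range(32) if (w >> b) & 1]
    hosts = []
    for k in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (k >> i) & 1:
                value |= 1 << bit
        hosts.append(value)
    return [to_dotted(v) for v in sorted(hosts)]


if __name__ == "__main__":
    print(mask_to_wildcard("255.255.255.252"))        # 0.0.0.3
    print(matched_hosts("192.168.5.36", "0.0.0.3"))    # .36 .37 .38 .39
    print(canonical_entry("172.16.3.2", "0.0.0.255"))  # 172.16.3.0
    # A wildcard that really does key on one bit of the last octet:
    print(match_count("0.0.0.253"), canonical_entry("172.16.3.2", "0.0.0.253"))
```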





to upgrade nortel contivity 1600 VPN DES-56 bit to TRIPLE [7:28271]

2001-12-06 Thread Rajneesh Yadav

Hi Everybody,

I have two Nortel Contivity 1600 VPN appliances, and on one Contivity 1600 I got
128-bit encryption, but on the other end I have the 56-bit DES option, so I want to
upgrade this to 128-bit DES. Please help me get to the solution.

Regards

Rajneesh







RE: Re[6]: VPN is a Backdoor !!! [7:27725]

2001-12-06 Thread [EMAIL PROTECTED] (John Nemeth)

On Apr 27,  6:24pm, Chuck Larrieu wrote:
}
} one interesting solution I heard was to require two partitions on the hard
} drive. One partition boots to the VPN, the other to normal use. completely
} separate OS installations on both, so that if the non VPN partition is
} compromised, it still does not effect the other. anyone heard of this or
} doing it now? any comments?

 I really don't think this will work.  For this to work, the unused
partition would have to be completely untouchable.  In the situation
you describe, the unused partition is normally available as D:.  The
malware would simply have to search for other writable partitions and
infect the files on it as well.

}-- End of excerpt from Chuck Larrieu







VPN stuff [7:28289]

2001-12-06 Thread Ramesh c

Folx,

1) I have set up a VPN between 2 private networks over the internet. I want to know
how the packets are forwarded to the destination, or in other words, what
really happens on the router when a packet for the VPN arrives?

I got a static route
ip route 0.0.0.0 0.0.0.0 210.23.5.6


2) Do I need to enable ip routing if I got static routes?

Cheers
Ramesh







Re: VPN stuff [7:28289]

2001-12-06 Thread Tay Chee Yong

Hi Ramesh,

When the VPN is established, the originating host will encrypt the packet
with a key, and send it across the internet via a virtual tunnel. When the
destination receives the packet, the VPN box will decrypt the packet with
the same key.

If you are connecting to the destination private network, then the default
route will not make sense.

You should have a static route something like the following, in order for
the packet to go through the VPN tunnel:

ip route   

Hope this helps.

Regards,
Cheeyong








RE: VPN/Frame redundant connection? [7:28252]

2001-12-06 Thread Chuck Larrieu

well... if you insist

I'd use a floating static, with the higher distance pointing to the 56K
link. Keeps life simple.

I had a similar project dropped into my lap recently. This kind of stuff
offends my persnickety sense of security, but what the hell, it pays the
bills, right?

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
user true
Sent: Wednesday, December 05, 2001 9:39 PM
To: [EMAIL PROTECTED]
Subject: VPN/Frame redundant connection? [7:28252]


Hi All...

I have been put into a project where someone else pitched a solution to
implement a redundant connection over a dedicated private line (56K) and a
VPN Internet connection (frac T1).  The hardware is 2 Cisco 2611 routers
with the 2 Ethernet interfaces, 2 WatchGuard Firebox 1000s, and some
equipment for the private frame (already has a CSU and an RJ45 cable to hook up
directly to the Ethernet interface on the router).  The Internet connection is a
fractional T1 on each side and, as stated before, 2 WatchGuard firewalls.

The sides would be addressed like 172.16.x.x/16 and 172.17.x.x/16, and they
were given this solution by someone who has since bailed on them after
getting the equipment.

What I am looking for is the easiest way to implement a solution
that would allow the VPN connection to be the preferred route, but also
allow the private frame to pick up if the Internet connection should become
latent or go down.  It could grind along slowly, but would function.

I was just curious if anyone has gotten this type of solution to work with a
WatchGuard in the middle?  I was thinking of using something easy like
EIGRP, but am a little miffed by how exactly to make this work across the
VPN and the Frame at once.

|router|---|watchguard|---internet---|watchguard|---|router|
|




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28333t=28252
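The floating static that Chuck suggests, written out for the 2611 on the 172.16.x.x side, as an added example that is not part of the thread. The addresses are assumptions, not taken from the posts: e0/0 is the LAN segment shared with the WatchGuard's inside interface (172.16.0.1), e0/1 is the Ethernet handoff to the 56K frame CSU with the far router at 192.168.255.2/30, and the far router's LAN address is 172.17.0.2. Option B is the GRE/EIGRP alternative the original poster asked about; it assumes the WatchGuard VPN policy on both sides permits GRE (IP protocol 47) between the two routers, which is firewall configuration and is not shown here.

```cisco
! Added example, not from the thread. Router on the 172.16.x.x side;
! mirror it on the other 2611 with the networks swapped.
! Assumed addressing (not in the posts): WatchGuard inside = 172.16.0.1,
! frame link = 192.168.255.0/30, far router LAN address = 172.17.0.2.
!
interface Ethernet0/0
 description LAN, shared with the WatchGuard inside interface (VPN path)
 ip address 172.16.0.2 255.255.0.0
!
interface Ethernet0/1
 description Ethernet handoff to the 56K private frame CSU (backup path)
 bandwidth 56
 ip address 192.168.255.1 255.255.255.252
!
! ---- Option A: floating static (Chuck's suggestion) ----
! Preferred path: hand the far site to the WatchGuard, which carries it
! over IPsec. A static route has administrative distance 1 by default.
ip route 172.17.0.0 255.255.0.0 172.16.0.1
! Backup path: same prefix, worse distance (200), via the frame link. It
! is installed only while the distance-1 route is absent, and that route
! is only withdrawn when Ethernet0/0 itself goes down. A dead ISP link or
! a dead IPsec tunnel leaves Ethernet0/0 up, so Option A does NOT fail
! over for those cases, nor for the "latent" case the poster mentions.
ip route 172.17.0.0 255.255.0.0 192.168.255.2 200
!
! ---- Option B (instead of A): GRE tunnel through the VPN + EIGRP ----
! A point-to-point GRE tunnel between the two routers rides inside the
! WatchGuard IPsec tunnel (the firewalls must permit IP protocol 47
! between 172.16.0.2 and 172.17.0.2). GRE keepalives drop the tunnel's
! line protocol when the far end stops answering, and the EIGRP hold
! timer catches it as well, so an Internet outage now triggers failover.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 172.17.0.2
 keepalive 10 3
 bandwidth 1536
!
! The tunnel endpoint must NOT be learned through the tunnel itself
! (recursive routing flaps the tunnel). Pin it to the WatchGuard.
ip route 172.17.0.2 255.255.255.255 172.16.0.1
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.255.0 0.0.0.3
 network 172.16.0.0
 passive-interface Ethernet0/0
 no auto-summary
! With bandwidth 1536 on Tunnel0 and bandwidth 56 on Ethernet0/1 the
! EIGRP composite metric (minimum bandwidth dominates) prefers the tunnel
! for 172.17.0.0/16 and falls back to the frame link when the tunnel
! route is withdrawn. The tunnel's default bandwidth of 9 kbit would
! otherwise make the frame path win.
```

Check which path is active with `show ip route 172.17.0.0`; in Option A the backup only appears after `shutdown` on Ethernet0/0, in Option B it also appears after `shutdown` on Tunnel0 or after the far side stops answering keepalives. The pinned /32 to the tunnel endpoint is the line most often forgotten, and without it the tunnel comes up, EIGRP learns 172.17.0.0/16 through it, the endpoint route moves into the tunnel, and the tunnel drops again.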



Re[6]: VPN is a Backdoor !!! [7:27725]

2001-12-05 Thread SentinuS

I'll try to explain what I mean:

You have a mobile user who uses your VPN. You have an L2TP or Layer 3
transport agreement with some of the ISPs (e.g. AT&T).
Now if your user calls an ISP which has an agreement with you, this user is
transported to you. And you authenticate again (if you want), then give
him/her an IP. At this point they don't have any Internet connection.
After authenticating (or not) your mobile user, you give some
restrictions to them (they can use some of your servers or not;
they can access the Internet via you or not, etc.).
Now if you give them Internet access, they have to
access the Internet over your main gateway. This means that if any hacker wants
to put a backdoor on your mobile users via the Internet, they must
bypass your main gateway. If they can bypass your main gateway, there is
another problem, but this is not a VPN problem.

Monday, December 03, 2001, 8:29:59 PM, you wrote:

KH Not sure what you mean by this.  The VPN technology used is irrelevant.  If
KH I have a home user who uses their laptop to access the Internet, there are
KH various ways that machine could become compromised.  If that user then
KH attaches to the VPN, I have a machine on my VPN that is compromised.  It
KH doesn't matter what the method of VPN is (L2TP with IPsec, PPTP, etc), it's
KH not going to keep a compromised machine from continuing to be compromised.

KH All the VPN can do is keep a non-compromised machine from becoming
KH compromised through the VPN.  If the machine is compromised before it
KH connects to the VPN, no amount of VPN technology is going to help.

KH This issue is not solvable through VPN technology because it isn't a VPN
KH problem.  It's an end-station access control problem.  At the end of the
KH day, if your users are allowed to completely control their own machines, the
KH likelihood that someone's machine will be compromised approaches 1.0. (in
KH other words, certainty)  This risk can be mitigated through various software
KH and policies, but it cannot be eliminated.
KH -Kent

--- cut here ---




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28166t=27725



Re: Re[6]: VPN is a Backdoor !!! [7:27725]

2001-12-05 Thread Patrick Ramsey

While that scenario might be possible, very few laptops out there *never*
connect to the Internet.  And if they have connected once, then they risk
being hacked.  What's worse is if they have DSL or cable connected directly
to their laptop with no router or firewall between them and the Internet.

All it takes is *ONE* machine with BO on it to wreak havoc on a network!

-Patrick

 SentinuS  12/05/01 04:42AM 
I'll try to explain what I mean:

You have a mobile user who uses your VPN. You have an L2TP or Layer 3
transport agreement with some of the ISPs (e.g. AT&T).
Now if your user calls an ISP which has an agreement with you, this user is
transported to you. And you authenticate again (if you want), then give
him/her an IP. At this point they don't have any Internet connection.
After authenticating (or not) your mobile user, you give some
restrictions to them (they can use some of your servers or not;
they can access the Internet via you or not, etc.).
Now if you give them Internet access, they have to
access the Internet over your main gateway. This means that if any hacker wants
to put a backdoor on your mobile users via the Internet, they must
bypass your main gateway. If they can bypass your main gateway, there is
another problem, but this is not a VPN problem.

Monday, December 03, 2001, 8:29:59 PM, you wrote:

KH Not sure what you mean by this.  The VPN technology used is irrelevant.  If
KH I have a home user who uses their laptop to access the Internet, there are
KH various ways that machine could become compromised.  If that user then
KH attaches to the VPN, I have a machine on my VPN that is compromised.  It
KH doesn't matter what the method of VPN is (L2TP with IPsec, PPTP, etc), it's
KH not going to keep a compromised machine from continuing to be compromised.

KH All the VPN can do is keep a non-compromised machine from becoming
KH compromised through the VPN.  If the machine is compromised before it
KH connects to the VPN, no amount of VPN technology is going to help.

KH This issue is not solvable through VPN technology because it isn't a VPN
KH problem.  It's an end-station access control problem.  At the end of the
KH day, if your users are allowed to completely control their own machines, the
KH likelihood that someone's machine will be compromised approaches 1.0. (in
KH other words, certainty)  This risk can be mitigated through various software
KH and policies, but it cannot be eliminated.
KH -Kent

--- cut here ---




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28183t=27725



RE: Re[6]: VPN is a Backdoor !!! [7:27725]

2001-12-05 Thread Kent Hundley

Right, but this again assumes that the user is not going to do something
silly like, oh, use their own ISP some of the time because you are blocking
and/or logging all the interesting sites on the Internet they want to use.
They connect through a local ISP, go to the chat rooms, get some new
software and presto, their machine has a nasty virus/worm/trojan.  That
nicely designed, expensive VPN cannot stop this.

I understand perfectly that there are VPN technologies that can pretty
successfully ensure that an uncompromised machine stays uncompromised, _just
as long as the user does what they are supposed to do_. (i.e. only connect
to the Internet through the methods you have set up)  However, I say again
the problem is that users behave in silly, erratic and unsafe ways and this
is the problem that VPNs cannot solve in and of themselves.

You can mitigate this through policies, procedures and various lockdown
mechanisms on the machines used to access your VPN, but the issue is still
going to be there. (what one person designs, another person can circumvent)
Securing the endpoints is difficult because of the humans that use them.
Getting the VPN built is the easy part.  Getting humans to use it
correctly is where the problems arise.

-Kent



-Original Message-
From: SentinuS [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 05, 2001 1:44 AM
To: Kent Hundley
Cc: [EMAIL PROTECTED]
Subject: Re[6]: VPN is a Backdoor !!! [7:27725]



I'll try to explain what I mean:

You have a mobile user who uses your VPN. You have an L2TP or Layer 3
transport agreement with some of the ISPs (e.g. AT&T).
Now if your user calls an ISP which has an agreement with you, this user is
transported to you. And you authenticate again (if you want), then give
him/her an IP. At this point they don't have any Internet connection.
After authenticating (or not) your mobile user, you give some
restrictions to them (they can use some of your servers or not;
they can access the Internet via you or not, etc.).
Now if you give them Internet access, they have to
access the Internet over your main gateway. This means that if any hacker wants
to put a backdoor on your mobile users via the Internet, they must
bypass your main gateway. If they can bypass your main gateway, there is
another problem, but this is not a VPN problem.

Monday, December 03, 2001, 8:29:59 PM, you wrote:

KH Not sure what you mean by this.  The VPN technology used is irrelevant.  If
KH I have a home user who uses their laptop to access the Internet, there are
KH various ways that machine could become compromised.  If that user then
KH attaches to the VPN, I have a machine on my VPN that is compromised.  It
KH doesn't matter what the method of VPN is (L2TP with IPsec, PPTP, etc), it's
KH not going to keep a compromised machine from continuing to be compromised.

KH All the VPN can do is keep a non-compromised machine from becoming
KH compromised through the VPN.  If the machine is compromised before it
KH connects to the VPN, no amount of VPN technology is going to help.

KH This issue is not solvable through VPN technology because it isn't a VPN
KH problem.  It's an end-station access control problem.  At the end of the
KH day, if your users are allowed to completely control their own machines, the
KH likelihood that someone's machine will be compromised approaches 1.0. (in
KH other words, certainty)  This risk can be mitigated through various software
KH and policies, but it cannot be eliminated.
KH -Kent

--- cut here ---




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28187t=27725



RE: Re[6]: VPN is a Backdoor !!! [7:27725]

2001-12-05 Thread Chuck Larrieu

It is always fun to watch customers' eyes glaze over as you talk to them
about exactly this kind of stuff. It is far easier for management to fire
their CTO for a security breach than it is to enforce policy violated by
their big producers and powerful cronies in the management suite.

Alas, the problem is indeed insoluble. For obvious reasons, VPNs are
growing like crazy. I probably talk to two or three customers a week who
want to set one up. Hell, I wish my employer would set one up, because ISDN
RAS is such a pain.

One interesting solution I heard was to require two partitions on the hard
drive. One partition boots to the VPN, the other to normal use. Completely
separate OS installations on both, so that if the non-VPN partition is
compromised, it still does not affect the other. Anyone heard of this or
doing it now? Any comments?

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Wednesday, December 05, 2001 7:00 AM
To: [EMAIL PROTECTED]
Subject: RE: Re[6]: VPN is a Backdoor !!! [7:27725]


Right, but this again assumes that the user is not going to do something
silly like, oh, use their own ISP some of the time because you are blocking
and/or logging all the interesting sites on the Internet they want to use.
They connect through a local ISP, go to the chat rooms, get some new
software and presto, their machine has a nasty virus/worm/trojan.  That
nicely designed, expensive VPN cannot stop this.

I understand perfectly that there are VPN technologies that can pretty
successfully ensure that an uncompromised machine stays uncompromised, _just
as long as the user does what they are supposed to do_. (i.e. only connect
to the Internet through the methods you have set up)  However, I say again
the problem is that users behave in silly, erratic and unsafe ways and this
is the problem that VPNs cannot solve in and of themselves.

You can mitigate this through policies, procedures and various lockdown
mechanisms on the machines used to access your VPN, but the issue is still
going to be there. (what one person designs, another person can circumvent)
Securing the endpoints is difficult because of the humans that use them.
Getting the VPN built is the easy part.  Getting humans to use it
correctly is where the problems arise.

-Kent



-Original Message-
From: SentinuS [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 05, 2001 1:44 AM
To: Kent Hundley
Cc: [EMAIL PROTECTED]
Subject: Re[6]: VPN is a Backdoor !!! [7:27725]



I'll try to explain what I mean:

You have a mobile user who uses your VPN. You have an L2TP or Layer 3
transport agreement with some of the ISPs (e.g. AT&T).
Now if your user calls an ISP which has an agreement with you, this user is
transported to you. And you authenticate again (if you want), then give
him/her an IP. At this point they don't have any Internet connection.
After authenticating (or not) your mobile user, you give some
restrictions to them (they can use some of your servers or not;
they can access the Internet via you or not, etc.).
Now if you give them Internet access, they have to
access the Internet over your main gateway. This means that if any hacker wants
to put a backdoor on your mobile users via the Internet, they must
bypass your main gateway. If they can bypass your main gateway, there is
another problem, but this is not a VPN problem.

Monday, December 03, 2001, 8:29:59 PM, you wrote:

KH Not sure what you mean by this.  The VPN technology used is irrelevant.  If
KH I have a home user who uses their laptop to access the Internet, there are
KH various ways that machine could become compromised.  If that user then
KH attaches to the VPN, I have a machine on my VPN that is compromised.  It
KH doesn't matter what the method of VPN is (L2TP with IPsec, PPTP, etc), it's
KH not going to keep a compromised machine from continuing to be compromised.

KH All the VPN can do is keep a non-compromised machine from becoming
KH compromised through the VPN.  If the machine is compromised before it
KH connects to the VPN, no amount of VPN technology is going to help.

KH This issue is not solvable through VPN technology because it isn't a VPN
KH problem.  It's an end-station access control problem.  At the end of the
KH day, if your users are allowed to completely control their own machines, the
KH likelihood that someone's machine will be compromised approaches 1.0. (in
KH other words, certainty)  This risk can be mitigated through various software
KH and policies, but it cannot be eliminated.
KH -Kent

--- cut here ---




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28250t=27725



VPN/Frame redundant connection? [7:28252]

2001-12-05 Thread user true

Hi All...

I have been put into a project where someone else pitched a solution to
implement a redundant connection over a dedicated private line (56K) and a
VPN Internet connection (frac T1).  The hardware is 2 Cisco 2611 routers
with the 2 Ethernet interfaces, 2 WatchGuard Firebox 1000s, and some
equipment for the private frame (already has a CSU and an RJ45 cable to hook up
directly to the Ethernet interface on the router).  The Internet connection is a
fractional T1 on each side and, as stated before, 2 WatchGuard firewalls.

The sides would be addressed like 172.16.x.x/16 and 172.17.x.x/16, and they
were given this solution by someone who has since bailed on them after
getting the equipment.

What I am looking for is the easiest way to implement a solution
that would allow the VPN connection to be the preferred route, but also
allow the private frame to pick up if the Internet connection should become
latent or go down.  It could grind along slowly, but would function.

I was just curious if anyone has gotten this type of solution to work with a
WatchGuard in the middle?  I was thinking of using something easy like
EIGRP, but am a little miffed by how exactly to make this work across the
VPN and the Frame at once.

|router|---|watchguard|---internet---|watchguard|---|router|
|



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28252t=28252



VPN/Frame redundant connection(2) [7:28255]

2001-12-05 Thread user true

Hi All...

I have been put into a project where someone else pitched a solution to
implement a redundant connection over a dedicated private line (56K) and a
VPN Internet connection (frac T1).  The hardware is 2 Cisco 2611 routers
with the 2 Ethernet interfaces, 2 WatchGuard Firebox 1000s, and some
equipment for the private frame (already has a CSU and an RJ45 cable to hook up
directly to the Ethernet interface on the router).  The Internet connection is a
fractional T1 on each side and, as stated before, 2 WatchGuard firewalls.

The sides would be addressed like 172.16.x.x/16 and 172.17.x.x/16, and they
were given this solution by someone who has since bailed on them after
getting the equipment.

What I am looking for is the easiest way to implement a solution
that would allow the VPN connection to be the preferred route, but also
allow the private frame to pick up if the Internet connection should become
latent or go down.  It could grind along slowly, but would function.

I was just curious if anyone has gotten this type of solution to work with a
WatchGuard in the middle?  I was thinking of using something easy like
EIGRP, but am a little miffed by how exactly to make this work across the
VPN and the Frame at once.

   |-----|x|------- private frame (56K) -------|x|-----|
   |                                                   |
|router|---|watchguard|---(internet)---|watchguard|---|router|
   (switch)                                        (switch)
172.16.x.x/16                                    172.17.x.x/16

Just tried to show the 2 interfaces and the initial configuration of how the
person before had it setup.

What does anyone see as the best way to make this work reliably?

Thanks,


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28255t=28255



Re: VPN [7:21120]

2001-12-05 Thread Ramesh c

Hi corness,

Thanks for your earlier replies.



My setup is as follows:


pvt network---Router---Internet---Pix---pvt network

I want to do a VPN between the private networks using IPsec. I am concerned
with the router side. The s0 (10.1.0.1/24) of the router is connected to the pvt
network and e0 (210.11.3.1/24) to the Internet.

I do the following on my router

access-list 101 permit 10.1.0.0 255.255.255.0 172.1.0.0 255.255.255.255
crypto ipsec transform-set set1 esp-des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match-address 101
crypto map vpn set peer 210.14.7.2
crypto map vpn set transform-set set1

isakmp enable e0
isakmp policy 20
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 authentication rsa-sig
isakmp policy 20 group 1

interface e0
crypto map vpn

My questions...

1) What kind of static route should I add? (I want only 10.1.0.0 to talk to
172.1.0.0 and vice versa using the VPN. Everything else denied.)

2) Do I need this if I don't use NAT on my router?
route-map nonat permit 10
  match ip address 130

3) Will this access list help me with security (i.e. except for 172.1.0.0, all
other networks cannot reach the pvt network)?

access_list 140 permit ip 172.1.0.0 0.0.0.0 any
access_list 140 deny ip any any
acl_group 140 e0 out 

cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28256t=21120
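An added example, not from the thread: the router side of the setup above in IOS syntax (the `isakmp enable` / `access_list` / `acl_group` forms in the post are PIX-style commands, and on IOS the `set peer` / `set transform-set` / `match address` lines go under the crypto map entry rather than on the command line), with the three questions worked through in the comments. It also covers the forwarding question from the "VPN stuff" thread [7:28289], since it is the same topology. Assumptions not in the posts: the remote private network is 172.1.0.0/24, the ISP next hop on e0 is 210.11.3.254, and both peers already have certificates enrolled for `rsa-sig` (if not, `authentication pre-share` plus `crypto isakmp key` is the simpler choice).

```cisco
! Added example, not from the thread. Router side of
!   pvt net (10.1.0.0/24) --- Router --- Internet --- Pix --- pvt net (172.1.0.0/24)
! Assumed (not in the post): remote LAN is 172.1.0.0/24, ISP next hop is
! 210.11.3.254, certificates are already enrolled for rsa-sig.
!
! Phase 1. The IOS keyword is "crypto isakmp"; values match the post.
crypto isakmp policy 20
 encryption des
 hash md5
 authentication rsa-sig
 group 1
!
! Phase 2 transform set, as posted.
crypto ipsec transform-set set1 esp-des esp-sha-hmac
!
! Interesting traffic: only 10.1.0.0/24 <-> 172.1.0.0/24 is tunnelled.
! IOS extended ACLs take wildcard masks (0.0.0.255), not subnet masks.
access-list 101 permit ip 10.1.0.0 0.0.0.255 172.1.0.0 0.0.0.255
!
! Crypto map entry; on IOS the set/match lines live under the entry.
crypto map vpn 10 ipsec-isakmp
 set peer 210.14.7.2
 set transform-set set1
 match address 101
!
! Question 3: the filter that keeps other networks out of 10.1.0.0/24
! belongs INBOUND on e0. An outbound ACL on e0 filters what leaves toward
! the Internet, and "permit 172.1.0.0 / deny any" applied there would
! block the site's own traffic. The inbound ACL must admit the tunnel
! itself (ISAKMP on UDP 500 and ESP from the peer) and the decrypted
! 172.1.0.0 traffic: older IOS re-checks the decrypted packet against
! this same inbound ACL, newer IOS only checks the encrypted packet, so
! listing it explicitly is correct either way.
access-list 140 permit udp host 210.14.7.2 host 210.11.3.1 eq isakmp
access-list 140 permit esp host 210.14.7.2 host 210.11.3.1
access-list 140 permit ip 172.1.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 140 deny   ip any any log
!
interface Ethernet0
 ip address 210.11.3.1 255.255.255.0
 ip access-group 140 in
 crypto map vpn
!
interface Serial0
 ip address 10.1.0.1 255.255.255.0
!
! Question 1, and the forwarding question from "VPN stuff": the routing
! lookup happens BEFORE encryption. A packet for 172.1.0.0/24 is routed
! out e0 like any other Internet-bound packet; only then does the crypto
! map on e0 match it against ACL 101 and encapsulate it to 210.14.7.2.
! The default route alone is therefore sufficient; the explicit route is
! a guard for the day the default is pointed somewhere else. The peer
! 210.14.7.2 must also be reachable via e0. "Everything else denied" is
! the job of ACL 140, not of the routing table.
ip route 0.0.0.0 0.0.0.0 210.11.3.254
ip route 172.1.0.0 255.255.255.0 210.11.3.254
!
! Question 2: "route-map nonat" exists only to exempt VPN traffic from
! NAT. With no "ip nat inside/outside" on this router there is nothing
! to exempt, so it is not needed.
```

On an IOS router `ip routing` is on by default, so the static routes take effect as soon as they are entered and `show ip route` lists them with an `S`. Verify the tunnel with `show crypto isakmp sa` and `show crypto ipsec sa` (the `#pkts encaps` / `#pkts decaps` counters should climb while traffic flows between the two private networks) and use `debug crypto isakmp` when phase 1 will not complete.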



Re: Re[4]: VPN is a Backdoor !!! [7:27725]

2001-12-03 Thread Patrick Ramsey

I'm not sure I follow...

At any time, regardless of protocol, a remote user coming in on a vpn has
the potential to bring a hacker in with him.

 SentinuS  12/01/01 08:35AM 
Maybe. But if you use L2TP or Layer 3 transport on the VPN, all your
mobile users could be local. Thus you don't need additional
security on your mobile users (I mean a firewall or anti-virus app).

SentinuS


Friday, November 30, 2001, 6:07:02 PM, you wrote:

KH You're right, but it is nearly impossible to secure the client.  The problem
KH is that no matter how much education you give users, most will still do the
KH wrong thing given the right circumstances.  For example, if they are in a
KH chat room and someone they are communicating with sends them a file, most
KH will open it, no matter how many times you tell them not to.

--cut here---




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27989t=27725



RE: Re[4]: VPN is a Backdoor !!! [7:27725]

2001-12-03 Thread Kent Hundley

Not sure what you mean by this.  The VPN technology used is irrelevant.  If
I have a home user who uses their laptop to access the Internet, there are
various ways that machine could become compromised.  If that user then
attaches to the VPN, I have a machine on my VPN that is compromised.  It
doesn't matter what the method of VPN is (L2TP with IPsec, PPTP, etc), it's
not going to keep a compromised machine from continuing to be compromised.

All the VPN can do is keep a non-compromised machine from becoming
compromised through the VPN.  If the machine is compromised before it
connects to the VPN, no amount of VPN technology is going to help.

This issue is not solvable through VPN technology because it isn't a VPN
problem.  It's an end-station access control problem.  At the end of the
day, if your users are allowed to completely control their own machines, the
likelihood that someone's machine will be compromised approaches 1.0. (in
other words, certainty)  This risk can be mitigated through various software
and policies, but it cannot be eliminated.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
SentinuS
Sent: Saturday, December 01, 2001 5:35 AM
To: [EMAIL PROTECTED]
Subject: Re[4]: VPN is a Backdoor !!! [7:27725]


Maybe. But if you use L2TP or Layer 3 transport on the VPN, all your
mobile users could be local. Thus you don't need additional
security on your mobile users (I mean a firewall or anti-virus app).

SentinuS


Friday, November 30, 2001, 6:07:02 PM, you wrote:

KH You're right, but it is nearly impossible to secure the client.  The problem
KH is that no matter how much education you give users, most will still do the
KH wrong thing given the right circumstances.  For example, if they are in a
KH chat room and someone they are communicating with sends them a file, most
KH will open it, no matter how many times you tell them not to.

--cut here---




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28000t=27725



Re[4]: VPN is a Backdoor !!! [7:27725]

2001-12-01 Thread SentinuS

Maybe. But if you use L2TP or Layer 3 transport on the VPN, all your
mobile users could be local. Thus you don't need additional
security on your mobile users (I mean a firewall or anti-virus app).

SentinuS


Friday, November 30, 2001, 6:07:02 PM, you wrote:

KH You're right, but it is nearly impossible to secure the client.  The problem
KH is that no matter how much education you give users, most will still do the
KH wrong thing given the right circumstances.  For example, if they are in a
KH chat room and someone they are communicating with sends them a file, most
KH will open it, no matter how many times you tell them not to.

--cut here---




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27915t=27725



VPN between Checkpoint and Pix [7:27787]

2001-11-30 Thread Ramesh c

Hi guys,

Is there any site which gives details (configuration, specs) about a VPN between
a PIX firewall and a Checkpoint firewall using IPsec?

TIA

Cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27787t=27787



RE: VPN between Checkpoint and Pix [7:27787]

2001-11-30 Thread Bullock, Jason

Do a search on CCO and this comes up.

http://www.cisco.com/warp/public/707/cp-r.shtml

jason

-Original Message-
From: Ramesh c [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 05:04 AM
To: [EMAIL PROTECTED]
Subject: VPN between Checkpoint and Pix [7:27787]


Hi guys,

Is there any site which gives details (configuration, specs) about a VPN between
a PIX firewall and a Checkpoint firewall using IPsec?

TIA

Cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27798t=27787



RE: Re[2]: VPN is a Backdoor !!! [7:27725]

2001-11-30 Thread Kent Hundley

You're right, but it is nearly impossible to secure the client.  The problem
is that no matter how much education you give users, most will still do the
wrong thing given the right circumstances.  For example, if they are in a
chat room and someone they are communicating with sends them a file, most
will open it, no matter how many times you tell them not to.

If it is a virus or a trojan, their entire machine can become compromised
and no amount of firewall software and strong authentication can completely
fix that. When prompted about a new app trying to reach the Internet, they
may just answer 'yes'.  If there's no prompt and the software doesn't work,
they may just disable their firewall. (yes, it does happen)  The problem is
worse if users use their home machines for VPN access.  If they use company
assigned laptops with WinNT or 2K, you can fix some of this by not giving
them admin access to their own machines.  This will severely limit their
ability to install new software and offer some protection, but it's not a
guarantee.  I can see someone breaking into their machine to install the hot
new game they just got sent from a friend they met on yahoo chat who's
only too happy to help them get the software installed.

The weakest link in the security chain is almost always human factors.  In
the end, there's no silver bullet for this problem.  Policies and user
education help, but there's always a risk involved once you rely on users
for security, which is what you must do when you allow users remote access
to the corporate goodies.  Creating a secure link is easy, it's the
endpoints that tend to bite you. ;-)

Good luck,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
SentinuS
Sent: Thursday, November 29, 2001 3:35 PM
To: [EMAIL PROTECTED]
Subject: Re[2]: VPN is a Backdoor !!! [7:27725]


But I think a VPN is not a backdoor if you use the right security policy and
the right configuration. There is one issue: the client. If you can secure
your client, there is no weakness.


Thursday, November 29, 2001, 11:47:08 PM, you wrote:
PR Even then though, you're not secure.  If the box is compromised before you
PR connect then even when the firewall is enforced, malicious activity could
PR still take place...the attacker would not be able to connect to the
PR machine but could leave dastardly code behind to do his job for him.

PR I am working on this scenario now as well.  I am attempting to come up with
PR a best practice for cleaning a machine, installing a firewall, etc for
PR any vpn client.  Let me know how yours goes!

PR -Patrick

---cut---

SentinuS
Best Regards
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27832t=27725



VPN + 1720 [7:27841]

2001-11-30 Thread paul

Maybe I am asking too much ;)
Anyway, here goes 'nothing':

Can anyone show me a sample config (or a URL) for a VPN on a 1720 router
(assuming it connects through a frame-relay cloud)?
thanks in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27841t=27841



Re: VPN + 1720 [7:27841]

2001-11-30 Thread VoIP Guy
 to the conditions
stated in this warning.


*^C
!
line con 0
 exec-timeout 5 0
 password x
 login
line aux 0
 password x
 login
line vty 0 4
 exec-timeout 5 0
 password x
 login
line vty 5 15
 no login
!
end
paul  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Maybe I am asking too much ;)
 Anyway, here goes 'nothing':

 Can anyone show me a sample config (or a URL) for a VPN on a 1720 router
 (assuming it connects through a frame-relay cloud)?
 thanks in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27842t=27841



Re: VPN + 1720 [7:27841]

2001-11-30 Thread George Murphy CCNP, CCDP

Good timing Paul, I just installed a VPN module in a 1720 last week. I
have configured the router (after updating the IOS) to establish a
tunnel as a simple router-to-router peer over the Internet, but it is
not complete because the other side is not completely installed yet.
Here are the links I used to get tips. Scroll down to about 1/2 of the
page and you will see examples for several scenarios. They are pretty
handy and should save you some time. There is even a link to enable SSH
on the router. Good luck!

http://www.cisco.com/warp/public/707/index.shtml





paul wrote:

Maybe I am asking too much ;)
Anyway, here goes 'nothing':

Can anyone show me a sample config (or a URL) for a VPN on a 1720 router
(assuming it connects through a frame-relay cloud)?
thanks in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27846t=27841



RE: Re[2]: VPN is a Backdoor !!! [7:27725]

2001-11-30 Thread Priscilla Oppenheimer

The problem is usually between the keyboard and chair. ;-)

Priscilla

At 11:07 AM 11/30/01, Kent Hundley wrote:
You're right, but it is nearly impossible to secure the client.  The problem
is that no matter how much education you give users, most will still do the
wrong thing given the right circumstances.  For example, if they are in a
chat room and someone they are communicating with sends them a file, most
will open it, no matter how many times you tell them not to.

If it is a virus or a trojan, their entire machine can become compromised
and no amount of firewall software and strong authentication can completely
fix that. When prompted about a new app trying to reach the Internet, they
may just answer 'yes'.  If there's no prompt and the software doesn't work,
they may just disable their firewall. (yes, it does happen)  The problem is
worse if users use their home machines for VPN access.  If they use company
assigned laptops with WinNT or 2K, you can fix some of this by not giving
them admin access to their own machines.  This will severely limit their
ability to install new software and offer some protection, but it's not a
guarantee.  I can see someone breaking into their machine to install the hot
new game they just got sent from a friend they met on yahoo chat who's
only too happy to help them get the software installed.

The weakest link in the security chain is almost always human factors.  In
the end, there's no silver bullet for this problem.  Policies and user
education help, but there's always a risk involved once you rely on users
for security, which is what you must do when you allow users remote access
to the corporate goodies.  Creating a secure link is easy, it's the
endpoints that tend to bite you. ;-)

Good luck,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
SentinuS
Sent: Thursday, November 29, 2001 3:35 PM
To: [EMAIL PROTECTED]
Subject: Re[2]: VPN is a Backdoor !!! [7:27725]


But I think VPN is not a backdoor if you use the right security policy and
the right configuration. There is one issue: the client. If you can secure
your client, there is no weakness.


Thursday, November 29, 2001, 11:47:08 PM, you wrote:
PR> Even then though, you're not secure.  If the box is compromised before you
PR> connect then even when the firewall is enforced, malicious activity could
PR> still take place...the attacker would not be able to connect to the
PR> machine but could leave dastardly code behind to do his job for him.

PR> I am working on this scenario now as well.  I am attempting to come up with
PR> a best practice for cleaning a machine, installing a firewall, etc. for
PR> any vpn client.  Let me know how yours goes!

PR> -Patrick

---cut---

SentinuS
Best Regards
[EMAIL PROTECTED]


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27859t=27725



Re: VPN + 1720 [7:27858]

2001-11-30 Thread paul

Just want to say thanks to Murphy and Steve for helping out.

Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27858t=27858



RE: Re[2]: VPN is a Backdoor !!! [7:27725]

2001-11-30 Thread Patrick Ramsey

Does anyone have a best practice written up concerning this? (I thought
mooching a lot of the content would keep me from typing a lot!)  : )

-Patrick

 Priscilla Oppenheimer  11/30/01 01:19PM 
The problem is usually between the keyboard and chair. ;-)

Priscilla

At 11:07 AM 11/30/01, Kent Hundley wrote:
You're right, but it is nearly impossible to secure the client.  The problem
is that no matter how much education you give users, most will still do the
wrong thing given the right circumstances.  For example, if they are in a
chat room and someone they are communicating with sends them a file, most
will open it, no matter how many times you tell them not to.

If it is a virus or a trojan, their entire machine can become compromised
and no amount of firewall software and strong authentication can completely
fix that. When prompted about a new app trying to reach the Internet, they
may just answer 'yes'.  If there's no prompt and the software doesn't work,
they may just disable their firewall. (yes, it does happen)  The problem is
worse if users use their home machines for VPN access.  If they use company
assigned laptops with WinNT or 2K, you can fix some of this by not giving
them admin access to their own machines.  This will severely limit their
ability to install new software and offer some protection, but it's not a
guarantee.  I can see someone breaking into their machine to install the hot
new game they just got sent from a friend they met on yahoo chat who's
only too happy to help them get the software installed.

The weakest link in the security chain is almost always human factors.  In
the end, there's no silver bullet for this problem.  Policies and user
education help, but there's always a risk involved once you rely on users
for security, which is what you must do when you allow users remote access
to the corporate goodies.  Creating a secure link is easy, it's the
endpoints that tend to bite you. ;-)

Good luck,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
SentinuS
Sent: Thursday, November 29, 2001 3:35 PM
To: [EMAIL PROTECTED] 
Subject: Re[2]: VPN is a Backdoor !!! [7:27725]


But I think VPN is not a backdoor if you use the right security policy and
the right configuration. There is one issue: the client. If you can secure
your client, there is no weakness.


Thursday, November 29, 2001, 11:47:08 PM, you wrote:
PR> Even then though, you're not secure.  If the box is compromised before you
PR> connect then even when the firewall is enforced, malicious activity could
PR> still take place...the attacker would not be able to connect to the
PR> machine but could leave dastardly code behind to do his job for him.

PR> I am working on this scenario now as well.  I am attempting to come up with
PR> a best practice for cleaning a machine, installing a firewall, etc. for
PR> any vpn client.  Let me know how yours goes!

PR> -Patrick

---cut---

SentinuS
Best Regards
[EMAIL PROTECTED] 


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27861t=27725



VPN client, PIX, internet access [7:27870]

2001-11-30 Thread John Chang

Is there a way to configure a Cisco PIX so that a user with a VPN client 
connects to the internal network and can also connect to the internet 
without doing a split tunnel on Windows 2000 Professional?  This would in 
essence make the remote workstation part of the internal network.  Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27870t=27870



RE: VPN client, PIX, internet access [7:27870]

2001-11-30 Thread Gibb, Jake

Don't enable split tunneling on the concentrator for that group when
using the Cisco VPN client or simply route all traffic through the VPN
tunnel. 

-Jake

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 30, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: VPN client, PIX, internet access [7:27870]


Is there a way to configure a Cisco PIX so that a user with a VPN client
connects to the internal network and can also connect to the internet
without doing a split tunnel on Windows 2000 Professional?  This would in
essence make the remote workstation part of the internal network.  Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27872t=27870



RE: VPN client, PIX, internet access [7:27870]

2001-11-30 Thread John Chang

I know, but how do you make it so that the client using the VPN client can 
access the internet with Netscape or whatever without doing a split tunnel?

At 01:48 PM 11/30/2001 -0600, Gibb, Jake wrote:
Don't enable split tunneling on the concentrator for that group when
using the Cisco VPN client or simply route all traffic through the VPN
tunnel.

-Jake

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: VPN client, PIX, internet access [7:27870]


Is there a way to configure a Cisco PIX so that a user with a VPN client
connects to the internal network and can also connect to the internet
without doing a split tunnel on Windows 2000 Professional?  This would in
essence make the remote workstation part of the internal network.  Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27873t=27870



RE: VPN client, PIX, internet access [7:27870]

2001-11-30 Thread Gibb, Jake

Without split tunneling they will send all traffic back to your local
network. It is up to you to set up DNS settings to be pushed to the
client that they will use for resolution. These can be internal DNS
servers set to forward unknown requests or external DNS servers. We use
split tunneling to take advantage of the client's local ISP connection
for unknown IP requests that are not in our split tunneling list. 

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 30, 2001 1:56 PM
To: Gibb, Jake; [EMAIL PROTECTED]
Subject: RE: VPN client, PIX, internet access [7:27870]


I know, but how do you make it so that the client using the VPN client can
access the internet with Netscape or whatever without doing a split tunnel?

At 01:48 PM 11/30/2001 -0600, Gibb, Jake wrote:
Don't enable split tunneling on the concentrator for that group when 
using the Cisco VPN client or simply route all traffic through the VPN 
tunnel.

-Jake

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: VPN client, PIX, internet access [7:27870]


Is there a way to configure a Cisco PIX so that a user with a VPN client
connects to the internal network and can also connect to the internet 
without doing a split tunnel on Windows 2000 Professional?  This 
would in essence make the remote workstation part of the internal 
network.  Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27875t=27870



RE: VPN client, PIX, internet access [7:27870]

2001-11-30 Thread John Chang

Do I have to do anything fancy to the PIX box to allow the client to do 
e-mail, Netscape, FTP, or whatever on the internet?  What do you 
mean about DNS settings on the client?  The DNS server will be on the 
outside.  We are not using a VPN concentrator.

At 01:55 PM 11/30/2001 -0600, Gibb, Jake wrote:
Without split tunneling they will send all traffic back to your local
network. It is up to you to set up DNS settings to be pushed to the
client that they will use for resolution. These can be internal DNS
servers set to forward unknown requests or external DNS servers. We use
split tunneling to take advantage of the client's local ISP connection
for unknown IP requests that are not in our split tunneling list.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 1:56 PM
To: Gibb, Jake; [EMAIL PROTECTED]
Subject: RE: VPN client, PIX, internet access [7:27870]


I know, but how do you make it so that the client using the VPN client can
access the internet with Netscape or whatever without doing a split tunnel?

At 01:48 PM 11/30/2001 -0600, Gibb, Jake wrote:
 Don't enable split tunneling on the concentrator for that group when
 using the Cisco VPN client or simply route all traffic through the VPN
 tunnel.
 
 -Jake
 
 -Original Message-
 From: John Chang [mailto:[EMAIL PROTECTED]]
 Sent: Friday, November 30, 2001 1:29 PM
 To: [EMAIL PROTECTED]
 Subject: VPN client, PIX, internet access [7:27870]
 
 
 Is there a way to configure a Cisco PIX so that a user with a VPN client
 connects to the internal network and can also connect to the internet
 without doing a split tunnel on Windows 2000 Professional?  This
 would in essence make the remote workstation part of the internal
 network.  Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27877t=27870



RE: VPN between Checkpoint and Pix [7:27787]

2001-11-30 Thread Paul Holloway

Ramesh,
Here is what you are looking for:
http://www.cisco.com/warp/public/110/cp-p.html

many others at: http://www.cisco.com/warp/public/707/index.shtml#pix

Hope this helps
Paul
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ramesh c
Sent: Friday, November 30, 2001 4:04 AM
To: [EMAIL PROTECTED]
Subject: VPN between Checkpoint and Pix [7:27787]


Hi guys,

Is there any site which gives details (configuration, specs) about VPN between
a PIX firewall and a Checkpoint firewall using IPSec?

TIA

Cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27899t=27787



RE: VPN between Checkpoint and Pix [7:27787]

2001-11-30 Thread Jeff Smith

You could also try   firetower.com - a good security consulting firm.


From: Paul Holloway 
Reply-To: Paul Holloway 
To: [EMAIL PROTECTED]
Subject: RE: VPN between Checkpoint and Pix [7:27787]
Date: Fri, 30 Nov 2001 20:05:29 -0500

Ramesh,
Here is what you are looking for:
http://www.cisco.com/warp/public/110/cp-p.html

many others at: http://www.cisco.com/warp/public/707/index.shtml#pix

Hope this helps
Paul
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ramesh c
Sent: Friday, November 30, 2001 4:04 AM
To: [EMAIL PROTECTED]
Subject: VPN between Checkpoint and Pix [7:27787]


Hi guys,

Is there any site which gives details (configuration, specs) about VPN between
a PIX firewall and a Checkpoint firewall using IPSec?

TIA

Cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27902t=27787



VPN is a Backdoor !!! [7:27725]

2001-11-29 Thread SentinuS

Hi Guys;

I wonder whether a VPN is a backdoor. I really need answers. Please do it.

thanks

SentinuS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27725t=27725



RE: VPN is a Backdoor !!! [7:27725]

2001-11-29 Thread Gibb, Jake

VPN could be considered a backdoor. If Joe User has a broadband
connection at home with no firewall or local client firewall installed
then when he/she connects to your VPN that is essentially a conduit for
attackers to potentially compromise. This is an issue that I am dealing
with now. Cisco's VPN client and Concentrator have a new feature that will
push a policy on the client requiring they have a firewall installed
like BlackIce etc. If they don't, it will enforce its own basic
firewall on the client while connected. I am working on the scripted
install for my company now. 

-Jake

-Original Message-
From: SentinuS [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 2:37 PM
To: [EMAIL PROTECTED]
Subject: VPN is a Backdoor !!! [7:27725]


Hi Guys;

I wonder whether a VPN is a backdoor. I really need answers. Please do it.

thanks

SentinuS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27729t=27725



RE: VPN is a Backdoor !!! [7:27725]

2001-11-29 Thread Patrick Ramsey

Even then though, you're not secure.  If the box is compromised before you
connect then even when the firewall is enforced, malicious activity could
still take place...the attacker would not be able to connect to the
machine but could leave dastardly code behind to do his job for him.

I am working on this scenario now as well.  I am attempting to come up with
a best practice for cleaning a machine, installing a firewall, etc for
any vpn client.  Let me know how yours goes!

-Patrick

 Gibb, Jake  11/29/01 03:53PM 
VPN could be considered a backdoor. If Joe User has a broadband
connection at home with no firewall or local client firewall installed
then when he/she connects to your VPN that is essentially a conduit for
attackers to potentially compromise. This is an issue that I am dealing
with now. Cisco's VPN client and Concentrator have a new feature that will
push a policy on the client requiring they have a firewall installed
like BlackIce etc. If they don't, it will enforce its own basic
firewall on the client while connected. I am working on the scripted
install for my company now. 

-Jake

-Original Message-
From: SentinuS [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 2:37 PM
To: [EMAIL PROTECTED] 
Subject: VPN is a Backdoor !!! [7:27725]


Hi Guys;

I wonder whether a VPN is a backdoor. I really need answers. Please do it.

thanks

SentinuS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27731t=27725



RE: VPN back door [7:27734]

2001-11-29 Thread Nat Heidler

I recently installed a VPN at work (city government). You would be much
better off disabling split-tunneling at the concentrator level rather
than trying to push it out to each client. That will stop your
back doors. And yes, it even cuts out all connections on a local network. I
have 4 machines in a workgroup at home, with a shared music drive. When I VPN
into work, that share is no longer available to other clients.

Nat
Somewhere in Kansas, USA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27734t=27734



RE: VPN back door [7:27736]

2001-11-29 Thread Gibb, Jake

The new version 3.5 of Cisco VPN Client allows local LAN browsing access
with split tunneling. I know there is a big debate over sending all of
your traffic over the VPN just to get to a website that's up the street.
We have multiple PIX firewalls in failover configuration at our head
office and that is certainly more secure esp. if the client does not
have any firewall protection whatsoever. The new client 3.5 and
concentrator IOS 3.4 is supposed to add the firewall option/mandatory to
the client. I'll be testing it this month. 

-Jake

-Original Message-
From: Nat Heidler [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 29, 2001 3:46 PM
To: '[EMAIL PROTECTED]'
Cc: Gibb, Jake
Subject: RE: VPN back door


I recently installed a VPN at work (city government). You would be much
better off disabling split-tunneling at the concentrator level rather
than trying to push it out to each client. That will stop your back
doors. And yes, it even cuts out all connections on a local network. I
have 4 machines in a workgroup at home, with a shared music drive. When
I VPN into work, that share is no longer available to other clients.

Nat
Somewhere in Kansas, USA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27736t=27736
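As an added illustration of the trade-off Nat and Jake are arguing over (example code, not from any post in the thread), this Python model applies a pushed tunnel policy to a few destinations and reports whether the client can still reach its own LAN and whether it talks to the Internet directly while the tunnel is up. The addresses are constructed, and the "allow local LAN" flag is an assumed stand-in for the client option Jake mentions.

```python
"""Model of the client-side routing decision behind the split-tunnel debate.

Example added to the thread, not from any post. Addresses are constructed
(documentation and private ranges) and the "allow local LAN" flag is an
assumption standing in for the client-side local LAN option.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelPolicy:
    # Prefixes the concentrator pushes as the split-tunnel list. An empty
    # list means no split tunneling: every destination goes through the tunnel.
    split_networks: list = field(default_factory=list)
    # Carve-out that lets the client keep talking to its own LAN even when
    # everything else is tunnelled (assumed shape of the "local LAN" option).
    allow_local_lan: bool = False


def route_for(policy: TunnelPolicy, dst: str, local_lan: ipaddress.IPv4Network) -> str:
    """Decide whether one destination leaves via the tunnel or the local ISP link."""
    ip = ipaddress.ip_address(dst)
    if policy.allow_local_lan and ip in local_lan:
        return "local"
    if not policy.split_networks:
        return "tunnel"                       # full tunnel: HQ sees everything
    if any(ip in ipaddress.ip_network(n) for n in policy.split_networks):
        return "tunnel"                       # listed corporate prefix
    return "local"                            # "unknown" address: use the ISP link


def assess(policy: TunnelPolicy, local_lan: str, destinations: list) -> dict:
    """Route each destination and summarise the two properties the thread argues over."""
    lan = ipaddress.ip_network(local_lan)
    routes = {d: route_for(policy, d, lan) for d in destinations}
    off_lan_direct = [d for d, r in routes.items()
                      if r == "local" and ipaddress.ip_address(d) not in lan]
    lan_direct = [d for d, r in routes.items()
                  if r == "local" and ipaddress.ip_address(d) in lan]
    return {
        "routes": routes,
        # True: the host talks to the Internet on its own while holding a
        # tunnel into the corporate network, the "backdoor" worry.
        "internet_direct": bool(off_lan_direct),
        # False reproduces Nat's observation: the home share disappears.
        "lan_reachable": bool(lan_direct),
    }


# Constructed scenario: an HQ server, a share on the home LAN, a web site.
HOME_LAN = "192.168.1.0/24"
DESTINATIONS = ["10.0.0.5", "192.168.1.20", "198.51.100.7"]

if __name__ == "__main__":
    for label, policy in (
        ("no split tunnel", TunnelPolicy()),
        ("split tunnel 10/8", TunnelPolicy(split_networks=["10.0.0.0/8"])),
        ("no split, local LAN allowed", TunnelPolicy(allow_local_lan=True)),
    ):
        print(label, assess(policy, HOME_LAN, DESTINATIONS))
```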



Re[2]: VPN is a Backdoor !!! [7:27725]

2001-11-29 Thread SentinuS

But I think VPN is not a backdoor if you use the right security policy and
the right configuration. There is one issue: the client. If you can secure
your client, there is no weakness.


Thursday, November 29, 2001, 11:47:08 PM, you wrote:
PR> Even then though, you're not secure.  If the box is compromised before you
PR> connect then even when the firewall is enforced, malicious activity could
PR> still take place...the attacker would not be able to connect to the
PR> machine but could leave dastardly code behind to do his job for him.

PR> I am working on this scenario now as well.  I am attempting to come up with
PR> a best practice for cleaning a machine, installing a firewall, etc. for
PR> any vpn client.  Let me know how yours goes!

PR> -Patrick

---cut---

SentinuS
Best Regards
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27748t=27725



Re: VPN back door [7:27734]

2001-11-29 Thread George Murphy CCNP, CCDP

I did the same thing you did Nat. It works like a champ (except using 
Nortel Contivity). We have too many users with broadband to risk 
anything, and most of them think a firewall is something stunt 
people try to run through without getting scorched. Cheers..

George
Somewhere In Texas, USA

Nat Heidler wrote:

I recently installed a VPN at work (city government). You would be much
better off disabling split-tunneling at the concentrator level rather
than trying to push it out to each client. That will stop your
back doors. And yes, it even cuts out all connections on a local network. I
have 4 machines in a workgroup at home, with a shared music drive. When I VPN
into work, that share is no longer available to other clients.

Nat
Somewhere in Kansas, USA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27770t=27734






VPN nat twice [7:27589]

2001-11-28 Thread Jim Bond

Hello,

I've got clients using the Cisco VPN client to connect to a VPN
concentrator at HQ. Some clients have to be
NATed twice. Will this work? Theoretically, I think it
should work, but it's not documented on CCO. Anyone
got a link?

Thanks in advance.

Jim





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27589t=27589



Re: VPN nat twice [7:27589]

2001-11-28 Thread Allen May

By NATed twice do you mean a different network or subnet?  Each subnet is
set as a rule in the client so you can connect to different networks as long
as the network subnets don't overlap.

Allen
- Original Message -
From: Jim Bond 
To: 
Sent: Wednesday, November 28, 2001 4:09 PM
Subject: VPN nat twice [7:27589]


 Hello,

 I've got clients using the Cisco VPN client to connect to a VPN
 concentrator at HQ. Some clients have to be
 NATed twice. Will this work? Theoretically, I think it
 should work, but it's not documented on CCO. Anyone
 got a link?

 Thanks in advance.

 Jim





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27643t=27589



Cisco VPN behind Windows 2000 ICS [7:27358]

2001-11-26 Thread George Kallingal

Is anyone aware of a known incompatibility with Windows 2000 Pro Internet
Connection Sharing and the Cisco VPN client?  It would appear that I connect
to the concentrator but there isn't any traffic going across the pipe.  

My configuration is as such


Computer w/ Cisco VPN client -- Win2K w/ICS --  Internet


Any help or suggestions would be greatly appreciated.


George




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27358t=27358



What port for Win2K VPN [7:26897]

2001-11-20 Thread Inamul

I'd like to run a Win2K VPN server behind the Cisco PIX 520 firewall and
am wondering what port I would need to open on the PIX so it sends all VPN
requests to the Win2K box running behind the PIX or on the SSN.
Has anyone done this? Any recommendation would be helpful..

thanks
Inamul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26897t=26897



Re: What port for Win2K VPN [7:26897]

2001-11-20 Thread Allen

Inamul-
I run a similar setup with no problem. Here's a snippet of the PIX config.

---
! maps private address to real IP where 172.20.1.65 is MS VPN server.
static (inside,outside) A.B.C.D 172.20.1.65 netmask 255.255.255.255 0 0
! permits ports for incoming VPN
conduit permit tcp host A.B.C.D eq 1723 any (hitcnt=314)
conduit permit gre host A.B.C.D any (hitcnt=3514715)


Hope this helps,
Allen Erkman
[EMAIL PROTECTED]
MCSE, CCNA, CCDA, CCNP


- Original Message -
From: Inamul 
To: 
Sent: Tuesday, November 20, 2001 11:15 AM
Subject: What port for Win2K VPN [7:26897]


 I'd like to run a Win2K VPN server behind the Cisco PIX 520 firewall and
 am wondering what port I would need to open on the PIX so it sends all VPN
 requests to the Win2K box running behind the PIX or on the SSN.
 Has anyone done this? Any recommendation would be helpful..

 thanks
 Inamul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26912t=26897



Re: What port for Win2K VPN [7:26897]

2001-11-20 Thread David Tran

On the PIX, you need to open port tcp 1723 and GRE 47, assuming that you
are using Microsoft PPTP buggy stuff.

- Original Message -
From: Inamul 
To: 
Sent: Tuesday, November 20, 2001 2:15 PM
Subject: What port for Win2K VPN [7:26897]


 I'd like to run a Win2K VPN server behind the Cisco PIX 520 firewall and
 am wondering what port I would need to open on the PIX so it sends all VPN
 requests to the Win2K box running behind the PIX or on the SSN.
 Has anyone done this? Any recommendation would be helpful..

 thanks
 Inamul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26916t=26897
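Allen's snippet and David's answer both come down to the same two openings: TCP/1723 and GRE to the published server, and nothing more. As an added check (example code, not Allen's or David's configuration), the Python below reads PIX 6.x-style static and conduit lines, strips the hitcnt suffix that `show conduit` appends, and reports whether the server behind the static is reachable on exactly those two things or on more; 203.0.113.10 is a constructed placeholder for A.B.C.D.

```python
"""Audit what a PIX static/conduit pair exposes for a published PPTP server.

Example code added to the thread, not from any post. The sample config is
constructed: 203.0.113.10 stands in for the real global address A.B.C.D.
"""
import re
from dataclasses import dataclass, field

# PPTP needs exactly two things to reach the server: TCP/1723 for the
# control connection and GRE (IP protocol 47) for the tunnelled PPP frames.
PPTP_REQUIRED = {("tcp", "1723"), ("gre", None)}

# Constructed sample in the shape of the posted snippet (hitcnt values are
# what `show conduit` prints; they are not part of the configuration).
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.10 172.20.1.65 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.10 eq 1723 any (hitcnt=314)
conduit permit gre host 203.0.113.10 any (hitcnt=3514715)
"""

# Same server, plus two conduits that open far more than PPTP needs.
OVERLY_BROAD_CONFIG = SAMPLE_CONFIG + """
conduit permit ip host 203.0.113.10 any
conduit permit tcp host 203.0.113.10 any
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^static\s+\(\w+,\w+\)\s+(?P<global>{IP})\s+(?P<local>{IP})\b")
CONDUIT_RE = re.compile(
    rf"^conduit\s+permit\s+(?P<proto>\w+)\s+host\s+(?P<global>{IP})"
    r"(?:\s+eq\s+(?P<port>\w+))?\s+(?P<foreign>any|host\s+\S+|\S+\s+\S+)\s*$")


@dataclass
class Exposure:
    global_ip: str
    local_ip: str
    permitted: set = field(default_factory=set)   # (proto, port-or-None) pairs
    broad: list = field(default_factory=list)     # conduits wider than one port


def parse_pix(config: str) -> dict:
    """Map each static's global address to the conduits that reach it."""
    statics, conduits = {}, []
    for raw in config.splitlines():
        # drop show-output residue so pasted `show conduit` lines parse too
        line = re.sub(r"\s*\(hitcnt=\d+\)", "", raw).strip()
        if m := STATIC_RE.match(line):
            statics[m["global"]] = Exposure(m["global"], m["local"])
        elif m := CONDUIT_RE.match(line):
            conduits.append((m["proto"].lower(), m["port"], m["global"], line))
    for proto, port, gip, line in conduits:
        exp = statics.get(gip)
        if exp is None:
            continue  # conduit to an address without a static: out of scope here
        exp.permitted.add((proto, port))
        # "ip", or a TCP/UDP conduit with no port, lets in every port
        if proto == "ip" or (proto in ("tcp", "udp") and port is None):
            exp.broad.append(line)
    return statics


def pptp_verdict(exp: Exposure) -> dict:
    """Compare what is permitted with what PPTP actually needs."""
    missing = PPTP_REQUIRED - exp.permitted
    extra = exp.permitted - PPTP_REQUIRED
    return {
        "server": f"{exp.global_ip} -> {exp.local_ip}",
        "complete": not missing,        # both TCP/1723 and GRE are present
        "missing": missing,
        "extra": extra,                 # anything beyond PPTP
        "broad": exp.broad,             # the offending conduit lines
    }


if __name__ == "__main__":
    for name, cfg in (("minimal", SAMPLE_CONFIG), ("broad", OVERLY_BROAD_CONFIG)):
        for exp in parse_pix(cfg).values():
            print(name, pptp_verdict(exp))
```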



Re: What port for Win2K VPN [7:26897]

2001-11-20 Thread Inamul

Thank you for your help, this will be a temporary solution
so the MS buggy software will do it for now as the VPN has
to be up by tomorrow.
Eventually, I would like to use the PIX VPN solution
but do not know much about the PIX yet and do not have
time to spend days to figure it out. I will be using the
PIX later when I know a bit about the PIX and how to
set it up etc..

thanks

Inamul

David Tran wrote in message news:[EMAIL PROTECTED]...
 On the PIX, you need to open port tcp 1723 and GRE 47, assuming that you
 are using Microsoft PPTP buggy stuff.

 - Original Message -
 From: Inamul
 To:
 Sent: Tuesday, November 20, 2001 2:15 PM
 Subject: What port for Win2K VPN [7:26897]


  I'd like to run a Win2K VPN server behind the Cisco PIX 520 firewall and
  am wondering what port I would need to open on the PIX so it sends all VPN
  requests to the Win2K box running behind the PIX or on the SSN.
  Has anyone done this? Any recommendation would be helpful..
 
  thanks
  Inamul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26924t=26897



RE: VPN monitoring software [7:26235]

2001-11-17 Thread Jake Gibb

It's supposed to allow you to manage multiple VPN tunnels using Cisco
PIX firewalls and VPN concentrators. I am trying to get a copy from
Cisco now. 

-Jake

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Hansraj Patil
Sent: Friday, November 16, 2001 5:41 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN monitoring software [7:26235]


Never heard of this VPN monitoring software.

What does it do ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Gibb, Jake
Sent: Wednesday, November 14, 2001 8:09 AM
To: [EMAIL PROTECTED]
Subject: VPN monitoring software [7:26235]


Has anyone used Cisco's VPN monitoring software? We have a handful of
tunnels that we need remote management for..

-Jake




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26576t=26235



vpn [7:26452]

2001-11-16 Thread cage

In order to enable a VPN between a Cisco 3640 with the VPN feature and
Windows 2000, and communicate between both private networks: when packets
go outbound into the other side's private network, is their real destination
IP address hidden inside the packets, and is the destination IP address
routed on the internet that of the other side's VPN server?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26452t=26452



RE: vpn [7:26452]

2001-11-16 Thread Alex Lei

If I understand you correctly, yes. The real destination IP is hidden, and
the destination IP address visible to the internet is the VPN server on the
other side.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26511t=26452



Client Internet access through PIX VPN [7:26530]

2001-11-16 Thread John Zei

Hello,
I have two offsite clients.  Both connect to our LAN through a PIX 515 via
the 3.1.1 client.  One client uses DHCP, the other is static.  I have
split-tunnel enabled on the PIX referencing a separate access-list than my
NAT statement.  The client using DHCP can access the internet while
connected to our LAN through VPN but the static client cannot.  He can only
access the internet when disconnected from our LAN.  I would like the static
client to be able to access the Internet while connected to our LAN as well.
Any ideas?

Thanks,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26530t=26530



RE: VPN monitoring software [7:26235]

2001-11-16 Thread Hansraj Patil

Never heard of this VPN monitoring software.

What does it do ?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26559t=26235



Cisco VPN between two site on the same IP scheme [7:26346]

2001-11-15 Thread mailsecurite

Hello,

I've got two sites which use the same IP addresses (but
there are no duplicate IP addresses) and I want to
encrypt the serial link between them.

So is it possible to create a VPN with a bridging
configuration? Or do I need NAT?

regards,
steve





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26346t=26346



Cisco Pix Firewall and Sonicwall VPN [7:26195]

2001-11-14 Thread exchange

Hi All,
 
Can somebody help me out on configuring one of these setups? I have
researched the web and have documentation on getting the Pix to work with
Sonicwall using IKE.  Basically one side would have a Sonicwall while
the other would be the Pix.  That would work, but my boss wants to use 2
Sonicwall boxes and wants one of them to be on the Pix's DMZ.  My
question is whether this would be possible.

Sonicwall A would be at another company's A site, which is providing me
with 192.168.100.1 for our Sonicwall on the LAN and 205.202.22.12
for the WAN.  Company A has given us an internal 194.100.1.230-249 range
with 194.100.1.250 being the default gateway for our PCs.  For PCs to go
out through the VPN to our 192.168.1.x network, I would request that
they put a route on their gateway, which I think is their firewall, to
route 192.168.1.x traffic to our Sonicwall box.

On the other end is a Pix Firewall with 3 interfaces: inside, outside,
and dmz.  All traffic going to the outside is Port Address Translated
to a specific IP address.  The DMZ is in the 172.22.100.x network. The
Pix is currently set up to do NAT from the inside to the DMZ via the nat
command.  The inside network is using the private IP address network
192.168.1.x.  Is there a way to allow traffic that is originating from
192.168.1.x and going to 192.168.100.x to reach the
Sonicwall via the DMZ interface?  I know you can do a route for
192.168.100.x via 172.22.100.10 (the Sonicwall's IP address on the DMZ) but
would this work?  Would the system on the other side be able to figure
out how to route the VPN traffic back?  There's an access-list command
nonat that I could use but I am not sure how I could get it to work
here.

Any ideas on whether this is possible, or anyone who has done something
like this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26195t=26195



VPN monitoring software [7:26235]

2001-11-14 Thread Gibb, Jake

Has anyone used Ciscos VPN monitoring software? We have a handful of
tunnels that we need remote management for..

-Jake




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26235t=26235



Linux client for Cisco VPN 3005 support internet sharing? [7:26096]

2001-11-13 Thread suaveguru

Hi, does anyone know if the Linux Client by Cisco for the VPN concentrator
3005 supports Internet sharing?

What I mean is: if a Linux server dials up to the VPN
3005 server, can it be installed for Internet sharing
for the rest of the Linux clients?


regards,
suaveguru





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26096t=26096



IPSec VPN [7:26137]

2001-11-13 Thread Jim Bond

Hello,

We've got a 3660 at the central office and PIXes at satellite
offices to do IPSec VPN. Sometimes the PIX couldn't connect to the
3660 and I have to reboot the 3660 to make it work. I'm
wondering if there is an easy way, say clearing the
connection, so I don't have to reboot the 3660?

Thanks in advance.

Jim





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26137t=26137



Re: IPSec VPN [7:26137]

2001-11-13 Thread Paul Lalonde

Hi Jim,

Sounds like you're using an older IOS with flaky IPSEC code. Try upgrading
to one of the 12.2 releases. Solves a lot of IPSEC issues.  May also need a
policy route map on the router side (internal interface) to set the DF bit
to 0 (don't fragment). Will solve MTU issues with IPSEC between the two
boxes.

Paul Lalonde





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26141t=26137



vpn client, windows 98 and RSA ACE [7:26149]

2001-11-13 Thread Fly Ers

we are using vpn client (3.0.6 rel 2 and 3.1.1) to connect to a vpn 3000
concentrator with RSA ACE server 5.0 authenticating the connections.  Put
Windows 98 in the mix and there tend to be problems.

#1 problem - VPN Subsystem unavailable - cannot make IPSec Connection

#2 problem - VPN client will not pass the request for PIN creation (when the SecurID
token is in New PIN mode)

If you have any information on the following symptoms and resolutions.  It
seems to be a limitation of Windows 98, where the problem is most prominent.


I checked out technet and bug navigator II as well as TAC

thanks







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26149t=26149



Re: Passed Cisco Secure VPN! [7:25635]

2001-11-09 Thread Ocsic

Great...
Any study material you like to share...


Theodore stout  wrote in message
news:[EMAIL PROTECTED]...
 Man this test was hard!  I got over 850 on it.

 This was incredibly difficult.  What I would recommend is to know the
 environment of VPNs and not just Cisco's implementation of them.

 What helped me:  I read MCNS again twice before the test.
 I read the CSVPN text so many times that at least 30% of the pages have
 fallen out. Seriously!
 Work experience.
 The ADV PIX test.  Do not attempt this test without the ADV PIX test first.
 Know the concentrators.  Sleep with them, propose marriage.
 Start reading the recommended books for the CCIE Security exam.  I have read
 about half of them and they really helped me to understand the environment
 of VPN.
 Finally, the RSA series of books.  They really helped me again to understand
 where Cisco was coming from and why certain solutions are preferred.  Coming
 from a router and trunking background, I personally feel very relaxed with
 the PIX but rather hostile towards the concentrators.  It helped me to get
 to know other vendors and understand Cisco's marketing and sales strategy
 against them in context of their manuals.  Just made life easier.

 IDS...Next week.  I heard the Darth Maul was the exam protractor.

 Peace

 Theo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25647t=25635



Re: VPN/Secure Connectivity [7:25668]

2001-11-08 Thread Jim Gillen

Try McGraw-Hill's book Implementing CISCO VPN's...it will give you practical
advice as well as the needed explanation to understand it.




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



[EMAIL PROTECTED] wrote on 8/11/01 23:00:31:


Hi everybody,
I have a serious problem. In our office we have to implement a VPN whereby 2
sites can have secure connections. We have ISP providers who have given us
public IP addresses 202.145.x.x.  We have ISDN dial-up lines at both
ends up to the ISP/VPN service providers.  We have Win2k as servers at one end
and Windows98/WinNT Wks as clients to connect to the Win2k m/cs at the other end to
access applications, but I really don't know the procedure for what
configuration is to be done on the Win2k and Win98 machines to provide the VPN
/secure connectivity and encryption methods etc. Can anybody help me in
doing so, at least with the documentation or URLs pertaining to this
information.
Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25712t=25668



Re: Passed Cisco Secure VPN! [7:25635]

2001-11-08 Thread Theodore stout

Just go read RFC 2401-9 They will help you a lot.

I would give you my texts but they are sacred to me now. :-)

I am sure that the official Cisco Study book for this is coming out soon. 
Just get that and read it, sleep with it, propose marriage...blah!

Study tactic: look here
http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/9E0-570.html

As you can see from the headlines, it is all about CAs and Pre-shared keys
and how you use them in the client, 3000 Concentrator, IOS, and PIX.  That
is all.  If you can organize your thinking about this then everything will
work well for you.

Khan-just go buy Boson and get 90% before you step foot in.  It is worth the
$40.

Peace


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25724t=25635



Re: browsing network with VPN [7:25679]

2001-11-08 Thread Alex Lee

Check the 'Release Notes for Cisco VPN Client, Release 3.0'. There are
several open caveats which may be relevant, in particular CSCds65138 and
CSCdt23662.

Make sure
(1) that the user uses domain user logon.
(2) that your network's WINS server IP address appears on the PPP adaptor if it is
dialup VPN and the PC is running Win98.

Plantier, Spencer  wrote in message
news:[EMAIL PROTECTED]...
 We have VPN client 3.0 installed and we can get to the network fine but
 cannot browse the network. Any help would be appreciated.

 Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25687t=25679



RE: VPN Question [7:25593]

2001-11-08 Thread Marshal Schoener

Thanks guys,

I'm going to go with the hardware.

Now I just need to figure out how I'm going to put voice over it.  :-)

   Thanks again,


-Original Message-
From: Bill Carter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 07, 2001 3:36 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN Question [7:25593]


You have to look at how much load you want to put on the 3600.  IPSec VPN is
processor intensive.  What is CPU utilization now?? 0%-3%??  Using the
hardware client would leave you more room for future expansion on the 3600.
If you have the dollars I would buy the client.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Marshal Schoener
Sent: Wednesday, November 07, 2001 1:41 PM
To: [EMAIL PROTECTED]
Subject: VPN Question [7:25593]


Quick VPN question for you guys :-)

I have a central site with a VPN3000 Concentrator.
I want to setup a VPN with a client site that has a 3640 router available.

Do you guys think it is wiser to go with some hardware, like the Cisco VPN
3002 Hardware Client to establish the connection?
Or would you choose client software that goes directly into the router to
establish the connection to the concentrator?
The hardware client is around $700, which in my opinion isn't too bad.

 Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25677t=25593



1720 VPN setup [7:25022]

2001-11-01 Thread Dave Shine

I have a 1720 router with the VPN/firewall software
installed. Does any one have a sample config to setup
the router to allow users to VPN in from home? All I
can find on Cisco's site is how to create a branch to
branch tunnel.

It would be appreciated.

- D.S





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25022t=25022



RE: 1720 VPN setup [7:25022]

2001-11-01 Thread Keyur Shah

What will your users be using? VPN client 3, Cisco Secure client 1.1, or the
Win2K VPN client?

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25026t=25022



Cisco Pix 6.1.1 (on 515) VPN w/ W2K CA [7:24873]

2001-10-31 Thread Matthew Sherian

I've been attempting to setup a Pix VPN with L2TP and IPSec on win2k clients
with a pix/w2k-CA/PDC. I've installed the CA services, generated the
appropriate keys and configured the algorithm and hash types on both sides.

as follows:
isakmp enable outside
isakmp peer ip 192.168.1.247 no-xauth 
isakmp policy 2 authentication rsa-sig
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
ca identity pdc 192.168.1.247:/certsrv/mscep/mscep.dll 
when attempting the auth/enroll the following errors occur:
redfish(config)# ca auth pdc E2BA67F2537C1E110306A611F5B1A399F7AECB54

CI thread sleeps!
Crypto CA thread wakes up!
CRYPTO_PKI: http connection opened
redfish(config)# 
CRYPTO_PKI: transaction GetCACert completed
Crypto CA thread sleeps!
CI thread wakes up!

redfish(config)# ca enroll pdc 
%
% Start certificate enrollment .. 

% The subject name in the certificate will be: redfish.themunicenter.com

CI thread sleeps!
Crypto CA thread wakes up!
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.

redfish(config)# 
CI thread wakes up!
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status: 
Crypto CA thread sleeps!
CRYPTO_PKI: can not find peer root public key.
CRYPTO_PKI: status = 65535: failed to set up peer auth context
CRYPTO_PKI: status = 65535: fail to send out pkcsreq
CRYPTO_PKI: All sockets are closed.
PKI: key process suspended and continued
Insert Selfsigned Certificate: 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24873t=24873



RE: VPN [7:24231]

2001-10-28 Thread Brian Wilkins

I've used a few variations of VPN products and here are some thoughts that
might help.

1.  Use something that supports industry-standard specs such as IPSEC,
ISAKMP, etc.  In the past I have primarily used Shiva (now Intel) which is
REALLY easy to deploy and manage, but is also very proprietary.  Now we are
switching VPN solutions, and will be forced to redistribute client software
(bummer).  I believe Intel's new solution is headed more in the direction of
industry standard specs, but may not quite be there yet.

2.  Consider how your internal Internet connectivity is configured.  If you
are using NAT for your internal users to get to the Internet, and are going
to try to run VPN through a NAT'd address, you have a problem.  Industry
standard VPN (IPSEC) uses TCP, and does not play well with NAT (because of
the port # switching, etc).  There is currently a big discussion underway
about how to get around this problem, which they claim will be resolved
soon.  If your VPN solution uses UDP, such as Shiva does (or did until Intel
dropped the product recently), you can get away with NAT because you are
using UDP.  There was a good article in last month's edition of Information
Security Magazine that explained it much better than I could hope to.

Anyway, hope that helps.  Since my company is also looking into replacing
our VPN solution, I'd be glad to work together with you and compare notes as
we go along through the process.  So drop me an email if you are interested.

Best Of Luck,

Brian Wilkins
CNE / MCSE / CCNP








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24420t=24231



Re: VPN [7:24231]

2001-10-28 Thread Tim O'Brien

Have you looked at the Cisco 3000 series VPN concentrators? They are
awesome! Very easy to setup and configure. Have an excellent client that
currently supports Win95/98/ME/NT/2000/Linux and there is Mac support in
beta now. It also has a hardware client (the 3002) if you need remote
offices or home users with several machines. It will sit behind a Cable
Modem or DSL and grab an IP and hand out DHCP (up to 254 addresses) inside.
The 3000 series is also fully capable of creating site-to-site VPN
connections with PIX and IOS routers as well as other 3000 series
concentrators. They have 4 different models (I think) and the low end is
very inexpensive. The top end scales to 10K concurrent connections and also
fully supports VRRP for redundancy. If you want any more information just
let me know! We have been using one for about 6 or 8 months and it has been
perfect. The 3000 series also fully supports NAT, as it opens the packet up
and looks at the actual IP address. Works great.

Tim


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24422t=24231



VPN [7:24231]

2001-10-26 Thread khramov

Does anyone have any recommendations on VPN products?  Links to articles
and personal experience would be great.
As far as I know Cisco VPN concentrators, Check Point, and Nokia rule the
market.   What is your opinion on that?

Thanks,
Alex

[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of khramov.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24231t=24231



RE: PIX with PAT and VPN [7:23490]

2001-10-25 Thread Theodore stout

Thanks Hansraj!

I looked at your config.  There is only one command that I do not have

isakmp identity outside

I am downgrading my IOS to 5.2(5) and 5.2(3) to see if it works.  I have had
problems with the VPN concentrator 6.x IOS with partner and client tunneling
and did the same thing, downgraded to 5.2.21 and got things to work.  I am
confident that this will cause it to work.

I additionally got the PAT-VPN and Internet access to work on one side.
With an IOS Firewall Router VPN PIX 6.01 VPN PAT.  I got 3 devices to encrypt
and use the Internet at the same time from the PIX side.  I think that to
get it working I will need the 5.2 and above IOS.

I looked at http://www.cisco.com/warp/public/110/pixhubspoke.html of
course.  What I found is that there are no Global commands for the PIX's
there so it really didn't help me.  However, Internet access was available
in those configs, and they used the isakmp identity outside command, as did your config.

If this works and you are ever in Japan I will get you a beer!

To everyone else, remember that I have always used the NAT 0 and  Global
interface commands.

Peace

Theo


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24203t=23490



Re: PIX with PAT and VPN [7:23490]

2001-10-24 Thread Allen May

IPSec does not work with PAT on a PIX.  You can with NAT though.

http://www.cisco.com/warp/public/707/ipsecnat.html

Allen
- Original Message -
From: Theodore stout 
To: 
Sent: Wednesday, October 24, 2001 1:02 AM
Subject: RE: PIX with PAT and VPN [7:23490]


 I got the same access-lists on both sides and they have been verified by
 other people.  I know this will not take me down.

 If you can e-mail me the config it would be great!  I would like to see how
 it works in real life.  So far 2 ISPs have failed to give me a working
 config.  Everything is theoretical and promises but it doesn't work like
 Checkpoint.

 What I am fearing is that it is the command Global (outside) 1 interface
 that is giving me the grief.  I think that I will need another IP address
 for PAT instead of using the same IP for the interface and PAT.  In your
 response, you said that the negotiation is between (a) public IP address.
 Yes this is true, but what if it is the same as the interface?

 So far I have only seen this work with a pool of public IPs.

 Hansraj Patil wrote:
 
  I have seen this working. You have to use

  nat (inside) 0 access-list 101.

  The IPSec and IKE negotiation is between public IP addresses. So
  the question of port limitation does not arise. The internal IP
  addresses are not involved in IPSec negotiation.
  You use the above statement to avoid routing problems between the two
  LAN segments.

  Just make sure the access-list is a mirror image on both peers.
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Monday, October 22, 2001 1:41 AM
  To: [EMAIL PROTECTED]
  Subject: Re: PIX with PAT and VPN [7:23490]
 
 
  I tried this and it did not work.   When IPSEC negotiates a VPN session
  between the two PIX's, it will PAT an internal device from Network A as
  206.112.71.5 and use 206.112.71.5:500 for the negotiation.  Once another
  device wishes to access a device behind 206.112.71.6, it will have to use
  206.112.71.5:500 as well.  Cisco IPSEC will only allow one port 500 per IP.
  This means the original device will be moved from port 500 to a different
  port.  IPSEC only uses port 500 for the negotiation and therefore the
  original connection fails.

  I did as you said but I added another command like this.

  Global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0.
  Nat (inside) 0 access-list 101

  Access-list 101 is the traffic to be encrypted.  I have tried not to use PAT
  with encrypted data because of the IP:Port limitation problem.  However, it
  still won't work.

  Any more suggestions?

  [EMAIL PROTECTED] wrote:
  
   With PIX you must have one legal address for the outside interface on
   BOTH PIXs.  That's actually enough to do what you want to do.  Say that
   your legal address on PIX1 is 206.112.71.5/30.  Go to PIX2, start up
   ipsec and input  isakmp key 'your key' address 206.112.71.5.  Then input
   crypto map 'your map-name' 'your sequence number' set peer 206.112.71.5
   Say that your legal address on PIX2 is 206.112.71.6/30.  Go to PIX1, start
   up ipsec and input  isakmp key 'your key' address 206.112.71.6.  Then
   input crypto map 'your map-name' 'your sequence number' set peer
   206.112.71.6

   Now on PIX1 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0.  Then input global
   (outside) 1 206.112.71.5
   Now on PIX2 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0.  Then input global
   (outside) 1 206.112.71.6
   Now just complete your isakmp and crypto-map settings and you will be
   doing one single VPN between peers and PAT to the Internet.  That's the
   best you can do on PIX with only a 30 bit legal subnet mask.

   John Squeo
   Technical Specialist
   Papa John's Corporation
   (502) 261-4035
  
   John Squeo
   Technical Specialist
   Papa John's Corporation
   (502) 261-4035
  
  
  
  
   From: Theodore stout (sent by: nobody@groupstudy.com)
   To: [EMAIL PROTECTED]
   Subject: PIX with PAT and VPN [7:23490]
   Date: 10/19/01 02:23 AM
   Please respond to Theodore stout

   Hello everyone.

   I am trying to implement 2 Internet connectivity solutions while at the
   same time creating 2 VPN solutions between two sites.  What I would
   like to do is use a PIX 515 at both sites, tunnel IPSEC between the sites
   and still have normal access to the Internet.

   My problem is that I only have one IP address per site.  In all of the
   solutions provided by Cisco, I would need a pool of registered IP
   addresses for NAT.  PAT is not even possible.

   I know that this VPN-PAT-FW1FW1-PAT-VPN solution is available with
   Checkpoint.  However, I would prefer a Cisco only solution.

   Any suggestions?

   Theodore Stout
   Security Engineer
   CCSE, CCNA, MCSE
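
The nat 0 exemption and PAT arrangement that John Squeo and Hansraj Patil describe above, as an added Python model written for this page (it is not any poster's or Cisco's code). It reuses the thread's peer addresses 206.112.71.5 and 206.112.71.6; the private LANs 10.1.0.0/16 and 10.2.0.0/16, the Internet host 198.51.100.7 and the PAT port allocation starting at 1024 are constructed assumptions.

```python
"""Model of the PIX NAT decisions discussed in this thread (added example).

It models three configuration lines quoted in the thread:

    nat (inside) 0 access-list 101       -> tunnel traffic is never translated
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0   -> everything else is translated ...
    global (outside) 1 interface         -> ... to the outside address (PAT)

plus the advice that access-list 101 must be a mirror image on both peers.
Peer addresses 206.112.71.5/.6 are from the thread; the LANs, the Internet
host and the PAT port numbering are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ESP = 50           # IP protocol number of the encrypted tunnel packets
ISAKMP_PORT = 500  # UDP port of the IKE negotiation


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list 101 permit ip <src> <mask> <dst> <mask>' line."""
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl, src: IPv4Address, dst: IPv4Address) -> bool:
    """True when some entry of the ACL covers the (src, dst) pair."""
    return any(src in e.src and dst in e.dst for e in acl)


def is_mirror_image(acl_a, acl_b) -> bool:
    """Hansraj's check: each peer's crypto ACL is the other's with src/dst swapped."""
    return {(e.src, e.dst) for e in acl_a} == {(e.dst, e.src) for e in acl_b}


@dataclass
class Pix:
    outside_ip: IPv4Address
    peer_ip: IPv4Address
    nat0_acl: list                  # access-list 101 on this box
    next_pat_port: int = 1024       # first port PAT hands out (simplification)
    pat_table: dict = field(default_factory=dict)

    def ike_endpoints(self):
        """IKE is negotiated between the two outside addresses themselves,
        so inside hosts never compete for UDP 500 on the PAT address."""
        return (str(self.outside_ip), ISAKMP_PORT, str(self.peer_ip), ISAKMP_PORT)

    def forward(self, src: str, sport: int, dst: str, dport: int) -> dict:
        """Decide how a packet from an inside host leaves the outside interface."""
        s, d = ip_address(src), ip_address(dst)
        # NAT exemption (nat 0 access-list) is checked before any other nat line.
        if acl_permits(self.nat0_acl, s, d):
            # Inner header untouched; the crypto map wraps it in ESP addressed
            # from this PIX's outside IP to the peer's outside IP.
            return {"path": "tunnel",
                    "outer": (str(self.outside_ip), str(self.peer_ip), ESP),
                    "inner": (src, sport, dst, dport)}
        # nat (inside) 1 + global (outside) 1 interface: rewrite the source to
        # the outside address and a fresh port, one per inside (ip, port).
        key = (src, sport)
        if key not in self.pat_table:
            self.pat_table[key] = self.next_pat_port
            self.next_pat_port += 1
        return {"path": "internet",
                "outer": (str(self.outside_ip), self.pat_table[key], dst, dport)}


def build_peers():
    """The two PIX 515s of the thread, each with a mirror-image access-list 101."""
    lan1, lan2 = ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")
    pix1 = Pix(ip_address("206.112.71.5"), ip_address("206.112.71.6"),
               [AclEntry(lan1, lan2)])
    pix2 = Pix(ip_address("206.112.71.6"), ip_address("206.112.71.5"),
               [AclEntry(lan2, lan1)])
    return pix1, pix2


if __name__ == "__main__":
    pix1, pix2 = build_peers()
    print("ACLs mirror each other:", is_mirror_image(pix1.nat0_acl, pix2.nat0_acl))
    print("IKE endpoints:", pix1.ike_endpoints())
    print(pix1.forward("10.1.0.5", 40000, "10.2.0.9", 445))     # tunnel, no NAT
    print(pix1.forward("10.1.0.5", 40000, "198.51.100.7", 80))  # PAT, port 1024
    print(pix1.forward("10.1.0.6", 40000, "198.51.100.7", 80))  # PAT, port 1025
```

Running it shows that traffic matching access-list 101 keeps its private addresses inside ESP between the two outside addresses while everything else is PATed to the single public IP, and that IKE itself is sourced from the outside address rather than from an inside host.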

RE: PIX with PAT and VPN [7:23490]

2001-10-24 Thread Patrick Ramsey

You definitely want to use a different IP address for PAT than what you have
set on the interface.  I'm surprised PAT is even working, unless Cisco has
made some changes to their code recently.

-Patrick

Theodore stout wrote on 10/24/01 02:02AM:
I got the same access-lists on both sides and they have been verified by
other people.  I know this will not take me down.

If you can e-mail me the config it would be great!  I would like to see how
it works in real life.  So far 2 ISPs have failed to give me a working
config.  Everything is theoretical and promises but it doesn't work like
Checkpoint.

What I am fearing is that it is the command Global (outside) 1 interface
that is giving me the grief.  I think that I will need another IP address
for PAT instead of using the same IP for the interface and PAT.  In your
response, you said that the negotiation is between (a) public IP address.
Yes this is true, but what if it is the same as the interface?

So far I have only seen this work with a pool of public IPs.

Hansraj Patil wrote:
 
  I have seen this working. You have to use

  nat (inside) 0 access-list 101

  The IPSec/IKE negotiation is between public IP addresses, so the question
  of port limitation does not arise. The internal IP addresses are not
  involved in IPSec negotiation. You use the above statement to avoid routing
  problems between the two LAN segments.

  Just make sure the access-list is a mirror image on both peers.
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Monday, October 22, 2001 1:41 AM
  To: [EMAIL PROTECTED]
  Subject: Re: PIX with PAT and VPN [7:23490]

  I tried this and it did not work.  When IPSEC negotiates a VPN session
  between the two PIX's, it will PAT an internal device from Network A as
  206.112.71.5 and use 206.112.71.5:500 for the negotiation.  Once another
  device wishes to access a device behind 206.112.71.6, it will have to use
  206.112.71.5:500 as well.  Cisco IPSEC will only allow one port 500 per IP.
  This means the original device will be moved from port 500 to a different
  port.  IPSEC only uses port 500 for the negotiation and therefore the
  original connection fails.

  I did as you said but I added another command like this.

  Global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  Nat (inside) 0 access-list 101

  Access-list 101 is the traffic to be encrypted.  I have tried not to use PAT
  with encrypted data because of the IP:Port limitation problem.  However, it
  still won't work.

  Any more suggestions?

  [EMAIL PROTECTED] wrote:
   With PIX you must have one legal address for the outside interface on BOTH
   PIXs.  That's actually enough to do what you want to do.  Say that your
   legal address on PIX1 is 206.112.71.5/30.  Go to PIX2, start up ipsec and
   input  isakmp key 'your key' address 206.112.71.5.  Then input crypto
   map 'your map-name' 'your sequence number' set peer 206.112.71.5
   Say that your legal address on PIX2 is 206.112.71.6/30.  Go to PIX1, start up
   ipsec and input  isakmp key 'your key' address 206.112.71.6.  Then input
   crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6

   Now on PIX1 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0.  Then input global
   (outside) 1 206.112.71.5
   Now on PIX2 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0.  Then input global
   (outside) 1 206.112.71.6
   Now just complete your isakmp and crypto-map settings and you will be doing
   one single VPN between peers and PAT to the Internet.  That's the best you
   can do on PIX with only a 30 bit legal subnet mask.

   John Squeo
   Technical Specialist
   Papa John's Corporation
   (502) 261-4035
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24016t=23490
--
FAQ, list archives, and subscription info

Re: PIX with PAT and VPN [7:23490]

2001-10-24 Thread Don Claybrook

PAT can now use the same address as the outside interface with the
'interface' keyword:

e.g., global (outside) 1 interface

- Original Message -
From: Patrick Ramsey 
To: 
Sent: Wednesday, October 24, 2001 7:34 AM
Subject: RE: PIX with PAT and VPN [7:23490]


 You definitely want to use a different IP address for PAT than what you
 have set on the interface.  I'm surprised PAT is even working, unless Cisco
 has made some changes to their code recently.

 -Patrick

Re: PIX with PAT and VPN [7:23490]

2001-10-24 Thread Jonathan Hays

Started with PIX version 5.2

Don Claybrook wrote:

 PAT can now use the same address as the outside interface with the
 'interface' keyword:

 e.g., global (outside) 1 interface





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24027t=23490
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX with PAT and VPN [7:23490]

2001-10-24 Thread Hansraj Patil

I know sometimes global (outside) 1 interface does not work.
Make sure you have the correct PIX software version, or just upgrade to a
different PIX software version; 5.2(5) should be a good choice.

Here is the edited version of the working config.




access-list 100 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list 110 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list acl_out permit icmp any any

interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 128.32.5.98 255.255.255.0
ip address inside 10.5.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.5.1.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 128.32.5.97 1
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set standard esp-des esp-md5-hmac
crypto map peer_map 10 ipsec-isakmp
crypto map peer_map 10 match address 110
crypto map peer_map 10 set peer 128.32.19.194
crypto map peer_map 10 set transform-set standard
isakmp enable outside
isakmp key 123456 address 128.32.19.194 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX with PAT and VPN [7:23490]


I got the same access-lists on both sides and they have been verified by
other people.  I know this will not take me down.

If you can e-mail me the config it would be great!  I would like to see how
it works in real life.  So far 2 ISPs have failed to give me a working
config.  Everything is theoretical and promises but it doesn't work like
Checkpoint.

What I am fearing is that it is the command Global (outside) 1 interface
that is giving me the grief.  I think that I will need another IP address
for PAT instead of using the same IP for the interface and PAT.  In your
response, you said that the negotiation is between (a) public IP address.
Yes this is true, but what if it is the same as the interface?

So far I have only seen this work with a pool of public IPs.

RE: help with troubleshooting Cisco VPN connection [7:23695]

2001-10-23 Thread Don Claybrook

Looks like you have the NAT 0 in place.  I'm wondering about the IP Pool.  I
see your access-list 101 allows 172.16.1.0 to 172.16.2.0, both subnetted to
/24.  I wonder if maybe the PIX is looking at the IP Pool as a Class B
address since you cannot specify the mask in the IP Pool statement?  If so,
would it work to do an access-list like:

Access-list 101 permit ip 172.16.0.0 255.255.0.0 172.16.0.0

Just a guess.



 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]  On Behalf Of
Anh Lam
Sent:   Sunday, October 21, 2001 4:01 PM
To: [EMAIL PROTECTED]
Subject:help with troubleshooting Cisco VPN connection in [7:23695]

Can someone in this group help me with this problem?

I am trying to set up VPN connections for remote users (people
who use laptops on the road or people who are on their
own corporate network) to connect to my home network using
IPSec.  I am using a PIX515-UR Firewall at my home network.
The external IP address (outside) of the PIX is 66.61.46.240
while the internal IP address (inside) of the PIX is 172.16.1.254.

On the PIX, I also set up an IP pool so that the PIX will assign
IP addresses to remote clients when they connect to my home
network.  This IP pool has an IP range of 172.16.2.1-172.16.2.254.

On the client side, everyone is running Cisco VPN client
software version 3.0.6.rel2-k9 which I downloaded from the Cisco
website.  The clients are running either WinNT 4.0 Workstation,
Win2k Professional or RedHat Linux 7.1 with kernel 2.4.10.

When a client attempts to make a VPN connection to the PIX
(66.61.46.240), the connection is successful and the client is
also assigned an IP address of 172.16.2.1.  So what is the problem,
you ask?  Well, even though the client is successfully authenticated
to my home network, he/she can NOT ping any of the devices in the
172.16.1.0/24 network.  From the client, I can see the packets get
encrypted before sending out but nothing coming back (the counter
for packets decrypted on the client is zero).  Rebooting the PIX
several times did not resolve the situation either.

At this point, I decided to replace the PIX515 with a PIX520
with the exact same configuration.  With the PIX520, everything WORKS.
Clients can access devices on the 172.16.1.0/24 network.
I am running the same PIX IOS code on both the 515 and 520.  Am
I missing something in the PIX515?  I thought since I am running the
Un-Restricted (UR) license, VPN is supported.  Below is the
configuration of the PIX515.  Please help.

Thanks.
Anh

ciscopix#sh ver

Cisco PIX Firewall Version 6.1(1)
Cisco PIX Device Manager Version 1.0(2)

Compiled on Tue 11-Sep-01 07:45 by morlee

ciscopix up 9 hours 37 mins

Hardware:   PIX-515, 96 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.7a24, irq 10
1: ethernet1: address is 0050.54ff.7a25, irq 7
2: ethernet2: address is 00aa.00bc.ba87, irq 11

Licensed Features:
Failover:   Enabled
VPN-DES:Enabled
VPN-3DES:   Disabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards: Enabled
Websense:   Enabled
Inside Hosts:   Unlimited
Throughput: Unlimited
ISAKMP peers:   Unlimited

ciscopix# wr t
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security99
enable password xxx encrypted
passwd x encrypted
hostname ciscopix
domain-name micronet.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip host 66.61.46.240 172.16.2.0 255.255.255.0
access-list 80 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.61.46.240 255.255.248.0
ip address inside 172.16.1.254 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.2.1-172.16.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm location 164.109.0.0 255.255.0.0 outside
pdm location 172.16.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 66.61.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 172.16.1.0 255.255.255.0 inside
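A small model of the NAT decision argued over in both threads above: the nat (inside) 0 access-list exemption that keeps VPN-bound traffic out of PAT (Hansraj Patil's point that the IKE port-500 concern does not arise), and whether access-list 101 in Anh Lam's config covers traffic to the pool addresses. This is an added Python example, not code from the list or from Cisco; the config lines are copied from the posts, while the packets, the Internet host 198.51.100.7, and the PAT port allocator starting at 1024 are assumptions of the model.

```python
"""PIX 6.x outbound NAT decision as argued in the threads above (added example,
not code from the list or from Cisco): 'nat (inside) 0 access-list X' exempts
matching flows from translation; otherwise 'nat (inside) 1' plus 'global
(outside) 1' PATs them.  Config lines are copied from the posts; the packets
and host 198.51.100.7 are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


def _take_net(tokens, i):
    """One PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (real masks)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


class PixNat:
    def __init__(self, config_text):
        self.acls, self.pat_nets, self.xlate = {}, [], {}
        self.outside_ip = self.nat0_acl = self.pat_addr = None
        self.pat_enabled = False
        self._next_port = 1024          # model assumption: PAT ports start at 1024
        for line in config_text.splitlines():
            self._load(line.split())

    def _load(self, t):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _take_net(t, 4)
            dst, _ = _take_net(t, i)
            self.acls.setdefault(t[1], []).append(AclEntry(src, dst))
        elif t[:3] == ["ip", "address", "outside"]:
            self.outside_ip = ipaddress.ip_address(t[3])
        elif t[:3] == ["nat", "(inside)", "0"]:
            self.nat0_acl = t[4]        # nat (inside) 0 access-list X
        elif t[:2] == ["nat", "(inside)"]:
            self.pat_nets.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[:2] == ["global", "(outside)"]:   # '1 interface' or '1 A.B.C.D'
            self.pat_enabled = True
            self.pat_addr = None if t[3] == "interface" else ipaddress.ip_address(t[3])

    def exempt(self, src_ip, dst_ip):
        return any(e.matches(src_ip, dst_ip) for e in self.acls.get(self.nat0_acl, []))

    def translate(self, src, sport, dst):
        """Return (decision, outside-visible source ip, outside-visible port)."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.exempt(src_ip, dst_ip):
            return "exempt", str(src_ip), sport      # VPN-bound: inside address kept
        if self.pat_enabled and any(src_ip in n for n in self.pat_nets):
            key = (str(src_ip), sport)
            if key not in self.xlate:                 # one PAT port per inside flow
                self.xlate[key] = self._next_port
                self._next_port += 1
            ip = self.outside_ip if self.pat_addr is None else self.pat_addr
            return "pat", str(ip), self.xlate[key]
        return "drop", None, None                     # no nat statement covers it

    def ike_source(self):
        """The PIX's own IKE socket: real outside address, UDP 500, never PATed."""
        return str(self.outside_ip), 500


# Copied from Hansraj Patil's working site-to-site config above.
SITE_CFG = """
ip address outside 128.32.5.98 255.255.255.0
access-list 100 permit ip 10.5.1.0 255.255.255.0 10.5.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 10.5.1.0 255.255.255.0 0 0
"""

# Copied from Anh Lam's PIX515 config (only nat 0 appears in the quoted excerpt).
REMOTE_CFG = """
ip address outside 66.61.46.240 255.255.248.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip host 66.61.46.240 172.16.2.0 255.255.255.0
nat (inside) 0 access-list 101
"""
```

Two inside hosts that both use source port 500 get distinct PAT ports while the PIX's own IKE stays at the untranslated outside address, and an inside reply to a pool client matches access-list 101 and is exempted.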

Re: help with troubleshooting Cisco VPN connection [7:23695]

2001-10-23 Thread Anh Lam

Chris,
I don't know how long you have been working with PIX but on the VPN client,
the client will get an IP between 172.16.2.1 and 172.16.2.254.  The
access-list will make the necessary connectivity to the 172.16.1.0/24 network.
If you've read this post from start to finish, you would know that the exact
configuration works on the PIX520 but not the PIX515.  Even the Cisco TAC guy
is scratching his head over this.


From: chris 
Reply-To: chris 
To: [EMAIL PROTECTED]
Subject: Re: help with troubleshooting Cisco VPN connection [7:23695]
Date: Mon, 22 Oct 2001 23:35:41 -0400

In your config below the vpn client is being assigned an address that is on
a different subnet than the inside interface of the pix and there is no sign
of a router on that subnet (no default inside route to a router).

BTW, you may want to get rid of the conduit permit any any!

Chris

