TOPIC: "Default VPN Security Policies"

"Default VPN Security Policies" 7 years 7 months ago #29360

timparker (Distinguished Member, Posts: 96, Karma: 0)
Well, I think I've put myself into a corner now. I just got back from a 3rd party location where we have a computer for our clinicians who are on site at this location.

I attempted to install the Cisco client and move them off our WatchGuard. It wouldn't connect, so I thought maybe I screwed up the passwords or something.

So I got out my laptop and tried to use it and got the same thing... so I think I have locked things down too well...

So the question becomes: for users to be able to move from place to place and use the VPN software, what is my "default rule" supposed to look like for connecting?

Source | Destination     | Protocol
any    | external FW int. | ????

I think I was a little early in my thinking I was done, since my work from home is a bit jaded since I am also testing and working on the 871 Routers for a couple of our remote sites.

TIA.

Re: "Default VPN Security Policies" 7 years 7 months ago #29371

timparker (Distinguished Member, Posts: 96, Karma: 0)
This apparently is a non-issue now. I tested a different router at home last night with an IP from TWC that isn't in my work ASA and I connected fine.

This is leading me to think that the admin at the remote site is doing some MAC filtering or something odd on their network. He isn't a network guy but thinks he is. Their network has been suspect for some other problems from day 1, so now I can go back and "complain".

New to the Site! 7 years 6 months ago #29422

Hello!

I would check my transport, just to make sure whether we are doing IPSec-over-UDP or IPSec-over-TCP, and check to see that my ports are open.
Make sure third party ports are open at their end. IPSec-over-TCP is 1000. I am sure you have done this already when you installed the Cisco VPN Client. Plus I'll check the client version.

Re: "Default VPN Security Policies" 7 years 6 months ago #29432

Smurf (Moderator, Posts: 1390, Karma: 1)
When doing Site-to-Site VPNs I wouldn't recommend going over NAT as it can add all sorts of complications. The main thing here is to ensure that nothing is blocking the IPSec ports/protocols:

ESP
UDP 500 (IKE)

If you need to do NAT then you need to ensure that NAT-T is open (UDP 4500), and if IPSec-over-TCP then it's actually port 10000 (although this is configurable).

You can do some debugging to see if it's failing at any of the stages (Phase 1 or Phase 2).

Phase 1 will typically go over UDP 500 as this is the key exchange phase (also known as Main Mode).
Phase 2 will then start utilising ESP (or UDP 4500/TCP 10000 if it needs encapsulating into UDP/TCP for NAT) (also known as Quick Mode).

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
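To make the reply above concrete for the original question ("what is my default rule supposed to look like?"), here is an added example that is not code from the thread, Firewall.cx or Cisco. It models a first-match firewall policy and checks it against the inbound flows a remote-access IPsec client needs, for the three transports the reply lists: native IKE UDP/500 plus ESP, NAT-T UDP/4500, and IPsec-over-TCP on a configurable port (10000 by default). The Rule/Flow classes, the addresses and the two sample policies are constructed for the example; the assumption that Cisco IPsec-over-TCP carries both IKE and ESP inside the one TCP session is mine, not stated on the page.

```python
"""Evaluate whether a firewall policy permits the flows an IPsec VPN needs.

Added illustration for this thread, not code from Firewall.cx or Cisco.
The rule model, addresses and policies below are constructed; the protocol
and port numbers are the ones the thread discusses: IKE UDP/500, ESP (IP
protocol 50), NAT-T UDP/4500, IPsec-over-TCP TCP/10000 (TCP port configurable).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR/host or "any"
    dst: str                     # CIDR/host or "any"
    proto: str                   # "udp", "tcp", "esp" or "any"
    dport: Optional[int] = None  # None = any port; ESP carries no port


@dataclass(frozen=True)
class Flow:
    name: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int]


def _ip_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Match on source, destination, protocol and (where the rule sets one) port."""
    return (
        _ip_match(rule.src, flow.src_ip)
        and _ip_match(rule.dst, flow.dst_ip)
        and rule.proto in ("any", flow.proto)
        and (rule.dport is None or rule.dport == flow.dport)
    )


def is_permitted(rules: List[Rule], flow: Flow) -> bool:
    """First matching rule wins; no match means the firewall's implicit deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action == "allow"
    return False


def required_flows(client_ip: str, fw_external_ip: str, transport: str,
                   tcp_port: int = 10000) -> List[Flow]:
    """Inbound flows the head-end must accept from one client, per transport.

    "native": client has a public IP -> IKE over UDP/500, then raw ESP (Phase 2)
    "nat-t":  client behind NAT      -> IKE over UDP/500, ESP encapsulated in UDP/4500
    "tcp":    Cisco IPsec-over-TCP   -> IKE and ESP inside one TCP session (assumption)
    """
    ike = Flow("IKE Phase 1 (UDP/500)", client_ip, fw_external_ip, "udp", 500)
    if transport == "native":
        return [ike, Flow("ESP Phase 2 (IP proto 50)", client_ip, fw_external_ip, "esp", None)]
    if transport == "nat-t":
        return [ike, Flow("NAT-T Phase 2 (UDP/4500)", client_ip, fw_external_ip, "udp", 4500)]
    if transport == "tcp":
        return [Flow(f"IPsec-over-TCP (TCP/{tcp_port})", client_ip, fw_external_ip, "tcp", tcp_port)]
    raise ValueError(f"unknown transport {transport!r}")


def missing_flows(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Names of required flows the policy blocks; an empty list means the policy suffices."""
    return [f.name for f in flows if not is_permitted(rules, f)]


# Constructed sample addresses (documentation ranges, not real hosts).
FW_EXTERNAL = "203.0.113.10"
CLIENT = "198.51.100.7"

# A policy "locked down too well": only IKE gets in, so Phase 1 can complete
# while Phase 2 (ESP or NAT-T) is silently dropped for every client.
LOCKED_DOWN_POLICY = [
    Rule("allow", "any", FW_EXTERNAL, "udp", 500),
    Rule("deny", "any", "any", "any"),
]

# The shape of a workable remote-access "default rule": any source, the
# firewall's external interface address, and the IKE / NAT-T / ESP trio.
CORRECTED_POLICY = [
    Rule("allow", "any", FW_EXTERNAL, "udp", 500),
    Rule("allow", "any", FW_EXTERNAL, "udp", 4500),
    Rule("allow", "any", FW_EXTERNAL, "esp"),
    Rule("deny", "any", "any", "any"),
]


if __name__ == "__main__":
    for label, policy in (("locked down", LOCKED_DOWN_POLICY), ("corrected", CORRECTED_POLICY)):
        for transport in ("native", "nat-t", "tcp"):
            gaps = missing_flows(policy, required_flows(CLIENT, FW_EXTERNAL, transport))
            print(f"{label:12s} {transport:7s} missing: {gaps or 'none'}")
```

Running it shows the failure mode from the first post: with only UDP/500 open, a client on a public IP is missing ESP and a client behind NAT is missing UDP/4500, so the tunnel negotiates Phase 1 and then passes no traffic. The corrected policy leaves only IPsec-over-TCP unpermitted, which is expected unless that transport is actually enabled on the head-end, in which case its (configurable) TCP port needs its own allow rule.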
