Security Basics mailing list archives
RE: Cisco Workaround (VPN PROBLEM)
From: "Paul Benedek" <paul.benedek () excis co uk>
Date: Fri, 1 Aug 2003 16:37:29 +0100
Hi,

The issue may be based around NAT if you are using it. If you have upgraded to an IOS version that does not support NAT transparency, you will not establish your VPN tunnels. NAT transparency wraps the ESP header in UDP, and then strips it as it passes through the translation, thereby leaving the ESP header intact and allowing the establishment of the tunnels. Check to see if these versions support NAT / PAT transparency.

Regards,

Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk

-----Original Message-----
From: Adam Overlin [mailto:adam.overlin () content-mgmt com]
Sent: 01 August 2003 00:04
To: jamesworld () intelligencia com
Cc: security-basics () securityfocus com
Subject: RE: Cisco Workaround (VPN PROBLEM)

I did state in my first mail that it was the PIXes that were controlling the VPN/encryption, but I may not have been clear. So there it is again. :)

Anyway, the 2 versions that we tried to upgrade to are:
c820-k9osy6-mz.12.3-1a (24/8) and 12.2(15)T4/5

Currently we are running: 12.2 (sorry, this is all I could tell from the "show run" that I did)

The router is an 827-v4.

Thanks for helping me out on this.

Adam

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Thursday, July 31, 2003 3:16 PM
To: Adam Overlin
Cc: security-basics () securityfocus com
Subject: RE: Cisco Workaround (VPN PROBLEM)

Adam,

Question: (surprised nobody asked) What is doing the VPN, the routers or the PIXes?

I'm sure we are all assuming that it's the PIXes.

-James

Everyone else (who is involved and/or wants to jump in)... update your subject line to clearly identify this new offshoot thread.

At 12:59 7/31/2003, Adam Overlin wrote:

My network consultant is the one who has the cheat sheet now, but all that was on there was how to upgrade the IOS. No other commands or anything.

If my memory serves me right, all that was on there was:

copy tftp flash <source IP where file is located> <source filename> <destination filename>

At that point it starts the flash process. When it's done, just reboot and it *should* work. Obviously it did not. All the other config info is supposed to stay put. Which, when we do a "show run," everything did look the same as it was before. Just the IOS version changed.

Adam

-----Original Message-----
From: John Canty [mailto:John.Canty () Vibro-Meter com]
Sent: Thursday, July 31, 2003 10:37 AM
To: Adam Overlin
Subject: RE: Cisco Workaround

Send us along a copy of this cheat sheet, and I am willing to bet there might be a few more answers to give :)

//John

-----Original Message-----
From: Adam Overlin [mailto:adam.overlin () content-mgmt com]
Sent: Thursday, July 31, 2003 12:59 PM
To: security-basics () securityfocus com
Subject: RE: Cisco Workaround

I just joined this list so I haven't seen the whole thread on this issue, thus my company's particular issue may have been discussed already, but I thought I would see if I could get some help anyway.

Background: We have a Cisco 827 router and a PIX 506e locally, the router being in front of the PIX. We also have a co-location facility that we are connected to via a constant VPN tunnel. There we have a PIX 515e. The two PIXes are what control the VPN/encryption.

Issue: The PIXes don't run IOS, so we didn't have to worry about upgrading those. However, the router does. So we upgraded the router to the latest version. Everything worked OK, except the VPN tunnel. That got knocked out. Keep in mind that I am no Cisco expert. I did the upgrade with the help of a *cheat* sheet that Cisco sent us. All I did was copy the information. I didn't really understand what I was actually typing into the console (we have another network consultant that is responsible for the "understanding" part, although he didn't know why it wasn't working either). :)

So after a little messing around we reverted back to the old IOS and everything was peachy. A couple of days later they sent us another version to upgrade with, and that did the same thing. Needless to say, we are still upgradeless.

If there are any suggestions out there, I would really appreciate it. If I didn't give enough info, please let me know, and I will get you whatever you need (within my power, of course).

Thanks in advance,
Adam
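Paul's explanation above ("NAT transparency wraps the ESP header in UDP, and then strips it") is the RFC 3948 UDP encapsulation that Cisco calls NAT-T. The following script is an added example, not code from the thread or from Cisco, that shows concretely why the wrapper matters: raw ESP (IP protocol 50) has no port numbers, so a PAT device has nothing to translate, whereas ESP wrapped in UDP/4500 translates like any other UDP flow and the inner ESP header comes out untouched once the receiver strips the UDP header. It also shows how a receiver tells UDP-encapsulated ESP apart from IKE on the same port (the 4-byte zero "non-ESP marker") and from NAT keepalives. All packets are constructed in the script, with RFC 5737 documentation addresses and an arbitrary SPI; the PAT model is a deliberately minimal source-address/source-port rewrite, not a model of any particular router.

```python
"""
Added example (not from the thread): NAT-T / "NAT transparency" (RFC 3948)
framing, and why plain ESP cannot cross a PAT device while UDP-wrapped ESP can.
All packets below are constructed here; addresses are RFC 5737 ranges and the
SPI is an arbitrary constant.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NATT_PORT = 4500            # IKE and ESP move here once NAT is detected (RFC 3947/3948)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # Zero UDP checksum: RFC 3948 s3.1.2 allows the receiver to ignore it.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    # ESP header is SPI + sequence number; `body` stands in for the encrypted
    # payload, trailer and ICV, which this example does not model.
    return struct.pack("!II", spi, seq) + body


def parse_ipv4(pkt: bytes):
    """Return (protocol, transport payload) for a packet with no IP options."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]


def classify(pkt: bytes) -> dict:
    """Tell raw ESP, UDP-encapsulated ESP, IKE-on-4500 and keepalives apart."""
    proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq, "ports": None}
    if proto != IPPROTO_UDP:
        return {"kind": "other", "proto": proto, "ports": None}
    sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
    data, ports = payload[8:ulen], (sport, dport)
    if NATT_PORT not in ports:
        return {"kind": "udp", "ports": ports}
    if data == b"\xff":                        # NAT-keepalive (RFC 3948 s2.3)
        return {"kind": "nat-keepalive", "ports": ports}
    # RFC 3948 s2.2: IKE on 4500 carries a 4-byte zero "non-ESP marker"; a
    # real ESP SPI is never zero, so the first word disambiguates the two.
    if struct.unpack("!I", data[:4])[0] == 0:
        return {"kind": "ike", "ports": ports}
    spi, seq = struct.unpack("!II", data[:8])
    return {"kind": "udp-esp", "spi": spi, "seq": seq, "ports": ports}


def pat_outbound(pkt: bytes, public_ip: str, new_port: int):
    """Minimal PAT: rewrite source address and source port of UDP traffic.

    Returns None for raw ESP: there is no port field for a many-to-one
    translation to key on, so the packet cannot be mapped at all.
    """
    proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_UDP:
        return None
    _, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return build_ipv4(public_ip, dst, IPPROTO_UDP,
                      build_udp(new_port, dport, payload[8:ulen]))


def strip_natt(pkt: bytes) -> bytes:
    """Receiver side: drop the UDP wrapper and hand back the untouched ESP."""
    proto, payload = parse_ipv4(pkt)
    assert proto == IPPROTO_UDP
    ulen = struct.unpack("!H", payload[4:6])[0]
    return payload[8:ulen]


# Constructed sample traffic: inside host 192.168.1.10 -> VPN peer 203.0.113.5
ESP_PAYLOAD = build_esp(0xDEADBEEF, 7, b"\x00" * 16)
RAW_ESP = build_ipv4("192.168.1.10", "203.0.113.5", IPPROTO_ESP, ESP_PAYLOAD)
NATT_ESP = build_ipv4("192.168.1.10", "203.0.113.5", IPPROTO_UDP,
                      build_udp(NATT_PORT, NATT_PORT, ESP_PAYLOAD))
IKE_NATT = build_ipv4("192.168.1.10", "203.0.113.5", IPPROTO_UDP,
                      build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x11" * 28))
KEEPALIVE = build_ipv4("192.168.1.10", "203.0.113.5", IPPROTO_UDP,
                       build_udp(NATT_PORT, NATT_PORT, b"\xff"))


def demo() -> dict:
    """Push both flavours of ESP through the PAT and report what survives."""
    translated = pat_outbound(NATT_ESP, "198.51.100.1", 40001)
    return {
        "raw_esp_through_pat": pat_outbound(RAW_ESP, "198.51.100.1", 40001),
        "natt_after_pat": classify(translated),
        "esp_intact_after_strip": strip_natt(translated) == ESP_PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the raw ESP packet coming back as None from the PAT while the UDP-wrapped copy is translated to a new source port and still yields the original SPI 0xDEADBEEF after the wrapper is removed. The same check is what a practitioner would do on the wire when a tunnel dies after an upgrade: confirm whether UDP/500 and UDP/4500 (or raw protocol 50, if no NAT is in the path) are actually leaving the router, rather than assuming the configuration survived intact.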
Current thread:
- RE: Cisco Workaround (VPN PROBLEM) Paul Benedek (Aug 01)
- <Possible follow-ups>
- RE: Cisco Workaround (VPN PROBLEM) Vachon, Scott (Aug 01)
- RE: Cisco Workaround (VPN PROBLEM) stephen at unix dot za dot net (Aug 11)