Security Basics mailing list archives
RE: Cisco Workaround
From: "Cesar Osorio" <COsorio () awb com au>
Date: Tue, 12 Aug 2003 15:12:04 +1000
David, Have you got a Syslog server where you can check the errors appearing, then send them to Cisco or who ever is your CISCO support, looking at the logs it should give a good indication onto why you clients a droping the VPN, maybee they need another client as well ? Regards, Cesar "David Gillett" <gillettdavid@fh To: "'stephen at unix dot za dot net'" da.edu> <stephen () unix za net> cc: <security-basics () securityfocus com> 12/08/2003 02:07 Subject: RE: Cisco Workaround Please respond to gillettdavid Whether your VPN users need GRE or ESP+AH will depend on what particular VPN technology they use. (In our case, some users need one and some the other, but that's probably not typical.) David Gillett
-----Original Message----- From: stephen at unix dot za dot net [mailto:stephen () unix za net] Sent: August 10, 2003 23:27 To: David Gillett Cc: 'Douglas Gullett'; 'Adam Overlin'; security-basics () securityfocus com Subject: RE: Cisco Workaround hi guys, all the posts i've seen replying to this guy's problem don't included references to needing GRE (proto 47). it is needed for VPN connectivity, who are we all just assuming everyone knows this? (even though there's no mention of it) stephen On Mon, 4 Aug 2003, David Gillett wrote:ESP is protocol 50 and AH is 51. Neither opening 52 nor leaving 50 closed is likely to help. David Gillett-----Original Message----- From: Douglas Gullett [mailto:dougg03 () comcast net] Sent: August 2, 2003 08:49 To: Adam Overlin; security-basics () securityfocus com Subject: RE: Cisco Workaround Adam, If the "cheat" sheet you are referring to is the Cisco Security Alert, I am guessing that you put in their access-list. For IPSEC you need to have Protocol Port 51 (ESP) and Protocol Port 52 (AH) open, as well as UDP Port 500 (isakmp). Doug -----Original Message----- From: Adam Overlin [mailto:adam.overlin () content-mgmt com] Sent: Thursday, July 31, 2003 12:59 PM To: security-basics () securityfocus com Subject: RE: Cisco Workaround I just joined this list so I haven't seen the whole thread on this issue, thus my company's particular issue may have been discussed already, but I thought I would see if I could get some help anyway. Background: We have a Cisco 827 router and a PIX 506e locally. Router being in front of the PIX. We also have a co-location facility that we are connected via a constant VPN tunnel. There we have a PIX 515e. The two pixes are what control the VPN/encryption. Issue: The pixes don't run IOS so we didn't have to worry about upgrading those. However, the router does. So we upgraded the router to the latest version. Everything worked ok, except, the VPN tunnel. That got knocked out. Keep in mind that I am no Cisco expert. I did the upgrade with the help of a *cheat* sheet that Cisco sent us. All I did was copy the information. I didn't really understand what I was actually typing into the console (we have another network consultant that is responsible for the "understanding part, although he didn't know why it wasn't working either). :) So after a little messing around we reverted back to theold IOS andeverything was peachy. A couple days later they sent us another version to upgrade with and that did the same thing. Needless to say, we are still upgradeless. If there are any suggestions out there, I would really appreciate it. If I didn't give enough info, please let me know, and I will get you whatever you need (within my power of course). Thanks in advance, Adam -------------------------------------------------------------- ------------- -------------------------------------------------------------- -------------- -------------------------------------------------------------- ------------- -------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Cisco Workaround Dozal, Tim (Jul 31)
- <Possible follow-ups>
- RE: Cisco Workaround Douglas Gullett (Aug 04)
- RE: Cisco Workaround Adam Overlin (Aug 04)
- RE: Cisco Workaround David Gillett (Aug 04)
- RE: Cisco Workaround stephen at unix dot za dot net (Aug 11)
- RE: Cisco Workaround David Gillett (Aug 11)
- RE: Cisco Workaround Cesar Osorio (Aug 12)
- RE: Cisco Workaround Cesar Osorio (Aug 12)