RE: Cisco Workaround

["Cesar Osorio" <COsorio () awb com au>]

David,

Have you got a Syslog server where you can check the errors appearing, then
send them to Cisco or who ever is your CISCO support,  looking at the logs
it should give a good indication onto why you clients a droping the VPN,
maybee they need another client as well ?


Regards,

Cesar




                      "David Gillett"

                      <gillettdavid@fh         To:      "'stephen at unix
dot za dot net'"
                      da.edu>                  <stephen () unix za net>

                                               cc:
<security-basics () securityfocus com>
                      12/08/2003 02:07         Subject: RE: Cisco
Workaround
                      Please respond

                      to gillettdavid







  Whether your VPN users need GRE or ESP+AH will depend on what
particular VPN technology they use.  (In our case, some users need
one and some the other, but that's probably not typical.)

David Gillett

> -----Original Message-----
> From: stephen at unix dot za dot net [mailto:stephen () unix za net]
> Sent: August 10, 2003 23:27
> To: David Gillett
> Cc: 'Douglas Gullett'; 'Adam Overlin';
> security-basics () securityfocus com
> Subject: RE: Cisco Workaround
>
>
>
> hi guys,
>
> all the posts i've seen replying to this guy's problem don't included
> references to needing GRE (proto 47).
>
> it is needed for VPN connectivity, who are we all just
> assuming everyone
> knows this?  (even though there's no mention of it)
>
>
> stephen
>
>
>
> On Mon, 4 Aug 2003, David Gillett wrote:
>
> >   ESP is protocol 50 and AH is 51.  Neither opening 52 nor
> > leaving 50 closed is likely to help.
> >
> > David Gillett
> >
> > > -----Original Message-----
> > > From: Douglas Gullett [mailto:dougg03 () comcast net]
> > > Sent: August 2, 2003 08:49
> > > To: Adam Overlin; security-basics () securityfocus com
> > > Subject: RE: Cisco Workaround
> > >
> > >
> > > Adam,
> > >
> > > If the "cheat" sheet you are referring to is the Cisco
> > > Security Alert, I am
> > > guessing that you put in their access-list.  For IPSEC you
> > > need to have
> > > Protocol Port 51 (ESP) and Protocol Port 52 (AH) open, as
> > > well as UDP Port
> > > 500 (isakmp).
> > >
> > > Doug
> > >
> > > -----Original Message-----
> > > From: Adam Overlin [mailto:adam.overlin () content-mgmt com]
> > > Sent: Thursday, July 31, 2003 12:59 PM
> > > To: security-basics () securityfocus com
> > > Subject: RE: Cisco Workaround
> > >
> > >
> > > I just joined this list so I haven't seen the whole thread on
> > > this issue,
> > > thus my company's particular issue may have been discussed
> > > already, but I
> > > thought I would see if I could get some help anyway.
> > >
> > > Background:
> > > We have a Cisco 827 router and a PIX 506e locally.  Router
> > > being in front of
> > > the PIX.  We also have a co-location facility that we are
> > > connected via a
> > > constant VPN tunnel.  There we have a PIX 515e.  The two
> > > pixes are what
> > > control the VPN/encryption.
> > >
> > > Issue:
> > > The pixes don't run IOS so we didn't have to worry about
> > > upgrading those.
> > > However, the router does.  So we upgraded the router to the
> > > latest version.
> > > Everything worked ok, except, the VPN tunnel.  That got
> > > knocked out.  Keep
> > > in mind that I am no Cisco expert.  I did the upgrade with
> > > the help of a
> > > *cheat* sheet that Cisco sent us.  All I did was copy the
> > > information.  I
> > > didn't really understand what I was actually typing into the
> > > console (we
> > > have another network consultant that is responsible for the
> > > "understanding
> > > part, although he didn't know why it wasn't working either).  :)
> > >
> > > So after a little messing around we reverted back to the
> old IOS and
> > > everything was peachy.  A couple days later they sent us
> > > another version to
> > > upgrade with and that did the same thing.  Needless to say,
> > > we are still
> > > upgradeless.
> > >
> > > If there are any suggestions out there, I would really
> > > appreciate it.  If I
> > > didn't give enough info, please let me know, and I will get
> > > you whatever you
> > > need (within my power of course).
> > >
> > > Thanks in advance,
> > > Adam
> > >
> > >
> > > --------------------------------------------------------------
> > > -------------
> > > --------------------------------------------------------------
> > > --------------
> > >
> > >
> > > --------------------------------------------------------------
> > > -------------
> > > --------------------------------------------------------------
> > > --------------
> --------------------------------------------------------------
> -------------
> >
> --------------------------------------------------------------
> --------------
> >

---------------------------------------------------------------------------
----------------------------------------------------------------------------











---------------------------------------------------------------------------
----------------------------------------------------------------------------