Security Basics mailing list archives

RE: Cisco Workaround

From: "Paul Benedek" <paul.benedek () excis co uk>
Date: Thu, 31 Jul 2003 20:59:37 +0100

Hi Adam,

This sounds like an interesting problem.  Please could you send details of
the cheat sheet and the versions of IOS that you upgraded to?  My thoughts
are that you may have created an access list that denied the protocols
needed for your VPN tunnel, these being IKE and IPSEC.  With access lists
you need to be specific after you create them otherwise they will implicitly
deny traffic.  Once I have seen the cheat sheet, I can advise you of what
may work.

Regards,

Paul Benedek
Director 
Excis Networks Limited
http://www.excis.co.uk

-----Original Message-----
From: Adam Overlin [mailto:adam.overlin () content-mgmt com] 
Sent: 31 July 2003 17:59
To: security-basics () securityfocus com
Subject: RE: Cisco Workaround

I just joined this list so I haven't seen the whole thread on this issue,
thus my company's particular issue may have been discussed already, but I
thought I would see if I could get some help anyway.

Background:
We have a Cisco 827 router and a PIX 506e locally.  Router being in front of
the PIX.  We also have a co-location facility that we are connected via a
constant VPN tunnel.  There we have a PIX 515e.  The two pixes are what
control the VPN/encryption.

Issue:
The pixes don't run IOS so we didn't have to worry about upgrading those.
However, the router does.  So we upgraded the router to the latest version.
Everything worked ok, except, the VPN tunnel.  That got knocked out.  Keep
in mind that I am no Cisco expert.  I did the upgrade with the help of a
*cheat* sheet that Cisco sent us.  All I did was copy the information.  I
didn't really understand what I was actually typing into the console (we
have another network consultant that is responsible for the "understanding
part, although he didn't know why it wasn't working either).  :)

So after a little messing around we reverted back to the old IOS and
everything was peachy.  A couple days later they sent us another version to
upgrade with and that did the same thing.  Needless to say, we are still
upgradeless.

If there are any suggestions out there, I would really appreciate it.  If I
didn't give enough info, please let me know, and I will get you whatever you
need (within my power of course).

Thanks in advance,
Adam


---------------------------------------------------------------------------
----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

RE: Cisco Workaround, (continued)
- RE: Cisco Workaround Noonan, Wesley (Jul 28)
- RE: Cisco Workaround Martin, Olivier (Jul 28)
  - Re: Cisco Workaround joshua sahala (Jul 28)
- RE: Cisco Workaround Ghaith Nasrawi (Jul 29)
  - Re: Cisco Workaround stephane nasdrovisky (Jul 29)
    - Re: Cisco Workaround Jac (Jul 30)
    - RE: Cisco Workaround Todd Mitchell - lists (Jul 30)
    - Re: Cisco Workaround James Fields (Jul 30)
    - Re: Cisco Workaround Jac (Jul 31)
    - RE: Cisco Workaround Adam Overlin (Jul 31)
    - RE: Cisco Workaround Paul Benedek (Jul 31)
  - RE: Cisco Workaround James Fields (Jul 29)
- RE: Cisco Workaround Dozal, Tim (Jul 30)
- RE: Cisco Workaround Adam Overlin (Jul 31)
- RE: Cisco Workaround Vachon, Scott (Jul 31)