From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Sep 21 2007 - 09:03:19 ART
Matthew, I think Cisco added support for ESP inspection in the 7.2 release.
HTH
Farrukh
On 9/20/07, Matthew Long <mlong@comms-care.com> wrote:
>
> This problem often occurs where your office firewall is blocking the ESP
> protocol (50).
>
> My understanding of how this works (I think, please someone correct me
> if I am wrong) is that your PC makes a connection using ISAKMP on UDP 500
> outbound to set up the connection. This works fine: the connection is
> set up and you get an IP. Because ISAKMP is a two-way connection, the return
> traffic is passed back through your office firewall.
> When you try to send data this uses the ESP protocol, which is 2 x one-way
> connections (2 SAs). The outbound connection works fine but your
> office firewall blocks the return connection, hence no data.
>
> Why does it work at home? Most home routers/firewalls support IPsec
> pass-through and avoid this issue by allowing the ESP traffic back through,
> and mapping the ESP protocol directly to your PC. On an office firewall
> this doesn't happen, because they may be terminating a different VPN or
> because IPsec pass-through is not scalable to many users.
>
> There are a number of ways that may allow you to work around this; IPsec
> over UDP or TCP may help. The most reliable way I have found is to have a
> static NAT for your PC on the office firewall and allow inbound on
> UDP 500, protocol 50 and protocol 51.
>
> Anyone else found a way round this on an ASA as there is no "inspect
> IPSEC"?
>
> Matt
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Mohammad Saeed
> Sent: 20 September 2007 15:13
> To: Joseph Brunner
> Cc: Cisco certification
> Subject: Re: Interesting VPN Access Issue
>
> Let me clarify the situation a little bit.
>
> I am in my office and have no idea what type of FW/router is used in
> my office. So, I connect my laptop to the office network, get a unique IP,
> open up the Cisco VPN Client, and establish the tunnel to a PIX FW somewhere
> on the internet on its external interface, which has a public IP. The
> tunnel is established and my VPN adapter gets an IP from the 10.0.0.0 network
> as configured on our client's PIX FW. Now the tunnel is stable but I can
> not reach any device on the 10.0.0.0 network.
>
> Now I just took my laptop home, connected to my home internet
> connection, where I have a Linksys wireless router connecting to a cable
> modem. Now my laptop got the 192.168.1.100 IP from the wireless router.
> Now I can browse the internet. I establish the VPN tunnel exactly the same
> way as I establish it in the office, without any change; the tunnel is
> established and stable. My VPN adapter received an IP from the same
> 10.0.0.0 network. I can ping/telnet to almost any device on the 10.0.0.0 network.
>
> Now my suspicion is that, as IPsec uses just three packets in AGGRESSIVE
> Mode for key exchange and probably after that the tunnel is established,
> maybe there is some IDS in our office network which does not detect
> that something suspicious is going on for the first few packets and the
> tunnel is established, and then it sees some unusual behaviour and
> blocks that connection?
>
> Secondly, my thoughts go to the two phases that IPsec uses. Can anyone
> tell what destination port numbers are used in both phases? Maybe in the
> office the FW is blocking the second TCP session that is used to
> transfer data after the tunnel has been established?
>
> Any thoughts?
>
> Regards,
>
> Mohammad Zahed Saeed
>
> On 9/19/07, Joseph Brunner <joe@affirmedsystems.com> wrote:
> > Yes, the PIX does not do same-interface routing. So inside the network it
> > won't route on your behalf, as it does from the outside interface towards the
> > inside interface from home.
> >
> > You can fix with pix 7 / asa code.
> >
> > -joe
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Mohammad Saeed
> > Sent: Wednesday, September 19, 2007 9:40 PM
> > To: Cisco certification
> > Subject: Interesting VPN Access Issue
> >
> > Hello everybody,
> >
> > I have the Cisco VPN Client installed on my laptop (Windows XP). Now if I
> > use this VPN Client from my home internet connection to establish a VPN
> > tunnel to the destination, which is a PIX firewall, it gets
> > connected, and I can reach (ping/telnet) any device on the remote side
> > network.
> >
> > But when I take my system to my office and hook my laptop to the office
> > network, the VPN Client gets authenticated and the tunnel is established; the
> > VPN adapter gets the same IP that it gets when I establish the tunnel from
> > home, but I can't ping/telnet to any devices on the remote network
> > that I used to ping/telnet when I am connecting from my home network.
> > If I ping, it just times out; traceroute doesn't even show the first
> > hop, which should be the other end of the tunnel, and telnet times out.
> >
> > What can be the reason?
> >
> > If routing on the remote end or the firewall on the laptop were the issue,
> > then how is the VPN tunnel established in the first step?
> >
> > I would appreciate it if anyone can hint....
> >
> > Regards,
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
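A toy simulation of Matthew Long's explanation above, added here as an example and not code from the thread or from Cisco: a stateful office firewall that keeps state only for UDP/TCP lets the ISAKMP exchange back in but drops the returning ESP, while his two workarounds (an explicit inbound permit for protocol 50/51 to a static NAT, or IPsec over UDP) both pass. Addresses are constructed sample values, and UDP 4500 is the standard NAT-T port, assumed here rather than taken from the thread.

```python
# Added illustration, not code from the thread: a toy stateful firewall that
# tracks only UDP/TCP 5-tuples, as Matthew Long's explanation describes.
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
ISAKMP_PORT, NAT_T_PORT = 500, 4500   # IKE, and the standard IPsec NAT-T port

class StatefulFirewall:
    """Outbound traffic always passes. Inbound passes only if it is the reply
    to a tracked UDP/TCP flow, or an explicit inbound rule (proto, inside host)
    allows it. ESP/AH carry no ports, so no return state is ever recorded."""

    def __init__(self, inbound_rules=()):
        self.flows = set()
        self.inbound_rules = set(inbound_rules)

    def handle(self, proto, src, dst, sport=0, dport=0, outbound=True):
        if outbound:
            if proto == PROTO_UDP:
                self.flows.add((proto, src, sport, dst, dport))
            return "pass"
        reply_of = (proto, dst, dport, src, sport)  # mirror the 5-tuple
        if reply_of in self.flows or (proto, dst) in self.inbound_rules:
            return "pass"
        return "drop"

def vpn_session(fw, laptop="192.168.10.25", pix="203.0.113.1", nat_t=False):
    """Replay the two steps of the client described in the thread: IKE on
    UDP/500, then data as raw ESP (protocol 50) or, with nat_t=True,
    encapsulated in UDP/4500. Addresses are constructed sample values."""
    r = {}
    r["isakmp_out"] = fw.handle(PROTO_UDP, laptop, pix, ISAKMP_PORT, ISAKMP_PORT)
    r["isakmp_in"] = fw.handle(PROTO_UDP, pix, laptop, ISAKMP_PORT, ISAKMP_PORT,
                               outbound=False)
    if nat_t:
        r["data_out"] = fw.handle(PROTO_UDP, laptop, pix, NAT_T_PORT, NAT_T_PORT)
        r["data_in"] = fw.handle(PROTO_UDP, pix, laptop, NAT_T_PORT, NAT_T_PORT,
                                 outbound=False)
    else:
        r["data_out"] = fw.handle(PROTO_ESP, laptop, pix)
        r["data_in"] = fw.handle(PROTO_ESP, pix, laptop, outbound=False)
    return r

if __name__ == "__main__":
    laptop = "192.168.10.25"
    print("office default:", vpn_session(StatefulFirewall()))
    print("static NAT + permit proto 50/51:", vpn_session(
        StatefulFirewall({(PROTO_ESP, laptop), (PROTO_AH, laptop)})))
    print("IPsec over UDP (NAT-T):", vpn_session(StatefulFirewall(), nat_t=True))
```

The first run shows the symptom from the thread exactly: the tunnel comes up (both ISAKMP verdicts pass) but no data flows back, because the inbound ESP packet matches no tracked flow.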
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART