A DDoS attack will happen in any event, whether you have an ACL or not. The
DoS attack will target your outside IP address on the ASA, and the ASA will
still have to process those packets, i.e. drop them according to the ACL.
CCIE # 23962 (SP)
On Mon, Dec 13, 2010 at 10:14 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com
> wrote:
> This is my manager's policy that nobody can access our site unless he has a
> registered/static IP address. I think he is afraid of DoS attacks.
>
>
> Best Regards,
>
> ==============================
> Mahmoud Nossair
>
>
> -----Original Message-----
> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> Sent: Monday, December 13, 2010 11:09 AM
> To: karim jamali
> Cc: Mahmoud Nossair; Cisco certification
> Subject: Re: ASA Easy VPN access problem
>
> I am just trying to understand why you want to do that?
>
> Surely some of the remote users are going to have dynamic IP addresses from
> time to time.
>
> CCIE # 23962 (SP)
>
> Sent from my iPhone 4
>
> On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
> > Dear Mahmoud,
> >
> > Hope you are doing fine. I am sure there is a better way of implementing it,
> > but a simple approach would be to put an ACL on the outside interface in the
> > incoming direction that will only allow ISAKMP/IPsec from certain peers
> > (public IP addresses), and all other ISAKMP/IPsec traffic will be dropped.
> > Remember to allow any incoming traffic in the ACL if needed; otherwise you
> > will fall to the "implicit deny".
> >
> > I am not sure if this is the best method, but I believe this should work.
> >
> > Best Regards,
> >
> > On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair
> <mahmoud.nossair_at_gmail.com
> >> wrote:
> >
> >> Thanks for replying to me.
> >>
> >> My point is how can I allow only certain IPs or a subnet (public IPs) to be
> >> accepted as remote VPN users?
> >>
> >>
> >>
> >> For example, suppose you have a public IP "1.1.1.1" and I have IP address
> >> "2.2.2.2". Both you and I initiate remote VPN access, but the ASA
> >> firewall will grant you access while dropping me.
> >>
> >> Best Regards,
> >>
> >>
> >>
> >> ==============================
> >>
> >> Mahmoud Nossair
> >>
> >>
> >>
> >>
> >>
> >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >> Sent: Monday, December 13, 2010 9:52 AM
> >> To: Mahmoud Nossair
> >> Cc: ccielab_at_groupstudy.com
> >> Subject: Re: ASA Easy VPN access problem
> >>
> >>
> >>
> >> I don't see the point. Only users who successfully authenticate can gain
> >> access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
> >> etc.?
> >>
> >> CCIE # 23962 (SP)
> >>
> >> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair <
> >> mahmoud.nossair_at_gmail.com>
> >> wrote:
> >>
> >> Dear Experts
> >>
> >>
> >>
> >> I have configured Easy VPN access on the Cisco ASA 5520, but the problem
> >> is that anybody from the OUTSIDE can initiate remote VPN access.
> >>
> >> So how can I restrict the access to only a HOST or IP subnet from the OUTSIDE
> >> interface? (i.e. nobody can initiate remote VPN access unless explicitly
> >> permitted through an access list or any other method).
> >>
> >> Best Regards,
> >>
> >>
> >>
> >> ==============================
> >>
> >> Mahmoud Nossair
> >>
> >> CCIE network Engineer.
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >
> >
> > --
> > KJ
> >
> >
Received on Mon Dec 13 2010 - 10:23:08 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART
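Added example (editor's, not configuration posted by anyone in the thread): the peer restriction Karim describes, written out as ASA configuration, with the caveat a practitioner would want. Assumptions are labelled in the comments: the ASA's outside address is taken as 198.51.100.1 (a documentation range), the permitted peers are Mahmoud's illustrative 1.1.1.1 plus a hypothetical 203.0.113.0/24, and the software accepts the control-plane keyword on access-group (check your release before relying on it). The point the thread does not state is that IKE and ESP arriving at the ASA's own outside address are to-the-box traffic, which the ordinary inbound interface ACL does not evaluate; the control-plane form of the access-group is the one that filters it. Shaughn's observation still holds either way: the ASA still receives and drops every packet, so this limits who can attempt IKE, not the packet load.

```text
! Added example, not the thread's own configuration.
! Assumed: outside interface address 198.51.100.1 (documentation range),
! permitted peers 1.1.1.1 (from the thread) and hypothetical 203.0.113.0/24.

! --- Attempt A: ordinary inbound interface ACL, as suggested in the thread ---
access-list OUTSIDE-IN extended permit udp host 1.1.1.1 host 198.51.100.1 eq isakmp
access-list OUTSIDE-IN extended permit udp host 1.1.1.1 host 198.51.100.1 eq 4500
access-list OUTSIDE-IN extended permit esp host 1.1.1.1 host 198.51.100.1
access-group OUTSIDE-IN in interface outside
! An interface access-group governs through-the-box traffic only. IKE (UDP/500),
! NAT-T (UDP/4500) and ESP addressed to the ASA itself are to-the-box traffic
! and are never checked against it, so a peer at 2.2.2.2 can still start IKE.
! (Decrypted VPN traffic also bypasses this ACL while the default
! "sysopt connection permit-vpn" is in effect; that is a separate matter.)

! --- Attempt B: control-plane ACL, which IS evaluated for to-the-box traffic ---
object-group network VPN-PEERS
 network-object host 1.1.1.1
 network-object 203.0.113.0 255.255.255.0

access-list OUTSIDE-CP extended permit udp object-group VPN-PEERS host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp object-group VPN-PEERS host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp object-group VPN-PEERS host 198.51.100.1
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended deny esp any host 198.51.100.1
! The ACL ends in an implicit deny, so permit remaining to-the-box traffic
! (management SSH/HTTPS etc.) explicitly, or narrow this line to what you need.
access-list OUTSIDE-CP extended permit ip any host 198.51.100.1
access-group OUTSIDE-CP in interface outside control-plane
```

To check it, start a client from a non-listed address and watch the hit counts with "show access-list OUTSIDE-CP": the deny lines should increment and "show crypto isakmp sa" should show no SA for that peer, while a listed peer still completes Phase 1. Because the deny is applied after the packet has reached the box, this is an allow-list on who may attempt IKE, not protection against the traffic volume of a DoS.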