The ISAKMP port that will be allowed on the firewall is UDP 500, am I right?
But what is the IPsec port?
Best Regards,
==============================
Mahmoud Nossair
From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
Sent: Monday, December 13, 2010 11:23 AM
To: Mahmoud Nossair
Cc: karim jamali; Cisco certification
Subject: Re: ASA Easy VPN access problem
A DDoS attack will happen in any event, whether you have an ACL or not. The
DoS attack will target your outside IP address on the ASA, and the ASA will
still have to process those packets, i.e. drop them according to the ACL.
CCIE # 23962 (SP)
On Mon, Dec 13, 2010 at 10:14 AM, Mahmoud Nossair
<mahmoud.nossair_at_gmail.com> wrote:
This is my manager's policy that nobody can access our site unless he has a
registered/static IP address; I think he is afraid of a DoS attack.
Best Regards,
==============================
Mahmoud Nossair
-----Original Message-----
From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
Sent: Monday, December 13, 2010 11:09 AM
To: karim jamali
Cc: Mahmoud Nossair; Cisco certification
Subject: Re: ASA Easy VPN access problem
I am just trying to understand why you want to do that ?
Surely some of the remote users are going to have dynamic IP addresses from
time to time.
CCIE # 23962 (SP)
Sent from my iPhone 4
On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
> Dear Mahmoud,
>
> Hope you are doing fine. I am sure there is a better way of implementing it,
> but a simple approach would be to put an ACL on the outside interface in the
> incoming direction that will only allow ISAKMP/IPsec from certain peers
> (public IP addresses), and all other ISAKMP/IPsec traffic will be dropped.
> Remember to allow any other incoming traffic in the ACL if needed, otherwise
> you will fall to the "implicit deny".
>
> I am not sure if this is the best method, but I believe this should work.
>
> Best Regards,
>
> On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair
> <mahmoud.nossair_at_gmail.com> wrote:
>
>> Thanks for replying to me.
>>
>> My point is: how can I allow only certain IPs or a subnet (public IPs) to be
>> accepted as remote VPN users?
>>
>> For example, suppose you have a public IP "1.1.1.1" and I have IP address
>> "2.2.2.2". Both you and I initiate remote VPN access, but the ASA
>> firewall will grant you access while dropping me.
>>
>> Best Regards,
>>
>> ==============================
>>
>> Mahmoud Nossair
>>
>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
>> Sent: Monday, December 13, 2010 9:52 AM
>> To: Mahmoud Nossair
>> Cc: ccielab_at_groupstudy.com
>> Subject: Re: ASA Easy VPN access problem
>>
>> I don't see the point. Only users who successfully authenticate can gain
>> access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
>> etc.?
>>
>> CCIE # 23962 (SP)
>>
>> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair
>> <mahmoud.nossair_at_gmail.com> wrote:
>>
>> Dear Experts
>>
>>
>>
>> I have configured Easy VPN access on the Cisco ASA 5520, but the problem
>> is that anybody from the OUTSIDE can initiate remote VPN access.
>>
>> So how can I restrict access to only a host or IP subnet from the OUTSIDE
>> interface? (i.e. nobody can initiate remote VPN access unless explicitly
>> permitted through an access list or any other method.)
>>
>> Best Regards,
>>
>> ==============================
>>
>> Mahmoud Nossair
>>
>> CCIE network Engineer.
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> KJ
>
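Added example (editor's note; this is not configuration posted by anyone in the thread): one way to implement the ACL approach Karim describes on an ASA. It permits IKE/ISAKMP (UDP 500), NAT-Traversal (UDP 4500) and ESP (IP protocol 50, which has no port of its own) only from an explicit list of peer addresses and drops and logs everything else of that kind. The peer 1.1.1.1 is taken from the thread; the 203.0.113.0/24 range and the object-group and ACL names are assumptions. Because an IKE negotiation terminates on the ASA itself rather than passing through it, the ACL is applied as a control-plane (to-the-box) rule; a plain "access-group ... in interface outside" only filters through-the-box traffic. Confirm that the control-plane keyword is available on your ASA release before relying on it.

```cisco
! Added example, not configuration from the thread. 1.1.1.1 comes from the
! thread; the 203.0.113.0/24 range and all names below are assumptions.
object-group network VPN-PEERS
 network-object host 1.1.1.1
 network-object 203.0.113.0 255.255.255.0
!
! Permit IKE/ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP (protocol 50) from the
! listed peers only. Explicit deny lines with "log" make rejected negotiation
! attempts visible in the syslog, e.g. 2.2.2.2 from the thread's example.
access-list OUTSIDE-VPN-PEERS extended permit udp object-group VPN-PEERS any eq isakmp
access-list OUTSIDE-VPN-PEERS extended permit udp object-group VPN-PEERS any eq 4500
access-list OUTSIDE-VPN-PEERS extended permit esp object-group VPN-PEERS any
access-list OUTSIDE-VPN-PEERS extended deny udp any any eq isakmp log
access-list OUTSIDE-VPN-PEERS extended deny udp any any eq 4500 log
access-list OUTSIDE-VPN-PEERS extended deny esp any any log
!
! IKE is terminated by the ASA itself (to-the-box traffic), so the ACL is
! bound with the control-plane keyword. Without it, the same access-group
! line only filters traffic passing through the firewall and the VPN
! negotiation from 2.2.2.2 would still be answered.
access-group OUTSIDE-VPN-PEERS in interface outside control-plane
```

To check it, "show access-list OUTSIDE-VPN-PEERS" should show hit counts on the permit lines when 1.1.1.1 connects and on the deny lines when 2.2.2.2 tries, and "show crypto isakmp sa" should list only the permitted peer. As Shaughn notes above, this does not stop a flood from reaching the outside interface; the ASA still receives and drops those packets. What it removes is the IKE processing and the authentication attempts that unwanted sources would otherwise be able to trigger.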
Received on Mon Dec 13 2010 - 11:35:16 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART