Re: ASA Easy VPN access problem

From: karim jamali <karim.jamali_at_gmail.com>
Date: Mon, 13 Dec 2010 11:47:13 +0300

Dear Mahmoud,

IPsec is a suite of protocols and not a single port. I believe you should deny ISAKMP
(UDP port 500); you can as well deny ESP (IP protocol 50) or AH (IP protocol
51), depending on which one you use. If you deny ISAKMP alone I guess it
should do the job.

Best Regards,
On Mon, Dec 13, 2010 at 11:35 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:

> The ISAKMP port that will be allowed on the firewall is UDP 500, am I
> right? But what is the IPsec port?
>
> Best Regards,
>
> ==============================
>
> Mahmoud Nossair
>
> *From:* Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> *Sent:* Monday, December 13, 2010 11:23 AM
> *To:* Mahmoud Nossair
> *Cc:* karim jamali; Cisco certification
> *Subject:* Re: ASA Easy VPN access problem
>
> A DDoS attack will happen in any event, whether you have an ACL or not. The
> DoS attack will target your outside IP address on the ASA, and the ASA will
> still have to process those packets, i.e. drop them according to the ACL.
>
> CCIE # 23962 (SP)
>
> On Mon, Dec 13, 2010 at 10:14 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
>
>
> This is my manager's policy that nobody can access our site unless he has a
> registered/static IP address; I think he is afraid of a DoS attack.
>
> Best Regards,
>
> ==============================
> Mahmoud Nossair
>
> -----Original Message-----
> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> Sent: Monday, December 13, 2010 11:09 AM
> To: karim jamali
> Cc: Mahmoud Nossair; Cisco certification
> Subject: Re: ASA Easy VPN access problem
>
> I am just trying to understand why you want to do that?
>
> Surely some of the remote users are going to have dynamic IP addresses from
> time to time.
>
> CCIE # 23962 (SP)
>
> Sent from my iPhone 4
>
> On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
> > Dear Mahmoud,
> >
> > Hope you are doing fine. I am sure there is a better way of implementing it
> > but a simple approach would be to put an ACL on the outside interface in the
> > incoming direction that will only allow ISAKMP/IPSec from certain peers
> > (public IP addresses) and all other ISAKMP/IPSec traffic will be dropped.
> > Remember to allow any incoming traffic in the ACL if needed, otherwise you
> > will fall to the "implicit deny".
> >
> > I am not sure if this is the best method, but I believe this should work.
> >
> > Best Regards,
> >
> > On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >
> >> Thanks for replying to me.
> >>
> >> My point is how can I allow only certain IPs or a subnet (public IPs) to be
> >> accepted as remote VPN users?
> >>
> >> For example, suppose you have a public IP "1.1.1.1" and I have IP address
> >> "2.2.2.2", and both you and I initiate a remote VPN access, but the ASA
> >> firewall will grant you access while dropping me.
> >>
> >> Best Regards,
> >>
> >> ==============================
> >>
> >> Mahmoud Nossair
> >>
> >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >> Sent: Monday, December 13, 2010 9:52 AM
> >> To: Mahmoud Nossair
> >> Cc: ccielab_at_groupstudy.com
> >> Subject: Re: ASA Easy VPN access problem
> >>
> >> I don't see the point. Only users who successfully authenticate can gain
> >> access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
> >> etc.?
> >>
> >> CCIE # 23962 (SP)
> >>
> >> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >>
> >>
> >> Dear Experts,
> >>
> >> I had configured an Easy VPN access to the Cisco ASA 5520, but the problem
> >> is anybody from the OUTSIDE can initiate a remote VPN access.
> >>
> >> So how can I restrict the access to only a HOST or IP subnet from the OUTSIDE
> >> interface? (i.e. nobody can initiate a remote VPN access unless explicitly
> >> permitted through an access list or any other method).
> >>
> >> Best Regards,
> >>
> >> ==============================
> >>
> >> Mahmoud Nossair
> >>
> >> CCIE network Engineer.
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > KJ
>

--
KJ
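To make the ACL idea in this thread concrete, here is an added first-match ACL model in Python (an illustration, not Cisco syntax and not from any poster): it permits the IPsec suite only from allow-listed public peers, denies it from everyone else, and lets everything unmatched fall to the implicit deny Karim mentions. UDP 4500 (NAT-T) is my addition and is not mentioned in the thread; the sample flows reuse Mahmoud's 1.1.1.1 / 2.2.2.2 example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

UDP, ESP, AH = 17, 50, 51   # IP protocol numbers; ESP 50 and AH 51 as in the thread
ISAKMP_PORT = 500           # ISAKMP over UDP, as in the thread
NAT_T_PORT = 4500           # assumption: NAT-T is not in the thread, but remote users
                            # behind NAT negotiate on it, so a real ACL must cover it

@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    src: str               # source in CIDR form; "0.0.0.0/0" means any
    proto: Optional[int]   # None means any IP protocol
    dport: Optional[int]   # destination port, only meaningful for UDP/TCP

IPSEC_SUITE = [(UDP, ISAKMP_PORT), (UDP, NAT_T_PORT), (ESP, None), (AH, None)]

def build_acl(allowed_peers: List[str], extra: Optional[List[Entry]] = None) -> List[Entry]:
    """Per-peer IPsec permits first, then a blanket IPsec deny, then whatever
    other inbound permits the site needs; anything unmatched is implicitly denied."""
    acl = [Entry("permit", peer, proto, port) for peer in allowed_peers for proto, port in IPSEC_SUITE]
    acl += [Entry("deny", "0.0.0.0/0", proto, port) for proto, port in IPSEC_SUITE]
    return acl + (extra or [])

def matches(e: Entry, src: str, proto: int, dport: Optional[int]) -> bool:
    if ip_address(src) not in ip_network(e.src):
        return False
    if e.proto is not None and e.proto != proto:
        return False
    return e.dport is None or e.dport == dport

def evaluate(acl: List[Entry], src: str, proto: int, dport: Optional[int] = None) -> str:
    """First matching entry wins; no match is the implicit deny Karim warns about."""
    for e in acl:
        if matches(e, src, proto, dport):
            return e.action
    return "deny (implicit)"

# Constructed sample of inbound flows on the outside interface: 1.1.1.1 is the
# permitted peer and 2.2.2.2 the one to drop, as in Mahmoud's example.
SAMPLE_FLOWS = [("1.1.1.1", UDP, ISAKMP_PORT), ("1.1.1.1", ESP, None),
                ("2.2.2.2", UDP, ISAKMP_PORT), ("2.2.2.2", ESP, None),
                ("203.0.113.9", 6, 443)]   # TCP/443: not IPsec, falls to implicit deny

if __name__ == "__main__":
    acl = build_acl(["1.1.1.1/32"])
    for src, proto, dport in SAMPLE_FLOWS:
        print(src, proto, dport, "->", evaluate(acl, src, proto, dport))
```

One caveat for the ASA specifically: an interface access-group filters through-the-box traffic, while IKE terminating on the firewall itself is to-the-box traffic, which newer releases filter with a control-plane ACL instead.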
Received on Mon Dec 13 2010 - 11:47:13 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART