Those are the correct ports, but anyone behind a NAT device will fail. You'll want to open UDP/4500 and TCP/10000 for future users and troubleshooting. I would look at possible sysopt commands to force ACL review, but if you enable it at the dynamic map, the firewall starts listening for IKE connections from anywhere. Another option is individual tunnel-groups for each static IP.
Probably the best option is to educate your manager. 
Sent from handheld 
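As an added illustration of the ACL approach discussed below, not configuration posted by anyone in this thread: a control-plane ACL on the ASA that lets only named peers bring up IKE/IPsec to its outside address. Interface ACLs on the ASA do not filter traffic addressed to the ASA itself, which is why the control-plane form of access-group is used here. The outside address 203.0.113.1, the peers 198.51.100.10 and 198.51.100.0/24, the interface name "outside" and the ACL name are placeholders.

```cisco
! Added example, not from the original thread. Placeholder addresses:
! ASA outside interface 203.0.113.1; permitted peers 198.51.100.10 and 198.51.100.0/24.
! Interface name "outside" and ACL name OUTSIDE-CONTROL-PLANE are assumptions.
object-group network VPN-PEERS
 network-object host 198.51.100.10
 network-object 198.51.100.0 255.255.255.0
!
! IKE (UDP/500), NAT-T (UDP/4500) and Cisco IPsec-over-TCP (TCP/10000, if enabled)
access-list OUTSIDE-CONTROL-PLANE extended permit udp object-group VPN-PEERS host 203.0.113.1 eq isakmp
access-list OUTSIDE-CONTROL-PLANE extended permit udp object-group VPN-PEERS host 203.0.113.1 eq 4500
access-list OUTSIDE-CONTROL-PLANE extended permit tcp object-group VPN-PEERS host 203.0.113.1 eq 10000
! The encrypted data channel (ESP, and AH if used) also terminates on the ASA
access-list OUTSIDE-CONTROL-PLANE extended permit esp object-group VPN-PEERS host 203.0.113.1
access-list OUTSIDE-CONTROL-PLANE extended permit ah object-group VPN-PEERS host 203.0.113.1
! Log anyone else trying to start a tunnel, so rejected peers show up in syslog
access-list OUTSIDE-CONTROL-PLANE extended deny udp any host 203.0.113.1 eq isakmp log
access-list OUTSIDE-CONTROL-PLANE extended deny udp any host 203.0.113.1 eq 4500 log
! Anything else addressed to the outside IP (ICMP, management, etc.) must be
! permitted here explicitly; the list ends in an implicit deny
access-list OUTSIDE-CONTROL-PLANE extended permit icmp any host 203.0.113.1 echo
!
! Interface access-groups do not inspect to-the-box traffic; the control-plane
! keyword applies this list to traffic destined to the ASA's outside address
access-group OUTSIDE-CONTROL-PLANE in interface outside control-plane
```

Users behind NAT that pass through this list still need NAT-T (UDP/4500), which is why it is permitted alongside UDP/500.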
On Dec 13, 2010, at 3:49 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
> Dear Mahmoud,
> 
> IPsec is a suite of protocols and not a single port. I believe you can deny ISAKMP
> (UDP port 500), and you can also deny ESP (IP protocol 50) or AH (IP protocol
> 51), depending on which one you use. If you deny ISAKMP alone, I guess it
> should do the job.
> 
> Best Regards,
> On Mon, Dec 13, 2010 at 11:35 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> 
>> The ISAKMP port that will be allowed on the firewall is UDP 500, am I
>> right? But what is the IPsec port?
>> 
>> Best Regards,
>> 
>> ==============================
>> Mahmoud Nossair
>> 
>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
>> Sent: Monday, December 13, 2010 11:23 AM
>> To: Mahmoud Nossair
>> Cc: karim jamali; Cisco certification
>> Subject: Re: ASA Easy VPN access problem
>> 
>> A DDoS attack will happen in any event, whether you have an ACL or not. The
>> DoS attack will target your outside IP address on the ASA, and the ASA will
>> still have to process those packets, i.e. drop them according to the ACL.
>> 
>> CCIE # 23962 (SP)
>> 
>> On Mon, Dec 13, 2010 at 10:14 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
>> 
>> This is my manager's policy: nobody can access our site unless he has a
>> registered/static IP address. I think he is afraid of a DoS attack.
>> 
>> Best Regards,
>> 
>> ==============================
>> Mahmoud Nossair
>> 
>> -----Original Message-----
>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
>> 
>> Sent: Monday, December 13, 2010 11:09 AM
>> To: karim jamali
>> Cc: Mahmoud Nossair; Cisco certification
>> Subject: Re: ASA Easy VPN access problem
>> 
>> I am just trying to understand why you want to do that?
>> 
>> Surely some of the remote users are going to have dynamic IP addresses from
>> time to time.
>> 
>> CCIE # 23962 (SP)
>> 
>> Sent from my iPhone 4
>> 
>> On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
>> 
>>> Dear Mahmoud,
>>> 
>>> Hope you are doing fine. I am sure there is a better way of implementing it,
>>> but a simple approach would be to put an ACL on the outside interface in the
>>> incoming direction that will only allow ISAKMP/IPsec from certain peers
>>> (public IP addresses); all other ISAKMP/IPsec traffic will be dropped.
>>> Remember to allow any incoming traffic in the ACL if needed; otherwise you
>>> will fall to the "implicit deny".
>>> 
>>> I am not sure if this is the best method, but I believe this should work.
>>> 
>>> Best Regards,
>>> 
>>> On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
>>> 
>>>> Thanks for replying to me.
>>>> 
>>>> My point is: how can I allow only certain IPs or a subnet (public IPs) to be
>>>> accepted as remote VPN users?
>>>> 
>>>> For example, suppose you have a public IP "1.1.1.1" and I have IP address
>>>> "2.2.2.2". Both you and I are initiating a remote VPN access, but the ASA
>>>> firewall will grant you access while dropping me.
>>>> 
>>>> Best Regards,
>>>> 
>>>> ==============================
>>>> Mahmoud Nossair
>>>> 
>>>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
>>>> Sent: Monday, December 13, 2010 9:52 AM
>>>> To: Mahmoud Nossair
>>>> Cc: ccielab_at_groupstudy.com
>>>> Subject: Re: ASA Easy VPN access problem
>>>> 
>>>> 
>>>> 
>>>> I don't see the point. Only users who successfully authenticate can gain
>>>> access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
>>>> etc.?
>>>> 
>>>> CCIE # 23962 (SP)
>>>> 
>>>> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
>>>> 
>>>> Dear Experts,
>>>> 
>>>> I have configured Easy VPN access on a Cisco ASA 5520, but the problem is
>>>> that anybody from the OUTSIDE can initiate a remote VPN access.
>>>> 
>>>> So how can I restrict the access to only a host or IP subnet from the OUTSIDE
>>>> interface? (i.e. nobody can initiate a remote VPN access unless explicitly
>>>> permitted through an access list or any other method).
>>>> 
>>>> Best Regards,
>>>> 
>>>> ==============================
>>>> Mahmoud Nossair
>>>> 
>>>> CCIE network Engineer.
>>>> 
>>>> 
>>>> Blogs and organic groups at http://www.ccie.net
>>>> 
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>> 
>>> 
>>> --
>>> KJ
> 
> --
> KJ
Received on Mon Dec 13 2010 - 14:38:26 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART