This is just not a good solution. I agree with Ryan - educate your manager!
:-)
Isn't that the job of an engineer anyway? ;-)
On Mon, Dec 13, 2010 at 2:38 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Those are the correct ports, but anyone behind a NAT device will fail.
> You'll want to open UDP/4500 and TCP/10000 for future users and
> troubleshooting. I would look at possible sysopt commands to force ACL
> review, but if you enable it at the dynamic map the firewall starts listening for IKE
> connections from anywhere. Another option is individual tunnel-groups for
> each static IP.
>
> Probably the best option is to educate your manager.
>
> Sent from handheld
>
> On Dec 13, 2010, at 3:49 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
> > Dear Mahmoud,
> >
> > IPSec is a suite of protocols and not a single port. I believe deny ISAKMP
> > (UDP Port 500); you can as well deny ESP (IP Protocol 50) or AH (IP Protocol
> > 51) depending on which one you use. If you deny ISAKMP alone I guess it
> > should do the job.
> >
> > Best Regards,
> > On Mon, Dec 13, 2010 at 11:35 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >
> >> The ISAKMP port that will be allowed on the firewall is UDP 500, am I
> >> right? But what is the IPsec port?
> >>
> >> Best Regards,
> >>
> >> ==============================
> >>
> >> Mahmoud Nossair
> >>
> >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >> Sent: Monday, December 13, 2010 11:23 AM
> >> To: Mahmoud Nossair
> >> Cc: karim jamali; Cisco certification
> >> Subject: Re: ASA Easy VPN access problem
> >>
> >> A DDOS attack will happen in any event, whether you have an ACL or not. The
> >> 'DOS' attack will target your outside IP address on the ASA and the ASA will
> >> still have to process those packets, i.e. drop them according to the ACL.
> >>
> >> CCIE # 23962 (SP)
> >>
> >> On Mon, Dec 13, 2010 at 10:14 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >>
> >> This is my manager's policy that nobody can access our site unless he has a
> >> registered/static IP address; I think he is afraid of a DOS attack.
> >>
> >> Best Regards,
> >>
> >> ==============================
> >> Mahmoud Nossair
> >>
> >> -----Original Message-----
> >> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >> Sent: Monday, December 13, 2010 11:09 AM
> >> To: karim jamali
> >> Cc: Mahmoud Nossair; Cisco certification
> >> Subject: Re: ASA Easy VPN access problem
> >>
> >> I am just trying to understand why you want to do that?
> >>
> >> Surely some of the remote users are going to have dynamic IP addresses from
> >> time to time.
> >>
> >> CCIE # 23962 (SP)
> >>
> >> Sent from my iPhone 4
> >>
> >> On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
> >>
> >>> Dear Mahmoud,
> >>>
> >>> Hope you are doing fine. I am sure there is a better way of implementing it
> >>> but a simple approach would be to put an ACL on the outside interface in the
> >>> incoming direction that will only allow ISAKMP/IPSec from certain peers
> >>> (public IP addresses) and all other ISAKMP/IPSec traffic will be dropped.
> >>> Remember to allow any incoming traffic in the ACL if needed, otherwise you
> >>> will fall to the "implicit deny".
> >>>
> >>> I am not sure if this is the best method, but I believe this should work.
> >>>
> >>> Best Regards,
> >>>
> >>> On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >>>
> >>>> Thanks for replying to me.
> >>>>
> >>>> My point is how can I allow only certain IPs or a subnet (public IPs) to be
> >>>> accepted as remote VPN users?
> >>>>
> >>>> For example, suppose you have a public IP "1.1.1.1" and I have IP address
> >>>> "2.2.2.2"; both you and I are initiating a remote VPN access, but the ASA
> >>>> firewall will grant you access while dropping me.
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> ==============================
> >>>>
> >>>> Mahmoud Nossair
> >>>>
> >>>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
> >>>> Sent: Monday, December 13, 2010 9:52 AM
> >>>> To: Mahmoud Nossair
> >>>> Cc: ccielab_at_groupstudy.com
> >>>> Subject: Re: ASA Easy VPN access problem
> >>>>
> >>>> I don't see the point. Only users who successfully authenticate can gain
> >>>> access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
> >>>> etc.?
> >>>>
> >>>> CCIE # 23962 (SP)
> >>>>
> >>>> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
> >>>>
> >>>> Dear Experts
> >>>>
> >>>> I had configured an Easy VPN access to the Cisco ASA 5520, but the problem
> >>>> is anybody from the OUTSIDE can initiate a remote VPN access.
> >>>>
> >>>> So how can I restrict the access to only a HOST or IP subnet from the OUTSIDE
> >>>> interface? (i.e. nobody can initiate a remote VPN access unless explicitly
> >>>> permitted through an access list or any method else).
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> ==============================
> >>>>
> >>>> Mahmoud Nossair
> >>>>
> >>>> CCIE network Engineer.
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>
> >>> --
> >>> KJ
> > --
> > KJ
--
CCIEx2 (R&S|Sec) #19963

Received on Mon Dec 13 2010 - 17:34:07 ART
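The restriction discussed in this thread (Karim's inbound ACL that permits ISAKMP/IPsec only from known peers, plus Ryan's note that peers behind NAT also need UDP/4500 and TCP/10000), as an added configuration example; it is not from any poster in the thread. The peer address 198.51.100.7 and the ASA outside address 203.0.113.10 are constructed placeholders from the RFC 5737 documentation ranges, and the ACL, object and object-group names are assumptions. One caveat a practitioner should know: an ordinary interface access-group on the ASA filters traffic passing through the firewall, not traffic addressed to the ASA itself, and IKE is addressed to the ASA; newer ASA releases add the control-plane keyword to access-group for exactly that to-the-box case, so the example uses it (confirm that your release supports it before relying on it).

```cisco
! Added example (not from the thread): restrict IKEv1 / Easy VPN peers on a
! Cisco ASA to known static addresses. All addresses are constructed placeholders.
!
! Remote peers allowed to bring up a VPN (constructed)
object-group network VPN_PEERS
 network-object host 198.51.100.7
!
! Management hosts that may still reach the ASA over SSH (constructed)
object-group network MGMT_HOSTS
 network-object host 198.51.100.20
!
! The ASA's own outside address (constructed placeholder)
object network ASA_OUTSIDE
 host 203.0.113.10
!
! To-the-box ACL: IKE (UDP/500), NAT-T (UDP/4500), ESP and Cisco IPsec-over-TCP
! (TCP/10000) from the listed peers only. Anything else aimed at the VPN ports
! is denied and logged, so unexpected initiators are visible in syslog.
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS object ASA_OUTSIDE eq isakmp
access-list OUTSIDE_CP extended permit udp object-group VPN_PEERS object ASA_OUTSIDE eq 4500
access-list OUTSIDE_CP extended permit esp object-group VPN_PEERS object ASA_OUTSIDE
access-list OUTSIDE_CP extended permit tcp object-group VPN_PEERS object ASA_OUTSIDE eq 10000
access-list OUTSIDE_CP extended deny udp any object ASA_OUTSIDE eq isakmp log
access-list OUTSIDE_CP extended deny udp any object ASA_OUTSIDE eq 4500 log
access-list OUTSIDE_CP extended deny esp any object ASA_OUTSIDE log
access-list OUTSIDE_CP extended deny tcp any object ASA_OUTSIDE eq 10000 log
!
! Anything else the ASA itself must accept on the outside (management here)
! has to be permitted explicitly; the implicit deny at the end drops the rest.
access-list OUTSIDE_CP extended permit tcp object-group MGMT_HOSTS object ASA_OUTSIDE eq ssh
!
! Apply as a control-plane ACL: the form that matches traffic destined to the
! ASA itself (assumption: this ASA release supports the control-plane keyword).
access-group OUTSIDE_CP in interface outside control-plane
!
! Verify: hit counts on the deny lines show how many unknown peers were refused.
show access-list OUTSIDE_CP
```

Because only the listed peers can complete IKE, remote users on dynamic addresses (Shaughn's objection) are locked out until their current address is added to VPN_PEERS; the per-peer tunnel-group approach Ryan mentions is the alternative if that churn becomes a problem.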