Thanks for the link.
This seems to be the exact same syntax as a source NAT. I don't think I see the difference.
I have provided the Cisco example below (modified to contain all hosts for simplicity).
access-list NET1 permit ip 10.1.2.1 209.165.201.1
static (inside,outside) 209.165.202.128...
I need to perform a Destination Nat from only 1 source.
For example, when coming from 192.168.2.1 going to 172.16.54.1, I would like the destination natted to 10.51.1.5. I know how to perform a destination nat for ALL sources but cannot seem to make this work from only 1 or limited sources...
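The translation asked about in the post above, as an added example that is not from the post or from Cisco's documentation. It uses the pre-8.3 PIX/ASA policy static NAT form (static with an access-list, the same construct as the Cisco example quoted earlier) and assumes 192.168.2.1 is reached through an interface named "outside" and 10.51.1.5 sits behind "inside"; the ACL name is a placeholder.

```cisco
! Added example, not from the post. Assumes PIX 7.x / ASA up to 8.2 NAT syntax,
! 192.168.2.1 reachable via "outside", 10.51.1.5 on "inside", ACL name is a placeholder.
!
! Policy static NAT: the ACL names the REAL inside host as source and the single
! remote host as destination; the static statement names the MAPPED address.
access-list DNAT_FROM_ONE_HOST extended permit ip host 10.51.1.5 host 192.168.2.1
static (inside,outside) 172.16.54.1 access-list DNAT_FROM_ONE_HOST
!
! Only traffic between 192.168.2.1 and 172.16.54.1 is translated to 10.51.1.5;
! any other source reaching 172.16.54.1 gets no translation from this entry.
! Check the resulting translation and walk a packet through it:
show xlate
packet-tracer input outside tcp 192.168.2.1 12345 172.16.54.1 3389
```

Two caveats for this syntax: static statements are matched in the order they appear in the configuration, so this one has to precede any broader static covering 172.16.54.1, and on 8.2 and earlier the inbound access-list on outside is written against the mapped address 172.16.54.1, not the real 10.51.1.5. The mapped address must also be routed to (or proxy-ARPed by) the outside interface.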
Will the default gateway be changing?
If not, you should be OK.
If you have to change the gateway and outside IP, you will have to either access the firewall from a different interface or use console access.
www.NetLeets.com
IT Security news and information
In plain English
Have you tried creating a capture to see if the packets are reaching? I presume nothing in the logs.
The Checkpoint is supernetting. This is classic Checkpoint behavior. Whenever multiple encryption domains are used, and the VPN only works to the CP but not from it, it is supernetting. There are several ways they can address the issue on their side including changing the negotiation to per host...
I believe in 7.x (definitely in 8.x) FQDN-based VPN tunnels are supported. That, in conjunction with Dynamic DNS, will solve your issue and will allow the VPN to be initiated on either side.
What about the destination address? Does he have a local route on his PC for the network he is trying to RDP to? Is split tunneling being used? If so, does everything work when split tunneling is turned off? If split tunneling is not used, I would consider IPsec debugging to see if his requests...
If ISAKMP shows QM_Idle, I doubt there will be an IPSEC SA.
Have you tried clearing the ISAKMP SA? After clearing the tunnel on both sides, turn on debugging (debug crypto isakmp 5). Paste a scrubbed version of the debug output in this forum. It would be best if the tunnel were initiated on the...
ASA uses the same command structure; it is just more UTM centric. And PDM (the PIX web interface) has been replaced with ASDM, which can be used as a client or web management utility. It is way more robust than PDM.
You can use a private IP using the alias command. That was designed specifically for public web servers that need to be accessed internally.
Try turning on VPN debugging (debug crypto ipsec 255).
I do not see your VPN termination command:
"isakmp enable outside"
This specifies what interface can terminate tunnels.
I do see the crypto map interface designation however.
Not sure if this link is any help to you...
When the interface disappears, are you able to reach the device (either via console or another mgmt interface)? If so, I would set up a capture on the external interface to see if you are getting ARP responses from the router. My guess is it is not responding to ARP after a while. Also check your...
The alias command was created for that purpose.
I am not in front of an ASA right now but the syntax is something like:
alias (inside) <public_ip> <private_ip>
The bad news: Your brand new Cisco VPN client CD does not contain a VPN client.
The Good news: you get 12 free songs for your iPod
Check out the whole story:
http://netleets.com/2008/10/ciscovpn.htm
This is performed with Application Layer Gateways.
1. Define a class-map – This defines the "match" conditions. In other words, this specifies what traffic will be flagged for this security policy.
2. Create a policy-map – set conditions, send to IPS, set priority, etc. In other words...
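The two steps above, carried through to a complete Modular Policy Framework configuration, as an added example that is not from the post. It assumes an ASA with an interface named "outside" and an AIP-SSM module (required for the "ips" action); the 10.1.1.0/24 range, ports and names are placeholders.

```cisco
! Added example, not from the post. Assumes an ASA with interface "outside"
! and an AIP-SSM for the "ips" action; addresses, ports and names are placeholders.
!
! Step 1 - class-maps: the "match" conditions that select traffic.
access-list WEB_TO_DMZ extended permit tcp any 10.1.1.0 255.255.255.0 eq 80
class-map WEB_TO_DMZ_CLASS
 match access-list WEB_TO_DMZ
!
class-map VOICE_CLASS
 match dscp ef
!
! Step 2 - policy-map: the actions applied to each matched class
! (inspection, connection limits, send to IPS, priority queuing).
policy-map OUTSIDE_POLICY
 class WEB_TO_DMZ_CLASS
  inspect http
  set connection conn-max 2000 embryonic-conn-max 500
  ips inline fail-open
 class VOICE_CLASS
  priority
!
! "priority" only takes effect if the interface has a priority queue.
priority-queue outside
!
! Step 3 - service-policy: bind the policy-map to the interface.
service-policy OUTSIDE_POLICY interface outside
```

Choosing fail-open on the ips action means traffic keeps flowing if the sensor module fails; fail-close is the safer setting where blocking an outage is acceptable. Confirm what is actually being matched with show service-policy interface outside.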
Aggressive mode is an option, though I am not a big fan. Also, take precautions on the server, such as increasing the session timeouts, retries, etc. It all depends on how fickle the application is. That's why higher priority protocols don't work well with VPN. Imagine talking to someone on a...
I figured out what was wrong. The event ID indicates that the sequence number for the latest heartbeat did not match the previous heartbeat. So it assumed that it lost all packets between the missing sequence numbers.
Cisco does not advise using the same interface for sync and failover. As soon as you have issues, they will ask you to change it back.