Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
-
IOS Version 7.0 is released
snootalope, You can get around that MSS exceeded error by creating a tcp map that allows MSS exceeded packets to be passed through instead of dropped at the interface. just make sure to apply the class map to a group policy.- Gungnir77
- Post #16
- Forum: Security, hacker detection & forensics
-
IOS Version 7.0 is released
It is a bug, and it wll be fixed in future releases. The decision to go to standard access lists makes sense, but the problem with the upgrade not converting extended to standard was un intended. But for now, the best I can do is get the word out.- Gungnir77
- Post #15
- Forum: Security, hacker detection & forensics
-
IOS Version 7.0 is released
Ixleplix sorry to hear TAC didn't get back to you, I work on Cisco TAC's advanced security team (One of them anyhow). one thing that happens when you upgrade to 7.0 is that your split tunnel acl's don't get carried over correctly. In PIX 6.3 you can use extended acl's , but in 7.0, only...- Gungnir77
- Post #11
- Forum: Security, hacker detection & forensics
-
Site to site VPN only one side can initiate
Odds are , the access list for interesting traffic on your crypto map isn't set up correctly on the side that can't pass the traffic. Check to make sure both side agree on what exactly the interesting traffic should be. Gungnir77 CCNP, Cisco TAC Security Team- Gungnir77
- Post #4
- Forum: Security, hacker detection & forensics
-
VPN inconsistancy
You need to implement NAT-Traversal on both sides of the tunnel. This will allow IPSec over UDP, which is necessary for VPNs from behind NATed or PATed addresses. Gungnir77 CCNP, Cisco TAC security team- Gungnir77
- Post #2
- Forum: Security, hacker detection & forensics
-
InterVlan Routing
It does, but you need to make sure the physical interface is assigned to a VLAN that is not the same as the native vlan the the switch on the other side uses. By default the traffic leaves the interface untagged, even if the logical interfaces are assigned to a specific vlan. The idea is to...- Gungnir77
- Post #2
- Forum: Security, hacker detection & forensics
-
VPN Client Issue
Nat-traversal is needed when they are making a VPN connection from inside a firewall (or router) that is tanslating their address to the outside. Your firewall sees their connection request as coming from their public address, not their inside address. nat-t allows IPSec over UDP allowing for...- Gungnir77
- Post #5
- Forum: Security, hacker detection & forensics
-
Nat inside VPN Tunnel with Pix
Also be aware that if you need to implement a VPN tunnel using a NATed address you need to configure NAT-Traversal, (UDP over IPSec) to get traffic to work Gungnir77 CCNP, Advanced Security team at Cisco TAC- Gungnir77
- Post #4
- Forum: Security, hacker detection & forensics
