Wednesday, June 24, 2009

firewall-wizards Digest, Vol 38, Issue 13

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: VPN and XP Firewall GPO settings (Chris Hughes)
2. Pix 520 tunnels (Halchishak, John)
3. Re: firewall-wizards Digest, Vol 38, Issue 11 (Paul Hutchings)
4. Re: Pix 520 tunnels (Farrukh Haroon)
5. Re: Pix 520 tunnels (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Tue, 23 Jun 2009 06:54:13 -0400
From: "Chris Hughes" <chughes@l8c.com>
Subject: Re: [fw-wiz] VPN and XP Firewall GPO settings
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <85D7476F7BB04789B8AFF6768BD591B0@Acer>
Content-Type: text/plain; charset="us-ascii"

I'm with Victor: disable split tunneling. I used to have connectivity issues
using Juniper Network Connect VPN with no split tunneling. Very poor
implementation. Certain drivers used by the clients were causing repeated
connection resets, and disaster seemed imminent during rollout. Juniper was
not forthcoming on this issue. Only after compiling a list of all the
drivers/apps that cause this was I able to settle down the problem. If you
are interested I can share my list of apps/processes.

We don't use XP firewalling. Instead we use the ISS IDS client on all
machines. Nice product, lots of control/forensics.


------------------------------

Message: 2
Date: Tue, 23 Jun 2009 09:08:48 -0700
From: "Halchishak, John" <jhalchishak@ciber.com>
Subject: [fw-wiz] Pix 520 tunnels
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<B4B3243C3166D542AE4F794A25B248C801091A4A@cbrex.ciber-az.com>
Content-Type: text/plain; charset="us-ascii"

We have two PIX 520s (actually three, one failover) that I'm trying to
set up multiple tunnels on. The two office locations have a tunnel up
between them with two peer addresses on the main end and a single one on the
other. We need to establish other tunnels at various times to
clients. I can't seem to get a second tunnel up without adding it to the
existing named tunnel config as a third peer, and even then it tends to
flap our tunnel between the offices. Is there some way to accomplish
this scenario without causing our tunnel problems?

John Halchishak
14746 N. 78th Way
Scottsdale, AZ 85260
480-624-4927
480-621-2252 wc
623-505-8905 pc


------------------------------

Message: 3
Date: Tue, 23 Jun 2009 17:54:16 +0100
From: Paul Hutchings <paul@spamcop.net>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 38, Issue 11
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <7FCA12B9-1664-48A2-BA7D-438AC42ABB58@spamcop.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

I have split tunnelling disabled, but being frank my low-level
knowledge of TCP/IP isn't sufficient to know if it's sufficient
mitigation for the lack of a software firewall.

Frustratingly, the Juniper Host Checker comes with a firewall but you
need admin rights simply to enable/disable that component.

Cheers,
Paul

On 22 Jun 2009, at 20:42, rjdriscoll@comcast.net wrote:

> Are you allowing split tunneling? I have worked at companies that
> have disabled split tunneling, which in effect turned off routing
> except through the VPN server. We then would check for things like
> current AV defs and patch compliance.
>
>
> ----- Original Message -----
> From: firewall-wizards-request@listserv.icsalabs.com
> To: firewall-wizards@listserv.icsalabs.com
> Sent: Monday, June 22, 2009 9:00:03 AM GMT -08:00 US/Canada Pacific
> Subject: firewall-wizards Digest, Vol 38, Issue 11
>
>
> Message: 1
> Date: Sat, 20 Jun 2009 18:30:49 +0100
> From: Paul Hutchings <paul@spamcop.net>
> Subject: [fw-wiz] VPN and XP Firewall GPO settings
> To: Firewall Wizards Security Mailing List
> <firewall-wizards@listserv.icsalabs.com>
> Message-ID: <DF4421BD-AB92-4055-A5D4-370E73D13981@spamcop.net>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> Folks hoping for a little input here:
>
> We have a Juniper SSL VPN that has Network Connect functionality. We
> have our Group Policies configured so that when onsite XP firewall is
> disabled, when offsite XP firewall is enabled.
>
> It seems what's happening when people use the Network Connect
> functionality of the VPN is that XP is detecting that it has
> connectivity to the LAN and the domain controllers/DNS boxes and is
> switching from the "Standard Profile" to the "Domain Profile" and
> dropping the firewall, which is of course unacceptable (I accept it's
> behaving by design so it's not really a criticism of Microsoft).
>
> What do people do to work around this kind of issue? I guess a group
> policy for laptops that enables the firewall even when on the domain
> is one option, and I've opened a case with JTAC in case I'm missing
> something on the SA config.
>
> Thanks.
>


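A practical way to answer the question Paul raises above (whether "no split tunneling" is enough on its own) is to look at what the client's route table actually does once the tunnel is up. The following is an added example, not code from any of the posters or from Juniper: it parses a constructed, abbreviated Windows-style IPv4 route table, works out which interface each probe destination would leave through, and lists the subnets that remain reachable outside the tunnel. The addresses, the VPN adapter address and both route tables are assumptions constructed for illustration.

```python
import ipaddress

# Added example (not from the thread): abbreviated IPv4 route tables in the
# style of Windows "route print", constructed for illustration. Columns are
# destination, netmask, gateway, interface address, metric.
# Table 1: the VPN client has pushed a default route over the tunnel adapter
# (no split tunneling); the physical NIC's default route survives with a worse metric.
FULL_TUNNEL = """\
0.0.0.0        0.0.0.0          10.200.0.1    10.200.0.57   1
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.23  30
10.200.0.0     255.255.0.0      10.200.0.57   10.200.0.57   1
127.0.0.0      255.0.0.0        127.0.0.1     127.0.0.1     1
192.168.1.0    255.255.255.0    192.168.1.23  192.168.1.23  30
192.168.1.23   255.255.255.255  127.0.0.1     127.0.0.1     30
224.0.0.0      240.0.0.0        192.168.1.23  192.168.1.23  30
"""

# Table 2: split tunneling allowed; only the corporate 10.200.0.0/16 goes via the tunnel.
SPLIT_TUNNEL = """\
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.23  30
10.200.0.0     255.255.0.0      10.200.0.57   10.200.0.57   1
127.0.0.0      255.0.0.0        127.0.0.1     127.0.0.1     1
192.168.1.0    255.255.255.0    192.168.1.23  192.168.1.23  30
192.168.1.23   255.255.255.255  127.0.0.1     127.0.0.1     30
224.0.0.0      240.0.0.0        192.168.1.23  192.168.1.23  30
"""

VPN_ADAPTER = "10.200.0.57"   # assumed address of the VPN virtual adapter

def parse_routes(text):
    """Turn the five-column table into route dicts; ignores headers and blank lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        routes.append({
            "network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes

def best_route(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins (what the IP stack does)."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r["network"]]
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def leaves_via_vpn(routes, vpn_adapter, destinations):
    """Map each probe destination to True if it would be sent through the VPN adapter."""
    return {dst: best_route(routes, dst)["interface"] == vpn_adapter for dst in destinations}

def subnets_bypassing_vpn(routes, vpn_adapter):
    """Connected or static subnets still reachable outside the tunnel.

    Default routes are ignored here (leaves_via_vpn judges those with a probe);
    loopback, multicast and host routes are noise for this question."""
    found = []
    for r in routes:
        net = r["network"]
        if r["interface"] == vpn_adapter or net.prefixlen in (0, 32):
            continue
        if net.is_loopback or net.is_multicast:
            continue
        found.append(str(net))
    return found

if __name__ == "__main__":
    probes = ["198.51.100.7", "10.200.5.9", "192.168.1.50"]   # internet, corporate, local LAN
    for label, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        routes = parse_routes(table)
        print(label, leaves_via_vpn(routes, VPN_ADAPTER, probes),
              "outside tunnel:", subnets_bypassing_vpn(routes, VPN_ADAPTER))
```

With split tunneling disabled the default route moves onto the VPN adapter, but the directly connected local subnet (the hotel or home LAN, 192.168.1.0/24 in the constructed table) typically stays in the table, so neighbours on that LAN can still reach the laptop directly and the laptop will answer them outside the tunnel. That is the gap a host firewall covers that a full tunnel does not.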
------------------------------

Message: 4
Date: Wed, 24 Jun 2009 09:24:34 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Pix 520 tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<eff3217d0906232324u642f13cav693bf05d796edab7@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Hello John

You need to make sure that the dynamic crypto map entry is higher than the
static crypto map(s).

Please have a look at the below link:

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_Site-to-Site_VPN_client_connection_on_the_same_PIX

Regards

Farrukh
On Tue, Jun 23, 2009 at 7:08 PM, Halchishak, John <jhalchishak@ciber.com> wrote:

> We have two pix (actually three, one failover) 520s that I'm trying to
> setup multiple tunnels. The two office locations have a tunnel up between
> them with 2 peer address on the main end and a single on the other. We have
> need to establish other tunnels at various times to clients. I can't seem to
> get a second tunnel up without adding it to the existing named tunnel config
> as a third peer and even then it tends to flap our tunnel between the
> offices. Is there some way to accomplish this scenario without causing our
> tunnel problems?
>
> John Halchishak
> 14746 N. 78th Way
> Scottsdale, AZ 85260
> 480-624-4927
> 480-621-2252 wc
> 623-505-8905 pc

------------------------------

Message: 5
Date: Wed, 24 Jun 2009 07:47:36 -0400
From: Paul Melson <pmelson@gmail.com>
Subject: Re: [fw-wiz] Pix 520 tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<40ecb01f0906240447n1d4a05c8te52e33c810f621c6@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

On Tue, Jun 23, 2009 at 12:08 PM, Halchishak, John <jhalchishak@ciber.com> wrote:
> We have two pix (actually three, one failover) 520s that I'm trying to setup
> multiple tunnels. The two office locations have a tunnel up between them
> with 2 peer address on the main end and a single on the other. We have need
> to establish other tunnels at various times to clients. I can't seem to get
> a second tunnel up without adding it to the existing named tunnel config as
> a third peer and even then it tends to flap our tunnel between the offices.
> Is there some way to accomplish this scenario without causing our tunnel
> problems?

Yes. I'm betting that the problem is in the way you have the
crypto-map match access-lists configured. Seeing the config would be
helpful in diagnosing the issue.

You may also have a problem with the actual version of PIX OS you're
running. Also, at this point, since the 520s are so old that their
replacement model (525) has been end-of-life for 2 years, replacing
them is pretty much imminent. And since the ASAs have all new VPN
code (based on the VPN3K), mesh and hub-and-spoke VPN tunnels work a lot
better.

PaulM
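Both replies to John point at the same mechanism: the order in which the PIX walks the crypto map and what each entry's match ACL covers. The following is an added example, not code from either poster or from Cisco: a small model of that walk, with a check that reports ACEs shadowed by an earlier entry and a dynamic entry that is not last, plus a renderer that prints the corrected entries in PIX 6.x crypto map syntax. The subnets, peer addresses and map names are assumptions constructed for illustration, and transform sets and ISAKMP settings are left out.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the thread: a model of how a PIX/ASA walks a crypto map.
# Outbound traffic is matched against static entries in ascending sequence number;
# the first entry whose "match address" ACL permits the flow owns it and its
# "set peer" list is used (peers are tried in order). Dynamic entries cannot
# initiate; they only accept inbound negotiations, so they belong at the highest
# sequence number. All addresses and names below are constructed for illustration.

@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class Entry:
    seq: int
    name: str
    peers: list   # "set peer" addresses, tried in order
    acl: list     # "match address" ACEs; empty for a dynamic entry
    dynamic: bool = False

def acl_permits(acl, src, dst):
    return any(src in a.src and dst in a.dst for a in acl)

def select_entry(crypto_map, src, dst):
    """Return the static entry that would carry src->dst, or None if no entry matches."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if not entry.dynamic and acl_permits(entry.acl, src, dst):
            return entry
    return None

def audit(crypto_map):
    """Flag ACEs shadowed by an earlier entry and dynamic entries that precede static ones."""
    findings = []
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    statics = [e for e in ordered if not e.dynamic]
    for i, later in enumerate(statics):
        for earlier in statics[:i]:
            for ace in later.acl:
                if any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst) for e in earlier.acl):
                    findings.append(f"seq {later.seq} ({later.name}): {ace.src}->{ace.dst} "
                                    f"is shadowed by seq {earlier.seq} ({earlier.name})")
    for d in ordered:
        if d.dynamic and any(s.seq > d.seq for s in statics):
            findings.append(f"dynamic seq {d.seq} ({d.name}) is evaluated before a static "
                            f"entry; move it to the highest sequence number")
    return findings

def render(crypto_map, map_name="outside_map"):
    """Emit PIX 6.x-style crypto map lines for the entries (transform sets omitted)."""
    lines = []
    for e in sorted(crypto_map, key=lambda e: e.seq):
        if e.dynamic:
            lines.append(f"crypto map {map_name} {e.seq} ipsec-isakmp dynamic {e.name}")
            continue
        lines.append(f"crypto map {map_name} {e.seq} ipsec-isakmp")
        lines.append(f"crypto map {map_name} {e.seq} match address acl_{e.name}")
        lines.append(f"crypto map {map_name} {e.seq} set peer {' '.join(e.peers)}")
    return lines

OFFICE_A = ipaddress.IPv4Network("10.1.0.0/16")    # assumed main-office LAN
OFFICE_B = ipaddress.IPv4Network("10.2.0.0/16")    # assumed second-office LAN
CLIENT_X = ipaddress.IPv4Network("10.50.0.0/16")   # assumed client LAN

# The shape described in the thread: the client's peer bolted onto the office
# entry as a third peer, behind an ACL broad enough to swallow the client's subnet,
# plus a dynamic entry that was given a low sequence number.
BROKEN = [
    Entry(5, "dyn_roaming", [], [], dynamic=True),
    Entry(10, "offices", ["203.0.113.10", "203.0.113.11", "198.51.100.5"],
          [Ace(OFFICE_A, ipaddress.IPv4Network("10.0.0.0/8"))]),
    Entry(20, "client_x", ["198.51.100.5"], [Ace(OFFICE_A, CLIENT_X)]),
]

# One entry per peer, non-overlapping ACLs, dynamic entry last.
FIXED = [
    Entry(10, "office_b", ["203.0.113.10", "203.0.113.11"], [Ace(OFFICE_A, OFFICE_B)]),
    Entry(20, "client_x", ["198.51.100.5"], [Ace(OFFICE_A, CLIENT_X)]),
    Entry(65535, "dyn_roaming", [], [], dynamic=True),
]

if __name__ == "__main__":
    for label, cmap in (("broken", BROKEN), ("fixed", FIXED)):
        owner = select_entry(cmap, "10.1.4.4", "10.50.1.1")
        print(label, "client traffic owned by seq", owner.seq, "first peer", owner.peers[0])
        for finding in audit(cmap):
            print(label, "finding:", finding)
    print("\n".join(render(FIXED)))
```

Run it and the broken map hands the client's traffic to the office entry (first peer 203.0.113.10, which is office B), so one entry ends up trying to serve two different far ends; the audit reports the shadowed client ACE and the misplaced dynamic entry. The fixed map gives each peer its own entry and a disjoint ACL and leaves the dynamic entry at 65535 so it is consulted only after every static entry has been tried.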


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 13
************************************************