Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SV: Cisco VPN Client Behind Firewall

from [Jan Nielsen] Network Security [Permanent Link]
Subject: SV: Cisco VPN Client Behind Firewall
Date: Tue, 20 Dec 2005 19:40:01 +0100 
Well, that really depends on a few things, I don't know
sidewinder,symantec,netscreen vpn specifics.....but, I know this :

If a manufaturer follows the IPSec "standard" it will require Port 500 UDP
(ike) outgoing, Protocol 50/51 (esp/ah) and many firewalls will have
problems with this if you are using port translation (many-to-one NAT), that
is pretty much always an issue with legacy ipsec implementations, nowadays
ppl use udp and tcp encapsulation of the encrypted data on some specific
ports, Cisco vpn3000 uses udp 500 and 10000 per default, but can be
configured for many other ports. Checkpoint uses a bunch of ports for
different things, as listed here :
http://www.fw-1.de/aerasec/ng/ports-ng.html

Also newer standards like NAT Traversal attempt to implement encapsulation
standards (RFCs 3947 and 3948), NAT-T uses udp 4500.

Many times it is my experience that VPN's cause problems mainly when devices
are behind nat and doing legacy ipsec tunneling, other than that I have
pretty much only had problems with interoperability between vendors and
stupid typos in configs.

Regards,
Jan

We recently rolled out a remote access tool that requires the Cisco VPN

Client.


It is working all over the world with no issues.....except for some

personnel we have on vendor/customer sites which are behind another
companies
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Cisco VPN Client Behind Firewall, Meidinger Chris
Next by Date:  Re: Firewall DMZs, Bill Stout
Previous by Thread:  Cisco VPN Client Behind Firewall, Richard St John
Next by Thread:  Re: Cisco VPN Client Behind Firewall, Volker Tanger
Indexes:  [Date] [Thread] [Top] [All Lists]