
RE: Enterprise Firewall Appliances

Subject: RE: Enterprise Firewall Appliances
Date: Fri, 7 Apr 2006 16:24:37 -0400
Hi Dan,
 
I have experienced a similar scenario. PIX firewall VPN tunnels to Netscreen 
drop other tunnels on the PIX each time we add a new VPN tunnel on the PIX. 
Whenever you add a new tunnel, you must remove and add back crypto map Map_NS 
interface outside. 
 
Solution: Disable PFS if you have it enabled.
 
Elias

________________________________

From: Daniel Martinez Moreno [mailto:dmartinezm@prodigy.net.mx]
Sent: Thu 4/6/2006 7:40 PM
To: firewalls@securityfocus.com
Subject: RE: Enterprise Firewall Appliances



Hi all, I'm trying to establish a VPN between a Netscreen firewall and a Cisco 
PIX. I have passed phase 1, but when phase 2 is done, another 
VPN that I have on the PIX goes down.

Do you know what the problem could be?

 

Here is a piece of the PIX configuration.

 

crypto ipsec transform-set mio esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FW_NS esp-3des esp-sha-hmac
crypto dynamic-map clientes 50 set transform-set mio
crypto dynamic-map outside_dyn_map 50 set transform-set mio
crypto dynamic-map outside_dyn_map 70 match address outside_cryptomap_dyn_70
crypto dynamic-map outside_dyn_map 70 set transform-set mio
crypto map mapName 65535 ipsec-isakmp dynamic clientes
crypto map mexico 20 ipsec-isakmp
crypto map mexico 20 match address outside_cryptomap_20
crypto map mexico 20 set peer X.X.X.X
crypto map mexico 20 set transform-set ESP-3DES-SHA mio
crypto map mexico 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mexico 30 ipsec-isakmp
crypto map mexico 30 match address outside_cryptomap_30
crypto map mexico 30 set peer X.X.X.X
crypto map mexico 30 set transform-set mio
crypto map mexico 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Map_NS 40 ipsec-isakmp
crypto map Map_NS 40 match address VPN_TlaneNS
crypto map Map_NS 40 set pfs group2
crypto map Map_NS 40 set peer X.X.X.X
crypto map Map_NS 40 set transform-set FW_NS
crypto map Map_NS interface outside
isakmp enable outside
isakmp key * address X.X.X.X netmask 255.255.255.255 no-xauth
isakmp key * address X.X.X.X netmask 255.255.255.255 no-xauth
isakmp key * address X.X.X.X netmask 255.255.255.255 no-xauth
isakmp key * address X.X.X.X netmask 255.255.255.255 no-xauth
isakmp key * address X.X.X.X netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash sha
isakmp policy 70 group 2
isakmp policy 70 lifetime 28800
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption 3des
isakmp policy 90 hash sha
isakmp policy 90 group 2
isakmp policy 90 lifetime 3600

 

Thanks

Ing. Daniel Martínez M.

dmartinezm@prodigy.net.mx
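
A check that can be run on a config excerpt like the one quoted above, added here as an example and not written by either poster: it groups the `crypto map` entries by map name, records which map is bound to each interface, and lists the entries that set PFS. It relies on the fact that a PIX interface holds one crypto map at a time, so a later `interface` binding replaces an earlier one; the function name `audit` and the sample text (a subset of the quoted lines) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the thread above.
SAMPLE = """\
crypto map mexico 20 ipsec-isakmp
crypto map mexico 20 match address outside_cryptomap_20
crypto map mexico 20 set peer X.X.X.X
crypto map mexico 30 ipsec-isakmp
crypto map mexico 30 set peer X.X.X.X
crypto map mexico 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Map_NS 40 ipsec-isakmp
crypto map Map_NS 40 set pfs group2
crypto map Map_NS 40 set peer X.X.X.X
crypto map Map_NS interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")      # numbered map entry
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")  # map applied to an interface

def audit(config):
    """Return (entries, bindings, unbound, pfs) for PIX 'crypto map' lines."""
    entries = defaultdict(set)  # map name -> sequence numbers defined under it
    bindings = {}               # interface -> map name (a later binding replaces an earlier one)
    pfs = {}                    # (map name, seq) -> group keyword, or "default"
    for raw in config.splitlines():
        line = raw.strip()
        m = BIND.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # not a crypto map line (isakmp, transform-set, ...)
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entries[name].add(seq)
        if rest.startswith("set pfs"):
            pfs[(name, seq)] = " ".join(rest.split()[2:]) or "default"
    # Maps that have entries but are not applied to any interface in this excerpt.
    unbound = sorted(set(entries) - set(bindings.values()))
    return dict(entries), bindings, unbound, pfs

if __name__ == "__main__":
    entries, bindings, unbound, pfs = audit(SAMPLE)
    for iface, name in bindings.items():
        print(f"interface {iface}: crypto map {name}, entries {sorted(entries[name])}")
    for name in unbound:
        print(f"crypto map {name}: entries {sorted(entries[name])} not bound in this excerpt")
    for (name, seq), group in pfs.items():
        print(f"crypto map {name} {seq}: PFS {group}")
```

Because the poster shared only a piece of the configuration, an "unbound" result means the binding is absent from the excerpt, which should be confirmed against the full running config.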

 
