Cisco vpn server enabled / VPN and no-VPN connections mix

Post by warpda » Fri, 21 May 2004 00:51:09


Hi guys,

My request might seem confusing, but I have a problem with one of my
unix systems: this is an old telecom box that we are not allowed to
tweak, and no ssh connections are possible with it. The problem is
that when the vendor needs to access it for maintenance (via telnet or
ftp), they send the login and password crystal clear over the network,
which is not allowed anymore by our management.

We thought of installing a VPN-server-enabled router in front of the box
to be able to secure the connections to it, but I have an issue: I do
not want to encrypt all the connections to this box, since this box
has to "talk" with other equipment on the network (specific protocols
and specific ports, no telnet-like apps involved here).

My question is then: on my router, can I restrict some ports (such as
telnet or ftp) to VPN-only connections, while other ports would
be routed normally (i.e. not encrypted)?

Thanks for your help,

- David
 
Post by Ivan Ostre » Fri, 21 May 2004 04:58:42

In article < XXXX@XXXXX.COM >,
XXXX@XXXXX.COM says...

Yes, when you specify "interesting traffic" for VPN, permit just telnet
port, and deny others.

--Ivan

 
Post by roberso » Fri, 21 May 2004 05:29:10

In article < XXXX@XXXXX.COM >,

:In article < XXXX@XXXXX.COM >,
: XXXX@XXXXX.COM says...
:> My question is then : on my router, can I restrict some ports (such as
:> telnet or ftp) to vpn only allowed connections, and other ports would
:> be routed normally (ie not encrypted)?


:Yes, when you specify "interesting traffic" for VPN, permit just telnet
:port, and deny others.

That's not supported on the PIX; I don't know if any IOS release supports
it. It is something that is allowed under the IPSec protocols, but marked
as being optional to support.

:>I do
:> not want to encrypt all the connections to this box, since this box
:> has to "talk" with other equipments on the network (specific protocols
:> and specific ports, no telnet-like apps involved here).

If you can nail down an IP address source range from the manufacturer,
then have your crypto map ACL only match on that range; anything not
going between those defined endpoints wouldn't be protected.

If you can't nail down an IP address source range from the manufacturer,
you could perhaps use the Easy VPN feature. With Easy VPN, the
remote host is normally allocated an IP address dynamically, and you
set up your ACLs so that the pool you choose is all that is allowed
telnet access to the target device. The router (or PIX if you were
using PIX) would create a dynamic SA mapping the real source IP to
the dynamic IP, and because that's the only use of that dynamic IP,
no other traffic to any other host is going to be matched by the SA
and so nothing else will need to be protected. The Cisco VPN Client uses Easy VPN.

I would, though, not suggest using PPTP instead of Easy VPN: PPTP
does have the same behaviour with respect to dynamic IPs, but with
PPTP you cannot do a split-access ACL -- which has implications about
DNS, about ability to access files on their own local network,
ability to access WWW sites to check out documentation, and so on.
--
Preposterous!! Where would all the calculators go?!
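The address-range approach from the reply above (crypto map ACL matching only the vendor's source address, plus an interface ACL so that telnet/ftp to the box is accepted only from that address), written out as an added Cisco IOS configuration example. This is not part of the thread and not any poster's configuration. Every value in it is an assumption: the telecom box at 10.0.0.5 on the inside interface, the vendor's fixed public address 203.0.113.10, the router's outside interface FastEthernet0/0 at 192.0.2.1, the names VENDOR-TS, VENDOR-VPN-TRAFFIC, VENDOR-MAP and OUTSIDE-IN, and the pre-shared key placeholder. The FTP data channel is not covered (it needs extra entries or inspection depending on active/passive mode).

```cisco
! Added example, not from the thread. All addresses and names are assumed.
! Phase 1: IKE policy and pre-shared key for the vendor's fixed address.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address 203.0.113.10
!
! Phase 2: transform set used inside the tunnel.
crypto ipsec transform-set VENDOR-TS esp-aes esp-sha-hmac
!
! Crypto ACL = the "interesting traffic". Written from the local side:
! source is the telecom box, destination is the vendor. Only packets between
! these two addresses are encrypted; everything else the box exchanges with
! the rest of the network leaves the router in the clear, unchanged.
ip access-list extended VENDOR-VPN-TRAFFIC
 permit ip host 10.0.0.5 host 203.0.113.10
!
crypto map VENDOR-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VENDOR-TS
 match address VENDOR-VPN-TRAFFIC
!
! Interface ACL on the outside interface: telnet and ftp to the box are
! accepted only from the vendor address (whose traffic the crypto map carries
! in the tunnel); telnet/ftp from anyone else is dropped, so the clear-text
! logins management objects to cannot happen from elsewhere. All other
! traffic to the box (its own protocols/ports) is left alone.
ip access-list extended OUTSIDE-IN
 permit tcp host 203.0.113.10 host 10.0.0.5 eq telnet
 permit tcp host 203.0.113.10 host 10.0.0.5 eq ftp
 deny   tcp any host 10.0.0.5 eq telnet
 deny   tcp any host 10.0.0.5 eq ftp
 permit ip any any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VENDOR-MAP
```

The vendor side needs the mirror-image crypto ACL (source 203.0.113.10, destination 10.0.0.5) and matching IKE/IPsec settings. Note that this only pins encryption to the vendor's address, which is why the reply above says to nail down that range first; the interface ACL is what actually denies unencrypted telnet/ftp from other sources. After bringing the tunnel up, `show crypto ipsec sa` should show encrypt/decrypt counters increasing only while the vendor session is active.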
 
Post by Ivan Ostre » Fri, 21 May 2004 18:24:12

In article <c8gg2m$p8a$ XXXX@XXXXX.COM >, XXXX@XXXXX.COM cnrc.gc.ca says...

You are probably right. I read that in an RFC, I think, but I can't find it
anywhere on CCO. Damn, why are you always right? :-)

--Ivan.
 
Post by Hansang Ba » Sat, 22 May 2004 10:51:35

> In article <c8gg2m$p8a$ XXXX@XXXXX.COM >, XXXX@XXXXX.COM

In article < XXXX@XXXXX.COM >,
XXXX@XXXXX.COM says...

Annoying, isn't it?! :)


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
 
Post by Ivan Ostre » Sat, 22 May 2004 23:46:54

In article < XXXX@XXXXX.COM >,
XXXX@XXXXX.COM says...

ROTFL.

--Ivan.
 
Post by John Renni » Sun, 23 May 2004 16:55:58

Put a router in front of the box as you originally planned, but make it a
normal router with no encryption so the rest of the network works normally.
Now set up a VPN server on the router e.g. vpdn. When your vendor needs access
to the router they can open an encrypted tunnel to it.

JR