Firewall rules for an IPsec Tunnel mode connection

I'm using Windows 7 Embedded with a Tunnel mode IPsec connection. Are firewall rules applied before the traffic is decrypted or after? In other words, will I be able to apply firewall rules to allow only certain application traffic within the tunnel? Any KB article would be appreciated.
Thanks,

  When VPN traffic comes through the firewall it is still encrypted and encapsulated. The firewall will only see the data in the container, not the encrypted payload. So the short answer is no.
Bill
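Added example, not code from the original thread or from either poster. It shows how the two pieces of the setup asked about are expressed with netsh advfirewall on Windows 7: a connection security rule that establishes the tunnel-mode IPsec relationship, and a firewall rule that is scoped to one program and one port and additionally requires that the packet arrived under an IPsec security association (security=authenticate). Windows Firewall with Advanced Security evaluates firewall rules on the packet after IPsec decapsulation, which is what that option depends on. The addresses, networks, rule names, program path, port and pre-shared key are assumptions chosen for illustration; the exact keyword set accepted by "netsh advfirewall consec add rule" varies between Windows versions, so check "netsh advfirewall consec add rule ?" on the target system.

```powershell
# Added example, not code from the original thread. Run from an elevated PowerShell
# prompt on Windows 7 (the commands are netsh advfirewall, so cmd.exe works too).
# All addresses, networks, names, the program path, the port and the PSK are
# placeholders chosen for illustration.

# 1. Connection security rule: require tunnel-mode IPsec between the two inner
#    networks, terminated on 198.51.100.10 (this host) and 203.0.113.20 (peer).
#    This rule only says what must be protected; it permits nothing by itself.
netsh advfirewall consec add rule name="Tunnel to site B" `
    mode=tunnel `
    endpoint1=10.0.1.0/24 endpoint2=10.0.2.0/24 `
    localtunnelendpoint=198.51.100.10 remotetunnelendpoint=203.0.113.20 `
    action=requireinrequireout `
    auth1=computerpsk auth1psk="replace-with-a-long-random-secret"

# 2. Firewall rule for the one application that may be reached through the tunnel.
#    remoteip is matched against the inner (decapsulated) source address, and
#    security=authenticate rejects the same packet if it did not arrive under an
#    IPsec SA. The default inbound action of Windows Firewall is block, so nothing
#    else from 10.0.2.0/24 is accepted. Do not add a broad block rule for the
#    network on top of this: in Windows Firewall block rules take precedence over
#    allow rules and would override this rule.
netsh advfirewall firewall add rule name="agent.exe from site B (IPsec only)" `
    dir=in action=allow `
    program="C:\Program Files\Vendor\agent.exe" `
    protocol=TCP localport=8443 `
    remoteip=10.0.2.0/24 `
    security=authenticate

# Checks: the quick-mode SAs the firewall is matching against, and the rule as stored.
netsh advfirewall monitor show qmsa
netsh advfirewall firewall show rule name="agent.exe from site B (IPsec only)" verbose
```

One caveat a practitioner should keep in mind: the program= match only applies to traffic that terminates in a process on this host, which is the case when the Windows 7 machine is itself the tunnel endpoint and the application runs on it. Traffic the host merely forwards for other machines behind it has no owning process, so for that case filter on address, protocol and port only.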

Similar Messages

  • Firewall necessary for Point to Point internet connections?

    Firewall necessary for Point to Point internet connections? We have multiple point to point T1 connections to our sites and was wondering if a firewall should be in place to filter traffic. We are also implementing a microwave T1 from a service provider and was wondering if firewalls would be needed for just this or the wired as well. According to the microwave company no firewalls are needed. Do I really want to leave security in the hands of the ISP?

    Matt,
    If you are buying private line T1 service from a carrier that connects 2 of your sites you would not use a firewall. Your traffic is never mixed with any other traffic. If your data is very sensitive, or if you have to comply with Payment Card Industry standards then you might want to encrypt your data, but a firewall would still not be necessary.
    If you have a T1 connecting you to the Internet for Web browsing etc then you very much do need a firewall.
    Please rate helpful posts.
    Dave

  • IPSec tunnel mode vs self-encapsulation ESP

    Hello
    I need to develop a server application which should communicate with thousands of independent external clients through IPsec in tunnel mode.
    Configuration of IPsec must be done dynamically from the application.
    There is a requirement to have the same source/destination IP address in the inner and in the outer IP headers; the tunnel must start and end within the server and within each client.
    Is there any way to activate IPsec in tunnel mode without tunnel configuration?
    In the Solaris documents I see that there is a possibility to activate self-encapsulation ESP mode.
    Is this mode the same as IPsec in tunnel mode?
    If the answer is yes, then is it possible to activate this mode system-wide, and not per-socket?
    Thanks.

    Additionally to some proprietary data connections we need to provide FTP server for clients over these IPSec connections.
    Standard Solaris ftp server will be used.
    Will IPSec with ESP in transport mode over NAT give us such possibility?
    As far as I know FTP encapsulates IP addresses during its work, so we think that only ESP tunnelling can provide normal working of FTP over NAT.
    Is it possible to configure such a kind of tunnel in Solaris as described in my first mail?
    "There is a requirement to have the same source/destination IP address in the inner and in the outer IP headers; the tunnel must start and end within the server and within each client."
    Thanks

  • Firewall rule for Novell Client

    My company recently purchased McAfee Desktop Firewall and I'm trying to configure the rules prior to deployment but I'm having trouble getting the Novell Client to cooperate. I've tried having the firewall "learn" the client, addresses, ports, protocols, etc. but have had no luck.
    My company is running a mix of Win2k/XP computers as well as Win95/98 computers so any assistance in creating a firewall rule to allow the clients to log in is greatly appreciated.
    Thanks!
    Ash

    Excellent, thanks!!
    > For NetWare connectivity over IP, you need ports TCP,UDP 524 and 427
    > which are NCP over IP and SLP.
    >
    >
    > --
    > Edison Ortiz
    > Novell Product Support Forum SysOp
    > (No Email Support, Thanks !)

  • Considerations for an IPSEC tunnel through another IPSEC tunnel

    Hi,
    I am trying to implement an IPsec "tunnel through a tunnel" as follows:
    ASA-1 ( inside network 10.10.10.0 /24 - outside network 1.1.1.1/30) to ASA-2 (outside network 1.1.1.2/30 - inside network 20.20.20.0/24)
    This tunnel is fully functional.
    Created a DMZ interface (2.2.2.1/30) on ASA-1
    Created a DMZ interface (2.2.2.2/30) on ASA-2
    Attached ASA-A outside interface to ASA-1 DMZ interface - inside network 30.30.30.0/24
    Attached ASA-B outside interface to ASA-2 DMZ interface - inside network 40.40.40.0/24
    Created an ACL on ASA-1 and ASA-2 DMZ interfaces allowing ESP,IKE traffic
    2nd tunnel not working!
    Questions
    Should I add the DMZ /30's to the crypto map of ASA-1 and ASA-2 (I did, and it did still not work)
    Should there be a route statement for the /30's on ASA-1 and ASA-2, or should the default GW be sufficient?
    Any and all help will be appreciated!
    Dave

    post config for review

  • Firewall Rules for CVP

    Hi
    Anyone has any firewall rules and ports to open between CVP and other network elements such as CM,GK,SIP PROXY, GW, ICM etc.
    Many Thanks

    Where is your firewall actually located? Surely not between CVP and CUCM?
    I imagine it's between the gateway(s) at the branch office(s) and the CVP and SIP Proxy in the headquarters. Correct?
    Regards,
    Geoff

  • Rules for importing AND preview mode

    At this moment I shoot a mix of JPEG and RAW files.
    I have defined two "standard" Develops settings: one for the JPEGs and other for RAWs.
    The preview mode only show thumbnails so I can't see what are JPEGs and what are RAWs (the extension is not shown!). I need to apply different Develop settings for JPEGs and RAWs. I need to open a Windows Explorer Window to see what are JPEGs and what are RAWs, then select JPEGs, select the develop setting and Import. Again select RAWs and Import... This makes the import process a bit slow and tedious.
    It could be desirable two new features:
    1. The preview mode needs to show the name + extension of the files being imported
    2. Rules to define what Develop settings to apply to different kinds of files (JPEG & RAW).
    This way, I can import JPEGs and RAWs in only one step, with the correct develop settings applied.
    Thanks.

    Thanks Alexander:
    Of course I could do that. I could do some pre-import task and some post-import task ... or more than one import process. But I think it is better to do all the import work at the beginning and in only one step.
    Another point is that, when you apply a new develop setting to one or more files, LR renders the previews again. So if I import and then apply a develop setting, I'm doing an "extra" rendering (am I wrong?). I could disable the rendering at import time, and then activate the rendering after the import, but this seems to be a slower process and, also, another extra step.
    Regards.

  • Firewall rules for JCo ?

    Hi,
    Can you tell me the necessary firewall rules JCo needs for communication with R/3?
    Thanks
    Michael

    Hello Michael,
    If you connect directly to an application server the only port you have to open is 32 + system number. If you connect via load balancing you also have to open the message server port. I think it is 33 + system number. You can find these ports when you use Ethereal on your development computer and run the JCo program.
    Regards
    Gregor

  • Firewall Rules for Printing and Scanning through Windows Firewall

    Hello,
    I am having trouble determining the Ports, Programs, and Services required for printing and scanning with my AIO.
    I am using Windows Firewall in Windows 7, and am only allowing certain rules in and out.
    I know the firewall is the problem, for when I disable it, everything works fine.
    Which rules are required for printing and scanning through the firewall?

    4th Bump,
    Is there anyone who can help me with this?
    As I said before, other printer manufacturers such as Lexmark and Brother provide this exact information.
    Why doesn't hp have a document for this? Does everyone just disable their firewall or open every port?

  • ASA5500: TCP state bypass for traffic, coming from IPsec tunnel

    Hello!
    We have problems on the central firewall with restricting traffic coming from a remote office over IPsec. (The network scheme is attached.)
    All branch offices are connected to the central ASA through IPsec.
    The main aim is to rule access from branch offices only on the central firewall, NOT on each IPsec tunnel.
    According to the scheme:
    172.16.1.0/24 is one of the branch office LANs
    10.1.1.0/24 and 10.2.2.0/24 are central office LAN
    The crypto ACL looks like  permit ip 172.16.1.0/24 10.0.0.0/8
    The aim is to
    restrict access from 172.16.1.0/24 to 10.1.1.0/24
    When packets are generated from host 10.1.1.10 to 172.16.1.0/24 all is ok -  they are dropped by acl2
    When packets are generated from 172.16.1.0/24 to 10.1.1.10 they are not dropped by any ACL - the reason is stateful firewall - traffic bypasses all access lists on a back path
    I thought that TCP State Bypass feature can solve this problem and disable stateful firewall inspection for traffic coming from 172.16.1.0/24 to 10.1.1.0/24, but it didn't help.
    The central asa 5500 is configured according to cisco doc http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.html
    access-list tcp_bypass_acl extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    class-map tcp_bypass_map
    description "TCP traffic that bypasses stateful firewall"
    match access-list tcp_bypass_acl
    policy-map tcp_bypass_policy
    class tcp_bypass_map
    set connection advanced-options tcp-state-bypass
    service-policy tcp_bypass_policy interface outside
    service-policy tcp_bypass_policy interface inside
    Does anyone know, how to make TCP State Bypass works properly?

    I understand the pain of creating different crypto for different tunnels but I never came across a better solution. However TCP state bypass is not going to help in regards to restricting access. TCP state bypass is a way for the FW to act like a router which does not do stateful inspection and I don't think that fits in your scenario.
    You can still control access on center site by using vpn-filters.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
    Thanks
    Ajay

  • IPSec Tunnel (reform) examples

    Would it be possible to use Solaris 10u4 new IPSec tunnel (reform) feature to build Solaris VPN server, where I have a list of remote systems (each with different dynamic IP) and Solaris server which allows them to connect to internal network ?
    Thanks.

    This link ( http://docs.sun.com/app/docs/doc/816-4554/6maoq0228?a=view ) has an overview of how IPsec Tunnel Mode policy works with a VPN. You should examine these for more examples.
    A simple single-node remote access case would look like the following.
    Assume:
    C == client's external-network IP address
    S == server's external-network IP address
    c == client's internal IP address
    s == server's internal-network IP address
    On the server side:
    Configure (but do not enable) an IP-in-IP tunnel once you've assigned the client's IP address (assume there are no other tunnels for now...):
    ifconfig ip.tun0 plumb s c tsrc S tdst C
    Now add policy for that tunnel, enabling JUST the single internal IP address for the client to go through. Add this line via ipsecconf(1M), let's use AES and HMAC-SHA-1
    # When the "tunnel" keyword is present, inner-addresses are the selectors.
    {tunnel ip.tun0 negotiate tunnel raddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
    Then bring the tunnel up:
    ifconfig ip.tun0 up
    I assume you have IKE properly configured between S and C.
    On the client side, it's pretty much the same but with local/remote or src/dst reversed:
    ifconfig ip.tun0 plumb c s tsrc C tdst S
    then feed this into ipsecconf(1M):
    { tunnel ip.tun0 negotiate tunnel laddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
    and finally:
    ifconfig ip.tun0 up.
    The docs pointer shows office-to-office examples where you may wish to protect one or more subnets.
    Hope this helps,
    Dan
    Edited by: danmcd on Sep 18, 2007 2:27 PM

  • How to measure a Ipsec tunnel speed ?any tool or windows command?

    We have connected our two branches using an IPsec tunnel; the connection speed is 2Mbps, and we are accessing a server from the 2Mbps-enabled plant. After upgrading to 5Mbps it is also very slow. The other end of the tunnel is 5Mbps.
    Is there any default speed for a tunnel? A site-to-site tunnel?

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Generally, there's no logical bandwidth cap on an IPSec tunnel.  The tunnel might have a low default bandwidth setting, but that doesn't actually limit tunnel performance.
    That said, there's much that can impact an IPSec tunnel's performance.
    First, encryption can be very processor usage intensive, so performance will depend much on the supporting hardware.
    Second, encryption consumes additional bandwidth, for its overhead, which can be a fairly large percentage for small packets.
    Third, an IPSec tunnel can often lead to packet fragmentation, which consumes both additional bandwidth and CPU performance.
    There are many performance measurement tools, some free, that you might use.  Personally, on Windows hosts, I often use PCATTCP.  It's a very simple tool; I find the UDP bandwidth generator often good for testing end-to-end bandwidth capacity.  For example, I might set it to send 10 Mbps to the far side to confirm 5 Mbps gets there.
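Added example, not code from the original reply. It puts numbers on the second and third points above (per-packet overhead that is large for small packets, and fragmentation once the outer packet exceeds the path MTU) by sizing an IPv4 ESP tunnel-mode packet for a given inner packet, and derives the TCP MSS that still fits the MTU. The cipher suite and the sample packet sizes are assumptions made for illustration, not facts from the thread: AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, an outer IPv4 header without options and no NAT-T UDP encapsulation.

```powershell
# Added example, not code from the original post. Sizes an IPv4 ESP tunnel-mode packet
# for a given inner packet so the overhead and fragmentation points can be quantified.
# Assumed cipher suite (parameters, not facts from the thread): AES-CBC (16-byte IV and
# block), HMAC-SHA1-96 (12-byte ICV), outer IPv4 without options, no NAT-T UDP header.
# Written for PowerShell 2.0 (Windows 7), hence New-Object instead of [pscustomobject].

function Get-EspTunnelSize {
    param(
        [Parameter(Mandatory=$true)] [int] $InnerPacketBytes, # inner IP packet incl. header
        [int] $Mtu        = 1500,   # MTU of the path the outer packet crosses
        [int] $IvBytes    = 16,     # AES-CBC IV
        [int] $BlockBytes = 16,     # cipher block; ESP pads (inner + 2) to a multiple of it
        [int] $IcvBytes   = 12      # HMAC-SHA1-96 tag
    )
    $outerIp = 20    # outer IPv4 header
    $espHdr  = 8     # SPI + sequence number
    $trailer = 2     # pad length + next header
    $pad = ($BlockBytes - (($InnerPacketBytes + $trailer) % $BlockBytes)) % $BlockBytes
    $esp = $outerIp + $espHdr + $IvBytes + $InnerPacketBytes + $pad + $trailer + $IcvBytes

    # Outer packet larger than the MTU: IP fragments it, each fragment repeating the
    # 20-byte header and carrying payload in multiples of 8 bytes (except the last).
    $fragments = 1
    $wire = $esp
    if ($esp -gt $Mtu) {
        $payload   = $esp - $outerIp
        $perFrag   = [int]([math]::Floor(($Mtu - $outerIp) / 8) * 8)
        $fragments = [int][math]::Ceiling($payload / $perFrag)
        $wire      = $payload + $fragments * $outerIp
    }
    New-Object PSObject -Property @{
        InnerBytes  = $InnerPacketBytes
        PadBytes    = $pad
        EspBytes    = $esp
        Fragments   = $fragments
        WireBytes   = $wire
        OverheadPct = [math]::Round(100.0 * ($wire - $InnerPacketBytes) / $InnerPacketBytes, 1)
    }
}

# Largest TCP MSS whose segment still fits the MTU after ESP tunnel encapsulation;
# clamp MSS to this on the tunnel endpoints to avoid fragmentation altogether.
function Get-EspSafeMss {
    param([int] $Mtu = 1500)
    for ($inner = $Mtu - 20; $inner -gt 40; $inner--) {
        if ((Get-EspTunnelSize -InnerPacketBytes $inner -Mtu $Mtu).EspBytes -le $Mtu) {
            return $inner - 40   # subtract inner IPv4 + TCP headers
        }
    }
}

# Constructed sample: a bare TCP ACK (40 bytes), a 576-byte packet and a full
# 1500-byte packet, all crossing a 1500-byte MTU path.
40, 576, 1500 | ForEach-Object { Get-EspTunnelSize -InnerPacketBytes $_ } |
    Format-Table InnerBytes, PadBytes, EspBytes, Fragments, WireBytes, OverheadPct -AutoSize
"Safe MSS on a 1500-byte path: $(Get-EspSafeMss)"
```

With the assumed suite, a 40-byte TCP ACK becomes a 104-byte outer packet (160% overhead), a 576-byte packet becomes 648 bytes (12.5%), and a full 1500-byte packet becomes a 1560-byte outer packet that no longer fits the MTU and is sent as two fragments, 1580 bytes on the wire. The largest inner packet that still fits is 1438 bytes, so clamping the TCP MSS to 1398 on the endpoints keeps the tunnel fragment-free. AES-GCM changes the IV to 8 bytes, the ICV to 16 and the padding block to 4, and NAT-T adds an 8-byte UDP header; pass those as parameters rather than editing the function.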

  • How can I activate the transfer rules for the ODS updating a data target.

    We are on BW 3.5 and I'm loading data into the 0FIGL_O10 ODS and then uploading the data into the cube 0FIGL_C10. The data loads just fine to the ODS but when I try to 'update the data target' I get a date & time stamp error on the info-package transfer rules.
    I then replicate the datasource 80FIGL_O01.
    I must then 'activate' the transfer rules.
    However I cannot get the transfer rules for 80FIGL_O10 in CHANGE MODE to activate them.
    How can I activate the transfer rules for the ODS updating a data target.
    The error text is as follows:
    DataSource 80FIGL_O10 has to be replicated (time stamp, see long text)
    Message no. R3016
    Diagnosis
    DataSource 80FIGL_O10 does not have the same status as the source system in the Business Information Warehouse.
    The time stamp in the source system is 02/15/2007 10:42:33.
    The time stamp in the BW system is 11/07/2006 13:11:54.
    System response
    The load process has been terminated.
    Procedure
    Copy the DataSource again and then activate the transfer rules that belong to it. You have to activate the transfer rules in every case, even if they are still active after the DataSource has been copied.
    Thanks for your assistance.
    Denny

    Hi Dennis,
           Try, using Business Content to activate your data source
           hope this will help you
    How activate business content?
    http://help.sap.com/saphelp_nw04/helpdata/en/80/1a66d5e07211d2acb80000e829fbfe/frameset.htm

  • Where do I set up rules for conflict resolution when syncing iTunes with Outlook?

    I just got an iPhone 5 and I'm coming from a Blackberry.  I've been syncing Outlook Calendar and Contacts to a portable device for over 10 years, even back in the day of the pocket pc and more recently the Blackberry.  My iPhone 5 syncs great and seamlessly with Outlook using iTunes.  I've had no issues as of yet.  The problem for me is, it just seems "too" easy.  I didn't see anywhere where I could set rules for conflict resolutions.  For example, if your pc says one thing but your iPhone says another, who wins and supersedes the other?  What if by accident your iPhone loses all of its data, then iTunes syncs with your pc - will it delete all the Outlook data on your pc because it thinks it's syncing with updated data from your iPhone?  (in my case data I've had for over 10 years)
    With the Blackberry software it asked you to set up rules for conflict resolution when first connecting the phone (including an option to ask you first).  In my case, I chose to have it ask me whenever it discovered a conflict.  So whenever I synced, it specifically alerted me exactly how many items were being synced, and then if there were any conflicts, it'd stop and then ask me which device I want to supersede the other.  This gave me a lot of peace of mind.  Now after getting my iPhone and using iTunes to sync, it's been great so far but I have to say that I don't have as much peace of mind.  Does anyone have any feedback on how to set up conflict resolution with iTunes and Outlook or does it not exist at all?  Again, what would happen if there was a conflict between the two devices?

    Yes! Thankyou for that. I had of course put the context.xml file in the web-inf directory.
    I followed your example to the letter and it still wouldn't work. Or rather, I followed it to the letter except for the difference between "WEB" and "META".
    Once I worked that out, it started working like a dream.
    Note to anyone else who has a similar problem, make sure you REALLY look at the answer given. Make sure you REALLY do have all the files in the suggested places. It will save you time.
    Thanks again.

  • ISE 1.1.1 firewall rules distributed deployment

    My question is in reference to the following link:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
    Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 Database listener and AQ: is this for ISE nodes only or for access devices as well?
    My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC - PSN on 1700 and 3799 or is it the other way round or unidirectional?
    I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

    Try this for size.
    In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
    You might be able to cut this list down, and you might have to add to it for any specific requirements.
    From PSN to AD (potentially all AD nodes):
    TCP 389, 3268, 445, 88, 464
    UDP 389, 3268
    From PSN to Monitoring nodes:
    TCP 443
    UDP 20514
    PSN to Admin Nodes (2Way):
    TCP 443, 1521
    ICMP echo and reply (heartbeat)
    WLC to PSN:
    TCP 443, 8443, 80, 8080
    UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
    PSN to other PSNs (2 way)
    UDP 30514, 45588, 45990
    Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)
    TCP 8443, 8905
    UDP 8905
    Admin/Sponsor to all ISE nodes:
    TCP 22, 80, 443, 8080, 8443
    UDP 161
    PSN access to DNS servers:
    TCP/UDP 53
    PSN access to NTP servers:
    UDP 123
