Saturday, January 31, 2009
NAC Architectures Presentation
Chesapeake Netcraftsmen hosts a monthly Cisco Users Group Meeting. Last month we had a presentation on NAC Architectures and on Troubleshooting ASA. You can view the presentation slides at http://www.netcraftsmen.net/cmug
Friday, January 23, 2009
TCP and UDP Ports used for the Cisco VPN Client
The Cisco VPN client is the client side application used to encrypt traffic from an end user's computer to the company network. IPSec is used to encrypt the traffic. When using standard IPSec, IKE is used for the key negotiation and IPSec to encrypt the data. IKE uses UDP port 500 and IPSec uses IP protocol 50, assuming ESP is used.
In most situations, there is a PAT device between the VPN client and the head-end VPN device. PAT differentiates users by the UDP or TCP port used. Since IPSec (ESP) uses IP protocol 50, which carries no port numbers, only one user at a time can connect to the VPN device through the PAT. This is because the IP protocol operates at layer 3 of the OSI reference model while PAT functionality exists at layer 4. For this reason, there are three different methods of tunneling IPSec traffic. It is important to understand the ports used for the different methods to ensure that those ports are not blocked.
- NAT Traversal - This method still uses 500/udp for IKE negotiation, but then tunnels IPSec data traffic within 4500/udp packets. This is the default method for UDP tunneling with the Cisco VPN client.
- IPSec over UDP - This method still uses 500/udp for IKE negotiation, but then tunnels IPSec data traffic within a pre-defined UDP port. The default port for this traffic is 10000/udp.
- IPSec over TCP - This method tunnels both the IKE negotiation and IPSec data traffic within a pre-defined TCP port. The default port for this traffic is 10000/tcp. This is the only method that tunnels both IKE and IPSec within the same stream.
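To make the layer-3 versus layer-4 argument concrete, here is a small model (added here; it is not code from the original post, from Chesapeake Netcraftsmen, or from Cisco) of a PAT device with one public address. TCP and UDP flows each receive their own public port, so any number of inside hosts can share the address; ESP has no port field, so the model lets only one inside host own IP protocol 50 at a time. Running the three tunneling methods through it shows why native IPSec stops at one user while the three methods above succeed. The port numbers are the defaults quoted in the post (the 10000 ports are assumed to be left at their default on the head end); the public address, the inside hosts and the flows are constructed sample data, and real PAT devices that track ESP SPIs are deliberately not modeled.

```python
"""Model of why native IPSec (ESP) fails behind PAT while the UDP/TCP tunneling
methods succeed. Added example, not code from the original post, Chesapeake
Netcraftsmen or Cisco. Port numbers are the defaults quoted in the post; the
PAT model, hosts and flows are constructed for illustration."""

from collections import namedtuple

Flow = namedtuple("Flow", "proto dst_port")  # proto: 'udp'/'tcp' or an IP protocol number

IKE_PORT = 500           # udp
NAT_T_PORT = 4500        # udp
IPSEC_UDP_PORT = 10000   # udp default; configurable on the head end (assumption)
IPSEC_TCP_PORT = 10000   # tcp default; configurable on the head end (assumption)
ESP_PROTO = 50           # IP protocol number; carries no layer-4 ports

# Flows each method sends from the client to the head end.
METHOD_FLOWS = {
    "native IPSec": [Flow("udp", IKE_PORT), Flow(ESP_PROTO, None)],
    "NAT Traversal": [Flow("udp", IKE_PORT), Flow("udp", NAT_T_PORT)],
    "IPSec over UDP": [Flow("udp", IKE_PORT), Flow("udp", IPSEC_UDP_PORT)],
    "IPSec over TCP": [Flow("tcp", IPSEC_TCP_PORT)],
}


class PatCollision(Exception):
    """Raised when a port-less protocol is already owned by another inside host."""


class PatDevice:
    """Minimal PAT model with a single public address.

    TCP/UDP flows get a unique public source port each, so many inside hosts
    can share the public address. A protocol with no ports (ESP) has nothing
    to multiplex on, so only one inside host can own it at a time."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.port_map = {}      # (proto, inside_ip, inside_port) -> public port
        self.proto_owner = {}   # port-less proto number -> inside_ip that owns it
        self.next_port = 1024

    def translate(self, inside_ip, flow, inside_port):
        """Return the (public_ip, public_port) used for this inside host's flow."""
        if flow.proto in ("udp", "tcp"):
            key = (flow.proto, inside_ip, inside_port)
            if key not in self.port_map:
                self.port_map[key] = self.next_port
                self.next_port += 1
            return (self.public_ip, self.port_map[key])
        owner = self.proto_owner.setdefault(flow.proto, inside_ip)
        if owner != inside_ip:
            raise PatCollision(
                f"IP protocol {flow.proto} already mapped to {owner}; cannot add {inside_ip}")
        return (self.public_ip, None)


def classify_flow(flow):
    """Name the VPN component a client-to-head-end flow carries, using the post's port map."""
    if flow.proto == ESP_PROTO:
        return "ESP (native IPSec data)"
    if flow.proto == "udp":
        names = {IKE_PORT: "IKE", NAT_T_PORT: "NAT-T (IPSec in 4500/udp)",
                 IPSEC_UDP_PORT: "IPSec over UDP"}
        return names.get(flow.dst_port, "unrelated")
    if flow.proto == "tcp" and flow.dst_port == IPSEC_TCP_PORT:
        return "IPSec over TCP (IKE + data in one stream)"
    return "unrelated"


def users_behind_pat(method, inside_ips):
    """Count how many of the given inside hosts can complete `method` through one PAT device."""
    pat = PatDevice("203.0.113.1")   # constructed public address (documentation range)
    connected = 0
    for i, ip in enumerate(inside_ips):
        try:
            for flow in METHOD_FLOWS[method]:
                pat.translate(ip, flow, inside_port=50000 + i)
            connected += 1
        except PatCollision:
            pass
    return connected


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]   # constructed inside hosts
    for method in METHOD_FLOWS:
        print(f"{method:15s}: {users_behind_pat(method, hosts)} of {len(hosts)} users connect")
    for flow in (Flow("udp", 500), Flow("udp", 4500), Flow(50, None), Flow("tcp", 10000)):
        print(flow, "->", classify_flow(flow))
```

The same port map drives `classify_flow`, which is the check to run against a firewall log or capture when a client cannot connect: if IKE on 500/udp is seen but no 4500/udp, 10000/udp or 10000/tcp follows, the data-tunneling port is the one being blocked.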
Labels: VPN
Tuesday, January 6, 2009
Cisco Mid-Atlantic User's Group Meeting - Jan 15, 16
On Jan 15 and 16, Chesapeake Netcraftsmen will be hosting the Cisco Mid-Atlantic User's Group Meeting. For more details, go to http://www.netcraftsmen.net/cmug.
Below are the speakers and topics:
* Rob Chee, CCIE, Sr. Consultant at Chesapeake NetCraftsmen, will explain How to Deploy Cisco Network Access Control. Rob will show you various deployment methods you can use to get the most out of Cisco NAC. If you have been considering NAC for remote users, office users, or wireless users, you won't want to miss this informative presentation.
* Having problems with your PIX/ASA firewall? Eric Stuhl, CCIE, Sr. Consultant at Chesapeake NetCraftsmen will talk on Troubleshooting PIX/ASA Firewalls. You will learn expert techniques for diagnosing and repairing problems with your firewall.