Cisco vpn server enabled / VPN and no-VPN connections mix

Discussion in 'Cisco' started by Elise, May 19, 2004.

  1. Elise

    Elise Guest

    Hi guys,

    My request might seem confusing but I have a problem with one of my
    unix system : this is an old telecom box that we are not allowed to
    tweak, and no ssh connections are possible with it. The problem is
    that when the vendor needs to access it for maintenance (via telnet or
    ftp), they send the login and password crystal clear over the network,
    which is not allowed anymore by our management.

    We thought installing a VPN server enabled router in front of the box
    to be able to secure the connections to it, but I have an issue : I do
    not want to encrypt all the connections to this box, since this box
    has to "talk" with other equipments on the network (specific protocols
    and specific ports, no telnet-like apps involved here).

    My question is then : on my router, can I restrict some ports (such as
    telnet or ftp) to vpn only allowed connections, and other ports would
    be routed normally (ie not encrypted)?

    Thanks for your help,

    - David
    Elise, May 19, 2004
    #1

  2. Elise

    Ivan Ostres Guest

    In article <>,
    says...
    > Hi guys,
    >
    > My request might seem confusing but I have a problem with one of my
    > unix system : this is an old telecom box that we are not allowed to
    > tweak, and no ssh connections are possible with it. The problem is
    > that when the vendor needs to access it for maintenance (via telnet or
    > ftp), they send the login and password crystal clear over the network,
    > which is not allowed anymore by our management.
    >
    > We thought installing a VPN server enabled router in front of the box
    > to be able to secure the connections to it, but I have an issue : I do
    > not want to encrypt all the connections to this box, since this box
    > has to "talk" with other equipments on the network (specific protocols
    > and specific ports, no telnet-like apps involved here).
    >
    > My question is then : on my router, can I restrict some ports (such as
    > telnet or ftp) to vpn only allowed connections, and other ports would
    > be routed normally (ie not encrypted)?
    >


    Yes, when you specify "interesting traffic" for VPN, permit just telnet
    port, and deny others.

    --Ivan
    Ivan Ostres, May 19, 2004
    #2

  3. Elise

    Walter Roberson Guest

    In article <>,
    Ivan Ostres <> wrote:
    :In article <>,
    : says...
    :> My question is then : on my router, can I restrict some ports (such as
    :> telnet or ftp) to vpn only allowed connections, and other ports would
    :> be routed normally (ie not encrypted)?


    :Yes, when you specify "interesting traffic" for VPN, permit just telnet
    :port, and deny others.

    That's not supported on the PIX; I don't know if any IOS release supports
    it. It is something that is allowed under the IPSec protocols, but marked
    as being optional to support.

    :>I do
    :> not want to encrypt all the connections to this box, since this box
    :> has to "talk" with other equipments on the network (specific protocols
    :> and specific ports, no telnet-like apps involved here).

    If you can nail down an IP address source range from the manufacturer,
    then have your crypto map ACL only match on that range; anything not
    going between those defined endpoints wouldn't be protected.

    If you can't nail down an IP address source range from the manufacturer,
    you could perhaps use the Easy VPN feature. With Easy VPN, the
    remote host is normally allocated an IP address dynamically, and you
    set up your ACLs so that the pool you choose is all that is allowed
    telnet access to the target device. The router (or PIX if you were
    using PIX) would create a dynamic SA mapping the real source IP to
    the dynamic IP, and because that's the only use of that dynamic IP,
    no other traffic to any other host is going to be matched by the SA
    and so nothing else will need to be protected. The Cisco VPN Client uses Easy VPN.

    I would, though, not suggest using PPTP instead of Easy VPN: PPTP
    does have the same behaviour with respect to dynamic IPs, but with
    PPTP you cannot do a split-access ACL -- which has implications about
    DNS, about ability to access files on their own local network,
    ability to access WWW sites to check out documentation, and so on.
    --
    Preposterous!! Where would all the calculators go?!
    Walter Roberson, May 19, 2004
    #3
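    Walter's first suggestion (a crypto map ACL that selects the vendor's
    address range, with telnet and ftp to the box filtered by address rather
    than by a port-based IPsec selector), written out as an added IOS
    configuration example. It is not from any poster in the thread; every
    address, name and the pre-shared key placeholder is constructed.

```cisco
! Constructed addresses: router outside 192.0.2.1/24, inside 10.10.10.1/24,
! legacy box 10.10.10.10, vendor IPsec peer 203.0.113.5, vendor hosts 198.51.100.0/24
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRESHARED-KEY-PLACEHOLDER> address 203.0.113.5
!
crypto ipsec transform-set VENDOR-TS esp-aes esp-sha-hmac
!
! Crypto ACL ("interesting traffic"): box <-> vendor range, selected by address
! only. A TCP port selector here is what the thread says PIX will not honour.
! Unprotected packets arriving on the crypto-map interface that match this ACL
! are discarded by IOS, so a spoofed cleartext "vendor" source does not bypass the tunnel.
ip access-list extended CRYPTO-VENDOR
 permit ip host 10.10.10.10 198.51.100.0 0.0.0.255
!
crypto map VENDOR 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set VENDOR-TS
 match address CRYPTO-VENDOR
!
! Outside-interface filter: IKE/ESP from the peer, telnet and ftp to the box only
! from the vendor range (which can only arrive inside the tunnel), everything
! else to the box in the clear. Whether IOS re-checks the decrypted packet against
! this ACL depends on the release, so the vendor permits cover both cases.
! FTP data channels are not handled here (use CBAC "ip inspect" or a fixed passive range).
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.5 host 192.0.2.1 eq isakmp
 permit esp host 203.0.113.5 host 192.0.2.1
 permit tcp 198.51.100.0 0.0.0.255 host 10.10.10.10 eq telnet
 permit tcp 198.51.100.0 0.0.0.255 host 10.10.10.10 eq ftp
 deny   tcp any host 10.10.10.10 eq telnet log
 deny   tcp any host 10.10.10.10 eq ftp log
 permit ip any host 10.10.10.10
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside: corporate network and vendor tunnel
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VENDOR
!
interface FastEthernet0/1
 description Inside: legacy telecom box
 ip address 10.10.10.1 255.255.255.0
```

    The logged denies give the defender a record of any cleartext telnet or
    ftp attempt that the old path would previously have let through.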
  4. Elise

    Ivan Ostres Guest

    In article <c8gg2m$p8a$>, -
    cnrc.gc.ca says...
    > :Yes, when you specify "interesting traffic" for VPN, permit just telnet
    > :port, and deny others.
    >
    > That's not supported on the PIX; I don't know if any IOS release supports
    > it. It is something that is allowed under the IPSec protocols, but marked
    > as being optional to support.
    >
    >


    You are probably right. I read that in an RFC, I think, but I can't find it
    anywhere on CCO. Damn, why are you always right? :)

    --Ivan.
    Ivan Ostres, May 20, 2004
    #4
  5. Elise

    Hansang Bae Guest

    > In article <c8gg2m$p8a$>, -
    > cnrc.gc.ca says...


    In article <>,
    says...
    > You are probably right. I red that in RFC i think, but I can't find it
    > anywhere on CCO. Damn, why are you always right? :)


    Annoying, isn't it?! :)


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
    Hansang Bae, May 21, 2004
    #5
  6. Elise

    Ivan Ostres Guest

    In article <>,
    says...
    > > In article <c8gg2m$p8a$>, -
    > > cnrc.gc.ca says...

    >
    > In article <>,
    > says...
    > > You are probably right. I red that in RFC i think, but I can't find it
    > > anywhere on CCO. Damn, why are you always right? :)

    >
    > Annoying, isn't it?! :)
    >


    ROTFL.

    --Ivan.
    Ivan Ostres, May 21, 2004
    #6
  7. Elise

    John Rennie Guest

    Put a router in front of the box as you originally planned, but make it a
    normal router with no encryption so the rest of the network works normally.
    Now set up a VPN server on the router e.g. vpdn. When your vendor needs access
    to the router they can open an encrypted tunnel to it.

    JR


    On 19 May 2004 08:51:09 -0700, (Elise) wrote:

    >Hi guys,
    >
    >My request might seem confusing but I have a problem with one of my
    >unix system : this is an old telecom box that we are not allowed to
    >tweak, and no ssh connections are possible with it. The problem is
    >that when the vendor needs to access it for maintenance (via telnet or
    >ftp), they send the login and password crystal clear over the network,
    >which is not allowed anymore by our management.
    >
    >We thought installing a VPN server enabled router in front of the box
    >to be able to secure the connections to it, but I have an issue : I do
    >not want to encrypt all the connections to this box, since this box
    >has to "talk" with other equipments on the network (specific protocols
    >and specific ports, no telnet-like apps involved here).
    >
    >My question is then : on my router, can I restrict some ports (such as
    >telnet or ftp) to vpn only allowed connections, and other ports would
    >be routed normally (ie not encrypted)?
    >
    >Thanks for your help,
    >
    >- David
    John Rennie, May 22, 2004
    #7