tunnel-group SafaGroup ipsec-attributes
 pre-shared-key NewPSKHere
shednik wrote: » If you are just looking to change the group password, go under the tunnel group and change the pre-shared key.

tunnel-group SafaGroup ipsec-attributes
 pre-shared-key NewPSKHere

I would also recommend that you try and change your transform sets on your crypto map to anything other than DES and MD5; those would probably be the worst combination for any tunnel. I also see you have SSH open to anyone on the internet; I would lock that down ASAP as well. I don't know if you just took over that ASA, but it, in my opinion, needs quite a bit of an overhaul. Hope this helps. Joe
ray86 wrote: » What do you recommend for the transform set combination? I'd appreciate it if you could explain a little. If I close SSH, that will not affect shops connecting to sync their data? Regards
bertieb wrote: » You'll potentially do more 'harm' changing your transform sets rather than restricting your SSH access... i.e. you need to plan and co-ordinate the transform set changes on your ASA and the device at the other end of the VPN - from what you describe, it's the store devices. If you just make the change on the ASA, you'll end up breaking the VPN tunnel. The SSH access is for management purposes. You need to look at restricting this because having this open to everyone on the internet obviously isn't good... I agree with Shednik, the config needs a top-down review and overhaul, which will likely require several planned changes across your infrastructure. From what you describe (and no offence intended), you don't seem to have much experience of VPN/firewall configs. Take this opportunity to read up on ASAs and VPNs and do a lot of research. Like most things networking, getting things wrong here will result in a number of noticeable problems and lots of shouting from above. You'll learn an awful lot along the way, which will certainly help you improve that config as well as your own skills.
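An added example, not part of any post in this thread: a small Python audit that reads a saved ASA configuration and reports the two issues raised above, transform sets built on DES or MD5 (with the crypto map entries that reference them, since those are the tunnels whose peers must be changed at the same time) and SSH permitted from any source address. The sample configuration, its names (SHOPS, STRONG, OUTSIDE_MAP) and its addresses are constructed for illustration.

```python
import re

# Constructed sample config (not the poster's); names and addresses are placeholders.
SAMPLE_CONFIG = """\
crypto ipsec transform-set SHOPS esp-des esp-md5-hmac
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 set transform-set SHOPS
crypto map OUTSIDE_MAP 20 set transform-set STRONG SHOPS
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.0.2.0 255.255.255.0 inside
"""

WEAK = {"esp-des", "esp-md5-hmac"}
# The optional "ikev1" keyword covers the syntax used from ASA 8.4 onwards.
TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")
SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")

def audit(config):
    """Return findings: weak transform sets, map entries using them, open SSH."""
    lines = [line.strip() for line in config.splitlines()]
    weak_sets, findings = set(), []
    # Pass 1: collect transform sets that include DES or MD5.
    for line in lines:
        m = TS_RE.match(line)
        if m:
            bad = sorted(WEAK & set(m.group(2).split()))
            if bad:
                weak_sets.add(m.group(1))
                findings.append(f"transform-set {m.group(1)}: weak {', '.join(bad)}")
    # Pass 2: map entries that reference a weak set, and SSH open to any source.
    for line in lines:
        m = MAP_RE.match(line)
        if m:
            for name in m.group(3).split():
                if name in weak_sets:
                    findings.append(f"crypto map {m.group(1)} seq {m.group(2)} "
                                    f"uses weak transform-set {name}")
            continue
        m = SSH_RE.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(f"ssh permitted from any address on interface {m.group(3)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Each flagged crypto map sequence corresponds to a peer whose proposal has to be updated in the same change window, which is the coordination point made in the last reply.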