Asa5510 vpn
ray86
Registered Users Posts: 8 ■□□□□□□□□□
Hello
i just want to know how to change vpn password we have alot of employes leave and they still have cisco vpn client on there laptops so we want to change password to prevent that
here is our topolgy.
i just want to know how to change vpn password we have alot of employes leave and they still have cisco vpn client on there laptops so we want to change password to prevent that
here is our topolgy.
Comments
-
bertieb Member Posts: 1,031 ■■■■■■□□□□This is a very helpful forum, full of helpful and knowledgable people. That said, the internet in general is full of bad, naughty people so you might want to re-edit your post ASAP and take out ALL public IP addresses, ALL references to usernames and passwords etc!
Otherwise bad things will happen.The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln -
shednik Member Posts: 2,005If you are just looking to change the group password, go under the tunnel group and change the pre shared key.
tunnel-group SafaGroup ipsec-attributes pre-shared-key NewPSKHere
I would also recommend that you try and change your transform sets on your crypto map to anything other then DES and MD5 those would probably be the worst combination for any tunnel. I also see you have SSH open to anyone on the internet, I would lock that down ASAP as well. I don't know if you just took over that ASA but it in opinion needs quite a bit of an overhaul.
hope this helps
Joe -
ray86 Registered Users Posts: 8 ■□□□□□□□□□i would like to thank both of you for the help and the security tips
i rly have no background about security otherwise i wouldnt post every thing
thanks again -
ray86 Registered Users Posts: 8 ■□□□□□□□□□If you are just looking to change the group password, go under the tunnel group and change the pre shared key.
tunnel-group SafaGroup ipsec-attributes pre-shared-key NewPSKHere
I would also recommend that you try and change your transform sets on your crypto map to anything other then DES and MD5 those would probably be the worst combination for any tunnel. I also see you have SSH open to anyone on the internet, I would lock that down ASAP as well. I don't know if you just took over that ASA but it in opinion needs quite a bit of an overhaul.
hope this helps
Joe
what do you recommend for the transform sets combination.
i appreciate if you could explain little .
if i close SSH that will not effect shops connecting to sync there data ?
Regards -
burbankmarc Member Posts: 460what do you recommend for the transform sets combination.
i appreciate if you could explain little .
if i close SSH that will not effect shops connecting to sync there data ?
Regards
AES-192, or 256 and SHA.
I don't understand the part about ssh. Care to elaborate? -
bertieb Member Posts: 1,031 ■■■■■■□□□□You'll potentially do more 'harm' changing your transform sets rather than restricting your ssh access.......
i.e. You need to plan and co-ordinate the transform set changes on your ASA and the device at the other end of the VPN - from what you describe it's the store devices. If you just make the change on the ASA, you'll end up breaking the VPN tunnel.
The ssh access is for management purposes. You need to look at restricting this because having this open to everyone in the internet obviously isn't good....
I agree with Shednik, the config needs a top-down review and overhaul which will likely require several planned changes across your infrastructure. From what you describe (and no offence intended) you don't seem to have much experience of VPN/firewall configs. Take this opportunity to read up on ASA's and VPN's and do a lot of research. Like most things networking, getting things wrong here will result in a number of noticeable problems and lots of shouting from above. You'll learn an awful lot along the way which will certainly help you improve that config as well as your own skills.The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln -
shednik Member Posts: 2,005You'll potentially do more 'harm' changing your transform sets rather than restricting your ssh access.......
i.e. You need to plan and co-ordinate the transform set changes on your ASA and the device at the other end of the VPN - from what you describe it's the store devices. If you just make the change on the ASA, you'll end up breaking the VPN tunnel.
The ssh access is for management purposes. You need to look at restricting this because having this open to everyone in the internet obviously isn't good....
I agree with Shednik, the config needs a top-down review and overhaul which will likely require several planned changes across your infrastructure. From what you describe (and no offence intended) you don't seem to have much experience of VPN/firewall configs. Take this opportunity to read up on ASA's and VPN's and do a lot of research. Like most things networking, getting things wrong here will result in a number of noticeable problems and lots of shouting from above. You'll learn an awful lot along the way which will certainly help you improve that config as well as your own skills.
Yea, what he said
The only part I may want to add is I'd be willing to bet that the dynamic crypto map entry should be easy to change as I don't know of many VPN clients that can't support AES/SHA. As for the site to sites I would like it was said above raise concern about the current encryption and hashing algorithms used. It might take some time but overall it will be better for your company's security, and depending on what industry you're in this could make your company not fall into compliance.
As for the SSH unless you have external customers/vendors that need to SSH into the ASA for some reason I would restrict it to your internal network first. Then for best practices moving the management to an out of band network would be the next best step.
Hope this helps.
Joe -
ray86 Registered Users Posts: 8 ■□□□□□□□□□am planning to read up on ASA's and VPN's but am already studying for ccnp i have tshoot left now .
an IT solution company use to handle the vpn and security issues but we had some problems with them and i've been tasked to reset passwords for routers and the firewall and change the vpn pre-shatred-key
thanks alot guy's you have helped me alot