
Asa5510 vpn

ray86 (Registered Users, Posts: 8)
Hello
I just want to know how to change the VPN password. We have a lot of employees who have left, and they still have the Cisco VPN client on their laptops, so we want to change the password to prevent that.
Here is our topology.

Comments

  • bertieb (Member, Posts: 1,031)
    This is a very helpful forum, full of helpful and knowledgeable people. That said, the internet in general is full of bad, naughty people, so you might want to re-edit your post ASAP and take out ALL public IP addresses, ALL references to usernames and passwords, etc.!

    Otherwise bad things will happen.
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • shednik (Member, Posts: 2,005)
    If you are just looking to change the group password, go under the tunnel group and change the pre shared key.
    tunnel-group SafaGroup ipsec-attributes
     pre-shared-key NewPSKHere
    

    I would also recommend that you try to change the transform sets on your crypto map to anything other than DES and MD5; those would probably be the worst combination for any tunnel. I also see you have SSH open to anyone on the internet; I would lock that down ASAP as well. I don't know if you just took over that ASA, but in my opinion it needs quite a bit of an overhaul.

    hope this helps

    Joe
  • ray86 (Registered Users, Posts: 8)
    I would like to thank both of you for the help and the security tips.
    I really have no background in security, otherwise I wouldn't have posted everything.
    Thanks again.
  • ray86 (Registered Users, Posts: 8)
    shednik wrote: »
    If you are just looking to change the group password, go under the tunnel group and change the pre shared key.
    tunnel-group SafaGroup ipsec-attributes
     pre-shared-key NewPSKHere
    
    I would also recommend that you try to change the transform sets on your crypto map to anything other than DES and MD5; those would probably be the worst combination for any tunnel. I also see you have SSH open to anyone on the internet; I would lock that down ASAP as well. I don't know if you just took over that ASA, but in my opinion it needs quite a bit of an overhaul.

    hope this helps

    Joe


    What do you recommend for the transform set combination?
    I'd appreciate it if you could explain a little.
    If I close SSH, will that affect the shops connecting to sync their data?
    Regards
  • burbankmarc (Member, Posts: 460)
    ray86 wrote: »
    What do you recommend for the transform set combination?
    I'd appreciate it if you could explain a little.
    If I close SSH, will that affect the shops connecting to sync their data?
    Regards

    AES-192 or 256, and SHA.

    I don't understand the part about ssh. Care to elaborate?
  • bertieb (Member, Posts: 1,031)
    You'll potentially do more 'harm' by changing your transform sets than by restricting your SSH access...
    i.e., you need to plan and coordinate the transform set changes on your ASA and on the device at the other end of the VPN; from what you describe, that's the store devices. If you just make the change on the ASA, you'll end up breaking the VPN tunnel.

    The SSH access is for management purposes. You need to look at restricting this, because having it open to everyone on the internet obviously isn't good...

    I agree with Shednik: the config needs a top-down review and overhaul, which will likely require several planned changes across your infrastructure. From what you describe (and no offence intended), you don't seem to have much experience with VPN/firewall configs. Take this opportunity to read up on ASAs and VPNs and do a lot of research. Like most things in networking, getting things wrong here will result in a number of noticeable problems and lots of shouting from above. You'll learn an awful lot along the way, which will certainly help you improve that config as well as your own skills.
  • shednik (Member, Posts: 2,005)
    bertieb wrote: »
    You'll potentially do more 'harm' by changing your transform sets than by restricting your SSH access...
    i.e., you need to plan and coordinate the transform set changes on your ASA and on the device at the other end of the VPN; from what you describe, that's the store devices. If you just make the change on the ASA, you'll end up breaking the VPN tunnel.

    The SSH access is for management purposes. You need to look at restricting this, because having it open to everyone on the internet obviously isn't good...

    I agree with Shednik: the config needs a top-down review and overhaul, which will likely require several planned changes across your infrastructure. From what you describe (and no offence intended), you don't seem to have much experience with VPN/firewall configs. Take this opportunity to read up on ASAs and VPNs and do a lot of research. Like most things in networking, getting things wrong here will result in a number of noticeable problems and lots of shouting from above. You'll learn an awful lot along the way, which will certainly help you improve that config as well as your own skills.

    Yea, what he said :D

    The only part I'd add is that I'd be willing to bet the dynamic crypto map entry should be easy to change, as I don't know of many VPN clients that can't support AES/SHA. As for the site-to-sites, I would, as was said above, raise concern about the current encryption and hashing algorithms in use. It might take some time, but overall it will be better for your company's security, and depending on what industry you're in, this could make your company fall out of compliance.

    As for the SSH, unless you have external customers/vendors that need to SSH into the ASA for some reason, I would restrict it to your internal network first. Then, as a best practice, moving management to an out-of-band network would be the next step.

    Hope this helps.

    Joe
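The three changes discussed in the posts above (shednik's tunnel-group pre-shared-key rotation, swapping the DES/MD5 transform set for AES/SHA, and closing SSH to the internet) can be checked mechanically against a saved `show running-config` before anyone types them on the box. The script below is an added example in Python; it is not code from the thread or from Cisco. The configuration it embeds is constructed to look like what the thread describes (SafaGroup is the group name quoted above; OUTSIDE_MAP, DYNMAP and every address are made up), and the list of algorithms it treats as weak is this script's own policy choice.

```python
import ipaddress
import re
import sys

# Constructed sample config modelled on the thread, not the poster's real one;
# names (SafaGroup, OUTSIDE_MAP, DYNMAP) and addresses are made up.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-DES-MD5
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-DES-MD5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
tunnel-group SafaGroup ipsec-attributes
 pre-shared-key *****
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
"""

# Audit policy (this script's choice): DES, 3DES and NULL ciphers and the MD5 HMAC are weak.
WEAK = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_TS_RE = re.compile(r"^crypto (dynamic-map|map) (\S+) (\d+) set transform-set (.+)$")
SSH_RE = re.compile(r"^ssh (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")

def _matches(regex, config):
    """Yield regex matches over the stripped lines of a config."""
    for line in config.splitlines():
        m = regex.match(line.strip())
        if m:
            yield m

def transform_sets(config):
    """Map transform-set name -> its algorithm tokens."""
    return {m.group(1): m.group(2).split() for m in _matches(TRANSFORM_RE, config)}

def weak_transform_sets(config):
    """Map transform-set name -> the weak tokens it uses (sets with none are omitted)."""
    weak = {}
    for name, tokens in transform_sets(config).items():
        bad = [t for t in tokens if t in WEAK]
        if bad:
            weak[name] = bad
    return weak

def crypto_map_uses(config, names):
    """(kind, map, seq, ts) for static or dynamic map entries referencing any of `names`."""
    return [(m.group(1), m.group(2), m.group(3), ts)
            for m in _matches(MAP_TS_RE, config)
            for ts in m.group(4).split() if ts in names]

def ssh_exposure(config, max_prefix_outside=32):
    """(ip, mask, iface) for ssh permits that are too broad: 0.0.0.0/0 on any
    interface, or anything wider than a single /32 host on the outside interface."""
    out = []
    for m in _matches(SSH_RE, config):
        ip, mask, iface = m.groups()
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen == 0 or (iface == "outside" and net.prefixlen < max_prefix_outside):
            out.append((ip, mask, iface))
    return out

def tunnel_groups_with_psk(config):
    """Tunnel-group names that carry an ipsec-attributes (pre-shared-key) section."""
    return [m.group(1) for m in _matches(TG_RE, config)]

def audit(config):
    """Run every check and return human-readable findings."""
    weak = weak_transform_sets(config)
    out = [f"transform-set {n} uses weak algorithms: {' '.join(b)}" for n, b in weak.items()]
    out += [f"crypto {k} {n} {s} applies weak transform-set {t}"
            for k, n, s, t in crypto_map_uses(config, set(weak))]
    out += [f"ssh management open to {ip} {mask} on {iface}"
            for ip, mask, iface in ssh_exposure(config)]
    return out

def remediation(config, new_psk, strong_ts="ESP-AES-256-SHA"):
    """ASA CLI lines that fix the findings.  Static (site-to-site) map entries get a
    '!' warning: the peer must change at the same time or the tunnel drops, as the
    thread warns.  Dynamic-map, ssh and PSK changes apply on the ASA alone."""
    cmds = []
    if strong_ts not in transform_sets(config):
        cmds.append(f"crypto ipsec transform-set {strong_ts} esp-aes-256 esp-sha-hmac")
    for kind, name, seq, _ in crypto_map_uses(config, set(weak_transform_sets(config))):
        if kind == "map":
            cmds.append(f"! coordinate with the peer of {name} {seq} before applying:")
        cmds.append(f"crypto {kind} {name} {seq} set transform-set {strong_ts}")
    cmds += [f"no ssh {ip} {mask} {iface}" for ip, mask, iface in ssh_exposure(config)]
    for group in tunnel_groups_with_psk(config):
        cmds += [f"tunnel-group {group} ipsec-attributes", f" pre-shared-key {new_psk}"]
    return cmds

if __name__ == "__main__":
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(cfg):
        print("FINDING:", finding)
    print("--- suggested changes ---")
    print("\n".join(remediation(cfg, "<NEW-PSK>")))
```

Run it with no arguments to audit the embedded sample, or pass the path of a saved running-config. Every change it proposes for a static `crypto map` entry is prefixed with a `!` warning because, as bertieb says, the store-side device has to move to the same transform set in the same maintenance window or the site-to-site tunnel stops negotiating. The dynamic-map entry used by the remote-access clients, the `ssh` permit lines and the tunnel-group pre-shared-key can be changed on the ASA alone, though current users still need the new group key delivered to them before they can reconnect.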
  • ray86 (Registered Users, Posts: 8)
    I am planning to read up on ASAs and VPNs, but I am already studying for CCNP; I have TSHOOT left now.
    An IT solutions company used to handle the VPN and security issues, but we had some problems with them, and I've been tasked with resetting the passwords for the routers and the firewall and changing the VPN pre-shared key.
    Thanks a lot, guys, you have helped me a lot.