If you want that type of control you should use an ASA as a
termination point for the VPN. You can specify to allow NEM in a group
policy. As well, users should never have the pass key available to
them. You should be creating a deployment installation file that
already contains the config.
Sent from my iPod
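The ASA-side group policy the reply above refers to, written out as an added example rather than configuration posted by anyone in the thread. Names (EZVPN_CLIENTS, EZVPN_GROUP, SPLIT_TUNNEL) and the 10.1.0.0/16 network are placeholders; `nem disable` rejects hardware clients that try to bring up network extension mode, and the split-tunnel list is the only set of networks the ASA will negotiate into the SA.

```text
! --- ASA 8.x, IKEv1 Easy VPN server side (added example, placeholder names) ---
! Networks the remote client is allowed to reach through the tunnel
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0

! Group policy for Easy VPN clients: force client mode, deny NEM
group-policy EZVPN_CLIENTS internal
group-policy EZVPN_CLIENTS attributes
 nem disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Tunnel group that the clients connect to; the pre-shared key lives only
! here and in the pre-built client deployment package, never with the user
tunnel-group EZVPN_GROUP type remote-access
tunnel-group EZVPN_GROUP general-attributes
 default-group-policy EZVPN_CLIENTS
tunnel-group EZVPN_GROUP ipsec-attributes
 pre-shared-key <PLACEHOLDER-KEY>
```

Verify the result with `show run group-policy EZVPN_CLIENTS`; a hardware client configured for network extension mode will fail to negotiate its protected network rather than inserting it as an SA.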
On Oct 23, 2009, at 8:03 PM, Paul Stewart <[email protected]> wrote:
If I define a split tunnel acl on my router, the ASA only seems to
honor the "remote" side when it builds the SA. The IOS inserts the
SA into the SADB. Regardless of what you do, it seems to insert the
inside interface of the ASA. So in theory I could set up an Easy VPN
with intention on it being used in client mode, or on a PC. A user
could pick up an ASA and configure it to connect in "network
extension mode". In which case, I have unauthorized SAs being
added to my router unless I'm missing something (which I probably
am). It just seems that you could restrict EZ VPN on the router to
client or NEM. It also seems that there would be some way to define
what are permitted remote networks from the perspective of the IOS
based EZ VPN Server. Like I said, I am probably missing something.
On Thu, Oct 22, 2009 at 11:30 PM, Tyson Scott <[email protected]> wrote:
Your split tunnel list should be able to define what networks you
will allow in.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities:
http://www.IPexpert.com/communities
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video
On Demand and Audio Certification Training Tools for the Cisco CCIE
R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice
Lab and CCIE Storage Lab Certifications.
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Thursday, October 22, 2009 10:07 PM
To: [email protected]
Subject: [OSL | CCIE_Security] EZ VPN on IOS
I have been messing around with EZ VPN and various configurations.
With the EZ VPN client in NEM, it inserts the SAs into my router as
expected. My question is: is there a way on the router acting as an
EZ VPN Server to restrict what SAs can be inserted by an EZ VPN
client in network extension mode? Just thinking there must be a way
to prevent NEM from the server, or restrict the SAs that can be
automatically created on the server by the client. I think there is
a group-policy for this on the ASA (like nem disable), but I am
overlooking something similar on the router platform. If anyone
knows how this is done, let me know. If not, I'll post back when I
figure it out.
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com