2 Replies Latest reply on Feb 14, 2011 3:13 PM by Kary Tankink

    HIPS Ver 7 Firewall Using CAGs

    clisanti

      Basically I've set up 4 CAG's,  2 Trusted one for corporate LAN, one for corperate wireless and 2 Untrusted one LAN and one Wireless.  My Trusted CAGs allow all TCP / UDP in both directions.

      The Untrusted CAGs allow all outbound TCP UDP connections and block all inbound connections.  We use Cisco VPN and I can establish a connection.  I also get to all expected internal network resources.  The problem is the VPN connection drops with the 412 error in a matter of a 5 to 8 minutes.  This is the client firewall log entry when the system loses connection:

       

      Event:   Traffic
      IP Address/User: Public Facing IP

      Description:  Cisco Systems VPN Client (cvpnd.exe)
      Path:   C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
      Message:  Blocked Outgoing UDP -  Source 192.168.1.47 :  (1305)  Destination Public Facing IP:  (4500)

       

      I've tried a couple of different things and not resolved it,  I have no other specific firewall rules outside the CAGs, do I need one there for the Cisco VPN, or do I need a Cisco VPN rule inside  my Trusted CAG's?

       

       

      Message was edited by: clisanti on 2/10/11 5:07:37 AM CST
        • 1. Re: HIPS Ver 7 Firewall Using CAGs
          clisanti

          Ok So I read deeper into the posts and spent some time testing things out over the weekend.   Moving the VPN rules outside of the CAG has made the difference.  I am moving on to testing the functionality of the CAGs themselves to see if there behavior is correct.  Also not too far off I am installing an Agent Handler in the DMZ specially to manage the sale force mobile devices that are always connecting through different hotspots.

          • 2. Re: HIPS Ver 7 Firewall Using CAGs
            Kary Tankink

            In my experience, firewall rules to allow VPN traffic should be toward the top of the policy above any other CAGs (especially if you have Connection Isolation enabled in the CAG).  This is to ensure that VPN traffic is always allowed on all network adapters at all times.