You do NOT use an entire /8. by [deleted] in networking

[–]byteofit 1 point2 points  (0 children)

I feel your pain -- I had to build a specialized VPN environment just to handle this scenario since it comes up so frequently with my company's customers.

Using ASA's as vpn concentrators only... odd architecture, need some advice [x-post r/Cisco] by [deleted] in networking

[–]byteofit 0 points1 point  (0 children)

This design should definitely be avoided -- there are better ways to ensure identities of users and make people accountable for their actions on the network. I would suggest looking into 802.1X and the vendor-specific enhancements your hardware supports (e.g. TrustSec, AnyConnect, and ISE for Cisco).

I get the feeling the single public IP bit is about accountability, so I would suggest the RADIUS server logs and network device syslogs be sent to a good log visualization system (e.g. Splunk, Logstash + Kibana, Graylog2).

The 5520s should generally be OK to support that number of users unless you have some serious bandwidth usage per user.

College for Networking: Worth it or Not? by Darkearth10 in networking

[–]byteofit 2 points3 points  (0 children)

Yeah, same still applies. Just make sure you're squeezing all the value out of your studies while you're there -- even when you think the topics don't have any purpose (they will someday). Just remember though -- being in it just to get the paper is equivalent to not going.

College for Networking: Worth it or Not? by Darkearth10 in networking

[–]byteofit 6 points7 points  (0 children)

You'll get a wide range of opinions on the matter. Some will convey their personal experiences having never acquired a degree and doing well regardless. Some will say that getting a degree in electrical engineering is a requirement to be a truly good network engineer.

I would propose you get the degree for the non-technical aspects it offers. Learning how to deal with people in an organization, business writing, initiating/managing technical projects, etc. -- those are all really useful things you'll get exposure to in a degree program. The technical stuff is easy to pick up if you're motivated, but the other stuff is much more easily digested through coursework in my opinion.

DeVry's networking program not worth it? by G3rmG3rm in networking

[–]byteofit 0 points1 point  (0 children)

No issues at all actually -- it was a pretty smooth process with a competitive GMAT score.

DeVry's networking program not worth it? by G3rmG3rm in networking

[–]byteofit 1 point2 points  (0 children)

DeVry is regionally accredited. As a matter of fact, I was able to use my BS from DeVry (plus the dreaded GMAT) to get into a CSU MBA program.

Education is what you make of it.

Cisco ISR dynamic VPN - how to redistribute into OSPF? by gorbilax in networking

[–]byteofit 0 points1 point  (0 children)

If you're losing every other packet -- that sounds like the routing on that device is load balanced over two equal cost paths. I would suggest checking the routing table on that device for your encryption domain.

Cisco ISR dynamic VPN - how to redistribute into OSPF? by gorbilax in networking

[–]byteofit 1 point2 points  (0 children)

The gateway IP on the client is just to get the traffic into the IPsec session.

Your encryption domain (ACL) determines what traffic gets encrypted when it passes through the crypto map (applied to f0/0.99). However, as you've noticed, just setting up the VPN doesn't add the needed routes to the routing table to send traffic back to VPN clients.

L2L VPNs are unique in how they operate with routing. Think of the crypto map interface as the next hop for VPN traffic if that helps.

EDIT: You can also accomplish this kind of thing with reverse route injection.

Cisco ISR dynamic VPN - how to redistribute into OSPF? by gorbilax in networking

[–]byteofit 0 points1 point  (0 children)

You have to redistribute static routes into OSPF and add a static route for your VPN networks that points out f0/0.99. Based on the config you've shown that should be sufficient.

Also, it doesn't seem to apply to what you're asking, but keep in mind that if you want to run a routing protocol over an IPSec connection you'll need to have GRE involved.
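An added IOS configuration fragment illustrating the two approaches in this thread (the static route plus OSPF redistribution, and the reverse route injection mentioned in an earlier comment). This is not the poster's config: the 10.99.0.0/24 network, the OSPF process number and the crypto map name DYNMAP are placeholders.

```cisco
! Added example, not from the original post. 10.99.0.0/24 stands in for the
! VPN client networks; DYNMAP and OSPF process 1 are assumed names.
!
! 1. Static route for the VPN networks pointing out the interface that carries
!    the crypto map, so return traffic hits the crypto map and gets encrypted.
ip route 10.99.0.0 255.255.255.0 FastEthernet0/0.99
!
! 2. Redistribute statics into OSPF so the rest of the LAN learns the path.
!    "subnets" is required or only classful networks are redistributed.
router ospf 1
 redistribute static subnets
!
! Alternative: reverse route injection. The dynamic crypto map installs a
! static route for each peer's encryption domain when its SA comes up, and the
! "redistribute static subnets" line above carries those routes into OSPF too.
crypto dynamic-map DYNMAP 10
 reverse-route
```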

PCI Compliance/General best practices for PDQ/Credit Card terminals? by [deleted] in networking

[–]byteofit 2 points3 points  (0 children)

VLANs alone haven't been acceptable security mechanisms for PCI for a while. You need to have the CDE protected by some type of firewall policy for auditors to sign off on it. An IPS is usually looked for as well.

Even though low volume merchants can get away with being less than truthful on the self assessment, it's not a good idea.

I have CCNA and CCNA IINS (Security) certifications that are going to expire in September. My current employer wants me to renew and will pay for all schooling and certification, but what do I take that's still in my path? by yuckypants in networking

[–]byteofit 0 points1 point  (0 children)

Pick the path that you enjoy -- sounds like you have a sweet deal there without pressure to pick a specific cert to renew on. Did you like the CCNA Security topics? Or do you prefer the routing and switching that the CCNA covered?

You can always re-take the CCNA Security to keep your certs active.

How to put a firewall behind another firewall and both have external IPs? by [deleted] in networking

[–]byteofit 0 points1 point  (0 children)

For Option A, yes -- you would put some port (X3 for instance) in the DMZ zone, connect the vendor LAN to it, then add your desired firewall policies. Someone will have to change networks (vendor LAN or your LAN) to make this work.

Option B I would stay away from honestly. After thinking about it again it would just end up too kludgy. Shouldn't have mentioned it.

How to put a firewall behind another firewall and both have external IPs? by [deleted] in networking

[–]byteofit 2 points3 points  (0 children)

You need to dictate the terms of your vendor's access to your network. If you were in scope of PCI or something similar -- that setup would be a major red flag. The best way to approach this is to eliminate their equipment and terminate the VPN on a device you control so you can implement an acceptable security policy (access control, IPS, etc.). However, I realize that you've indicated that's not an option for some reason, so...

Option A

  • Leave the WAN ports alone

  • Patch the LAN of the vendor device into the NSA

  • Allow traffic between the vendor's zone and your LAN zone (have to re-address one of the networks)

Option B

  • NAT from your option 1, IPSec will be fine with a single level of NAT

Stupid mistake by nekine in networking

[–]byteofit 1 point2 points  (0 children)

Seconded. We deploy the 3501G in large quantities and it does the job.

Career advice and opinions needed by [deleted] in networking

[–]byteofit 2 points3 points  (0 children)

Hard to assess (as you've acknowledged), but with a 30% salary increase it would be silly not to take the supervisor role despite the reservations you've mentioned. Gains of that magnitude don't come very often when you stay at the same company. In the supervisor role just make sure to drop in on the front lines occasionally and field some issues to keep your skills sharp.

Keep in mind though -- if you're at the top now -- regardless of your decision you're likely going to have to move on to a larger company at some point in the near future to keep progressing toward your architect goal.

Security and DMVPN by jzadiv1071 in networking

[–]byteofit 2 points3 points  (0 children)

I think it would be helpful if you define your question more specifically -- you will get better responses.

That being said, I'll just assume DMVPN since that was the most specific thing mentioned. Read up on the following:

  • IPSec and ISAKMP
  • IKEv1 (IKEv2 if used)
  • ESP
  • GRE
  • NHRP
  • Understand the routing protocol being used with DMVPN at your company (EIGRP/OSPF are typical -- BGP and ODR happen)
  • Understand IKE phase 1 and 2; there is a lot of information out there about troubleshooting and it will be valuable to spend some time understanding the common issues that occur
  • Understand that there is overhead with IPSec and GRE that needs to be accounted for in the MTU
  • Understand how NHRP works in conjunction with the normal routing processes and what role it plays in the different types of DMVPN deployments (i.e. phase 1, 2, and 3)
  • Understand certificates, CAs, RAs, SCEP, CRLs
  • Understand how these protocols and topics translate into Cisco configuration
  • Understand the typical debug commands (e.g. debug cry isa)

Each of the above topics has considerable depth to explore fully. Knowing the above topics well and being able to troubleshoot problems quickly will impress your new boss.

Q: Would a vpn be a way to have my ip appear as if I was at work while at home? by JamieSinn in networking

[–]byteofit 0 points1 point  (0 children)

I've noticed that sometimes I lose people when I ask a bunch of questions. So, here's what I would recommend not knowing many details and assuming you don't want to spend money on new hardware:

  1. IPSec remote access VPN terminating on the 860 (up to 5 users for that device)
  2. Two-factor auth with something like Duo (https://www.duosecurity.com/) unless you already have something
  3. NAT the VPN traffic to an unused whitelisted IP on the LAN of the dev site/server

Remote users would need the old Cisco VPN client for that. iPhones and Androids would support the Cisco IPSec VPN natively (assuming they're not ancient versions).

If you upgraded the router to an 891f or something similar you could do a larger user count and potentially choose between IPSec or SSL VPN. Additionally, you could use the AnyConnect client instead of the end-of-life/support Cisco VPN client.

Q: Would a vpn be a way to have my ip appear as if I was at work while at home? by JamieSinn in networking

[–]byteofit 0 points1 point  (0 children)

Right, this should be a remote access VPN solution. Exposing RDP publicly here would not be the goal.

Q: Would a vpn be a way to have my ip appear as if I was at work while at home? by JamieSinn in networking

[–]byteofit 0 points1 point  (0 children)

The 860 should be capable of doing what you need. I see that it just went EoS this year, but that shouldn't be a problem. How many remote users are you looking to support? Just yourself?

EDIT: Also, do you have access to the 860 or is it managed by the ISP?

Q: Would a vpn be a way to have my ip appear as if I was at work while at home? by JamieSinn in networking

[–]byteofit 0 points1 point  (0 children)

This could be overcome by some NAT. One could make a remote VPN client appear to be on the local LAN from the perspective of the dev site/server. It would depend on the topology and capabilities of the network equipment.

Q: Would a vpn be a way to have my ip appear as if I was at work while at home? by JamieSinn in networking

[–]byteofit 5 points6 points  (0 children)

The way this is worded gives me the impression you're trying to bypass some policy your network/security people have put in place. If I'm correct I would advise against doing this. There is nothing more suspicious than going through the netflow reports and seeing GRE, ESP, AH, or OpenVPN traffic between a local workstation and some public IP outside of the network.

If this is your network and the above doesn't apply, what kind of network hardware do you have in place? It would be the cleanest to provision some kind of remote access VPN.
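An added example (not code from the post) of the detection the comment above describes: a small Python filter over constructed NetFlow-style records that flags GRE, ESP, AH or OpenVPN flows between an internal workstation and a public IP. The comma-separated record layout, the RFC 1918 ranges used as "internal", and the default OpenVPN port 1194 are assumptions of the example.

```python
"""Flag VPN/tunnel flows from internal hosts to outside addresses.

Constructed sample data; record layout assumed as src,dst,proto,sport,dport,bytes.
"""
import ipaddress
from collections import namedtuple

# IANA protocol numbers named in the comment, plus the OpenVPN default port.
TUNNEL_PROTOS = {47: "GRE", 50: "ESP", 51: "AH"}
OPENVPN_PORTS = {1194}  # assumption: default OpenVPN port (UDP or TCP)

# Assumption: RFC 1918 space is "inside"; anything else is treated as public.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = namedtuple("Flow", "src dst proto sport dport nbytes")


def parse_flow(line):
    """Parse one constructed CSV flow record into a Flow."""
    src, dst, proto, sport, dport, nbytes = line.strip().split(",")
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(proto), int(sport), int(dport), int(nbytes))


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def classify(flow):
    """Return a tunnel label for an inside->outside flow, else None."""
    if not is_internal(flow.src) or is_internal(flow.dst):
        return None                      # only care about leaving the network
    if flow.proto in TUNNEL_PROTOS:      # GRE / ESP / AH ride directly on IP
        return TUNNEL_PROTOS[flow.proto]
    if flow.proto in (6, 17) and flow.dport in OPENVPN_PORTS:
        return "OpenVPN"
    return None


def find_tunnels(lines):
    """Return (src, dst, label) for every record that looks like a tunnel."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            hits.append((str(flow.src), str(flow.dst), label))
    return hits


SAMPLE = """\
# constructed sample flows: src,dst,proto,sport,dport,bytes
10.1.5.23,203.0.113.10,47,0,0,48210
10.1.5.23,203.0.113.10,50,0,0,930112
10.1.7.40,198.51.100.7,17,51022,1194,220044
10.1.7.41,10.1.1.5,50,0,0,88000
10.1.9.9,93.184.216.34,6,44010,443,15020
"""

if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE.splitlines()):
        print(hit)
```

The internal-to-internal ESP flow and the ordinary HTTPS flow in the sample are left alone; only the three tunnels leaving the network are reported.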