I’m new to the Comodo community and I’m a user of Comodo Firewall. So far, I’ve found it quite useful and secure. However, I have a problem. I now need to install a Cisco VPN Client 5.0.01.06 (or whatever version it is); it’s a VPN client which allows me to connect to my workstation from anywhere, as long as I have my notebook with me, and access it from somewhere far away from the PC.
May I know how I can set the firewall to allow such a connection to come in on the PC with Comodo Firewall on? (The PC will be left running 24 hours, so I don’t want to go without a firewall to protect it.)
Unless I’ve mistaken the scenario, the Cisco VPN Client is used to connect to a concentrator/ASA/PIX, not to other workstations without the necessary software.
Tip:
Check the logs for blocked/dropped inbound connections from your laptop. Verify the IP address and add a rule that allows the ports used in VPN connections.
Thanks for the reply. Yes, it is connected to an ASA; sorry for not stating it clearly enough in the first place. But isn’t it also blocking me from accessing my workstation if the Comodo on my workstation is active and blocks the ASA from allowing me to access my workstation remotely?
I’ll try your methods later when I reach home. Does it apply to the scenario I stated above?
If you allow the VPN client to pass your firewall, it will set up a VPN tunnel to the ASA. But you need to initiate the VPN connection from the client to successfully establish a VPN tunnel.
Cisco VPN Client uses UDP 500 for outbound IKE (Internet Key Exchange) negotiation and UDP 4500/TCP 10000 for transparent tunneling. Verify that you have these rules in place and that you allow them to pass the firewall, and you should be able to connect to the ASA without any problems.
Once the VPN tunnel is successfully established, you should have full access to your workstation.
All allowed connections should be specified by a single host address if possible. If you only use your VPN Client to connect to the ASA at the office, try to specify that destination address only.
IKE is used in the first stage when establishing a VPN connection. This makes it a bit impractical to trim down to only a few destinations if you use it frequently to connect to other sites. The same goes for UDP 4500 and TCP 10000. These ports are used to establish the transparent tunneling protocol. This allows encrypted traffic to pass on the inside of the VPN tunnel, while mundane traffic (WWW etc.) flows on the outside.
The same rule of thumb applies to any other connection you make in this way. If you can be as specific as possible, you’ll have much better control of the behavior of your firewall. Just don’t go overboard and bog yourself down in fine-tuning every connection made by your computer.
I have a problem connecting from my home PC to the ASA server in the office; my PC hung while they were negotiating with the server. Just FYI, both my PC at home and my PC in the office have the firewall installed. Do I only have to set up my office PC firewall rules if I give the Cisco VPN Client full access to the server from my home PC firewall?
You have to configure both firewalls, the one at home and the one in the office. Have you looked at the logs on your home computer? Any dropped/blocked connections?
My home computer is configured just nicely, as it allows me to VPN in to my office workstation. However, if I ever set up CFP on my workstation in the office, and it was not configured properly until now, it won’t allow me to connect from the ASA to my workstation, even though I was connected to my company VPN.
I think the CFP on my office workstation has to be configured properly, which I’m not sure how to do yet. But as long as I set the CFP on the office workstation to “Allow All” it doesn’t give me any problem at all, insecure though that is.
OK, I think my CFP is configured in such a way that it blocks IP In/Out by default, which I never touched before and have only just found out about. Does this affect my CFP in the office?
How can I secure the VPN connection from the home PC to the ASA and then to my office PC while not allowing other IP In/Out? Hmm… imagine if the IP is assigned dynamically by DHCP.
Not directly. CFP is configured to drop all inbound connections by default. Look for the Deny All inbound Any-Any rule in the global configuration. If you want to allow inbound traffic (e.g. inbound Remote Desktop Connections - TCP 3389) you need to add this rule above the default deny rule. As for outbound traffic, it builds its allow-list based upon your actions on the pop-ups. If you allow the VPN client full access, it should connect to the ASA and establish the tunnel just fine. Just remember that you have to establish the tunnel from the client side. The client can’t be triggered from the ASA, unfortunately. If you’re unsure whether CFP is stopping your attempt to build a VPN tunnel, disable it. Initiate and establish the tunnel and restart CFP. Or simply make these rules above the Default Deny rule stating:
- Allow outbound UDP 500 from My Computer to My ASA
And if you use transparent tunneling (Split-tunneling):
- Allow outbound UDP 4500 from My Computer to My ASA
- Allow outbound TCP 10000 from My Computer to My ASA
These 3 rules are essential to make the Cisco VPN client initiate and establish its tunneling protocol. And if you need to troubleshoot, look through your logs for events blocking/dropping on these ports/IP addresses. That goes for both CFP and ASA.
The VPN profile on the ASA will provide you with a DHCP assigned IP address. These addresses are considered “safe”, but remember to use NAT traversal on these. Or 0 NAT (NoNAT) if you will. Otherwise the VPN addresses won’t be able to see the inside LAN and vice versa.
When you use Cisco VPN, the VPN tunnel is encrypted and is considered secured. No need to implement further measures. To securely allow your home computer and your office computer access to one another, use hostnames. As you know DHCP addresses are assigned randomly, but hostnames are unique.
And lastly. If you use CFP on your office computer, remember to add a rule allowing inbound TCP 3389 from the VPN IP range. Same goes for your home computer. Add an inbound rule to allow the same port, but from your office computer host IP address to heighten security a bit. Also add the Remote Desktop Connection application to your list of safe programs to allow it Internet access.
Here’s a quick 3-step check list:
Verify that your computer initiating the VPN tunnel has an allow statement in the CFP.
Initiate and establish the VPN tunnel. Make sure you have an active VPN tunnel.
Verify that CFP has an allow statement for RDC and try to connect.
Should any of these 3 steps fail, check your logs. The log should contain a block or drop entry to help you troubleshoot the problem.
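To make the rule-ordering point in the two replies above concrete (the three outbound rules for the VPN client, the inbound TCP 3389 rule on the office workstation, and the need to place all of them above the default Block IP In/Out Any-Any rule), here is an added example that is not from the original thread or from Comodo: a small first-match rule evaluator in Python. It models a CFP-style ordered ruleset and shows the same allow rules passing or failing depending only on whether they sit above the default deny. All addresses (notebook, ASA, office workstation, VPN pool) are constructed for the example; the rule names and packet fields are simplifications, not Comodo’s actual format.

```python
"""
Ordered, first-match evaluation of host-firewall rules, modelling the point
made in the thread: allow rules for the VPN client (and for RDP on the office
workstation) only take effect if they sit ABOVE the default
"Block IP In/Out" Any-Any rule. Addresses are constructed (RFC 5737 / RFC 1918).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    direction: str        # "in", "out" or "any"
    proto: str            # "tcp", "udp" or "any"
    src: str              # host address, CIDR, or "any"
    dst: str              # host address, CIDR, or "any"
    dport: Optional[int]  # destination port; None matches any port
    name: str


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def _in_net(net: str, addr: str) -> bool:
    """A bare host address is treated as a /32 by ip_network()."""
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and _in_net(rule.src, pkt.src)
            and _in_net(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything left unmatched is blocked."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit default"


# Constructed example addresses (assumptions, not taken from the thread).
MY_PC = "192.168.1.20"      # home notebook running the Cisco VPN Client
MY_ASA = "203.0.113.10"     # public address of the office ASA
OFFICE_PC = "10.1.1.50"     # office workstation behind the ASA
VPN_POOL = "10.10.0.0/24"   # address pool the ASA's VPN profile hands out

DEFAULT_DENY = Rule("block", "any", "any", "any", "any", None,
                    "Block IP In/Out Any-Any")

# The three outbound rules from the reply, pinned to the ASA only.
VPN_ALLOWS = [
    Rule("allow", "out", "udp", MY_PC, MY_ASA, 500, "IKE to My ASA"),
    Rule("allow", "out", "udp", MY_PC, MY_ASA, 4500, "UDP 4500 to My ASA"),
    Rule("allow", "out", "tcp", MY_PC, MY_ASA, 10000, "TCP 10000 to My ASA"),
]
# Office workstation: inbound RDP only from the VPN address range.
OFFICE_ALLOWS = [
    Rule("allow", "in", "tcp", VPN_POOL, OFFICE_PC, 3389, "RDP from VPN range"),
]


def ordered(allows: List[Rule], allows_above_deny: bool) -> List[Rule]:
    """Build a ruleset with the allows either above or below the default deny."""
    return allows + [DEFAULT_DENY] if allows_above_deny else [DEFAULT_DENY] + allows


VPN_SETUP = [
    Packet("out", "udp", MY_PC, MY_ASA, 500),
    Packet("out", "udp", MY_PC, MY_ASA, 4500),
    Packet("out", "tcp", MY_PC, MY_ASA, 10000),
]
RDP_FROM_VPN = Packet("in", "tcp", "10.10.0.7", OFFICE_PC, 3389)
RDP_FROM_INTERNET = Packet("in", "tcp", "198.51.100.5", OFFICE_PC, 3389)


def tunnel_can_come_up(home_rules: List[Rule]) -> bool:
    """True only if all three client-to-ASA flows are allowed."""
    return all(evaluate(home_rules, p)[0] == "allow" for p in VPN_SETUP)


def rdp_verdicts(office_rules: List[Rule]) -> Dict[str, str]:
    """RDP into the office PC from a VPN-pool address vs. from the Internet."""
    return {
        "from_vpn": evaluate(office_rules, RDP_FROM_VPN)[0],
        "from_internet": evaluate(office_rules, RDP_FROM_INTERNET)[0],
    }


if __name__ == "__main__":
    for above in (False, True):
        home, office = ordered(VPN_ALLOWS, above), ordered(OFFICE_ALLOWS, above)
        print(f"allows above default deny: {above}")
        for p in VPN_SETUP:
            print(f"  {p.proto.upper()} {p.dport} to ASA -> {evaluate(home, p)}")
        print(f"  RDP on office PC -> {rdp_verdicts(office)}")
```

With the allows below the default deny, every flow hits the Any-Any block first and the tunnel never comes up; moved above it, the three client flows pass and RDP is accepted from the VPN pool while the same port from an arbitrary Internet address is still blocked. Pinning the destination to the ASA address also means IKE to any other host stays blocked, which is the "be as specific as possible" advice from earlier in the thread.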
Thanks for the detailed reply. I will go and try them out later. I think I missed the part where we need to bring them above the Blocked IP In/Out rules. I’ve just moved all the related rules above the Blocked IP In/Out rules. I will try it out tonight when I reach home to see whether I can VPN in with CFP on.
Thanks, and sorry for continuing to bug you for a solution.