Thought I would share an experience with everyone...
All laptops on the network have the Cisco VPN client installed, as most take their laptops on the road or home when they leave at night.
One thing I've noticed when performing vulnerability assessments of the network with various tools, such as IS Scanner, STAT scanner, etc... is this:
If the client I am on has the VPN client installed and the machine I'm targeting has the VPN client installed, I cannot communicate to perform the scan.
ICMP traffic between the 2 devices will not work. This caused me quite a headache until I realized that the only common ground between all the clients I was trying to scan was the fact all were laptops.
All laptops also have personal firewalls for use when on the road. I thought this was the problem and removed the firewalls and still no success.
Finally I thought about the VPN client. So, on the source and the target device I stopped the "Cisco Systems, Inc. VPN Service" and VOILA, I can scan all systems. Appears that if the source and target machines are running the service, they won't communicate via ICMP.
The VPN client has a built-in personal firewall, which can be turned on all the time, even when the VPN client is not connected.
Open up the client, go under Options and see if "Stateful Firewall (Always On)" is checked. If it is, then as you've seen, as long as the VPN service is running, external connections to the PC will be dropped (this includes pings).
If you uncheck this option (which is the default), then the stateful firewall will only be running when the VPN Client has a connection to your VPN concentrator and your private network. This helps protect your internal network by the fact that while a VPN is established, your PC won't accept any outside connections.
The Cisco Service does cause some compatibility issues and we've had to put it in manual mode and create a vbs file that launches the service and the GUI at the same time. When the VPN is shutdown so is the service. However, Cisco VPN Client also has a full-time firewall. You can disable this by changing the vpnclient.ini file to StatefullFirewall=0. This might alleviate your problems rather than stopping the Cisco service which is needed to run the VPN. Just a thought. We've done both.
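Checking the always-on stateful firewall flag across a fleet of laptops is easier with a script than by opening the GUI on each one. The following is an added example, not code from the thread or from Cisco: it reads a vpnclient.ini, reports whether the stateful firewall is forced on, and writes back the corrected setting while leaving every other key untouched. It assumes the key lives in the [main] section under the name StatefulFirewall (the spelling used in the Cisco client configuration reference; the reply above writes it as StatefullFirewall), and the sample ini text below is constructed for the example.

```python
import configparser
from io import StringIO

# Constructed sample resembling a vpnclient.ini with the always-on firewall enabled.
# Section and key names ([main] / StatefulFirewall) are assumptions; verify them
# against the vpnclient.ini installed on your own machine.
SAMPLE_INI = """[main]
AutoInitiationEnable=0
StatefulFirewall=1

[LogLevel]
IKE=1
"""

SECTION = "main"
KEY = "StatefulFirewall"


def load_ini(text):
    """Parse ini text, preserving key case so the rewritten file matches Cisco's spelling."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def firewall_always_on(text):
    """Return True if the stateful firewall is forced on (missing key means off, the default)."""
    cp = load_ini(text)
    if not cp.has_section(SECTION):
        return False
    return cp.get(SECTION, KEY, fallback="0").strip() == "1"


def set_firewall_always_on(text, enabled):
    """Return the ini text with StatefulFirewall set to 1 or 0, keeping all other keys."""
    cp = load_ini(text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    cp[SECTION][KEY] = "1" if enabled else "0"
    out = StringIO()
    # Cisco's file uses key=value with no spaces around '='.
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


def fix_file(path):
    """Read a vpnclient.ini from disk, turn the always-on firewall off, and write it back."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    if not firewall_always_on(original):
        return False  # nothing to change
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_firewall_always_on(original, False))
    return True


if __name__ == "__main__":
    print("always-on before:", firewall_always_on(SAMPLE_INI))
    print(set_firewall_always_on(SAMPLE_INI, False))
```

Stop the VPN service before editing the file and start it again afterwards so the client re-reads the setting; turning the always-on firewall off only affects the period when no tunnel is up, since the firewall still runs for the duration of a connection.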