
New Member

PCI compliant

So I was told the RV220 using the quick VPN was PCI compliant but that is not true as it opens port 443. Can anyone tell me if the ISA550 will work using Cisco's other VPN client software. If not can someone suggest an affordable solution for a small business. I have one user that needs to connect remotely.

17 REPLIES

Re: PCI compliant

Gary,
The ISA500 not only supports the AnyConnect SSL VPN client but also supports that standard IPSec VPN client. See pages 2 & 3 of this document for support information.

http://www.cisco.com/en/US/docs/security/small_business_security/isa500/technical_reference/vpn/Configuring_VPN_with_Cisco_ISA500_Series_Security_Appliances.pdf


Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

PCI compliant

Shawn

But does the AnyConnect also use port 443? That is why we can't pass the PCI compliance test for credit card processing. The small business solutions recommended the RV220 saying it was PCI compliant but after we failed the scan and I called support he told me they had made a mistake. I'm new to all this.

Re: PCI compliant

AnyConnect is SSL VPN so yes it uses 443. However the standard IPSec VPN client referenced in that link uses standard IPSec VPN ports so no 443 on that.
All that said, I'm surprised that the SSL VPN is giving you issues with compliance. I'm wondering if the issue is SSL VPN or that you're using the default cert for encryption. You might consider contacting the auditor for further clarification. Having the ability to use AnyConnect is a very attractive proposition since you can also use it on Smart devices with ease. You might just need a publicly signed cert on your VPN endpoint so it isn't throwing up the invalid cert warning. Just something else to consider.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: PCI compliant

Shawn

An IT I am not. Are you someone that I could pay to explain the different VPNs and certificates. I can tell you right now when I open the Quick client I get a warning "server's certificate doesn't exist on your local computer. Do you want to quit this connection" I also know I am using the DV220 with all the default settings for everything. The only thing I have done was add the remote user. Maybe if I could update the certificates the DV220 might pass the PCI scan.

This is the main cause of the PCI scan failure. TLS Protocol Session Renegotiation Security Vulnerability. Could this be related to the certificate you are referring to? Like I said, I would be happy to hire your help.

Gary

Re: PCI compliant

Gary,
If IT is not something you're comfortable dealing with and would prefer to have some professional assistance, please send me a private message with your contact information. We'll get you setup with an account with our company and connect you up with one of our engineers that's even more capable than I am. They'll most likely want to look over the audit results and if they can't accomplish what you want with what you have, we can get you setup with what you'll need as well. ;-)

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: PCI compliant

Shawn

I did send you my phone and email in a private message but also here is something I found. The ControlScan company gave me a tool to check the certificate and although the Cisco shows my trusted certificate if you scan it using the tool it comes back as it sees the Cisco non-trusted certificate.

Re: PCI compliant

Gary,

I received your email and responded accordingly.  I figured that might be the case and ultimately might be the cause of the failed scan.  We'll get you fixed up.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

Re: PCI compliant

Shawn

So just so I'm sure I understand. You or someone you know will be willing to call me and work with me on this issue? If yes, wow, amazing. Who will I pay for this service and how? If I'm incorrect please advise how I should proceed. Cisco small business support was unable to help me.

Gary

Re: PCI compliant

Gary,

The short answer is 'yes'.  I mentioned the details in the private message response I sent you.  Once he contacts you, he'll get everything setup so we can get you fixed up.  As a side note, this isn't some other company or random person I'm sending you to.  I don't make it a point to try to establish business relationships through this forum.  I generally try to help out as much as I can and point others in the right direction to address their own challenges.  Since you stated IT is not your strength or focus and wanted professional assistance is why I'm going in a different direction with you.  I work with all the people that will be involved going forward.  If you get a moment, click on my name and read my bio.  That will help give you a better idea of who I am.  My company is roughly 30+ personnel doing roughly 95% of our work remotely to clients across the country.  There won't be any issues or surprises. 

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

Re: PCI compliant

Wonderful. Just a note. I did not receive any private note from you. What a relief it will be to have a professional take this burden off my shoulders. I have over 20 hours in this and it's a job I do for free and for fun.

Re: PCI compliant

That's odd that you didn't receive the private message.  Did you select your own name and then select the Private Messages tab?  It shows that it was sent.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

Re: PCI compliant

Shawn

Can you give me an idea of when I might be contacted? I have been dealing with this for weeks and now I'm down to the last few days to return the DV220 for a full refund if it needs to be returned. I emailed your guy but didn't get a reply today.

Re: PCI compliant

Gary,
You will hear from someone Monday. I'm not sure if it will be morning or afternoon, but definitely on Monday.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: PCI compliant

Good Morning

So I was successful at installing a trusted SSL certificate into the router. Using a tool from Control Scan it now sees my trusted certificate and when I try and access my router remotely I no longer get the IE warning and certificate error. I had Control Scan run a scan this morning and sadly it still fails for the exact same reason, the TLS renegotiation. My guess is if I were to close port 443 all would be well. Since this problem only started with the DV220W I'm now convinced it must be the issue and would probably be in my best interest just to send it back. I have to send it back by tomorrow to get full credit. Unless you believe me to be missing something else, that will be my plan. Thanks for all the help.

Gary

Re: PCI compliant

I'd say you're probably on the right track. When Gavin contacts you, if you don't mind, forward him that scan report so we can review it and ensure we're coming up with a solution that addresses the challenge.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: PCI compliant

I had the same problem with Trustwave for PCI compliance. I was using a SA540 and after many support calls, updates, etc. I had to disable SSL access to the router. Once I disabled SSL access to the router the scan passed. I was having the same TLS issue. Disabling SSL was the only way I could get it to work.
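The scan finding Gary quotes earlier ("TLS Protocol Session Renegotiation Security Vulnerability"), which persisted after installing a trusted certificate and which Barry only cleared by disabling SSL access, is the kind of result a scanner reports when a TLS endpoint does not implement RFC 5746 secure renegotiation. The script below is an added example, not from anyone in this thread and not a Cisco or ControlScan tool; it assumes the finding corresponds to a missing renegotiation_info extension, which is a reasonable but unconfirmed reading of the report. It hand-builds a TLS 1.2 ClientHello that signals RFC 5746 support, then parses the ServerHello to see whether the server answers with the extension. The constructed sample records let it be run offline; pass a host name to probe a real endpoint you administer.

```python
"""Probe a TLS endpoint for RFC 5746 secure renegotiation support.

Added example, not code from the thread. Assumption: the scanner finding
discussed in the thread corresponds to a server that negotiates without the
renegotiation_info extension.
"""
import os
import socket
import struct
import sys

RENEGOTIATION_INFO = 0xFF01      # extension type defined in RFC 5746
EMPTY_RENEG_INFO_SCSV = 0x00FF   # signalling cipher suite value from RFC 5746
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02


def build_client_hello(random_bytes=None):
    """Minimal TLS 1.2 ClientHello offering two real suites plus the SCSV,
    and an empty renegotiation_info extension (both RFC 5746 signals)."""
    random_bytes = random_bytes or os.urandom(32)
    suites = struct.pack("!HHH", 0xC02F, 0x002F, EMPTY_RENEG_INFO_SCSV)
    ext = struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0)  # renegotiated_connection = <>
    body = (
        b"\x03\x03" + random_bytes + b"\x00"            # version, random, empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_server_hello(record):
    """Return the set of extension types in the ServerHello that starts the
    given TLS record. Raises ValueError on alerts or malformed data."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    rec_type = record[0]
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_type == RECORD_ALERT:
        raise ValueError(f"server sent alert {record[5:7].hex()}")
    if rec_type != RECORD_HANDSHAKE:
        raise ValueError(f"unexpected record type 0x{rec_type:02x}")
    payload = record[5:5 + rec_len]
    if len(payload) < 4 or payload[0] != HS_SERVER_HELLO:
        raise ValueError("first handshake message is not a ServerHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + body[pos]              # session_id (length-prefixed)
    pos += 2 + 1                      # cipher_suite, compression_method
    extensions = set()
    if pos < len(body):               # the extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            extensions.add(ext_type)
            pos += 4 + ext_len
    return extensions


def supports_secure_renegotiation(record):
    """True when the ServerHello carries renegotiation_info (RFC 5746)."""
    return RENEGOTIATION_INFO in parse_server_hello(record)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def probe(host, port=443, timeout=5.0):
    """Live check against an endpoint you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        header = _recv_exact(sock, 5)
        payload = _recv_exact(sock, struct.unpack("!H", header[3:5])[0])
    return supports_secure_renegotiation(header + payload)


def _sample_server_hello(ext_blob):
    """Constructed ServerHello record (not a real capture) for offline use."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if ext_blob is not None:
        body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(hs)) + hs


SECURE_SAMPLE = _sample_server_hello(struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0))
LEGACY_SAMPLE = _sample_server_hello(None)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("secure renegotiation:", probe(sys.argv[1]))
    else:
        print("sample secure:", supports_secure_renegotiation(SECURE_SAMPLE))
        print("sample legacy:", supports_secure_renegotiation(LEGACY_SAMPLE))
```

A server that answers without renegotiation_info is what the thread's workaround (turning off the appliance's SSL listener) removes from the scan; a firmware that implements RFC 5746 on that listener would clear the finding without giving up the SSL VPN. The probe only reads the first record and deliberately offers no TLS 1.3 extensions, so it exercises the legacy TLS 1.2 path that older small-business appliances expose.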

New Member

Re: PCI compliant

Hey Barry

Unfortunately the reason we bought this was because we needed the VPN client remote access and it was supposed to be PCI compliant. Updating today to the ISA 550 with my fingers crossed. If this one doesn't work I'll probably lose my job so it won't matter. Cisco told me the DV220 was PCI compliant but it appears that was a mistake.
