[c-nsp] checkpoint vpn client behind pix 515
Marcus Keane
mkeane at microsoft.com
Mon Sep 5 19:48:32 EDT 2005
If you're doing NAT-T, you'll also need to permit udp 4500 in your
access-list.
Adding
access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US eq 4500
should probably do it.
HTH.
Marcus
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Lopez
Sent: Tuesday, 6 September 2005 7:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] checkpoint vpn client behind pix 515
I have a customer with a Checkpoint VPN-1 client connecting to its server
in the U.K. through my PIX firewall 6.3.
I set up a static NAT private-to-public IP address for my customer,
permitting AH and ESP as well as udp 500, both inbound and outbound.
The connection establishes, but they are not able to do anything else after that: not
able to access any applications, nothing. This is my first Checkpoint
experience, any ideas anyone? Thanks!
access-list vpnacl permit ip host xxx.xxx.xxx.UK any
access-list outside_coming_in permit esp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US
access-list outside_coming_in permit ah host xxx.xxx.xxx.UK host xxx.xxx.xxx.US
access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US eq isakmp
isakmp nat-traversal 20
sysopt connection permit-ipsec
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
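As an added check (not code from either poster), a small Python audit that parses PIX-style access-list lines like the ones in this thread and reports which IPsec/NAT-T flows between two hosts are still not permitted. The addresses are constructed placeholders, and the parser only handles the host-to-host form used here.

```python
"""Audit PIX 6.3-style access-list lines for the flows a Checkpoint
VPN-1 client needs: IKE over udp/500, ESP, AH and, with NAT-T enabled,
udp/4500. Added example with constructed placeholder addresses."""
import re

# ACL as posted in the thread, with constructed placeholder hosts.
POSTED_ACL = """
access-list outside_coming_in permit esp host 192.0.2.10 host 198.51.100.20
access-list outside_coming_in permit ah host 192.0.2.10 host 198.51.100.20
access-list outside_coming_in permit udp host 192.0.2.10 host 198.51.100.20 eq isakmp
"""

# Service names PIX accepts for the two UDP ports that matter here.
PORT_ALIASES = {"isakmp": 500, "500": 500, "4500": 4500}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_aces(text):
    """Return a set of (proto, src, dst, port) tuples for host/host permit ACEs."""
    aces = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # other forms (e.g. 'any') are outside this audit's scope
        port = PORT_ALIASES.get(m.group("port")) if m.group("port") else None
        aces.add((m.group("proto").lower(), m.group("src"), m.group("dst"), port))
    return aces


def missing_ipsec_flows(text, src, dst, nat_t=True):
    """Names of the IPsec flows from src to dst that the ACL does not permit."""
    aces = parse_aces(text)
    required = {
        "esp": ("esp", src, dst, None),
        "ah": ("ah", src, dst, None),
        "udp/500 (isakmp)": ("udp", src, dst, 500),
    }
    if nat_t:  # 'isakmp nat-traversal' moves IKE and ESP into udp/4500
        required["udp/4500 (nat-t)"] = ("udp", src, dst, 4500)
    return sorted(name for name, ace in required.items() if ace not in aces)
```

Run against the posted ACL with NAT-T enabled, the only gap it reports is udp/4500, which is exactly the line Marcus suggests adding.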