[c-nsp] checkpoint vpn client behind pix 515

Ivan Walker cisco-nsp at itpro.co.nz
Mon Sep 5 22:08:34 EDT 2005


Hopefully you have it working, but if not, here are a few thoughts/ideas.

I didn't think that the PIX could be set to pass through ipsec traffic 
AND terminate ipsec traffic at the same time.  I think if you have

sysopt connection permit-ipsec

then ipsec may not be passed through, but instead the PIX will want to process this traffic.  (I am sure someone will advise if this is not correct).

I have attached a config for a PIX that currently allows VPN passthrough.

Ivan

Marcus Keane wrote:

>If you're doing Nat-T, you'll also need to permit udp 4500 in your
>access-list.
>Adding
>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host
>xxx.xxx.xxx.US eq 4500
>
>should probably do it.
>HTH.
>Marcus
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Lopez
>Sent: Tuesday, 6 September 2005 7:57 AM
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] checkpoint vpn client behind pix 515
>
>I have a customer with a Checkpoint VPN-1 client connecting to its server
>
>in the U.K. thru my PIX firewall 6.3.
>I set up a NAT-static private-public IP address for my customer, 
>permitting AH, ESP as well as udp 500 both inbound and outbound.   
>The connection establishes but I'm not able to do anything else after that, not 
>able to access any applications, nothing. This is my first Checkpoint 
>experience, any ideas anyone?  Thanks!
>
>
>
>access-list vpnacl permit ip host xxx.xxx.xxx.UK  any
>
>access-list outside_coming_in permit esp host xxx.xxx.xxx.UK host 
>xxx.xxx.xxx.US
>access-list outside_coming_in permit ah host xxx.xxx.xxx.UK host 
>xxx.xxx.xxx.US
>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host 
>xxx.xxx.xxx.US eq isakmp
>
>isakmp nat-traversal 20
>
>sysopt connection permit-ipsec
>
>
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pixvpnpassthrough.txt
Url: https://puck.nether.net/pipermail/cisco-nsp/attachments/20050905/14a1d540/pixvpnpassthrough.txt
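To show what Marcus's udp/4500 hint means against the access-list quoted above, here is an added audit script (not from the thread or from Cisco) that parses PIX 6.3 `access-list ... host ... host ...` lines and reports which IPsec services are still missing for a client behind the firewall. The addresses are constructed placeholders; the check only understands the host-to-host form used in the post.

```python
import re

# PIX 6.3 access-list syntax as quoted in the thread:
#   access-list NAME permit PROTO host SRC host DST [eq PORT]
# (lines such as "permit ip host X any" use a different form and are skipped).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)
PORT_NAMES = {"isakmp": "500"}  # PIX accepts a service name or a number

# (protocol, port) pairs an IPsec client behind the PIX needs permitted inbound;
# udp/4500 is the NAT-T encapsulation Marcus's reply points out.
REQUIRED = {"esp": ("esp", None), "ah": ("ah", None),
            "isakmp": ("udp", "500"), "nat-t": ("udp", "4500")}

def parse_acl(config):
    """Return the permit entries of every access-list in a config snippet."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("action") == "permit":
            e = m.groupdict()
            e["proto"] = e["proto"].lower()
            if e["port"]:
                e["port"] = PORT_NAMES.get(e["port"].lower(), e["port"])
            entries.append(e)
    return entries

def missing_passthrough(config, acl, src, dst):
    """Names of the IPsec services not permitted from src to dst in acl."""
    seen = {(e["proto"], e["port"]) for e in parse_acl(config)
            if e["name"] == acl and e["src"] == src and e["dst"] == dst}
    return [svc for svc, key in REQUIRED.items() if key not in seen]

# Constructed sample mirroring the original post, with documentation addresses.
SAMPLE = """\
access-list outside_coming_in permit esp host 192.0.2.10 host 198.51.100.20
access-list outside_coming_in permit ah host 192.0.2.10 host 198.51.100.20
access-list outside_coming_in permit udp host 192.0.2.10 host 198.51.100.20 eq isakmp
isakmp nat-traversal 20
sysopt connection permit-ipsec
"""
# The same config with the NAT-T rule from Marcus's reply added.
FIXED = SAMPLE + ("access-list outside_coming_in permit udp host 192.0.2.10 "
                  "host 198.51.100.20 eq 4500\n")

if __name__ == "__main__":
    args = ("outside_coming_in", "192.0.2.10", "198.51.100.20")
    print(missing_passthrough(SAMPLE, *args))  # ['nat-t']
    print(missing_passthrough(FIXED, *args))   # []
```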

