[c-nsp] checkpoint vpn client behind pix 515

Marcus Keane mkeane at microsoft.com
Wed Sep 7 21:34:19 EDT 2005


I don't know anything about the checkpoint so I've no idea. Does it even
support NAT-T? Without more information, it's impossible to say.
I assume you've done the usual checking of xlates, conns, etc.? If that
all checks out, I'd chase your Checkpoint support.
Marcus

-----Original Message-----
From: Ivan Lopez [mailto:lopez.ia at verizon.net] 
Sent: Thursday, 8 September 2005 3:02 AM
To: Marcus Keane; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] checkpoint vpn client behind pix 515

I tried adding port 4500 for udp just as instructed, but I get the same
results.

VPN connection establishes but once connected no traffic passes.

Any ideas?

Thanks!

Marcus Keane wrote:

>No, it's the standard IPSec NAT traversal port. Check out this RFC.
>ftp://ftp.rfc-editor.org/in-notes/rfc3947.txt
>
>Cheers,
>Marcus
>
>
>-----Original Message-----
>From: Ivan Lopez [mailto:ilopez02 at earthlink.net] 
>Sent: Tuesday, 6 September 2005 9:58 AM
>To: Marcus Keane
>Subject: Re: [c-nsp] checkpoint vpn client behind pix 515
>
>Port 4500, is this Checkpoint admin port?
>
>Thanks again,
>-Ivan
>
>Marcus Keane wrote:
>
>>If you're doing Nat-T, you'll also need to permit udp 4500 in your
>>access-list.
>>Adding
>>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host
>>xxx.xxx.xxx.US eq 4500
>>
>>should probably do it.
>>HTH.
>>Marcus
>>
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Lopez
>>Sent: Tuesday, 6 September 2005 7:57 AM
>>To: cisco-nsp at puck.nether.net
>>Subject: [c-nsp] checkpoint vpn client behind pix 515
>>
>>I have a customer with a Checkpoint VPN-1 client connecting to its
>>server in the U.K. thru my PIX firewall 6.3.
>>I set up a NAT-static private-public IP address for my customer, 
>>permitting AH, ESP as well udp 500 both inbound and outbound.   
>>Connection establishes but not able to do anything else after that, not
>>able to access any applications, nothing. This is my first Checkpoint
>>experience, any ideas anyone?  Thanks!
>>
>>access-list vpnacl permit ip host xxx.xxx.xxx.UK any
>>
>>access-list outside_coming_in permit esp host xxx.xxx.xxx.UK host 
>>xxx.xxx.xxx.US
>>access-list outside_coming_in permit ah host xxx.xxx.xxx.UK host 
>>xxx.xxx.xxx.US
>>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host 
>>xxx.xxx.xxx.US eq isakmp
>>
>>isakmp nat-traversal 20
>>
>>sysopt connection permit-ipsec
>>
>>_______________________________________________
>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
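The advice in this thread comes down to one access-list check: once NAT-T (RFC 3947) is negotiated, ESP is carried inside udp/4500, so a PIX ACL that permits only esp, ah and udp/500 lets IKE finish but drops every data packet, which matches the "connects but no traffic" symptom. The Python below is an added example, not code from the thread or from Cisco; it parses host-to-host access-list lines of the shape posted above and reports which NAT-T flows an ACL is missing for a peer pair. The ACL text and the xxx.xxx.xxx.UK / xxx.xxx.xxx.US placeholders are the poster's, embedded here as constructed sample input.

```python
import re

# Constructed sample input: the PIX 6.3 access-list lines posted in the thread,
# keeping the poster's xxx.xxx.xxx.UK / xxx.xxx.xxx.US placeholders.
POSTED_ACL = """
access-list outside_coming_in permit esp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US
access-list outside_coming_in permit ah host xxx.xxx.xxx.UK host xxx.xxx.xxx.US
access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US eq isakmp
"""
# The same ACL with the udp 4500 line Marcus suggested appended.
FIXED_ACL = POSTED_ACL + (
    "access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US eq 4500\n"
)

# Flows an IPsec peer needs when NAT-T may be negotiated: IKE on udp/500,
# UDP-encapsulated ESP on udp/4500 (RFC 3947/3948) and plain ESP for the
# no-NAT case. AH is left out because it cannot survive NAT anyway.
REQUIRED_FLOWS = {("udp", 500), ("udp", 4500), ("esp", None)}
PORT_KEYWORDS = {"isakmp": 500}  # PIX port name used in the posted config

ACL_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)


def parse_acl(text):
    """Parse host-to-host PIX access-list entries into
    (acl_name, protocol, src, dst, port) tuples; port is None for esp/ah."""
    entries = []
    for raw in text.splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m:
            continue  # not a host/host permit line; outside this check's scope
        port = m.group("port")
        if port is not None:
            port = int(port) if port.isdigit() else PORT_KEYWORDS.get(port)
        entries.append((m.group("name"), m.group("proto").lower(),
                        m.group("src"), m.group("dst"), port))
    return entries


def missing_nat_t_flows(text, acl_name, src, dst):
    """Return the required (protocol, port) flows that acl_name does not
    permit from src to dst; an empty set means NAT-T traffic can pass."""
    permitted = {(proto, port) for name, proto, s, d, port in parse_acl(text)
                 if name == acl_name and s == src and d == dst}
    return REQUIRED_FLOWS - permitted
```

Run against the posted config it reports only `("udp", 4500)` missing; with the suggested line added it reports nothing, which is the state the ACL has to be in before chasing NAT-T support on the Checkpoint side.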