[c-nsp] checkpoint vpn client behind pix 515

Rodney Dunn rodunn at cisco.com
Wed Sep 7 22:29:00 EDT 2005


I don't claim to know anything about this but...

I just connected my wife to her employer through a Linksys
NAT box at home and the client is a Checkpoint and it works.
I had the same question about NAT-T and just decided to
"try it and see". It worked through the NAT box.

There was one application that doesn't work and I looked
at the client logs and when I start the application it
registers as dropping the packets due to Rule 25 whatever
that means.

Check the checkpoint troubleshooting logs and ping and
see if you see anything there.


On Wed, Sep 07, 2005 at 09:20:04PM -0500, Church, Chuck wrote:
> Unless something changed recently, won't NAT break plain-vanilla IPSec
> using AH?  It used to.  Of course if it's wrapped in UDP or TCP (NAT-T),
> there's no issue.  But do we know for sure the Checkpoint is using
> NAT-T?  Are there any hits on the AH ACL entry?
> 
> 
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation Team
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 864-266-3978
> cchurch at netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D 
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcus Keane
> Sent: Wednesday, September 07, 2005 9:34 PM
> To: Ivan Lopez; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] checkpoint vpn client behind pix 515
> 
> I don't know anything about the checkpoint so I've no idea. Does it even
> support NAT-T? Without more information, it's impossible to say.
> I assume you've done the usual checking of xlates, conns, etc.? If that
> all checks out, I'd chase your Checkpoint support.
> Marcus
> 
> -----Original Message-----
> From: Ivan Lopez [mailto:lopez.ia at verizon.net] 
> Sent: Thursday, 8 September 2005 3:02 AM
> To: Marcus Keane; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] checkpoint vpn client behind pix 515
> 
> I tried adding port 4500 for udp just as instructed, but I get the same
> results.
> 
> VPN connection establishes but once connected no traffic passes.
> 
> Any ideas?
> 
> Thanks!
> 
> Marcus Keane wrote:
> 
> >No, it's the standard IPSec NAT traversal port. Check out this RFC.
> >ftp://ftp.rfc-editor.org/in-notes/rfc3947.txt
> >
> >Cheers,
> >Marcus
> >
> >
> >-----Original Message-----
> >From: Ivan Lopez [mailto:ilopez02 at earthlink.net] 
> >Sent: Tuesday, 6 September 2005 9:58 AM
> >To: Marcus Keane
> >Subject: Re: [c-nsp] checkpoint vpn client behind pix 515
> >
> >Port 4500, is this Checkpoint admin port?
> >
> >Thanks again,
> >-Ivan
> >
> >>If you're doing Nat-T, you'll also need to permit udp 4500 in your
> >>access-list.
> >>Adding
> >>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host
> >>xxx.xxx.xxx.US eq 4500
> >>
> >>should probably do it.
> >>HTH.
> >>Marcus
> >>
> >>-----Original Message-----
> >>From: cisco-nsp-bounces at puck.nether.net
> >>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Lopez
> >>Sent: Tuesday, 6 September 2005 7:57 AM
> >>To: cisco-nsp at puck.nether.net
> >>Subject: [c-nsp] checkpoint vpn client behind pix 515
> >>
> >>I have a customer with a Checkpoint VPN-1 client connecting to its server
> >>in the U.K. thru my PIX firewall 6.3.
> >>I set up a NAT-static private-public IP address for my customer,
> >>permitting AH, ESP as well udp 500 both inbound and outbound.
> >>Connection establishes but not able to do anything else after that, not
> >>able to access any applications, nothing. This is my first Checkpoint
> >>experience, any ideas anyone?  Thanks!
> >>
> >>
> >>
> >>access-list vpnacl permit ip host xxx.xxx.xxx.UK  any
> >>
> >>access-list outside_coming_in permit esp host xxx.xxx.xxx.UK host 
> >>xxx.xxx.xxx.US
> >>access-list outside_coming_in permit ah host xxx.xxx.xxx.UK host 
> >>xxx.xxx.xxx.US
> >>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host 
> >>xxx.xxx.xxx.US eq isakmp
> >>
> >>isakmp nat-traversal 20
> >>
> >>sysopt connection permit-ipsec
> >>
> >>_______________________________________________
> >>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>archive at http://puck.nether.net/pipermail/cisco-nsp/

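A small configuration check in the spirit of the advice in this thread, added here as an example and not code from any of the posters: it parses PIX 6.3 access-list entries, reports what an IPsec client whose traffic is NATed still lacks (for the posted config, udp 4500 for NAT-T), and flags the AH entry as something NAT will break regardless. The addresses are RFC 5737 documentation addresses standing in for the xxx.xxx.xxx.UK / xxx.xxx.xxx.US placeholders (an assumption).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the outside_coming_in ACL as posted in the thread, with the
# placeholder addresses replaced by RFC 5737 documentation addresses (assumption).
SAMPLE_ACL = """
access-list outside_coming_in permit esp host 198.51.100.10 host 203.0.113.20
access-list outside_coming_in permit ah host 198.51.100.10 host 203.0.113.20
access-list outside_coming_in permit udp host 198.51.100.10 host 203.0.113.20 eq isakmp
"""

# PIX accepts service keywords in place of port numbers; only the one that matters here.
PORT_NAMES = {"isakmp": "500"}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\S+))?$"
)

def parse_aces(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse 'permit PROTO host SRC host DST [eq PORT]' entries; other lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            ace = m.groupdict()
            if ace["port"] is not None:
                ace["port"] = PORT_NAMES.get(ace["port"], ace["port"])
            aces.append(ace)
    return aces

def permitted(aces, proto: str, port: Optional[str] = None) -> bool:
    return any(a["proto"] == proto and (port is None or a["port"] == port) for a in aces)

def nat_t_check(text: str) -> Dict[str, object]:
    """ESP, UDP/500 (IKE) and UDP/4500 (NAT-T, RFC 3947) must all be permitted for a
    client behind NAT. AH is only flagged: its integrity check covers the IP header,
    so it fails once NAT rewrites the address, whatever the ACL says."""
    aces = parse_aces(text)
    required = [("esp", None), ("udp", "500"), ("udp", "4500")]
    missing = [f"{p}/{port}" if port else p for p, port in required if not permitted(aces, p, port)]
    # Suggested fix mirrors the existing isakmp entry, as proposed in the thread.
    ike = next((a for a in aces if a["proto"] == "udp" and a["port"] == "500"), None)
    fix = None
    if ike and "udp/4500" in missing:
        fix = f"access-list {ike['name']} permit udp host {ike['src']} host {ike['dst']} eq 4500"
    return {"missing": missing, "ah_present": permitted(aces, "ah"), "suggested_fix": fix}
```

Running `nat_t_check(SAMPLE_ACL)` on the posted ACL reports only `udp/4500` missing and returns the one-line fix; feeding the fixed ACL back in reports nothing missing.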
