[c-nsp] checkpoint vpn client behind pix 515
de GRUITER, Alex
alex.degruiter at premiereglobal.com.au
Wed Sep 7 22:30:32 EDT 2005
If it is using NAT-T draft 1 I believe that you will also need to allow UDP
port 500. The encapsulation in port 4500 is new to draft-2.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Chuck
Sent: Thursday, 8 September 2005 12:20 PM
To: Marcus Keane; Ivan Lopez; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] checkpoint vpn client behind pix 515
Unless something changed recently, won't NAT break plain-vanilla IPSec using
AH? It used to. Of course if it's wrapped in UDP or TCP (NAT-T), there's
no issue. But do we know for sure the Checkpoint is using NAT-T? Are there
any hits on the AH ACL entry?
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team 1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 864-266-3978
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcus Keane
Sent: Wednesday, September 07, 2005 9:34 PM
To: Ivan Lopez; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] checkpoint vpn client behind pix 515
I don't know anything about the checkpoint so I've no idea. Does it even
support NAT-T? Without more information, it's impossible to say.
I assume you've done the usual checking of xlates, conns, etc.? If that all
checks out, I'd chase your Checkpoint support.
Marcus
-----Original Message-----
From: Ivan Lopez [mailto:lopez.ia at verizon.net]
Sent: Thursday, 8 September 2005 3:02 AM
To: Marcus Keane; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] checkpoint vpn client behind pix 515
I tried adding port 4500 for udp just as instructed, but I get the same
results.
VPN connection establishes but once connected no traffic passes.
Any ideas?
Thanks!
Marcus Keane wrote:
>No, it's the standard IPSec NAT traversal port. Check out this RFC.
>ftp://ftp.rfc-editor.org/in-notes/rfc3947.txt
>
>Cheers,
>Marcus
>
>-----Original Message-----
>From: Ivan Lopez [mailto:ilopez02 at earthlink.net]
>Sent: Tuesday, 6 September 2005 9:58 AM
>To: Marcus Keane
>Subject: Re: [c-nsp] checkpoint vpn client behind pix 515
>
>Port 4500, is this Checkpoint admin port?
>
>Thanks again,
>-Ivan
>
>Marcus Keane wrote:
>
>>If you're doing Nat-T, you'll also need to permit udp 4500 in your
>>access-list.
>>Adding
>>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US eq 4500
>>
>>should probably do it.
>>HTH.
>>Marcus
>>
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Lopez
>>Sent: Tuesday, 6 September 2005 7:57 AM
>>To: cisco-nsp at puck.nether.net
>>Subject: [c-nsp] checkpoint vpn client behind pix 515
>>
>>I have a customer with a Checkpoint VPN-1 client connecting to its server
>>in the U.K. thru my PIX firewall 6.3.
>>I set up a NAT-static private-public IP address for my customer,
>>permitting AH, ESP as well udp 500 both inbound and outbound.
>>Connection establishes but not able to do anything else after that, not
>>able to access any applications, nothing. This is my first Checkpoint
>>experience, any ideas anyone? Thanks!
>>
>>access-list vpnacl permit ip host xxx.xxx.xxx.UK any
>>
>>access-list outside_coming_in permit esp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US
>>access-list outside_coming_in permit ah host xxx.xxx.xxx.UK host xxx.xxx.xxx.US
>>access-list outside_coming_in permit udp host xxx.xxx.xxx.UK host xxx.xxx.xxx.US eq isakmp
>>
>>isakmp nat-traversal 20
>>
>>sysopt connection permit-ipsec
>>
>>
>>_______________________________________________
>>cisco-nsp mailing list cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
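The checks the thread circles around (is UDP 4500 permitted, does NAT break AH, are there any hits on the AH entry) as an added Python triage script. This is not code from the thread, from Cisco or from Checkpoint; the `show access-list` output it parses is constructed for the example, with documentation-range addresses standing in for the masked UK and US hosts, and the `line N` / `(hitcnt=N)` layout is an assumption about the PIX output format that the parser treats as optional.

```python
"""Triage helper (added example, not from the list): parse PIX 'show access-list'
output, report which IPsec transports an inbound ACL permits and which of them
actually carry packets (hitcnt), then say what that implies for an IPsec peer
sitting behind a static NAT."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# PIX prints a few well-known ports by name; only the IKE one matters here.
PORT_NAMES = {"isakmp": 500}

# One ACE per line. 'line N' and '(hitcnt=N)' are optional so that both the
# running-config form and the 'show access-list' form parse (format assumed).
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?\s*$"
)


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]  # None when the ACE has no 'eq' clause
    hits: int            # 0 when the line carries no hitcnt


def parse_show_access_list(text: str) -> List[Ace]:
    """Return the ACEs found in text; summary lines ('...; 3 elements') are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        port = m.group("port")
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES.get(port)
        aces.append(Ace(m.group("acl"), m.group("action"), m.group("proto"),
                        m.group("src"), m.group("dst"), port,
                        int(m.group("hits") or 0)))
    return aces


# The four flows an IPsec tunnel can use on the wire.
IPSEC_FLOWS = {
    "esp": lambda a: a.proto == "esp",
    "ah": lambda a: a.proto == "ah",
    "udp/500": lambda a: a.proto == "udp" and a.port == 500,    # IKE
    "udp/4500": lambda a: a.proto == "udp" and a.port == 4500,  # NAT-T (RFC 3947)
}


def ipsec_summary(aces: List[Ace]) -> Dict[str, Dict[str, int]]:
    """Per flow: number of permit ACEs and the total hits they have seen."""
    out = {}
    for flow, matches in IPSEC_FLOWS.items():
        hit = [a for a in aces if a.action == "permit" and matches(a)]
        out[flow] = {"aces": len(hit), "hits": sum(a.hits for a in hit)}
    return out


def diagnose(aces: List[Ace], peer_behind_nat: bool = True) -> List[str]:
    """Findings a firewall admin would check before chasing the VPN vendor."""
    s = ipsec_summary(aces)
    findings = []
    if s["udp/500"]["aces"] == 0:
        findings.append("udp/500 not permitted: IKE cannot even start (NAT-T also begins on 500)")
    if s["udp/4500"]["aces"] == 0:
        findings.append("udp/4500 not permitted: a peer that negotiates NAT-T floats IKE and "
                        "ESP to udp/4500, so the tunnel data will be dropped")
    if peer_behind_nat and s["ah"]["aces"] > 0:
        findings.append("AH permitted but peer is behind NAT: AH authenticates the outer IP "
                        "header and NAT rewrites it, so the far end rejects AH packets")
    if peer_behind_nat and s["ah"]["hits"] > 0:
        findings.append("ah has hits: the peer really is sending AH through the NAT")
    if s["udp/4500"]["hits"] > 0:
        findings.append("udp/4500 has hits: peer is using NAT-T; the esp/ah entries are idle")
    elif s["esp"]["hits"] > 0:
        findings.append("esp has hits and udp/4500 none: NAT-T is not in use; check "
                        "xlates/conns for the raw ESP flow")
    elif s["udp/500"]["hits"] > 0:
        findings.append("only udp/500 has hits: IKE completes but no data-plane packets match "
                        "any ACE, consistent with NAT-T traffic on udp/4500 being dropped")
    return findings


# Constructed 'show access-list' output modelled on the config posted in the
# thread (documentation-range addresses stand in for the masked UK/US hosts).
SAMPLE = """\
access-list outside_coming_in; 3 elements
access-list outside_coming_in line 1 permit esp host 192.0.2.10 host 198.51.100.5 (hitcnt=0)
access-list outside_coming_in line 2 permit ah host 192.0.2.10 host 198.51.100.5 (hitcnt=0)
access-list outside_coming_in line 3 permit udp host 192.0.2.10 host 198.51.100.5 eq isakmp (hitcnt=42)
"""

if __name__ == "__main__":
    for finding in diagnose(parse_show_access_list(SAMPLE)):
        print("-", finding)
```

On the sample, which mirrors the posted ACL (esp, ah and isakmp permitted, no 4500), the script reports the missing udp/4500 entry, flags AH as unusable through the static NAT, and notes that only the IKE entry has hits, which is the "connects but passes no traffic" symptom from the thread. Paste the real `show access-list` output in place of `SAMPLE`; running-config lines without hit counts parse as well, they just carry no usage information.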