
RE: [FW1] Re: Ace Server/FW1 Question





So what do protocol values 94, 50 and 51 actually mean?

Thanks, Ronnie.

From: [email protected]
To: [email protected], [email protected]
Subject: RE: [FW1] Re: Ace Server/FW1 Question
Date: Wed, 11 Oct 2000 21:27:23 -0500

Am having the same problem and got this back from Checkpoint support:



Here is the list of ports that need to be open...

The filtering device has the following ports blocked:
-TCP Port 256
-UDP Port 259
-UDP Port 500
-Protocol 94, 50 and 51.
Fix: 1. To download the topology, you need to open TCP port 256, whatever
encryption scheme is used.
* If using SecuRemote 4.1, then by default the topology will be downloaded
on TCP port 264.
* If using SecuRemote 4.1 with FireWall-1 3.0b or 4.0, SecuRemote will
first try to get the topology on port 264; if it is not successful
after 30 seconds, it will try on port 256.
See the Solution "Topology Download problems with SecuRemote 4.1/FireWall-1 4.1"
(primus://:36.847) to learn more about this issue.
* If using SecuRemote 3.0 or 4.0 with FireWall-1 4.1, add a rule in
FireWall-1, that accepts connections from SecuRemote users to the SecuRemote
server on port 256.
2. To establish a connection between SecuRemote Client and the server:
If using the FWZ encryption scheme, open UDP port 259 for the
Authentication.


NOTE: If not using encapsulation, create rules to allow the actual traffic.
If using encapsulation, just add one rule allowing traffic on protocol
94 (0x5e) which is the new IP protocol number.
For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and
allow traffic on protocols 50 (0x32) and 51 (0x33), which are the new
protocol numbers for ISAKMP.
NOTE: If the Firewall in the middle is FireWall-1 then you just need
to allow IPSEC.

Haven't had a chance to try this stuff yet.  If you do and get it working
let me know please.  I'm going to try again late this week or early next
week.

Kevin Martin
[email protected]
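Editor's note on the question that opened this thread, added to the archive and not part of any message above: the numbers in the Checkpoint reply are values of two different header fields. 256, 264, 259 and 500 are TCP/UDP destination ports, read from the transport header; 94, 50 and 51 are values of the 8-bit protocol field of the IPv4 header itself, so a filter must match them on that field, not as ports. By the IANA assignments, 50 is IPsec ESP and 51 is IPsec AH (the reply calls them "protocol numbers for ISAKMP"); 94 is the value the reply gives for FWZ encapsulation. The following Python is an added example, not code from Checkpoint or from anyone on the list. It parses those fields out of raw IPv4 packets and checks them against the rule set the reply describes, for either scheme. The sample packets, the addresses 10.0.0.1 and 192.0.2.1, and the rule descriptions are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# IP protocol numbers. TCP/UDP/ESP/AH are IANA assignments; 94 is the value
# the Checkpoint reply gives for FWZ encapsulation.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50   # 0x32, IPsec Encapsulating Security Payload
PROTO_AH = 51    # 0x33, IPsec Authentication Header
PROTO_FWZ = 94   # 0x5e, FireWall-1 FWZ encapsulation

# Services the reply says must be allowed, keyed by (IP protocol, dst port).
# A None port means the rule matches on the protocol field alone: ESP, AH and
# FWZ packets carry no TCP/UDP header for a port match to read.
RuleKey = Tuple[int, Optional[int]]
SECUREMOTE_RULES: Dict[RuleKey, str] = {
    (PROTO_TCP, 256): "topology download (SecuRemote 3.0/4.0; 4.1 fallback after 30 s)",
    (PROTO_TCP, 264): "topology download (SecuRemote 4.1)",
    (PROTO_UDP, 259): "FWZ authentication",
    (PROTO_UDP, 500): "ISAKMP",
    (PROTO_FWZ, None): "FWZ encapsulated traffic",
    (PROTO_ESP, None): "IPsec ESP (protocol 50)",
    (PROTO_AH, None): "IPsec AH (protocol 51)",
}


def rules_for(scheme: str, encapsulation: bool = True) -> Dict[RuleKey, str]:
    """Subset of SECUREMOTE_RULES a filter in front of the SecuRemote server
    needs for one encryption scheme, following the reply's two numbered steps."""
    keys = [(PROTO_TCP, 256), (PROTO_TCP, 264)]          # step 1: topology
    if scheme == "FWZ":                                   # step 2, FWZ
        keys.append((PROTO_UDP, 259))
        if encapsulation:
            keys.append((PROTO_FWZ, None))
    elif scheme == "ISAKMP":                              # step 2, ISAKMP
        keys += [(PROTO_UDP, 500), (PROTO_ESP, None), (PROTO_AH, None)]
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {k: SECUREMOTE_RULES[k] for k in keys}


@dataclass(frozen=True)
class Flow:
    proto: int
    dst_port: Optional[int]


def parse_ipv4(pkt: bytes) -> Flow:
    """Pull the protocol field (byte 9) out of an IPv4 header and, only for
    TCP and UDP, the destination port from the transport header after it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    dst_port = None
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(pkt) < ihl + 4:
            raise ValueError("truncated transport header")
        # Source and destination port are the first two 16-bit fields of
        # both the TCP and the UDP header.
        _src, dst_port = struct.unpack_from("!HH", pkt, ihl)
    return Flow(proto, dst_port)


def match_rule(pkt: bytes, rules: Dict[RuleKey, str] = SECUREMOTE_RULES) -> Optional[str]:
    """Description of the rule that accepts this packet, or None if nothing in
    the set matches (the filter in the middle would drop it)."""
    flow = parse_ipv4(pkt)
    hit = rules.get((flow.proto, flow.dst_port))
    if hit is None:
        hit = rules.get((flow.proto, None))
    return hit


# --- constructed sample packets (not captured traffic) ----------------------

def build_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (IHL 5, checksum left zero) in front of payload.
    Hypothetical addresses: client 10.0.0.1 -> SecuRemote server 192.0.2.1."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return header + payload


def udp(dst_port: int, src_port: int = 40000) -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8, 0)   # length 8, checksum 0


def tcp(dst_port: int, src_port: int = 40000) -> bytes:
    # ports, seq, ack, data offset 5, SYN flag, window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 0x50, 0x02, 8192, 0, 0)


if __name__ == "__main__":
    samples = {
        "topology TCP/264": build_ipv4(PROTO_TCP, tcp(264)),
        "FWZ auth UDP/259": build_ipv4(PROTO_UDP, udp(259)),
        "ISAKMP UDP/500": build_ipv4(PROTO_UDP, udp(500)),
        "FWZ proto 94": build_ipv4(PROTO_FWZ, b"\x00" * 40),
        "ESP proto 50": build_ipv4(PROTO_ESP, b"\x00" * 40),
        "AH proto 51": build_ipv4(PROTO_AH, b"\x00" * 40),
        "TCP/259 (same port, other protocol)": build_ipv4(PROTO_TCP, tcp(259)),
    }
    for name, pkt in samples.items():
        print(f"{name:36s} -> {match_rule(pkt) or 'no SecuRemote rule; dropped'}")
```

The last sample is the practical point: a rule for "port 259" is really a rule for (UDP, 259), so TCP traffic to 259 is a different service and is not opened by it, and a rule for protocol 94, 50 or 51 has no port to match at all. The rules_for() helper also makes the reply's split visible: an ISAKMP-only rule set accepts UDP/500, ESP and AH but still drops the FWZ authentication packet.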




-----Original Message-----
From: Victor Barrientos [mailto:[email protected]]
Sent: Wednesday, October 04, 2000 7:18 PM
To: [email protected]
Subject: [FW1] Re: Ace Server/FW1 Question



Hi steve,

Check the following:


Check the encryption/authentication methods on firewall and server.


Define the FW boxes as 'Communication Server' on the ACE Server machine. Be
sure that the Sent Node Secret check box is blank.

When defining the FW as clients on the server, make sure that the primary
node address is the IP address that the hostname of the FW resolves to. You
can do this by typing in 'hostname' on the firewall console and then pinging
the answer you get back.


Define the secondary nodes of the firewall.

Check that the user is defined properly in the security policy.

Check NAT rules. If any NAT is being done, make sure there is a rule at the
top of the policy that allows the FW's and SecurID server to talk
untranslated.

After copying the 'sdconf.rec' file into the /var/ace directory, delete
/var/ace/securid and bounce FireWall-1 (fwstop; fwstart).

After the first successful communication between Firewall and ACE server, a
file called 'securid' will get created under '/var/ace' directory.


Hope this helps you.


Victor Barrientos
Tivoli certified Consultant
RSA Security Certified RSA ACE/Server Engineer
* Office: +54 11 4819 3903
* Fax: +54 11 4811 7103
* Office eMail: [email protected]
* Alternative eMail: [email protected]
* Unifon Web Site: http://www.unifon.com.ar


----- Original Message -----
From: Steve Peters <[email protected]>
To: 'Victor Barrientos' <[email protected]>
Sent: Tuesday, October 03, 2000 5:22 PM
Subject: Ace Server/FW1 Question


> Hi I've read the posts on the newsgroup about ACE Server and FW1 and was
> hoping you could help. I have a question. I have created a user and allowed
> SecurID as the auth method, I also have put the sdconf.rec file in the
> /var/ace directory. But when I telnet to 259 and enter the username it
> prompts me with the PASSCODE: prompt but when I enter the information I get
> the following message "Unable to activate SecurID authentication" and in the
> fw log I see a reject with the following in the Info section "reason SecurID
> communication problem".
> Any ideas? Anything would help,
>
> Thanks
> Steve Peters
> marchFIRST






================================================================================
    To unsubscribe from this mailing list, please see the instructions at
              http://www.checkpoint.com/services/mailing.html
================================================================================


