
RE: [FW1] Re: Ace Server/FW1 Question



http://www.isi.edu/in-notes/iana/assignments/protocol-numbers 

Regards,
Stephen


-----Original Message-----
From: Ronnie Rosenthal [mailto:[email protected]]
Sent: Thursday, October 12, 2000 10:41 AM
To: [email protected]; [email protected];
[email protected]
Subject: RE: [FW1] Re: Ace Server/FW1 Question




So what do protocol values 94, 50 and 51 actually mean?

Thanks, Ronnie.

>From: [email protected]
>To: [email protected], [email protected]
>Subject: RE: [FW1] Re: Ace Server/FW1 Question
>Date: Wed, 11 Oct 2000 21:27:23 -0500
>
>Am having the same problem and got this back from Checkpoint support:
>
>
>
>Here is the list of ports that need to be open...
>
>The filtering device has the following ports blocked:
>-TCP Port 256
>-UDP Port 259
>-UDP Port 500
>-Protocol 94, 50 and 51.
>Fix: 1. To download the topology, you need to open TCP port 256, whatever
>encryption scheme is used.
>* If using SecuRemote 4.1, then by default the topology will be downloaded
>on TCP port 264.
>* If using SecuRemote 4.1 with FireWall-1 3.0b or 4.0, SecuRemote will
>first try to get the topology on port 264; if it is not successful
>after 30 seconds, it will try on port 256.
>See the Solution "Topology Download problems with SecuRemote 4.1/FireWall-1
>4.1" (primus://:36.847) to learn more about this issue.
>* If using SecuRemote 3.0 or 4.0 with FireWall-1 4.1, add a rule in
>FireWall-1 that accepts connections from SecuRemote users to the
>SecuRemote server on port 256.
>2. To establish a connection between SecuRemote Client and the server:
>If using the FWZ encryption scheme, open UDP port 259 for the
>Authentication.
>
>NOTE: If not using encapsulation, create rules to allow the actual traffic.
>If using encapsulation, just add one rule allowing traffic on protocol
>94 (0x5e) which is the new IP protocol number.
>For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and
>allow traffic on protocol 50 (0x32) and 51 (0x33) which are the new
>protocol numbers for ISAKMP.
>NOTE: If the Firewall in the middle is FireWall-1 then you just need
>to allow IPSEC.
>
>Haven't had a chance to try this stuff yet.  If you do and get it working
>let me know please.  I'm going to try again late this week or early next
>week.
>
>Kevin Martin
>[email protected] <mailto:[email protected]>
>
>
>
>
>-----Original Message-----
>From: Victor Barrientos [mailto:[email protected]]
>Sent: Wednesday, October 04, 2000 7:18 PM
>To: [email protected]
>Subject: [FW1] Re: Ace Server/FW1 Question
>
>
>
>Hi steve,
>
>Check the following:
>
>
>Check the encryption/authentication methods on firewall and server.
>
>Define the FW boxes as 'Communication Server' on the ACE Server machine. Be
>sure that the Sent Node Secret check box is blank.
>
>When defining the FW as clients on the server, make sure that the primary
>node address is the IP address that the hostname of the FW resolves to. You
>can do this by typing in 'hostname' on the firewall console and then
>pinging the answer you get back.
>
>Define the secondary nodes of the firewall.
>
>Check that the user is defined properly in the security policy.
>
>Check NAT rules. If any NAT is being done, make sure there is a rule at the
>top of the policy that allows the FW's and SecurID server to talk
>untranslated.
>
>After copying the 'sdconf.rec' file into the /var/ace directory, delete
>/var/ace/securid and bounce FireWall-1 (fwstop; fwstart).
>
>After the first successful communication between Firewall and ACE server, a
>file called 'securid' will get created under '/var/ace' directory.
>
>
>Hope this helps you.
>
>Victor Barrientos
>Tivoli certified Consultant
>RSA Security Certified RSA ACE/Server Engineer
>* Office: +54 11 4819 3903
>* Fax:    +54 11 4811 7103
>* Office eMail:   [email protected] 
><mailto:[email protected]>
>
>* Alternative eMail:  [email protected] <mailto:[email protected]>
>* Unifon Web Site:   http://www.unifon.com.ar <http://www.unifon.com.ar>
>
>
>----- Original Message -----
>From: Steve Peters <[email protected]>
>To: 'Victor Barrientos' <[email protected]>
>Sent: Tuesday, October 03, 2000 5:22 PM
>Subject: Ace Server/FW1 Question
>
> > Hi I've read the posts on the newsgroup about ACE Server and FW1 and was
> > hoping you could help. I have a question. I have created a user and
> > allowed secureID as the auth method, I also have put the sdconf.rec file
> > in /var/ace directory. But when I telnet to 259 and enter the username it
> > prompts me with the PASSCODE: prompt but when I enter the information I
> > get the following message "Unable to activate SecurID authentication" and
> > in the fw log I see a reject with the following in the Info section
> > "reason SecurID communication problem".
> > Any ideas?  Anything would help,
> >
> > Thanks
> > Steve Peters
> > marchFIRST
>
><< KevinMartin(E-mail).vcf >>

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at 
http://profiles.msn.com.
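Ronnie's question (what protocol values 94, 50 and 51 mean) and the Check Point allow list Kevin quoted turn on the same point: those numbers are values of the IPv4 protocol field, not TCP/UDP ports, which is why a port-based rule never matches them. The following Python is an added example, not code from this thread, from Check Point or from RSA. It reads the protocol byte of an IPv4 header, reads the destination port only when the protocol is TCP or UDP, and checks the pair against the allow list quoted above. The IANA names (50 = ESP, 51 = AH, 94 = IPIP) come from the protocol-numbers list Stephen's link points to; the packets, addresses and the `build_packet` helper are constructed for the example and are not real FireWall-1 traffic.

```python
"""Classify IPv4 packets against the SecuRemote/FireWall-1 allow list quoted in
the thread.  Added example; the packets built below are constructed by hand."""
import struct
from typing import Optional, Tuple

# IANA-assigned IP protocol numbers (the list behind Stephen's URL).
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50    # 0x32, IPsec Encapsulating Security Payload
PROTO_AH = 51     # 0x33, IPsec Authentication Header
PROTO_IPIP = 94   # 0x5e, IP-within-IP encapsulation (FWZ encapsulated traffic)

IANA_NAMES = {PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_ESP: "ESP",
              PROTO_AH: "AH", PROTO_IPIP: "IPIP"}

# Allow list from the Check Point support answer quoted above.  Entries are
# (protocol, destination port); a port of None means "the whole IP protocol",
# because ESP, AH and IPIP carry no port numbers at all.
SECUREMOTE_ALLOW = {
    (PROTO_TCP, 256),    # topology download (SecuRemote 3.0/4.0, 4.1 fallback)
    (PROTO_TCP, 264),    # topology download, SecuRemote 4.1 default
    (PROTO_UDP, 259),    # FWZ authentication
    (PROTO_UDP, 500),    # ISAKMP / IKE
    (PROTO_IPIP, None),  # FWZ encapsulated traffic, protocol 94
    (PROTO_ESP, None),   # IPsec ESP, protocol 50
    (PROTO_AH, None),    # IPsec AH, protocol 51
}


def parse_ipv4(packet: bytes) -> Tuple[int, Optional[int]]:
    """Return (IP protocol number, destination port or None).

    Only TCP and UDP have a destination port; for any other protocol the
    transport header is not looked at.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4      # header length in bytes (options included)
    proto = packet[9]                    # the protocol field, byte 9 of the header
    dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        # Both TCP and UDP keep the destination port in bytes 2..3 of their header.
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dport


def securemote_verdict(packet: bytes) -> str:
    """Return 'allow <what>' or 'drop <what>' for one packet under the quoted list."""
    proto, dport = parse_ipv4(packet)
    name = IANA_NAMES.get(proto, f"proto {proto}")
    key = (proto, dport) if proto in (PROTO_TCP, PROTO_UDP) else (proto, None)
    what = f"{name}/{dport}" if dport is not None else name
    return f"allow {what}" if key in SECUREMOTE_ALLOW else f"drop {what}"


def build_packet(proto: int, dport: Optional[int] = None) -> bytes:
    """Construct a minimal IPv4 packet for testing (hypothetical helper).

    No options, zero checksum, documentation addresses (RFC 5737).  For TCP/UDP
    only the first four bytes of the transport header (ports) are emitted,
    which is all the classifier reads.
    """
    transport = b""
    if dport is not None:
        transport = struct.pack("!HH", 1024, dport)   # source port 1024, dest port
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return header + transport


if __name__ == "__main__":
    samples = [build_packet(PROTO_TCP, 256), build_packet(PROTO_UDP, 259),
               build_packet(PROTO_UDP, 500), build_packet(PROTO_ESP),
               build_packet(PROTO_AH), build_packet(PROTO_IPIP),
               build_packet(PROTO_TCP, 23), build_packet(47)]
    for pkt in samples:
        print(securemote_verdict(pkt))
```

The practical consequence for a filtering device in the path: a rule that opens "port 50" or "port 94" on TCP or UDP does nothing for ESP, AH or FWZ encapsulation, because those packets never reach the port match; the rule has to key on the IP protocol number itself, which is what the quoted note means by "allow traffic on protocol 94" or "just allow IPSEC" on FireWall-1.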



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


   All contents © 2004 Network Presence, LLC. All rights reserved.