RE: [FW1] Re: Ace Server/FW1 Question
http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

Regards,
Stephen

-----Original Message-----
From: Ronnie Rosenthal [mailto:[email protected]]
Sent: Thursday, October 12, 2000 10:41 AM
To: [email protected]; [email protected]; [email protected]
Subject: RE: [FW1] Re: Ace Server/FW1 Question

So what do protocol values 94, 50 and 51 actually mean?

Thanks,
Ronnie.

>From: [email protected]
>To: [email protected], [email protected]
>Subject: RE: [FW1] Re: Ace Server/FW1 Question
>Date: Wed, 11 Oct 2000 21:27:23 -0500
>
>Am having the same problem and got this back from Checkpoint support:
>
>Here is the list of ports that need to be open...
>
>The filtering device has the following ports blocked:
>-TCP Port 256
>-UDP Port 259
>-UDP Port 500
>-Protocol 94, 50 and 51.
>
>Fix:
>1. To download the topology, you need to open TCP port 256, whatever encryption scheme is used.
>* If using SecuRemote 4.1, then by default the topology will be downloaded on TCP port 264.
>* If using SecuRemote 4.1 with FireWall-1 3.0b or 4.0, SecuRemote will first try to get the topology on port 264; if it is not successful after 30 seconds, it will try on port 256.
>See the Solution "Topology Download problems with SecuRemote 4.1/FireWall-1 4.1" (primus://:36.847) to learn more about this issue.
>* If using SecuRemote 3.0 or 4.0 with FireWall-1 4.1, add a rule in FireWall-1 that accepts connections from SecuRemote users to the SecuRemote server on port 256.
>2. To establish a connection between SecuRemote Client and the server:
>If using the FWZ encryption scheme, open UDP port 259 for the Authentication.
>
>NOTE: If not using encapsulation, create rules to allow the actual traffic. If using encapsulation, just add one rule allowing traffic on protocol 94 (0x5e), which is the new IP protocol number.
>For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and allow traffic on protocol 50 (0x32) and 51 (0x33), which are the new protocol numbers for ISAKMP.
>NOTE: If the Firewall in the middle is FireWall-1 then you just need to allow IPSEC.
>
>Haven't had a chance to try this stuff yet. If you do and get it working let me know please. I'm going to try again late this week or early next week.
>
>Kevin Martin
>[email protected] <mailto:[email protected]>
>
>-----Original Message-----
>From: Victor Barrientos [mailto:[email protected]]
>Sent: Wednesday, October 04, 2000 7:18 PM
>To: [email protected]
>Subject: [FW1] Re: Ace Server/FW1 Question
>
>Hi steve,
>
>Check the following:
>
>Check the encryption/authentication methods on firewall and server.
>
>Define the FW boxes as 'Communication Server' on the ACE Server machine. Be sure that the Sent Node Secret check box is blank.
>
>When defining the FW as clients on the server, make sure that the primary node address is the IP address that the hostname of the FW resolves to. You can do this by typing in 'hostname' on the firewall console and then pinging the answer you get back.
>
>Define the secondary nodes of the firewall.
>
>Check that the user is defined properly in the security policy.
>
>Check NAT rules. If any NAT is being done, make sure there is a rule at the top of the policy that allows the FW's and SecurID server to talk untranslated.
>
>After copying the 'sdconf.rec' file into the /var/ace directory, delete /var/ace/securid and bounce FireWall-1 (fwstop; fwstart).
>
>After the first successful communication between Firewall and ACE server, a file called 'securid' will get created under the '/var/ace' directory.
>
>Hope this helps you.
>
>Victor Barrientos
>Tivoli certified Consultant
>RSA Security Certified RSA ACE/Server Engineer
>* Office: +54 11 4819 3903
>* Fax: +54 11 4811 7103
>* Office eMail: [email protected] <mailto:[email protected]>
>* Alternative eMail: [email protected] <mailto:[email protected]>
>* Unifon Web Site: http://www.unifon.com.ar <http://www.unifon.com.ar>
>
>----- Original Message -----
>From: Steve Peters <[email protected]> <mailto:[email protected]>
>To: 'Victor Barrientos' <[email protected]> <mailto:[email protected]>
>Sent: Tuesday, October 03, 2000 5:22 PM
>Subject: Ace Server/FW1 Question
>
> > Hi, I've read the posts on the newsgroup about ACE Server and FW1 and was hoping you could help. I have a question. I have created a user and allowed SecurID as the auth method, I also have put the sdconf.rec file in the /var/ace directory. But when I telnet to 259 and enter the username it prompts me with the PASSCODE: prompt, but when I enter the information I get the following message "Unable to activate SecurID authentication" and in the fw log I see a reject with the following in the Info section: "reason SecurID communication problem".
> > Any ideas? Anything would help,
> >
> > Thanks
> > Steve Peters
> > marchFIRST
>
><< KevinMartin(E-mail).vcf >>
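The port list in the quoted support note, turned into a check. This is an added example and not code from the thread or from Check Point: it models a packet filter sitting between the SecuRemote client and the gateway using a constructed rule syntax (permit/deny, first match wins, unmatched traffic dropped) and reports which of the flows the note lists are blocked for each encryption scheme. The bare protocol numbers in the note resolve, via the IANA registry Stephen links, to 50 = ESP and 51 = AH (the IPsec protocols whose keys IKE/ISAKMP on UDP 500 negotiates) and 94 = IPIP, the protocol FWZ encapsulation rides on. BROKEN_FILTER and FIXED_FILTER are constructed sample rule sets, and the flow-name strings are this example's own.

```python
"""Audit a packet filter between SecuRemote clients and a FireWall-1 gateway.

Added example; not code from the thread or from Check Point. The rule syntax
is a constructed one for illustration:

    permit|deny  tcp|udp|<ip-protocol-number>  <dst-port>|any

First matching rule wins; anything unmatched is dropped (default deny).
The required flows are the ones the support note in the thread lists.
"""

# From the IANA protocol-numbers registry: 50 = ESP, 51 = AH, 94 = IPIP.
PROTOCOL_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH", 94: "IPIP"}

# Flows the client must be able to send towards the gateway, as
# (ip_protocol_number, destination_port); port None means the raw protocol.
TOPOLOGY_PORTS = [(6, 264), (6, 256)]      # 4.1 tries 264 first, then 256
REQUIRED_FLOWS = {
    "fwz-encapsulated": [(17, 259), (94, None)],
    "fwz-plain": [(17, 259)],              # plus rules for the actual traffic
    "ike": [(17, 500), (50, None), (51, None)],
}


def parse_rules(text):
    """Parse the constructed rule syntax into (permit, proto, port) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        action, proto, port = parts
        proto_num = {"tcp": 6, "udp": 17}.get(proto.lower())
        if proto_num is None:
            proto_num = int(proto)                 # raw IP protocol number
        port_val = None if port == "any" else int(port)
        rules.append((action == "permit", proto_num, port_val))
    return rules


def permitted(rules, proto, port):
    """First-match evaluation with an implicit deny at the end."""
    for allow, r_proto, r_port in rules:
        if r_proto == proto and (r_port is None or r_port == port):
            return allow
    return False


def describe(proto, port):
    name = PROTOCOL_NAMES.get(proto, str(proto))
    if port is None:
        return f"IP protocol {proto} ({name})"
    return f"{name}/{port}"


def audit(rule_text, scheme):
    """Return the required flows the filter blocks for the given scheme."""
    rules = parse_rules(rule_text)
    blocked = []
    # Topology download works if either port gets through.
    if not any(permitted(rules, p, port) for p, port in TOPOLOGY_PORTS):
        blocked.append("topology download (TCP/264 or TCP/256)")
    for proto, port in REQUIRED_FLOWS[scheme]:
        if not permitted(rules, proto, port):
            blocked.append(describe(proto, port))
    return blocked


# Constructed filter resembling the thread's situation: the device passes the
# well-known FW-1 ports but knows nothing about the tunnel protocols.
BROKEN_FILTER = """
permit tcp 256
permit udp 259
deny tcp any
deny udp any
"""

# Constructed filter with every flow from the support note opened.
FIXED_FILTER = """
permit tcp 264
permit tcp 256
permit udp 259
permit udp 500
permit 94 any
permit 50 any
permit 51 any
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        for scheme in REQUIRED_FLOWS:
            print(f"{name:6} {scheme:17} {audit(text, scheme) or 'ok'}")
```

Run against BROKEN_FILTER the audit reports IP protocol 94 blocked for encapsulated FWZ and UDP/500, ESP and AH blocked for IKE, which matches the symptom list in the note; FIXED_FILTER passes every scheme. The raw-protocol rules are the ones people forget: a filter that only thinks in TCP/UDP ports silently drops ESP, AH and IPIP, and nothing in the port-level view shows why the tunnel never comes up.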
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================