Re: [FW1] Re: Ace Server/FW1 Question

See http://www.wittys.com/files/all-ip-numners.txt . At the bottom of that
document, I list all of the IP protocol numbers. For example, TCP is IP
protocol number 6, etc., etc.

IP Protocol 94 is IP in IP encapsulation (used by FWZ, I believe)
IP Protocol 50 is SIPP-ESP SIPP Encap Security Payload (IPSec)
IP Protocol 51 is SIPP-AH SIPP Authentication Header (IPsec)

Hope this helps!

Jason

Ronnie Rosenthal wrote:
>
> So what do protocol values 94, 50 and 51 actually mean?
>
> Thanks,
> Ronnie.
>
> >From: [email protected]
> >To: [email protected], [email protected]
> >Subject: RE: [FW1] Re: Ace Server/FW1 Question
> >Date: Wed, 11 Oct 2000 21:27:23 -0500
> >
> >Am having the same problem and got this back from Checkpoint support:
> >
> >Here is the list of ports that need to be open...
> >
> >The filtering device has the following ports blocked:
> >- TCP Port 256
> >- UDP Port 259
> >- UDP Port 500
> >- Protocol 94, 50 and 51.
> >
> >Fix:
> >1. To download the topology, you need to open TCP port 256, whatever
> >encryption scheme is used.
> >* If using SecuRemote 4.1, then by default the topology will be downloaded
> >on TCP port 264.
> >* If using SecuRemote 4.1 with FireWall-1 3.0b or 4.0, SecuRemote will
> >first try to get the topology on port 264; if it is not successful
> >after 30 seconds, it will try on port 256.
> >See the Solution "Topology Download problems with SecuRemote 4.1/FireWall-1 4.1"
> >(primus://:36.847) to learn more about this issue.
> >* If using SecuRemote 3.0 or 4.0 with FireWall-1 4.1, add a rule in
> >FireWall-1 that accepts connections from SecuRemote users to the
> >SecuRemote server on port 256.
> >2. To establish a connection between SecuRemote Client and the server:
> >If using the FWZ encryption scheme, open UDP port 259 for the
> >Authentication.
> >
> >NOTE: If not using encapsulation, create rules to allow the actual traffic.
> >If using encapsulation, just add one rule allowing traffic on protocol
> >94 (0x5e) which is the new IP protocol number.
> >For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and
> >allow traffic on protocol 50 (0x32) and 51 (0x33) which are the new
> >protocol numbers for ISAKMP.
> >NOTE: If the Firewall in the middle is FireWall-1 then you just need
> >to allow IPSEC.
> >
> >Haven't had a chance to try this stuff yet. If you do and get it working
> >let me know please. I'm going to try again late this week or early next
> >week.
> >
> >Kevin Martin
> >[email protected]
> >
> >-----Original Message-----
> >From: Victor Barrientos [mailto:[email protected]]
> >Sent: Wednesday, October 04, 2000 7:18 PM
> >To: [email protected]
> >Subject: [FW1] Re: Ace Server/FW1 Question
> >
> >Hi Steve,
> >
> >Check the following:
> >
> >Check the encryption/authentication methods on firewall and server.
> >
> >Define the FW boxes as 'Communication Server' on the ACE Server machine. Be
> >sure that the Sent Node Secret check box is blank.
> >
> >When defining the FW as clients on the server, make sure that the primary
> >node address is the IP address that the hostname of the FW resolves to. You
> >can do this by typing 'hostname' on the firewall console and then
> >pinging the answer you get back.
> >
> >Define the secondary nodes of the firewall.
> >
> >Check that the user is defined properly in the security policy.
> >
> >Check NAT rules. If any NAT is being done, make sure there is a rule at the
> >top of the policy that allows the FWs and SecurID server to talk
> >untranslated.
> >
> >After copying the 'sdconf.rec' file into the /var/ace directory, delete
> >/var/ace/securid and bounce FireWall-1 (fwstop; fwstart).
> >
> >After the first successful communication between Firewall and ACE server, a
> >file called 'securid' will get created under the '/var/ace' directory.
> >
> >Hope this helps you.
> >
> >Victor Barrientos
> >Tivoli Certified Consultant
> >RSA Security Certified RSA ACE/Server Engineer
> >* Office: +54 11 4819 3903
> >* Fax: +54 11 4811 7103
> >* Office eMail: [email protected]
> >* Alternative eMail: [email protected]
> >* Unifon Web Site: http://www.unifon.com.ar
> >
> >----- Original Message -----
> >From: Steve Peters <[email protected]>
> >To: 'Victor Barrientos' <[email protected]>
> >Sent: Tuesday, October 03, 2000 5:22 PM
> >Subject: Ace Server/FW1 Question
> >
> > > Hi, I've read the posts on the newsgroup about ACE Server and FW1 and was
> > > hoping you could help. I have a question. I have created a user and
> > > allowed SecurID as the auth method; I also have put the sdconf.rec file in
> > > the /var/ace directory. But when I telnet to 259 and enter the username it
> > > prompts me with the PASSCODE: prompt, but when I enter the information I
> > > get the following message "Unable to activate SecurID authentication" and
> > > in the fw log I see a reject with the following in the Info section
> > > "reason SecurID communication problem".
> > > Any ideas? Anything would help,
> > >
> > > Thanks
> > > Steve Peters
> > > marchFIRST
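An added example, not code from any post in this thread: the SecuRemote allow-list from the Checkpoint support answer above, encoded as data and checked against a few constructed flow records, so a firewall admin can verify that the policy covers the topology download, the FWZ or ISAKMP authentication port, and the encapsulation protocols before a client is blamed. The function names, the version check and the sample flows are assumptions made for illustration; the protocol-number names follow Jason's list.

```python
# Added example (not from the thread): encodes the FireWall-1 / SecuRemote
# allow-list from the Checkpoint support answer as data and evaluates
# constructed flow records against it.  Protocol names follow the numbers
# quoted in the thread (6 = TCP, 17 = UDP, 50 = ESP, 51 = AH, 94 = IP-in-IP).

PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH", 94: "IPIP"}


def required_rules(scheme, securemote_version):
    """Return the set of (ip_proto, dst_port) tuples that must be accepted
    between SecuRemote clients and the FireWall-1 server, per the thread.
    dst_port is None for rules that match a whole IP protocol."""
    rules = {(6, 256)}                      # topology download, every scheme
    if securemote_version.startswith("4.1"):
        rules.add((6, 264))                 # SR 4.1 tries 264 first, then 256
    if scheme == "FWZ":
        rules.add((17, 259))                # FWZ authentication
        rules.add((94, None))               # IP-in-IP encapsulation
    elif scheme == "ISAKMP":
        rules.add((17, 500))                # ISAKMP / IKE
        rules.add((50, None))               # ESP
        rules.add((51, None))               # AH
    else:
        raise ValueError(f"unknown encryption scheme: {scheme}")
    return rules


def flow_allowed(rules, ip_proto, dst_port=None):
    """True if a flow (protocol number, destination port) is covered by rules."""
    return (ip_proto, None) in rules or (ip_proto, dst_port) in rules


def audit_flows(rules, flows):
    """Classify flow records; returns a list of (description, allowed)."""
    out = []
    for ip_proto, dst_port in flows:
        name = PROTO_NAMES.get(ip_proto, str(ip_proto))
        desc = f"{name}/{dst_port}" if dst_port is not None else name
        out.append((desc, flow_allowed(rules, ip_proto, dst_port)))
    return out


# Constructed sample flows as a filtering device in front of the server
# might see them; the last one (telnet) is deliberately outside the list.
SAMPLE_FLOWS = [(6, 256), (6, 264), (17, 259), (17, 500),
                (50, None), (94, None), (6, 23)]

if __name__ == "__main__":
    for scheme in ("FWZ", "ISAKMP"):
        print(scheme, audit_flows(required_rules(scheme, "4.1"), SAMPLE_FLOWS))
```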
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================