
Re: [FW1] Re: Ace Server/FW1 Question



See http://www.wittys.com/files/all-ip-numners.txt .  At the bottom of
that document, I list all of the IP protocol numbers.  For example, TCP
is IP protocol number 6, etc., etc.

IP Protocol 94 is IP in IP encapsulation (used by FWZ, I believe)
IP Protocol 50 is SIPP-ESP    SIPP Encap Security Payload (IPSec)
IP Protocol 51 is SIPP-AH     SIPP Authentication Header (IPsec)

Hope this helps!

Jason
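Pulling together the protocol numbers in this message and the port list from Check Point support quoted below, the following is an added example, not code from the thread or from Check Point: it encodes the SecuRemote/FireWall-1 requirements as a rule set and checks constructed firewall log lines against it. The `key=value` log format, the function names (`ruleset`, `parse_log`, `blocked_securemote_traffic`) and the sample addresses are assumptions made for this example.

```python
"""Added example (not from the thread or from Check Point): turn the
SecuRemote/FireWall-1 port and protocol requirements into a checkable
rule set and run constructed firewall log lines against it."""

# IP protocol numbers quoted in the thread (IANA assignments).
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50    # IPsec Encapsulating Security Payload (0x32)
PROTO_AH = 51     # IPsec Authentication Header (0x33)
PROTO_IPIP = 94   # IP-in-IP encapsulation, used by FWZ encapsulation (0x5e)

PROTO_NAMES = {PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_ESP: "ESP",
               PROTO_AH: "AH", PROTO_IPIP: "IPIP"}


def ruleset(scheme, encapsulation=True, client="4.1"):
    """Set of (ip_protocol, dest_port) a filtering device between a
    SecuRemote client and the FireWall-1 gateway must allow.
    dest_port is None for protocols that carry no port (ESP, AH, IP-in-IP).
    """
    # Topology download: TCP 256 whatever the scheme; SecuRemote 4.1
    # tries TCP 264 first and falls back to 256 after 30 seconds.
    rules = {(PROTO_TCP, 256)}
    if client == "4.1":
        rules.add((PROTO_TCP, 264))
    if scheme == "fwz":
        rules.add((PROTO_UDP, 259))            # FWZ authentication
        if encapsulation:
            rules.add((PROTO_IPIP, None))      # encapsulated user traffic
        # Without encapsulation the actual user traffic needs its own rules.
    elif scheme == "isakmp":
        rules.add((PROTO_UDP, 500))            # ISAKMP authentication
        rules.add((PROTO_ESP, None))
        rules.add((PROTO_AH, None))
    else:
        raise ValueError(f"unknown encryption scheme: {scheme!r}")
    return rules


def parse_log(line):
    """Parse a 'key=value' log line into (ip_protocol, dest_port, action).
    The format is constructed for this example, not FireWall-1's own."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    proto = int(fields["proto"])
    # Only TCP/UDP carry a destination port; ignore dport on other protocols.
    has_port = proto in (PROTO_TCP, PROTO_UDP) and "dport" in fields
    dport = int(fields["dport"]) if has_port else None
    return proto, dport, fields.get("action")


def blocked_securemote_traffic(lines, scheme, **ruleset_kwargs):
    """Return the dropped entries that the rule set for `scheme` says should
    have been accepted, as (proto_name, ip_protocol, dest_port) tuples."""
    needed = ruleset(scheme, **ruleset_kwargs)
    hits = []
    for line in lines:
        proto, dport, action = parse_log(line)
        if action == "drop" and (proto, dport) in needed:
            hits.append((PROTO_NAMES.get(proto, str(proto)), proto, dport))
    return hits


# Constructed log lines standing in for the rejects described in the thread.
SAMPLE_LOG = [
    "action=drop   proto=6  src=10.1.1.5 dst=192.0.2.1 dport=256",
    "action=accept proto=6  src=10.1.1.5 dst=192.0.2.1 dport=264",
    "action=drop   proto=17 src=10.1.1.5 dst=192.0.2.1 dport=500",
    "action=drop   proto=50 src=10.1.1.5 dst=192.0.2.1",
    "action=drop   proto=17 src=10.1.1.5 dst=192.0.2.1 dport=259",
    "action=drop   proto=6  src=10.1.1.5 dst=192.0.2.1 dport=80",
]

if __name__ == "__main__":
    for scheme in ("isakmp", "fwz"):
        print(scheme, blocked_securemote_traffic(SAMPLE_LOG, scheme))
```

Run against the same drops, the ISAKMP rule set flags TCP 256, UDP 500 and ESP as wrongly blocked, while the FWZ rule set flags TCP 256 and UDP 259; the HTTP drop is never flagged, which is the point of writing the requirement down as data rather than as prose.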


Ronnie Rosenthal wrote:
> 
> So what does protocol values 94, 50 and 51 actually mean?
> 
> Thanks, Ronnie.
> 
> >From: [email protected]
> >To: [email protected], [email protected]
> >Subject: RE: [FW1] Re: Ace Server/FW1 Question
> >Date: Wed, 11 Oct 2000 21:27:23 -0500
> >
> >Am having the same problem and got this back from Checkpoint support:
> >
> >
> >
> >Here is the list of ports that need to be open...
> >
> >The filtering device has the following ports blocked:
> >-TCP Port 256
> >-UDP Port 259
> >-UDP Port 500
> >-Protocol 94, 50 and 51.
> >Fix: 1. To download the topology, you need to open TCP port 256, whatever
> >encryption scheme is used.
> >* If using SecuRemote 4.1, then by default the topology will be downloaded
> >on TCP port 264.
> >* If using SecuRemote 4.1 with FireWall-1 3.0b or 4.0, SecuRemote will
> >first try to get the topology on port 264; if it is not successful
> >after 30 seconds, it will try on port 256.
> >See the Solution: <a href="primus://:36.847">Topology Download
> >problems with SecuRemote 4.1/FireWall-1 4.1</a> to learn more about
> >this issue.
> >* If using SecuRemote 3.0 or 4.0 with FireWall-1 4.1, add a rule in
> >FireWall-1, that accepts connections from SecuRemote users to the
> >SecuRemote
> >server on port 256.
> >2. To establish a connection between SecuRemote Client and the server:
> >If using the FWZ encryption scheme, open UDP port 259 for the
> >Authentication.
> >
> >NOTE: If not using encapsulation, create rules to allow the actual traffic.
> >If using encapsulation, just add one rule allowing traffic on protocol
> >94 (0x5e) which is the new IP protocol number.
> >For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and
> >allow traffic on protocol 50 (0x32) and 51 (0x33) which are the new
> >protocol numbers for ISAKMP.
> >NOTE: If the Firewall in the middle is FireWall-1 then you just need
> >to allow IPSEC.
> >
> >Haven't had a chance to try this stuff yet.  If you do and get it working
> >let me know please.  I'm going to try again late this week or early next
> >week.
> >
> >Kevin Martin
> >[email protected] <mailto:[email protected]>
> >
> >
> >
> >
> >-----Original Message-----
> >From: Victor Barrientos [mailto:[email protected]]
> >Sent: Wednesday, October 04, 2000 7:18 PM
> >To: [email protected]
> >Subject: [FW1] Re: Ace Server/FW1 Question
> >
> >
> >
> >Hi steve,
> >
> >Check the following:
> >
> >
> >Check the encryption/authentication methods on firewall and server.
> >
> >Define the FW boxes as 'Communication Server' on the ACE Server machine. Be
> >sure that Sent Node Secret check box is blank.
> >
> >When defining the FW as clients on the server, make sure that the primary
> >node address is the IP address that the hostname of the FW resolves to. You
> >can do this by typing in 'hostname' on the firewall console and then
> >pinging
> >the answer you get back.
> >
> >Define the secondary nodes of the firewall.
> >
> >Check that the user is defined properly in the security policy.
> >
> >Check NAT rules. If any NAT is being done, make sure there is a rule at the
> >top of the policy that allows the FW's and SecurID server to talk
> >untranslated.
> >
> >After copying the 'sdconf.rec' file into the /var/ace directory, delete
> >/var/ace/securid and bounce FireWall-1 (fwstop; fwstart).
> >
> >After the first successful communication between Firewall and ACE server, a
> >file called 'securid' will get created under '/var/ace' directory.
> >
> >
> >Hope this helps you.
> >
> >Victor Barrientos
> >Tivoli certified Consultant
> >RSA Security Certified RSA ACE/Server Engineer
> >* Office: +54 11 4819 3903
> >* Fax:    +54 11 4811 7103
> >* Office eMail:   [email protected]
> ><mailto:[email protected]>
> >
> >* Alternative eMail:  [email protected] <mailto:[email protected]>
> >* Unifon Web Site:   http://www.unifon.com.ar <http://www.unifon.com.ar>
> >
> >
> >----- Original Message -----
> >From: Steve Peters < [email protected]
> ><mailto:[email protected]> >
> >To: 'Victor Barrientos' < [email protected] <mailto:[email protected]>
> > >
> >Sent: Tuesday, October 03, 2000 5:22 PM
> >Subject: Ace Server/FW1 Question
> >
> > > Hi I've read the posts on the newsgroup about ACE Server and FW1 and was
> > > hoping you could help. I have a question. I have created a user and
> >allowed
> > > secureID as the auth method, I also have put the sdconf.rec file in
> >/var/ace
> > > directory. But when I telnet to 259 and enter the username it prompts me
> > > with the PASSCODE: prompt but when I enter the information I get the
> > > following message "Unable to activate SecurID authentication" and in the
> >fw
> > > log I see a reject with the following in the Info section " reason
> >SecurID
> > > communication problem.
> > > Any ideas?  Anything would help,
> > >
> > > Thanks
> > > Steve Peters
> > > marchFIRST
> >
> ><< KevinMartin(E-mail).vcf >>
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


   All contents © 2004 Network Presence, LLC. All rights reserved.