[FW1] What to let through for IKE VPN?
Good day Gentlemen,

I've finally managed to get SR working behind a NAT device. For troubleshooting this project, I just added a line to our router's ACL to let everything from the translated public IP of the machine I was working on through the router, but now I need to make it more general. When I got it working, I took a look at Checkpoint's site to see what to add. At http://support.checkpoint.com/gold/publisher.asp?id=88a5d6a0-a4c6-11d4-9ec9-080020cf9075&resource=&number=0&isExternal=0 I found:

-----------------------------------------------------------------------------
2. To establish a connection between SecuRemote Client and the server: For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and allow traffic on protocol 50 (0x32) and 51 (0x33) which are the new protocol numbers for ISAKMP
-----------------------------------------------------------------------------

I've added these three lines to our Cisco router's ACL:

    access-list 100 permit 50 any host my.fw.ex.ip
    access-list 100 permit 51 any host my.fw.ex.ip
    access-list 100 permit udp any host my.fw.ex.ip eq 500

But my session dies after auth. If I do a 'sh access-list 100', I can see the hits on the third line for auth, but nothing on the first two. If I add my test machine's external IP back in and allow any traffic from it, it works again.

Has anybody got any idea what I'm doing wrong here?

Thanks!
Ian

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
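As an added example that is not part of Ian's message or of any Checkpoint or Cisco code, the following Python script evaluates the three ACL lines quoted above against sample packets and keeps per-line hit counters in the way 'sh access-list' does, so the intended behaviour of the rules can be checked off-router. The firewall and translated client addresses are constructed from documentation ranges, and the parser only handles the ACL syntax the post uses.

```python
# Added example (not from the original post): a tiny evaluator for the three
# IOS extended-ACL lines quoted above, with per-line hit counters. Handles
# only 'access-list N permit|deny <proto> any|host A any|host B [eq P]'.
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}

def _addr(t, i):
    """Consume 'any' or 'host <ip>' at t[i]; None means any address."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {t[i]}")

def parse_acl(lines):
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"unsupported line: {line}")
        proto = int(t[3]) if t[3].isdigit() else PROTO_NAMES[t[3]]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        if dport is not None and proto not in (6, 17):  # ESP (50) and AH (51) carry no ports
            raise ValueError(f"port match on a port-less protocol: {line}")
        rules.append({"action": t[2], "proto": proto, "src": src,
                      "dst": dst, "dport": dport, "hits": 0})
    return rules

def evaluate(rules, packet):
    """packet = (ip_proto, src, dst, dport or None); first match wins, implicit deny at the end."""
    proto, src, dst, dport = packet
    for r in rules:
        if (r["proto"] in (None, proto) and r["src"] in (None, src)
                and r["dst"] in (None, dst) and r["dport"] in (None, dport)):
            r["hits"] += 1
            return r["action"]
    return "deny"

FW, NAT = "192.0.2.1", "198.51.100.7"   # constructed: firewall external IP / translated client IP
POST_ACL = [f"access-list 100 permit 50 any host {FW}",
            f"access-list 100 permit 51 any host {FW}",
            f"access-list 100 permit udp any host {FW} eq 500"]

def simulate():
    """Replay IKE (UDP 500) then ESP from the NAT address, plus an unrelated UDP packet."""
    rules = parse_acl(POST_ACL)
    packets = [(17, NAT, FW, 500), (17, NAT, FW, 500), (50, NAT, FW, None), (17, NAT, FW, 53)]
    return [evaluate(rules, p) for p in packets], [r["hits"] for r in rules]
```

When the simulator permits a protocol-50 packet from the translated address but the router's own counter on that line stays at zero, the ESP traffic is not reaching that interface as protocol 50, so the ACL text itself is not the first place to look.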