
[FW1] SecuRemote VPN issue with Cisco 802 ISDN router



Scenario: I have 28 remote branch offices most using Netgear RT328 or Cisco
802 ISDN routers and I have a few offices with T1 connection using Farallon
Netopia.  I need to move all these users from NTmail to our Exchange
servers. 

What I have done so far:
*	SecuRemote using Hybrid-Mode IKE with UDP encapsulation to our
Firewall-1 encryption domain
*	Branch offices connect through various ISPs so SecuRemote Clients
are NAT'd
*	Exchange server at corporate is on the Internal side of Firewall-1
and NAT'd
*	Using RADIUS authentication to one of two NT servers running IAS
(users are treated as generic* in the configuration on the Firewall-1)

I have gotten SecuRemote to work successfully from offices with the Netgear
and Netopia routers with no additional configuration on these routers.  I
went to set up our 2 users in Indianapolis (behind a Cisco 802) and have hit
a wall.

The Indianapolis users authenticate correctly - checking the Firewall-1 log
shows Phase 1 & 2 completion below: 
	IKE Log: Phase 1 completion. 3DES/SHA1/RADIUS Negotiation ID:
XXXXXXXXXXXXXXXXXXX
	scheme:  IKE methods: Combined ESP: 3DES + SHA1 (phase 2 completion)
for host:  192.168.33.3 and for subnet: 0.0.0.0(mask= 0.0.0.0)
Then when I try to connect to Exchange or ping any of the servers in the
encryption domain I get nothing - Outlook2000 says network problems
connecting to Exchange server.

Nothing shows up in the Firewall-1 log either.  I know from branches I have
working that encrypt/decrypt requests are being logged properly when others
access Exchange. I believe nothing is being logged from Indianapolis because
the Cisco 802 is blocking the traffic. 

In researching what the issue is with the Cisco I've read some postings
about manual IPSEC between a Cisco and Firewall-1. I only want to use
SecuRemote to Firewall-1 but these posts mentioned creating access-lists
because NAT is processed before crypto on the Cisco.

Do I need to modify/create additional access-lists on the Cisco 802 to allow
the SecuRemote encryption packets to be routed properly?  The Cisco 802 has
the most basic config for ISDN with Dynamic NAT translation for the internal
private network. 

IOS config:

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname XXXXXXXXXXXX
!
enable password XXXXXXXXXXXX
!
ip name-server XXXXXXXXXXXX
!
isdn switch-type basic-ni1
!
ip subnet-zero
ip domain-lookup
ip routing
!
interface Dialer 1
 description connected to Internet
 ip address negotiated
 ip nat outside
 no ip split-horizon
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 86400
 dialer string 5760308
 dialer hold-queue 10
 dialer load-threshold 10
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXX
 ppp chap password XXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXX
 ppp multilink
 no cdp enable
!
interface Ethernet 0
 no shutdown
 description connected to 192.168.33.0
 ip address 192.168.33.1 255.255.255.0
 ip nat inside
 keepalive 10
!
interface BRI 0
 no shutdown
 description connected to Internet
 no ip address
 ip nat outside
 dialer rotary-group 1
 isdn spid1 XXXXXXXXXXXX
 isdn spid2 XXXXXXXXXXXX
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 192.168.33.0 0.0.0.255
!
! Dialer Control List 1
!
no dialer-list 1
dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface Dialer 1 overload
!
router rip
 version 2
 network 192.168.33.0
 passive-interface Dialer 1
 no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Dialer 1

This has been the longest research project of my life - I feel like I've
been looking for VPN/SecuRemote secret decoder rings!  I thought I had
worked all the bugs out until I hit this one.  I have eight Cisco 802's that
I have to live with.  It has been a few years since I've done the Cisco IOS
access-list mambo (defecting to Cabletron and 3COM for the most part) but
that is where I think the problem must lie since I don't seem to be getting
the SecuRemote packets past the Cisco.

Any and all suggestions welcomed. This mailing list and phoneboy FAQ have
been the best sources of info to solve all the problems I've run into so far
thanks to all the great postings.

Leigh A. Jones
Network Engineer
Davel Communications, Inc.
10120 Windhorst Road
Tampa, FL 33619
Fax
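As an added example (not part of the original post, and not a Check Point or Cisco tool), a small Python triage script that applies the poster's own reasoning to a Firewall-1 log export: a peer that completes IKE phase 2 but never produces encrypt/decrypt entries is one whose tunnel negotiated while its data-plane traffic never reached the firewall. The line layout and the `action: encrypt` / `action: decrypt` wording are assumptions modelled on the log lines quoted in the message.

```python
"""Triage Firewall-1 style VPN logs for peers whose IKE negotiation succeeds
but whose encrypted traffic never arrives. Added example code; the log
layout below is a constructed reconstruction, not a documented format."""
import re
from collections import defaultdict

# Constructed sample: 192.168.33.3 completes phase 1 and 2 and then goes
# silent; 10.7.7.9 completes IKE and is afterwards logged encrypting and
# decrypting traffic to the Exchange server.
SAMPLE_LOG = """\
12:00:01 192.168.33.3 IKE Log: Phase 1 completion. 3DES/SHA1/RADIUS
12:00:02 192.168.33.3 scheme: IKE methods: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: 192.168.33.3
12:00:05 10.7.7.9 IKE Log: Phase 1 completion. 3DES/SHA1/RADIUS
12:00:06 10.7.7.9 scheme: IKE methods: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: 10.7.7.9
12:00:09 10.7.7.9 action: encrypt service: ms-exchange
12:00:10 10.7.7.9 action: decrypt service: ms-exchange
"""

# Assumed layout: "<hh:mm:ss> <peer address> <message>"
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<peer>\S+) (?P<msg>.*)$")
PHASE2_RE = re.compile(r"phase 2 completion", re.IGNORECASE)
DATA_RE = re.compile(r"action: (encrypt|decrypt)")


def parse(log_text):
    """Yield (peer, message) pairs, skipping lines that do not fit the layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("peer"), m.group("msg")


def find_silent_peers(log_text):
    """Return the sorted peers that reached phase 2 completion but have no
    encrypt/decrypt entries at all: the tunnel was negotiated, yet no ESP or
    UDP-encapsulated data from that peer was seen by the firewall."""
    phase2 = defaultdict(int)
    data = defaultdict(int)
    for peer, msg in parse(log_text):
        if PHASE2_RE.search(msg):
            phase2[peer] += 1
        elif DATA_RE.search(msg):
            data[peer] += 1
    return sorted(p for p in phase2 if data[p] == 0)


if __name__ == "__main__":
    for peer in find_silent_peers(SAMPLE_LOG):
        print(f"{peer}: IKE completed, no encrypt/decrypt traffic logged")
```

Run it against a real log export and the silent peers are the sites to examine on the intermediate router (NAT and access-list handling), as opposed to sites with authentication failures, which never reach phase 2.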