[FW1] Cisco VPN client through NAT CheckPoint FW
Hello, all.

Odd problem with VPN-1 v4.1 SP2 on a Nokia IP650 running IPSO 3.3. I have an internal user who needs to connect to a remote ASP through a Cisco VPNZ (???) client which doesn't have much in the way of configuration options. I'm not seeing any drops in my logs but proper communication is not established. We are doing hide behind NAT on our end and her client has an IPSEC through NAT box checked as we use RFC1918 addresses internally (also fails without this option box checked). All is well if I connect her directly into the switch in front of my FW and give her a public address. I see the same problem if I connect her directly via cross-over cable into a port on the Nokia. All other traffic from her machine is fine.

I've included some sniffed traffic between an external interface of my FW and their network. If anyone has seen this or has any insight into what the problem may be I'd be very appreciative.

Chris

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 10:41:16.93
ETHER: Packet size = 352 bytes
ETHER: Destination = 0:2:16:b0:e6:0,
ETHER: Source = 0:a0:8e:e:ea:30,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: . .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 338 bytes
IP: Identification = 33852
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 126 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ff93
IP: Source address = my.ip.address, fw.domain.com
IP: Destination address = remote.ip.address, remote.ip.address
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 672
UDP: Destination port = 500
UDP: Length = 318
UDP: Checksum = 1F70
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 2 arrived at 10:41:17.23
ETHER: Packet size = 290 bytes
ETHER: Destination = 0:a0:8e:e:ea:30,
ETHER: Source = 0:2:16:b0:e6:0,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: . .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 276 bytes
IP: Identification = 54029
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 117 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ba00
IP: Source address = remote.ip.address, remote.ip.address
IP: Destination address = my.ip.address, fw.domain.com
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 500
UDP: Destination port = 672
UDP: Length = 256
UDP: Checksum = 0000 (no checksum)
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 3 arrived at 10:41:17.25
ETHER: Packet size = 94 bytes
ETHER: Destination = 0:2:16:b0:e6:0,
ETHER: Source = 0:a0:8e:e:ea:30,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 80 bytes
IP: Identification = 34108
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 126 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ff95
IP: Source address = my.ip.address, fw.domain.com
IP: Destination address = remote.ip.address, remote.ip.address
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 672
UDP: Destination port = 500
UDP: Length = 60
UDP: Checksum = 5618
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 4 arrived at 10:41:17.73
ETHER: Packet size = 350 bytes
ETHER: Destination = 0:2:16:b0:e6:0,
ETHER: Source = 0:a0:8e:e:ea:30,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 336 bytes
IP: Identification = 34364
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 126 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = fd95
IP: Source address = my.ip.address, fw.domain.com
IP: Destination address = remote.ip.address, remote.ip.address
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 672
UDP: Destination port = 500
UDP: Length = 316
UDP: Checksum = 78E1
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 5 arrived at 10:41:17.84
ETHER: Packet size = 118 bytes
ETHER: Destination = 0:a0:8e:e:ea:30,
ETHER: Source = 0:2:16:b0:e6:0,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 104 bytes
IP: Identification = 54032
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 117 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = baa9
IP: Source address = remote.ip.address, remote.ip.address
IP: Destination address = my.ip.address, fw.domain.com
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 500
UDP: Destination port = 672
UDP: Length = 84
UDP: Checksum = 0000 (no checksum)
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 6 arrived at 10:41:25.76
ETHER: Packet size = 350 bytes
ETHER: Destination = 0:2:16:b0:e6:0,
ETHER: Source = 0:a0:8e:e:ea:30,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 336 bytes
IP: Identification = 34620
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 126 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = fc95
IP: Source address = my.ip.address, fw.domain.com
IP: Destination address = remote.ip.address, remote.ip.address
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 672
UDP: Destination port = 500
UDP: Length = 316
UDP: Checksum = 78E1
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 7 arrived at 10:41:47.83
ETHER: Packet size = 118 bytes
ETHER: Destination = 0:a0:8e:e:ea:30,
ETHER: Source = 0:2:16:b0:e6:0,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 104 bytes
IP: Identification = 54063
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 117 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ba8a
IP: Source address = remote.ip.address, remote.ip.address
IP: Destination address = my.ip.address, fw.domain.com
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 500
UDP: Destination port = 672
UDP: Length = 84
UDP: Checksum = 0000 (no checksum)
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 8 arrived at 10:42:17.84
ETHER: Packet size = 118 bytes
ETHER: Destination = 0:a0:8e:e:ea:30,
ETHER: Source = 0:2:16:b0:e6:0,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 104 bytes
IP: Identification = 54095
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 117 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ba6a
IP: Source address = remote.ip.address, remote.ip.address
IP: Destination address = my.ip.address, fw.domain.com
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 500
UDP: Destination port = 672
UDP: Length = 84
UDP: Checksum = 0000 (no checksum)
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 9 arrived at 10:42:25.97
ETHER: Packet size = 350 bytes
ETHER: Destination = 0:2:16:b0:e6:0,
ETHER: Source = 0:a0:8e:e:ea:30,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 336 bytes
IP: Identification = 34876
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 126 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = fb95
IP: Source address = my.ip.address, fw.domain.com
IP: Destination address = remote.ip.address, remote.ip.address
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 672
UDP: Destination port = 500
UDP: Length = 316
UDP: Checksum = 78E1
UDP:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 10 arrived at 10:42:47.82
ETHER: Packet size = 126 bytes
ETHER: Destination = 0:a0:8e:e:ea:30,
ETHER: Source = 0:2:16:b0:e6:0,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 112 bytes
IP: Identification = 54126
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 117 seconds/hops
IP: Protocol = 17 (UDP)
IP: Header checksum = ba43
IP: Source address = remote.ip.address, remote.ip.address
IP: Destination address = my.ip.address, fw.domain.com
IP: No options
IP:
UDP: ----- UDP Header -----
UDP:
UDP: Source port = 500
UDP: Destination port = 672
UDP: Length = 92
UDP: Checksum = 0000 (no checksum)
UDP:
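
Added example, not part of the original post: a small Python pass over a packet decode in the format posted above, reporting IKE datagrams (UDP destination port 500) that leave from a source port other than 500 and outbound datagrams that repeat with the same ports, UDP length and UDP checksum. The names `parse` and `findings` are hypothetical, and the sample is constructed from the ports, lengths and checksums of packets 4, 5, 6 and 9 in the post.

```python
import re
IKE_PORT = 500  # ISAKMP/IKE uses UDP port 500

# Constructed sample: four records trimmed to the fields used below, carrying
# the ports, lengths and checksums of packets 4, 5, 6 and 9 in the post.
SAMPLE = (
    "ETHER: Packet 4 arrived at 10:41:17.73 UDP: Source port = 672 "
    "UDP: Destination port = 500 UDP: Length = 316 UDP: Checksum = 78E1 "
    "ETHER: Packet 5 arrived at 10:41:17.84 UDP: Source port = 500 "
    "UDP: Destination port = 672 UDP: Length = 84 UDP: Checksum = 0000 "
    "ETHER: Packet 6 arrived at 10:41:25.76 UDP: Source port = 672 "
    "UDP: Destination port = 500 UDP: Length = 316 UDP: Checksum = 78E1 "
    "ETHER: Packet 9 arrived at 10:42:25.97 UDP: Source port = 672 "
    "UDP: Destination port = 500 UDP: Length = 316 UDP: Checksum = 78E1 "
)

# Works on one-field-per-line output and on text flattened onto long lines.
RECORD = re.compile(
    r"Packet (\d+) arrived at ([\d:.]+).*?Source port = (\d+).*?"
    r"Destination port = (\d+).*?UDP: Length = (\d+).*?"
    r"Checksum = ([0-9A-Fa-f]+)", re.S)

def parse(text):
    """Return one dict per UDP datagram found in the decode."""
    keys = ("num", "time", "sport", "dport", "length", "cksum")
    packets = []
    for m in RECORD.finditer(text):
        rec = dict(zip(keys, m.groups()))
        for k in ("num", "sport", "dport", "length"):
            rec[k] = int(rec[k])
        packets.append(rec)
    return packets

def findings(packets):
    """Flag IKE sent from a non-500 source port and likely retransmissions."""
    notes, first_seen = [], {}
    for p in packets:
        if p["dport"] == IKE_PORT and p["sport"] != IKE_PORT:
            notes.append((p["num"], "ike-source-port-not-500", p["sport"]))
        if p["cksum"] == "0000":   # checksum not computed, cannot compare
            continue
        key = (p["sport"], p["dport"], p["length"], p["cksum"])
        if key in first_seen:      # same ports, length and UDP checksum
            notes.append((p["num"], "likely-retransmit-of", first_seen[key]))
        first_seen.setdefault(key, p["num"])
    return notes

if __name__ == "__main__":
    print(*findings(parse(SAMPLE)), sep="\n")
```

A matching length and 16-bit checksum is a strong hint of an unchanged payload, not proof; comparing the payload bytes in the raw capture settles it.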