RE: [FW1] Cisco VPN client through NAT CheckPoint FW
Hi,

If the destination site was using the Cisco VPN Concentrator (previously Altiga), you could use the Cisco Universal VPN Client 3.0X. This combination supports IPSEC over UDP, which gives it a source address and this supports NAT. It is proprietary to Cisco but who cares, it works. This would support your clients behind the FW-1 using NAT. We use it for DSL users who get temporary IPs or there is NAT going on and it works great. The client works with all Microsoft desktop OSs but does not work with PIX until release 6.0, but then for PIX you can always use PPTP from now. The client license is free if you buy a VPN concentrator and this will be the unified client for all VPNs from Cisco once PIX 6.0 ships (next few weeks). Other than that, IPSEC can't be NAT'ed because you have no source address.

Any others got ideas?

Inti.

-----Original Message-----
From: Spigelman, David [mailto:[email protected]]
Sent: 16 May 2001 18:58
To: 'Franklin Hoek'
Cc: [email protected]
Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW

How?! I don't understand how it WOULD work!

-- DS

-----Original Message-----
From: Franklin Hoek [mailto:[email protected]]
Sent: Tuesday, May 15, 2001 6:32 AM
To: '[email protected]'; Chris Arnold
Cc: [email protected]
Subject: RE: [FW1] Cisco VPN client through NAT CheckPoint FW

The new patch, 4.1 SP3, makes it possible for the first time...

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, 20 March 2001 11:47
To: Chris Arnold
Cc: [email protected]
Subject: Re: [FW1] Cisco VPN client through NAT CheckPoint FW

I don't think you can VPN (IPSEC) through NAT because of encapsulated source address issues; mainly, encrypted in the packet is the original source address, which can't be changed to the NAT address.

Symon

-------------------

> Hello, all. Odd problem with VPN-1 v4.1 SP2 on a Nokia IP650 running IPSO
> 3.3.
> I have an internal user who needs to connect to a remote ASP through a Cisco
> VPNZ (???) client which doesn't have much in the way of configuration
> options. I'm not seeing any drops in my logs but proper communication is not
> established. We are doing hide behind NAT on our end and her client has an
> "IPSEC through NAT" box checked as we use RFC1918 addresses internally (also
> fails without this option box checked).
>
> All is well if I connect her directly into the switch in front of my FW and
> give her a public address. I see the same problem if I connect her directly
> via cross-over cable into a port on the Nokia. All other traffic from her
> machine is fine.
>
> I've included some sniffed traffic between an external interface of my FW
> and their network.
>
> If anyone has seen this or has any insight into what the problem may be I'd
> be very appreciative.
>
> Chris
>
> Sniffed traffic (snoop-style verbose dump, one row per packet; the header
> fields that are identical in all ten packets are listed once below the table):
>
> Pkt  Arrived      Frame  Direction (IP)                       IP len  IP ID  TTL  IP cksum  UDP ports   UDP len  UDP cksum
>  1   10:41:16.93  352    my.ip.address -> remote.ip.address   338     33852  126  ff93      672 -> 500  318      1F70
>  2   10:41:17.23  290    remote.ip.address -> my.ip.address   276     54029  117  ba00      500 -> 672  256      0000 (no checksum)
>  3   10:41:17.25   94    my.ip.address -> remote.ip.address    80     34108  126  ff95      672 -> 500   60      5618
>  4   10:41:17.73  350    my.ip.address -> remote.ip.address   336     34364  126  fd95      672 -> 500  316      78E1
>  5   10:41:17.84  118    remote.ip.address -> my.ip.address   104     54032  117  baa9      500 -> 672   84      0000 (no checksum)
>  6   10:41:25.76  350    my.ip.address -> remote.ip.address   336     34620  126  fc95      672 -> 500  316      78E1
>  7   10:41:47.83  118    remote.ip.address -> my.ip.address   104     54063  117  ba8a      500 -> 672   84      0000 (no checksum)
>  8   10:42:17.84  118    remote.ip.address -> my.ip.address   104     54095  117  ba6a      500 -> 672   84      0000 (no checksum)
>  9   10:42:25.97  350    my.ip.address -> remote.ip.address   336     34876  126  fb95      672 -> 500  316      78E1
> 10   10:42:47.82  126    remote.ip.address -> my.ip.address   112     54126  117  ba43      500 -> 672   92      0000 (no checksum)
>
> Common to all ten packets:
>   ETHER: Ethertype = 0800 (IP). Frames from my.ip.address have
>          Source = 0:a0:8e:e:ea:30 and Destination = 0:2:16:b0:e6:0;
>          frames from remote.ip.address have the reverse.
>   IP:    Version = 4, Header length = 20 bytes, Type of service = 0x00
>          (precedence 0, normal delay, normal throughput, normal reliability),
>          Flags = 0x0 (may fragment, last fragment), Fragment offset = 0 bytes,
>          Protocol = 17 (UDP), No options. my.ip.address is fw.domain.com;
>          remote.ip.address has no name.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
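Inti's point (IPsec over UDP "gives it a source address" and so survives NAT) and Symon's (plain IPsec does not) both come down to what a port-translating hide NAT can key on. The model below is an added illustration, not code from the thread, from Cisco or from Check Point: a small hide NAT that, like FW-1's hide mode, rewrites the source address and source port of outbound UDP and matches replies on the translated port. IKE on UDP/500 passes (in Chris's trace the IKE datagrams leave fw.domain.com from port 672 rather than 500, consistent with that rewrite); raw ESP carries no ports, so the NAT has nothing to map and the peer's ESP replies cannot be delivered; ESP wrapped in a UDP header passes like any other UDP flow. The addresses, the port pool starting at 10000 and the encapsulation port 4500 (the later standard NAT-T port; Cisco's proprietary IPsec over UDP uses a different port) are assumptions.

```python
"""Why IKE (UDP/500) survives hide NAT but raw ESP does not, and how carrying
ESP inside UDP fixes it.  Added illustration for the thread above, not code
from the thread or from Cisco/Check Point.  All addresses, ports and SPIs
are constructed; the NAT port pool and the encapsulation port are assumed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

UDP, ESP = 17, 50
PUBLIC_IP = "203.0.113.5"   # assumed hide-NAT address of the firewall
ENCAP_PORT = 4500           # assumed: RFC 3948 NAT-T port; Cisco's proprietary
                            # IPsec-over-UDP uses a different port

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None: the protocol has no port field (ESP)
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP SPI: chosen by the receiver, opaque to the NAT

class HideNAT:
    """Port-translating hide NAT. Outbound flows are keyed on
    (proto, inner src, inner sport) and given a public port; replies are
    matched on that port. A port-less packet gives the NAT nothing to key on."""
    def __init__(self, first_port: int = 10000):
        self.next_port = first_port
        self.out: Dict[Tuple[int, str, int], int] = {}
        self.back: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        if p.sport is None:
            # ESP: only the source address can be rewritten. Two inner hosts
            # then look identical to the peer, and no flow entry is recorded.
            return replace(p, src=PUBLIC_IP)
        key = (p.proto, p.src, p.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=PUBLIC_IP, sport=self.out[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if it is dropped."""
        if p.dst != PUBLIC_IP or p.dport is None:
            return None      # ESP reply: no port to look up, so no inner host
        hit = self.back.get((p.proto, p.dport))
        if hit is None:
            return None
        inner_ip, inner_port = hit
        return replace(p, dst=inner_ip, dport=inner_port)

def round_trip(nat: HideNAT, request: Packet) -> Optional[Packet]:
    """Send request out through the NAT and bring the peer's reply back in.
    The reply swaps addresses and ports and keeps the protocol."""
    out = nat.outbound(request)
    reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport, out.spi)
    return nat.inbound(reply)

def run_scenarios() -> Dict[str, bool]:
    client, peer = "192.168.1.10", "198.51.100.7"
    nat = HideNAT()
    ike = round_trip(nat, Packet(UDP, client, peer, 500, 500))
    raw_esp = round_trip(nat, Packet(ESP, client, peer, spi=0x1234))
    # ESP carried inside UDP: the encapsulation header supplies the ports the
    # NAT needs; the ESP payload itself is untouched.
    esp_in_udp = round_trip(nat, Packet(UDP, client, peer, ENCAP_PORT, ENCAP_PORT, spi=0x1234))
    return {
        "ike": ike is not None and ike.dst == client and ike.dport == 500,
        "raw_esp": raw_esp is not None,
        "esp_over_udp": esp_in_udp is not None and esp_in_udp.dst == client,
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:13s} {'passes' if ok else 'is dropped by'} hide NAT")
```

The model leaves out the ESP pass-through special cases some NAT boxes apply for a single inner host; the thread is about the general case. Note also that the two directions of an ESP tunnel use different SPIs, so even a NAT that reads the SPI cannot pair the reply with the request without looking inside IKE, which is why adding a UDP header is the fix rather than smarter ESP handling.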
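Chris's trace is easier to read reduced to one record per datagram. The script below is an added example, not code from the thread: it parses the snoop verbose layout (tolerating the "> " mail quoting) and flags any datagram that repeats an earlier one's 5-tuple, UDP length and non-zero UDP checksum, which is how packets 4, 6 and 9 of the posted trace (all 316 bytes, checksum 78E1) show up as one datagram being sent again. The sample input is constructed to mirror packets 4 to 6; the field names are the ones the thread's dump uses.

```python
"""Reduce a snoop -v style IKE trace, as posted in the thread, to one record
per datagram and flag retransmissions.  Added example, not code from the
thread; the sample input is constructed to mirror packets 4 to 6 of the
posted trace and carries only the lines this parser reads."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

SAMPLE = """\
> ETHER:  Packet 4 arrived at 10:41:17.73
> IP:   Source address = my.ip.address, fw.domain.com
> IP:   Destination address = remote.ip.address, remote.ip.address
> UDP:  Source port = 672
> UDP:  Destination port = 500
> UDP:  Length = 316
> UDP:  Checksum = 78E1
> ETHER:  Packet 5 arrived at 10:41:17.84
> IP:   Source address = remote.ip.address, remote.ip.address
> IP:   Destination address = my.ip.address, fw.domain.com
> UDP:  Source port = 500
> UDP:  Destination port = 672
> UDP:  Length = 84
> UDP:  Checksum = 0000 (no checksum)
> ETHER:  Packet 6 arrived at 10:41:25.76
> IP:   Source address = my.ip.address, fw.domain.com
> IP:   Destination address = remote.ip.address, remote.ip.address
> UDP:  Source port = 672
> UDP:  Destination port = 500
> UDP:  Length = 316
> UDP:  Checksum = 78E1
"""

@dataclass
class Datagram:
    num: int
    time: str
    src: str
    dst: str
    sport: int
    dport: int
    length: int
    cksum: str   # hex as printed; "0000" means the sender supplied no checksum

# Accept any depth of "> " mail quoting in front of the snoop layer tag.
_LINE = re.compile(r"^(?:>\s*)*(ETHER|IP|UDP):\s*(.*?)\s*$")
_PKT = re.compile(r"Packet (\d+) arrived at (\S+)")

def parse_snoop(text: str) -> List[Datagram]:
    pkts: List[Datagram] = []
    cur: Dict[str, Any] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        layer, body = m.groups()
        start = _PKT.search(body)
        if start:                      # "Packet N arrived at" opens a record
            if cur:
                pkts.append(Datagram(**cur))
            cur = {"num": int(start.group(1)), "time": start.group(2)}
            continue
        key, eq, val = body.partition("=")
        if not eq:
            continue                   # separator lines and empty "UDP:" lines
        key, val = key.strip(), val.strip()
        if layer == "IP" and key == "Source address":
            cur["src"] = val.split(",")[0]         # drop the resolved name
        elif layer == "IP" and key == "Destination address":
            cur["dst"] = val.split(",")[0]
        elif layer == "UDP" and key == "Source port":
            cur["sport"] = int(val)
        elif layer == "UDP" and key == "Destination port":
            cur["dport"] = int(val)
        elif layer == "UDP" and key == "Length":
            cur["length"] = int(val)
        elif layer == "UDP" and key == "Checksum":
            cur["cksum"] = val.split()[0].upper()  # "0000 (no checksum)" -> "0000"
    if cur:
        pkts.append(Datagram(**cur))
    return pkts

def find_retransmits(pkts: List[Datagram]) -> List[Tuple[int, int]]:
    """(packet, earlier packet) pairs whose 5-tuple, UDP length and non-zero
    UDP checksum all match: the same datagram on the wire again. A zero
    checksum says nothing about the payload, so those are not compared."""
    first_seen: Dict[tuple, int] = {}
    hits = []
    for p in pkts:
        if p.cksum == "0000":
            continue
        key = (p.src, p.sport, p.dst, p.dport, p.length, p.cksum)
        if key in first_seen:
            hits.append((p.num, first_seen[key]))
        else:
            first_seen[key] = p.num
    return hits

def summarize(pkts: List[Datagram]) -> Dict[str, Any]:
    return {
        "ike_only": all(500 in (p.sport, p.dport) for p in pkts),
        "by_direction": dict(Counter(f"{p.src} -> {p.dst}" for p in pkts)),
        "retransmits": find_retransmits(pkts),
    }

if __name__ == "__main__":
    for p in parse_snoop(SAMPLE):
        print(f"{p.num:2d} {p.time} {p.src}:{p.sport} -> {p.dst}:{p.dport} len={p.length} cksum={p.cksum}")
    print(summarize(parse_snoop(SAMPLE)))
```

Feed it the full quoted dump and the output is the whole exchange as one line per packet plus the retransmit pairs; because the parser only understands the UDP layer, "ike_only" being true also confirms that no ESP (IP protocol 50) appeared in the capture.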