
FW: [FW1] What ports do I need for Secure Remote.

Basic Requirements for SecuRemote Communications with the Remote FW
The following services must be permitted bidirectionally through any firewalls and routers between the client and the LAN.

*       UDP 500 (IPSEC Internet Key Exchange)
*       TCP 264 (Check Point SecuRemote Topology Requests)
*       IP Protocol 50 (IPSEC Encapsulating Security Payload Protocol)
*       SecuRemote Client: SecuRemote version 4157 or higher with 3DES encryption obtained from FW1
How Does SecuRemote Client Work?

Checkpoint's SecuRemote client provides "encrypted" access between a Win9x or NT machine and a firewall. The implementation of SecuRemote within LAN uses the ISAKMP encryption scheme to exchange keys and support authentication, and Triple Data Encryption Standard (3DES, 168-bit encryption) for packet encryption.

Checkpoint's SecuRemote client uses UDP port 500 to authenticate user name and password, TCP port 264 with fallback to port 256 for site topology download (encrypted site addresses), and IP protocol 50 for passing encrypted data. All communications to FW are initiated by the SecuRemote client; nothing is initiated by the firewall.

What is the Process?
1.      The SecuRemote client is already installed on the user's PC.
2.      User attempts access to the Corporate LAN
a.      Authentication takes place over UDP 500
- Successful authentication means that UDP 500 communication is successful
b.      Data is transmitted via encrypted tunnel on IP protocol 50
- Failure to receive data means failure to communicate using IP protocol 50

Troubleshooting SecuRemote communication failures

The two areas where most of the problems exist are:
1.      Correctly passing IP protocol 50 from the user's workstation to Corporate LAN
2.      Correctly configuring the Network Address Translation (NAT)
Ideally, a test workstation can be used to aid in the isolation of the problem. The basic approach should be first to establish router and firewall communications over IP protocol 50 using a fixed IP address. Once the communications of IP protocol 50 are resolved, then, if necessary, adjust the NAT configuration to provide either Static NAT with a one-to-one translation or Pooled NAT configured to provide each client with a unique IP address.

Network Examples:

The following are examples of how these ports can be opened in a Cisco router:

Port:           Examples:
UDP 500         access-list 101 permit udp any any eq 500
                access-list 102 permit udp any any eq 500
TCP 264         access-list 101 permit tcp any any eq 264
IP Protocol 50  access-list 101 permit 50 any any
                access-list 102 permit 50 any any
In the examples, access-group "101" will filter traffic out to the Internet. The line below would therefore be applied to the router interface that manages the traffic out to the Internet.

*       Example: ip access-group 101 out
In the examples, access group "102" will filter traffic in from the Internet. The line below would therefore be applied to the router interface that manages the traffic in from the Internet.

*       Example: ip access-group 102 in
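As an added example (not part of the original post), here is a small Python evaluator for the access-list lines in the table above. It parses only the "permit <proto> any any [eq <port>]" form shown on the page and applies IOS first-match / implicit-deny semantics, so you can see which SecuRemote flows list 101 (outbound) and list 102 (inbound) admit; the client ephemeral port 1025 used for the topology reply is a constructed value.

```python
from dataclasses import dataclass
from typing import Optional

# Protocol keywords/numbers that appear in the page's access-list lines.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "50": 50, "esp": 50}

# The two lists exactly as given in the table above.
ACL_TEXT = """
access-list 101 permit udp any any eq 500
access-list 102 permit udp any any eq 500
access-list 101 permit tcp any any eq 264
access-list 101 permit 50 any any
access-list 102 permit 50 any any
"""

@dataclass(frozen=True)
class Entry:
    proto: int
    dst_port: Optional[int]  # None: any destination port (or a port-less protocol)

def parse_acls(text: str) -> dict:
    """Parse 'access-list N permit <proto> any any [eq <port>]' lines into {N: [Entry]}."""
    acls: dict = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            raise ValueError(f"unsupported line: {line}")
        proto = PROTO_NUMBERS[tok[3].lower()]
        port = int(tok[7]) if len(tok) >= 8 and tok[6] == "eq" else None
        acls.setdefault(int(tok[1]), []).append(Entry(proto, port))
    return acls

def permitted(acl: list, proto: int, dst_port: Optional[int] = None) -> bool:
    """Only permit entries appear on the page, so the first match decides;
    a packet matching no entry hits IOS's implicit deny at the end of the list."""
    return any(e.proto == proto and e.dst_port in (None, dst_port) for e in acl)

def check_secu_remote(acls: dict) -> dict:
    """Evaluate the flows the post requires: 101 is applied outbound, 102 inbound."""
    out, inb = acls[101], acls[102]
    return {
        "ike_out": permitted(out, 17, 500),        # client -> FW, UDP 500
        "ike_in": permitted(inb, 17, 500),         # FW -> client, UDP 500/500
        "topo_out": permitted(out, 6, 264),        # client -> FW, TCP 264
        "topo_reply_in": permitted(inb, 6, 1025),  # FW -> client ephemeral port (constructed)
        "esp_out": permitted(out, 50),             # IP protocol 50, no ports
        "esp_in": permitted(inb, 50),
    }
```

Run against the table as shown, list 102 contains no TCP entry, so the replies to the TCP 264 topology request are not matched by it; whatever admits them on the inbound interface is not among the lines on the page.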
Firewall Examples:

The following are examples of how the needed SecuRemote ports can be opened in a Check Point firewall:

From the GUI manager on the firewall (fwpolicy) create the following (3) Service objects, if they are not already created:

1.      Click Manage > Services... > New... > Other...
Name: ESP
Comment: IPSEC Encapsulating Security Payload Protocol
Color:
Match: ip_p = 0x32
2.      Click Manage > Services... > New... > TCP...
Name: FW1_topo
Comment: Check Point VPN-1 SecuRemote Topology Requests
Color:
Port: 264
3.      Click Manage > Services... > New... > UDP...
Name: IKE
Comment: IPSEC Internet Key Exchange Protocol
Color:
Port: 500
Next, create the firewall ruleset:
Source: Intranet
Destination:    RemoteFW
Service:        ESP, IKE, FW1_topo
Action: Accept
Track:  Long
Install On:     Gateway
Time:   Any
Comments:       Allow SecuRemote VPN traffic to Remote Network
Example of passing SecuRemote through a Gauntlet Firewall:

You can pass UDP traffic with Gauntlet using the packet filtering/fw-1 type rules of ipfs. On Gauntlet, you need to edit your netperm-table via gauntlet-admin or the GUI. Set up the packet filtering rule with something like this...

authenIP: permit -proto UDP -if {$internal-interface} -sourceaddr ip.add.re.ss:net.m.a.sk -srcport 500 -destaddr ip.add.re.ss:net.m.a.sk -destport 500

authenIP: permit -proto TCP -if {$internal-interface} -sourceaddr ip.add.re.ss:net.m.a.sk -srcport 256 -destaddr ip.add.re.ss:net.m.a.sk -destport 256

This tells Gauntlet to pass both UDP 500 and TCP 256 via packet filtering. Make sure you do `ipfs -r all` to tell IP Filtering Screen to reread its configs. (btw... check the syntax on the ipfs rule.)


How do I configure NAT (Network Address Translation) and SecuRemote?

  The NAT gateway must pass UDP port 500 and IPSEC traffic (IP Protocol 50) to the Remote LAN bidirectionally.

When using a SecuRemote client and NAT there are three options:

1. Hidden NAT (many-to-one translation)
If using Hidden NAT, only one user at a time can use SecuRemote. This should work fine for users that use a device that performs NAT for their home-office network (e.g. users with cable modems or those with UNIX or Windows machines performing NAT).

Note: This can work for many users if one workstation is configured to be the SecuRemote Client and it is the gateway address for all other users that want to access the Gibson LAN.

2. Pooled NAT (many-to-many translation, done by Cisco PIX firewalls and other similar devices)
Pooled NAT will work fine so long as each client is given a unique IP address and provided your NAT gateway passes UDP port 500 and IPSEC traffic (IP Protocol 50) to Gibson bidirectionally.

3. Static NAT (one-to-one translation)
Static NAT will work provided your NAT gateway passes UDP port 500 and IPSEC traffic (IP Protocol 50) to the Gibson bidirectionally.
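As an added illustration (constructed model, not code from the original post or from any NAT product), the toy hidden-NAT table below shows why the post limits option 1 to one SecuRemote user at a time: UDP 500 carries ports the gateway can rewrite to keep inside hosts apart, but ESP (IP protocol 50) has no ports, so a second host's tunnel collides with the first on the return path. All addresses are constructed.

```python
from typing import Optional, Tuple

PUBLIC_IP = "203.0.113.1"  # constructed public address of the NAT gateway

class HiddenNat:
    """Many-to-one NAT keyed on (protocol, outside port). A constructed model
    of the behaviour the post describes, not a real implementation."""

    def __init__(self) -> None:
        self.next_port = 40000
        self.out_map: dict = {}  # (proto, inside_ip, inside_port) -> outside port
        self.in_map: dict = {}   # (proto, outside port) -> (inside_ip, inside_port)

    def outbound(self, proto: int, inside_ip: str,
                 inside_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Translate a packet leaving the LAN; return its outside (ip, port)."""
        key = (proto, inside_ip, inside_port)
        if key not in self.out_map:
            if inside_port is None:
                outside_port = None  # ESP: nothing to rewrite, so no distinct slot
            else:
                outside_port = self.next_port
                self.next_port += 1
            self.out_map[key] = outside_port
            # With no port to distinguish them, a later host's ESP simply
            # overwrites the earlier host's return mapping.
            self.in_map[(proto, outside_port)] = (inside_ip, inside_port)
        return PUBLIC_IP, self.out_map[key]

    def inbound(self, proto: int, outside_port: Optional[int] = None):
        """Look up which inside host a returning packet is delivered to."""
        return self.in_map.get((proto, outside_port))

def two_clients() -> dict:
    """Two SecuRemote clients behind one hidden NAT: IKE first, then ESP."""
    nat = HiddenNat()
    a, b = "192.168.1.10", "192.168.1.11"
    _, a_ike = nat.outbound(17, a, 500)
    _, b_ike = nat.outbound(17, b, 500)
    nat.outbound(50, a)  # client A starts its encrypted tunnel
    nat.outbound(50, b)  # client B does the same: same (50, None) slot
    return {
        "ike_to_a": nat.inbound(17, a_ike),
        "ike_to_b": nat.inbound(17, b_ike),
        "esp_delivered_to": nat.inbound(50),  # only one host can own this
    }
```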

-----Original Message-----
From: Roger Clark [mailto:[email protected]]
Sent: Tuesday, May 15, 2001 7:01 PM
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] What ports do I need for Secure Remote.



I want to use Secure Remote 4.1 on a 2000 workstation to connect to a Check Point firewall VPN through a router. What TCP and UDP ports will I need to open on the router?

Roger Clark
[email protected]


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================