Re: [FW-1] SecureRemote and Linksys router/firewall
I used the following instructions, and things worked fine for me!

Things to double check: firmware version of Linksys router

-=-=Greg Fraize
Genuity Inc.

Solution: How to set up SecuRemote behind a Firewall to connect to a remote Firewall. (47.418)

Assuming the local FireWall does not do address translation (NAT), part of setup depends on whether or not the remote FireWall-1 is configured to use encapsulation for SecuRemote connections or not.

General Configuration
=====================

In all cases, you will need to permit the following traffic through your local FireWall (Note: only use ISAKMP for FireWall-1 4.0 when ISAKMP is used for SecuRemote):

----------------------------------------------------------------
Source            | Destination        | Service    | Action |
----------------------------------------------------------------
SecuRemote-Client | Remote-Mgmt-Server | FW1        | Accept |
----------------------------------------------------------------
SecuRemote-Client | Remote-FireWall    | RDP ISAKMP | Accept |
----------------------------------------------------------------

Remote Site Uses FWZ Encapsulation
==================================

If the remote site is using encapsulation for SecuRemote clients, the following additional rule needs to be added:

----------------------------------------------------------------------
Source            | Destination       | Service           | Action |
----------------------------------------------------------------------
SecuRemote-Client | Remote-FireWall   | FW1_Encapsulation | Accept |
Remote-FireWall   | SecuRemote-Client |                   |        |
----------------------------------------------------------------------

FW1_Encapsulation is pre-defined on most current FireWall-1 boxes.
If it is not pre-defined on yours, then create it as service of type Other with "ip_p=94" in the Match field.

Remote Site Uses ISAKMP
=======================

If the remote site is using encapsulation for SecuRemote clients, the following additional rule needs to be added:

------------------------------------------------------------
Source            | Destination       | Service | Action |
------------------------------------------------------------
SecuRemote-Client | Remote-FireWall   | IPSEC   | Accept |
Remote-FireWall   | SecuRemote-Client |         |        |
------------------------------------------------------------

IPSEC is pre-defined on most current FireWall-1 boxes. If it is not pre-defined on yours, then create it as service of type Other with "ip_p=50" in the Match field.

Remote Site Does Not Use Encapsulation
======================================

If the remote site does not use encapsulation, then you will need to permit the necessary traffic to and from the remote site by your local FireWall's rulebase. You need to make sure that none of the traffic is processed through the security servers or an intermediary proxy or you might get unreliable or unpredictable results. The following rule near the top of your rulebase should suffice:

---------------------------------------------------------
Source            | Destination    | Service | Action |
---------------------------------------------------------
SecuRemote-Client | Remote-Servers | Any     | Accept |
---------------------------------------------------------

The "any" above can be replaced with the specific services the SecuRemote client needs to use.
NOTE: If your FireWall is doing address translation for the SecuRemote client, please refer to SecuRemote behind a NAT device

Problem Description

How to set up Securemote behind a Firewall to connect to a remote Firewall.

At 09:12 AM 12/20/2001 -0500, Trievel, Thomas wrote:
>I have SR users that have Linksys router/firewalls. The user can
>authenticate to the CP Firewall but can not communicate to devices inside
>the network. SR users without the Linksys device work ok. I have made the
>changes to objects.C for NAT that is listed on PhoneBoy and made
>configuration changes to the Linksys that is on the Linksys site but still
>no luck. Any ideas???
>
>Tom Trievel
> Think Security!
>Because the global village has more than its fair share of idiots!
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
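Added example, not part of the original message or of Check Point's documentation: a first-match rulebase checker that reports which of the flows listed in the solution above a local rulebase fails to accept, for FWZ or ISAKMP mode. The rule model, the sample rulebase and the FW1/RDP/ISAKMP port numbers are assumptions; ip_p=94 and ip_p=50 are taken from the message.

```python
from dataclasses import dataclass

# ip_p=94 and ip_p=50 are from the message above; the FW1, RDP and ISAKMP
# port numbers are the usual FireWall-1 predefined values (assumption).
SERVICES = {"FW1": "tcp/256", "RDP": "udp/259", "ISAKMP": "udp/500",
            "FW1_Encapsulation": "ip_p=94", "IPSEC": "ip_p=50"}

C, M, F = "SecuRemote-Client", "Remote-Mgmt-Server", "Remote-FireWall"
COMMON = [(C, M, "FW1"), (C, F, "RDP")]
# Flows (source, destination, service) each mode needs, per the tables above.
REQUIRED = {
    "fwz": COMMON + [(C, F, "FW1_Encapsulation"), (F, C, "FW1_Encapsulation")],
    "isakmp": COMMON + [(C, F, "ISAKMP"), (C, F, "IPSEC"), (F, C, "IPSEC")],
}

@dataclass
class Rule:
    src: str       # object name or "Any"
    dst: str       # object name or "Any"
    service: str   # service name or "Any"
    action: str    # "Accept" or "Drop"

def decide(rules, src, dst, service):
    """First matching rule wins; anything unmatched is dropped."""
    for r in rules:
        if (r.src in (src, "Any") and r.dst in (dst, "Any")
                and r.service in (service, "Any")):
            return r.action
    return "Drop"

def missing_flows(rules, mode):
    """Required flows for `mode` that the rulebase does not accept."""
    return [f for f in REQUIRED[mode] if decide(rules, *f) != "Accept"]

def describe(flow):
    src, dst, svc = flow
    return f"{src} -> {dst} {svc} ({SERVICES[svc]})"

# Constructed local rulebase: outbound rules only, no return-direction rule.
LOCAL_RULES = [
    Rule(C, M, "FW1", "Accept"),
    Rule(C, F, "RDP", "Accept"),
    Rule(C, F, "ISAKMP", "Accept"),
    Rule(C, F, "IPSEC", "Accept"),
    Rule("Any", "Any", "Any", "Drop"),
]

if __name__ == "__main__":
    for mode in ("fwz", "isakmp"):
        for flow in missing_flows(LOCAL_RULES, mode):
            print(mode, "missing:", describe(flow))
```

With the constructed rulebase, the control flows (FW1, RDP, ISAKMP) are accepted while the encapsulated data flows are reported missing, so the output lists exactly the rules still to be added for each mode.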