
[FW-1] SecuRemote and Cisco Pix



Hi

We use SecuRemote here successfully, normally for dial-up users via a variety
of ISPs.  But I now need to configure a PC inside a customer's site, behind a
Cisco Pix using dynamic pool NAT.

I'm using FW Version 4.1 Build 341418, with SecuRemote build 4185.

The SecuRemote clients use IKE.

The Pix (which I have no control over) has had the following ports
opened:

UDP port 259 to negotiate encryption and authentication information.
UDP port 500 to negotiate encryption keys when IKE is used.
UDP port 2746 when UDP Encapsulation is used.
IP Protocol 50 bi-directionally when IKE is used.

Topology updates happen fine, and from the logs, it looks like the key
install works fine.  But whatever I do next gets dropped. viz:

8:35:12 authcrypt firewall   >daemon src 62.254.201.122 user smith rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: DES,IKE,SHA1
8:35:12 keyinst firewall   >daemon src 62.254.201.122 dst firewall IKE Log: Phase 1 (aggressive) completion. DES/SHA1/Pre shared secrets Negotiation Id: dfe037e2f8d82ac7-d4f0b2e9f1ee1941
8:35:13 keyinst firewall   >daemon proto ip src 62.254.201.122 dst firewall srckeyid 0x4fe59ebb dstkeyid 0x8b98ddd2 rule 0 scheme: IKE methods: Combined ESP: DES + SHA1 (phase 2 completion) for host: 192.168.24.30 and for subnet: 0.0.0.0 (mask= 0.0.0.0)
8:35:13 drop   firewall   >qfe0 proto tcp src 192.168.24.30 dst serv16 service telnet s_port 1034 len 48 rule 41

It does not seem to matter what the service I am trying to use is.

192.168.24.30 is the IP address of the PC, and 62.254.201.122 its
dynamically provided public address.

Can anyone assist me here please?

Alan Baker
ISC Networks
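
Added example, not part of the original post: a small Python script that correlates the log entries quoted above and reports any drop whose source address is the host named in an earlier phase 2 completion entry. The field layout is assumed from the four entries shown in the post only, and all function and pattern names are hypothetical.

```python
import re

# The four log entries from the post, each rejoined onto a single line.
LOG = """\
8:35:12 authcrypt firewall   >daemon src 62.254.201.122 user smith rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: DES,IKE,SHA1
8:35:12 keyinst firewall   >daemon src 62.254.201.122 dst firewall IKE Log: Phase 1 (aggressive) completion. DES/SHA1/Pre shared secrets Negotiation Id: dfe037e2f8d82ac7-d4f0b2e9f1ee1941
8:35:13 keyinst firewall   >daemon proto ip src 62.254.201.122 dst firewall srckeyid 0x4fe59ebb dstkeyid 0x8b98ddd2 rule 0 scheme: IKE methods: Combined ESP: DES + SHA1 (phase 2 completion) for host: 192.168.24.30 and for subnet: 0.0.0.0 (mask= 0.0.0.0)
8:35:13 drop   firewall   >qfe0 proto tcp src 192.168.24.30 dst serv16 service telnet s_port 1034 len 48 rule 41
"""

# Assumed layout: time, action, origin, ">interface", then free-form fields.
ENTRY = re.compile(r"^\s*(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<action>\S+)\s+"
                   r"(?P<origin>\S+)\s+>(?P<iface>\S+)\s+(?P<rest>.*)$")
# Phase 2 entry: outer (public) peer address and the inner host the keys are for.
PHASE2 = re.compile(r"src (?P<peer>\S+) .*\(phase 2 completion\) for host: (?P<host>\S+)")
FIELD = re.compile(r"\b(src|dst|service|rule) (\S+)")


def parse(text):
    """Yield one dict per line that matches the assumed entry layout."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.groupdict()


def drops_after_key_install(text):
    """Return drops whose src is a host named in an earlier phase 2 completion."""
    keyed = {}      # inner host -> public peer address seen in the phase 2 entry
    findings = []
    for e in parse(text):
        if e["action"] == "keyinst":
            m = PHASE2.search(e["rest"])
            if m:
                keyed[m["host"]] = m["peer"]
        elif e["action"] == "drop":
            f = dict(FIELD.findall(e["rest"]))
            if f.get("src") in keyed:
                findings.append({"time": e["time"], "iface": e["iface"],
                                 "peer": keyed[f["src"]], **f})
    return findings


if __name__ == "__main__":
    for hit in drops_after_key_install(LOG):
        print("{time} drop on {iface}: src {src} (keys installed via {peer}) "
              "-> {dst} {service}, rule {rule}".format(**hit))
```
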




   All contents © 2004 Network Presence, LLC. All rights reserved.