Re: [FW-1] Help on running Cisco PIX VPN Client through Checkpoint 4.1 to Cisco PIX firewall
Hi,

The Cisco Secure VPN client v1.x runs using tunnel mode. How are your clients configured - with AH or ESP?

If they are using AH then this will certainly not work through any form of NAT. This is because the header is being modified at the NAT stage, and since AH creates a hash based on the header as well as the payload, it will fail the integrity check.

If you are running the clients in ESP mode then you stand a slightly better chance, since it only uses the payload for hashing, BUT there are now issues with the IKE process. The most common setup is using pre-shared keys for the authentication method, which in the Cisco VPN client relies on the source IP address to work. If you are running through NAT then the IKE process will fail since the source IP address will have changed. Therefore:

Option 1: Run the VPN client device un-NATed.

Option 2: Use a VPN client/endpoint setup that supports UDP/TCP encapsulation. You could upgrade the PIX Firewall to version 6.x and use the newer Cisco VPN client v3.1/3.5 (developed from the VPN 3000 concentrator client). This supports UDP or TCP encapsulation of the IPsec packets to get around the above problems. Or use FW-1 with the SecuRemote clients; you can then run the clients from behind most firewalls running NAT or PAT and connect successfully.

Hope this helps.

Russell Siverland-Bishop
CCIE #4533

-----Original Message-----
From: John Beal [mailto:[email protected]]
Sent: 24 January 2002 23:45
To: [email protected]
Subject: [FW-1] Help on running Cisco PIX VPN Client through Checkpoint 4.1 to Cisco PIX firewall

Hi All,

This is the first time I've written to the mailing list for help, although I'm a daily reader and I've responded to a couple of inquiries in the past year.

First the vitals:
Parent site running Cisco PIX firewall, and parent company employees using Cisco PIX VPN Client 1.2 3DES.
Our site running Checkpoint 4.1 / SP4 on Nokia IP440 at IPSO 3.4.1.
Now the problem:

We have visiting execs from our parent company. They are trying to get VPN authentication from statically assigned IPs inside our network, across a manual NAT that dumps them to the Internet, up through the parent site Cisco PIX firewall. The NAT takes the statically assigned IP on the inside and puts it on an IP outside of the firewall (this IP is in our static and proxy ARP tables) for ANY service.

The execs enable the Cisco PIX VPN, they receive a message that they are enabled, but packets never return to the client side (upbound packets climb up to about 2000 but inbound packets remain at 0). Examining the Checkpoint firewall logs, I see the traffic over the NAT leaving, but I never see anything coming back. The Cisco firewall administrator at the parent site confirms that they are not blocking outbound packets to us; they can ping the outside of the NAT but they can't ping through the NAT to the exec with the Cisco PIX VPN.

This Cisco PIX VPN worked for an hour and then refused to work. To test the Cisco VPN client, we placed the exec's machine on the outside of the firewall and he authenticated with no problems.

I've read through the Checkpoint Admin manual and can't find anything. The Checkpoint and Cisco sites mention re-configuring the Properties\Encryption for Checkpoint to Cisco VPNs, but I shouldn't have to mess with that for a NAT, should I?

Any help is appreciated, otherwise we'll probably end up having a PIX firewall imposed upon us from our parent company.

Thanks,
John Beal II, Network Engineer II
Orcom Solutions, Inc.
1001 SW Disk Drive
Bend, OR 97702

NOTICE: This communication may contain proprietary or other confidential business information of Orcom Solutions, Inc. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received.
In addition, you should not print, copy, retransmit, disseminate, or otherwise use the information. Thank you.
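The AH versus ESP behaviour through NAT, and the IKE pre-shared-key dependence on the source address, that the reply above describes, as an added worked example that is not part of the thread and not code from Check Point or Cisco. The addresses, SPIs, integrity key and packet contents are constructed for illustration; the ESP payload is treated as opaque ciphertext (no encryption is performed), and the IP header checksum is left at zero. The ICV scopes follow RFC 2402 (AH) and RFC 2406 (ESP).

```python
"""AH and ESP integrity checks across a source NAT, plus a main-mode IKE
pre-shared-key lookup keyed on the initiator's address.

Added example for the FW-1 thread; not code from the list, Check Point or
Cisco. Addresses, SPIs, the integrity key and the payload are constructed.
"""
import hashlib
import hmac
import socket
import struct

PROTO_ESP, PROTO_AH = 50, 51
INTEGRITY_KEY = b"constructed-integrity-key"  # SA integrity key (constructed)
CLIENT_INSIDE, CLIENT_NATTED, PIX = "10.1.1.50", "198.51.100.7", "203.0.113.1"
# Gateway IKE policy: the pre-shared key is selected by the initiator's address
# (constructed table; the gateway knows the client by its inside address).
PRESHARED_KEYS = {CLIENT_INSIDE: b"constructed-psk"}


def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left zero for the example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def hmac96(data):
    """HMAC-SHA1-96 style ICV: HMAC truncated to 96 bits (12 bytes)."""
    return hmac.new(INTEGRITY_KEY, data, hashlib.sha1).digest()[:12]


def _ah_input(ip_hdr, ah_hdr, payload):
    """RFC 2402 3.3.3: the AH ICV covers the IP header with the mutable fields
    (TOS, flags/fragment offset, TTL, checksum) zeroed, the AH header with its
    ICV field zeroed, and the payload. Source and destination addresses are
    immutable and therefore covered, which is exactly what a NAT rewrites."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags / fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h) + ah_hdr[:12] + b"\0" * 12 + payload


def build_ah(src, dst, spi, seq, payload, next_hdr=4):
    ip = ip_header(src, dst, PROTO_AH)
    # next header, payload length (24-byte AH -> 24/4 - 2 = 4), reserved, SPI, seq, ICV
    ah = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\0" * 12
    return ip + ah[:12] + hmac96(_ah_input(ip, ah, payload)) + payload


def verify_ah(packet):
    ip, ah, payload = packet[:20], packet[20:44], packet[44:]
    return hmac.compare_digest(ah[12:], hmac96(_ah_input(ip, ah, payload)))


def build_esp(src, dst, spi, seq, ciphertext):
    """RFC 2406: the ESP ICV covers the ESP header (SPI, seq) and the
    ciphertext only; the outer IP header is not authenticated."""
    ip = ip_header(src, dst, PROTO_ESP)
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ip + esp + hmac96(esp)


def verify_esp(packet):
    body, icv = packet[20:-12], packet[-12:]
    return hmac.compare_digest(icv, hmac96(body))


def nat_source(packet, new_src):
    """What the outbound NAT does: rewrite the source address (and decrement
    TTL as any router would). Nothing inside AH or ESP is touched."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[12:16] = socket.inet_aton(new_src)
    return bytes(hdr) + packet[20:]


def ike_psk_for(src_ip):
    """Main-mode responder: the ID payload arrives encrypted, so the PSK must
    be chosen by the packet's source address. Behind NAT that is the NAT's
    address, not the client's, and the lookup misses."""
    return PRESHARED_KEYS.get(src_ip)


def through_nat():
    payload = b"inner IP packet (opaque ciphertext for ESP)"
    ah = build_ah(CLIENT_INSIDE, PIX, 0x1001, 1, payload)
    esp = build_esp(CLIENT_INSIDE, PIX, 0x2001, 1, payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_source(ah, CLIENT_NATTED)),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_source(esp, CLIENT_NATTED)),
        "psk_found_after_nat": ike_psk_for(CLIENT_NATTED) is not None,
    }


if __name__ == "__main__":
    for name, ok in through_nat().items():
        print(f"{name:20s} {ok}")
```

Running it shows the two halves of the argument separately: the AH packet fails its integrity check once the NAT rewrites the source address, the ESP packet still verifies because its ICV never covered the outer header, and the pre-shared-key lookup for the NATed source address comes back empty, which is the IKE failure the reply points at. UDP encapsulation (the later NAT-T style clients) works around the second problem by carrying the peer identity inside the tunnel rather than relying on the outer source address.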