
Re: [FW-1] Help on running Cisco PIX VPN Client through Checkpoint 4.1 to Cisco PIX firewall


  • To: [email protected]
  • Subject: Re: [FW-1] Help on running Cisco PIX VPN Client through Checkpoint 4.1 to Cisco PIX firewall
  • From: Russell Siverland-Bishop <[email protected]>
  • Date: Sat, 26 Jan 2002 14:28:44 +0000
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Hi,

The Cisco Secure VPN client v1.x runs using tunnel
mode.  How are your clients configured - with AH or
ESP?  If they are using AH then this will certainly
not work through any form of NAT.  This is because the
header is being modified at the NAT stage, and since
AH creates a hash based on the header as well as the
payload, it will fail the integrity check.  If you are
running the clients in ESP mode then you stand a
slightly better chance since it only uses the payload
for hashing, BUT........

There are now issues with the IKE process.  The most
common setup is using pre-shared keys for the
authentication method, which in the Cisco VPN client
relies on the source IP address to work.  If you are
running through NAT then the IKE process will fail
since the source IP address will have changed .....
therefore ....

Option 1: Run the VPN client device un-NAT'ed
Option 2: Use a VPN client/endpoint setup that
supports UDP/TCP encapsulation ......

You could upgrade the PIX Firewall to version 6.x and
use the newer Cisco VPN client v3.1/3.5 (developed
from the VPN 3000 concentrator client). This supports
UDP or TCP encapsulation of the IPSEC packets to get
around the above problems.  Or use FW-1 with the
SecureRemote clients ...

You can then run the clients from behind most
firewalls running NAT or PAT and connect successfully.

Hope this helps .....

Russell Siverland-Bishop
CCIE #4533
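The two failure points Russell describes (AH authenticating the IP addresses, and Main Mode pre-shared keys being selected by peer address) can be modelled in a few lines. The following is an added example written for this archive page, not code from Cisco, Check Point or either poster; it uses a constructed HMAC key, constructed addresses and a simplified AH/ESP layout (integrity check only, no encryption). It assumes HMAC-SHA1-96 as the authenticator and a static 1:1 NAT like the one John describes.

```python
"""Why AH breaks behind NAT while tunnel-mode ESP does not (added model).

Constructed example for the FW-1 thread; not vendor or poster code.
Models only the integrity check and the IKE PSK selection, nothing else.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"   # placeholder SA key, not a real one
ICV_LEN = 12                               # HMAC-SHA1-96 truncation

INSIDE_CLIENT = "10.1.1.50"     # constructed: exec's static inside address
NAT_PUBLIC = "192.0.2.50"       # constructed: its static NAT address on the outside
PIX_PEER = "198.51.100.1"       # constructed: parent-site PIX outside address


def _addr(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, length: int = 60) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; irrelevant to the model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0,
                       _addr(src), _addr(dst))


def nat_rewrite_source(ip_hdr: bytes, new_src: str) -> bytes:
    """What the static NAT does on the way out: swap source address, decrement TTL."""
    ttl = ip_hdr[8] - 1
    return ip_hdr[:8] + bytes([ttl]) + ip_hdr[9:12] + _addr(new_src) + ip_hdr[16:20]


def ah_icv(ip_hdr: bytes, ah_fields: bytes, payload: bytes) -> bytes:
    """AH (RFC 2402): ICV covers the IP header with only the mutable fields zeroed.
    Source and destination addresses are treated as immutable, so they ARE covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags / fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(KEY, bytes(h) + ah_fields + payload, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(esp_hdr: bytes, ciphertext: bytes) -> bytes:
    """ESP (RFC 2406): ICV covers SPI, sequence number and the encrypted payload only;
    the outer IP header is not authenticated at all."""
    return hmac.new(KEY, esp_hdr + ciphertext, hashlib.sha1).digest()[:ICV_LEN]


def ah_survives_nat() -> bool:
    """Client computes the AH ICV before NAT; the PIX recomputes over what it received."""
    payload = b"inner tunnel-mode packet"
    ah_fields = struct.pack("!BBHII", 4, 4, 0, 0x1001, 1)  # next hdr=IP-in-IP, len, rsvd, SPI, seq
    original = ipv4_header(INSIDE_CLIENT, PIX_PEER, 51)    # protocol 51 = AH
    icv = ah_icv(original, ah_fields, payload)
    on_the_wire = nat_rewrite_source(original, NAT_PUBLIC)
    return hmac.compare_digest(icv, ah_icv(on_the_wire, ah_fields, payload))


def esp_survives_nat() -> bool:
    """Same NAT, but ESP's ICV never looked at the outer header in the first place."""
    ciphertext = b"opaque encrypted tunnel payload"
    esp_hdr = struct.pack("!II", 0x2002, 1)                # SPI, sequence
    original = ipv4_header(INSIDE_CLIENT, PIX_PEER, 50)    # protocol 50 = ESP
    icv = esp_icv(esp_hdr, ciphertext)
    on_the_wire = nat_rewrite_source(original, NAT_PUBLIC)
    assert on_the_wire != original                         # the header really did change
    return hmac.compare_digest(icv, esp_icv(esp_hdr, ciphertext))


# IKE Main Mode with pre-shared keys: the responder must pick the PSK from the
# peer's IP address, because the peer's identity is only sent (encrypted) later.
PIX_PRESHARED_KEYS = {INSIDE_CLIENT: b"constructed-psk-for-exec-laptop"}  # constructed table


def ike_psk_lookup(source_ip_as_seen_by_pix: str):
    """Returns the PSK the PIX would select, or None when the (NATed) source is unknown."""
    return PIX_PRESHARED_KEYS.get(source_ip_as_seen_by_pix)


if __name__ == "__main__":
    print("AH ICV verifies after NAT:", ah_survives_nat())        # False
    print("ESP ICV verifies after NAT:", esp_survives_nat())      # True
    print("PSK found for NATed source:", ike_psk_lookup(NAT_PUBLIC) is not None)  # False
```

Running it shows the AH check failing and the ESP check passing for the identical NAT rewrite, and the PSK lookup coming back empty for the post-NAT address unless the gateway is configured with that address instead. That last point is why a static 1:1 NAT can still work for ESP if the peer entry on the PIX names the NAT address, whereas PAT cannot be fixed that way.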

-----Original Message-----
From: John Beal [mailto:[email protected]]
Sent: 24 January 2002 23:45
To: [email protected]
Subject: [FW-1] Help on running Cisco PIX VPN Client
through Checkpoint 4.1 to Cisco PIX firewall


Hi All,
   This is the first time I've written to the mailing
list for help, although I'm a daily reader and I've
responded to a couple of inquiries in the past year.
   First the vitals:
   Parent Site running Cisco PIX firewall and Parent
Company employees using Cisco PIX VPN Client 1.2 3DES
Our site running Checkpoint 4.1 / SP4 on Nokia IP440
at IPSO 3.4.1.
   Now the problem:
   We have visiting execs from our Parent company.
They are trying to get VPN authentication from
statically assigned IPs inside our network, across a
manual NAT that dumps them to the internet, up through
the Parent site Cisco PIX firewall.  The NAT takes the
statically assigned IP on the inside and puts it on an
IP outside of the firewall (this IP is in our static
and proxy ARP tables) for ANY service.
   The execs enable the Cisco PIX VPN, they receive a
message that they are enabled, but packets never
return to the client side (upbound packets climb up to
about 2000 but inbound packets remain at 0).
Examining the Checkpoint firewall logs, I see the
traffic over the NAT leaving, but I never see anything
coming back.  The Cisco firewall administrator at the
Parent Site confirms that they are not blocking
outbound packets to us, they can ping the outside of
the NAT but they can't ping through the NAT to the
exec with the Cisco PIX VPN.  This Cisco PIX VPN
worked for an hour and then refused to work.  To test
the Cisco VPN client, we placed the exec's machine on
the outside of the firewall and he authenticated with
no problems.
   I've read through the Checkpoint Admin manual and
can't find anything.  The Checkpoint and Cisco sites
mention re-configuring the Properties\Encryption for
Checkpoint to Cisco VPN's, but I shouldn't have to
mess with that for a NAT, should I?  Any help is
appreciated, otherwise we'll probably end up having a
PIX firewall imposed upon us from our Parent company.
Thanks,
John Beal II, Network Engineer II
Orcom Solutions, Inc.
1001 SW Disk Drive
Bend, OR 97702

NOTICE: This communication may contain proprietary or
other confidential business information of Orcom
Solutions, Inc. If you are not the intended recipient
or believe that you may have received this
communication in error, please reply to the sender
indicating that fact and delete the copy you received.
In addition, you should not print, copy, retransmit,
disseminate, or otherwise use the information. Thank
you.



   All contents © 2004 Network Presence, LLC. All rights reserved.