Re: [FW-1] UDP forwarding
If I'm correct, the Cisco VPN client is the SafeNet/Soft-PK VPN client rebranded, or so I'm told. NetScreen, among other vendors, also uses this product, rebranded.

It sounds like your troubled machine (the one with the VPN client installed) is a laptop or some other manner of system that is changing physical locations. The SafeNet client decides whether to start doing VPN encryption, along with its "I'm on the outside" assumption, based on the IP address of the box you're trying to talk to. Obviously you don't need to be talking to the FW if you're sitting on the inside of the net, but SafeNet doesn't know that unless you tell it.

Think of it this way:

"From Outside" packet flow:
  Client (VPN encrypted) --> FW external (encryption, translation, yadda yadda) --> FW internal --> Internal Host

"From Inside" desired packet flow:
  Client (unencrypted) --> Internal Host
  Note the FW is not involved.

"From Inside" not-so-desired packet flow:
  Client (VPN encrypted) --> FW internal --> woops, probably no policy for handling this on the firewall, packet gets munched...

To my knowledge there is no perfect solution to this, due to the way the SafeNet client works. You *can* tell the client to only do its thing when talking over a specific adapter (like the PPP adapter for dialup), and the rule will stick. But if you're using LAN-borne connectivity on both inside and outside locations, the only solution is to disable the client and/or its rules when inside the firewall, and to re-enable it when you're outside.

Now, I may have totally misunderstood your topology, forgive me if I have, but if not, hope this helps. :)

-----Original Message-----
From: Paraic [mailto:[email protected]]
Sent: Tuesday, February 12, 2002 6:30 AM
To: [email protected]
Subject: [FW-1] UDP forwarding

Hi,

I'm new to the list so here's another query. I am using a Cisco VPN client (for a Cisco 5000 concentrator) which tunnels over the net to a client's intranet.

This works perfectly when used as a dialup or when using a valid IP outside the FW (FW-1 4.1 sp2, NT), but once it's installed behind the FW, it fails to return the packets from the intranet. I have set up NAT for the machine with the VPN client behind the FW and set an ANY ANY ALL rule both ways on both the NATted IP and the internal IP when testing the client, and it seems to be allowing the packets (UDP) through, but they never arrive at the VPN client. The client can connect to the remote Cisco box and authenticate, but cannot contact any machines inside their intranet (no ICMP or TCP/UDP services).

As a stop-gap solution I have resorted to a program called HHProxy, which proxies UDP and TCP packets, and put it on a multihomed gateway machine outside the FW, connected via NIC to the internal net as well, but this is not a long-term solution. I have ACLs on our Cisco router to help with securing the box, but it is still a security risk.

Anyone had experience with this Cisco VPN client and how to get it to work with FW-1?
Cheers,
Paraic

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
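The three packet flows in the reply, as an added model that is not part of the thread and not the SafeNet or Cisco client's real code: a client whose only selector is the destination address encrypts toward the protected network wherever the laptop sits, so from inside the tunnelled packet lands on the firewall's internal interface with no matching policy. The rule object, adapter names, addresses and the firewall's behaviour are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class VpnRule:
    """Hypothetical client policy: encrypt to protected_net, optionally
    only when the packet leaves through bound_adapter (None = any)."""
    protected_net: str
    bound_adapter: Optional[str] = None

@dataclass
class Result:
    encrypted: bool
    delivered: bool
    path: List[str] = field(default_factory=list)

def client_encrypts(dst_ip: str, adapter: str, rule: VpnRule) -> bool:
    """Destination-based decision: the client has no notion of 'inside'."""
    in_selector = ip_address(dst_ip) in ip_network(rule.protected_net)
    adapter_ok = rule.bound_adapter in (None, adapter)
    return in_selector and adapter_ok

def simulate(location: str, adapter: str, dst_ip: str, rule: VpnRule,
             fw_internal_has_vpn_policy: bool = False) -> Result:
    """Walk the packet along the path the reply describes for each case."""
    enc = client_encrypts(dst_ip, adapter, rule)
    if location == "outside":
        if enc:   # "From Outside" flow: decrypt + NAT on the external side
            return Result(True, True, ["fw-external", "fw-internal", "host"])
        # cleartext from outside is not what the firewall expects; assume drop
        return Result(False, False, ["fw-external"])
    if not enc:   # "From Inside" desired flow: firewall not involved
        return Result(False, True, ["host"])
    # "From Inside" not-so-desired flow: tunnel packet hits the internal side
    if fw_internal_has_vpn_policy:   # assumed fix, not configured by default
        return Result(True, True, ["fw-internal", "host"])
    return Result(True, False, ["fw-internal"])   # "packet gets munched"

if __name__ == "__main__":
    # constructed sample: protected intranet is 10.0.0.0/8
    anywhere = VpnRule("10.0.0.0/8")
    dialup_only = VpnRule("10.0.0.0/8", bound_adapter="ppp0")
    for loc, nic, rule in [("outside", "ppp0", anywhere), ("inside", "eth0", anywhere),
                           ("inside", "eth0", dialup_only), ("outside", "eth0", dialup_only)]:
        r = simulate(loc, nic, "10.1.2.3", rule)
        print(f"{loc:7} via {nic}: encrypted={r.encrypted} delivered={r.delivered} {r.path}")
```

The last case shows the reply's caveat: binding the rule to the dial-up adapter stops the inside breakage but leaves a LAN-connected laptop outside sending cleartext.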