[FW-1] SecuRemote through PIX 515 - not working.
I've got a scenario here that should work without problems, but I am having some issues. It's probably obvious, but I cannot see it. I've got this working before in the lab to a different firewall, but here it is acting strange. I should have taken more detailed notes when I got this working before.

I've got a Win2000 box running SecuRemote 4199 BEHIND a Cisco PIX 515 firewall running PIX OS 6.1(2), connecting to a VPN-1 4.1 SP5 box.

1. The SR client CAN create the site and CAN get authenticated.
2. The SR client CANNOT connect to an INTERNAL host BEHIND the VPN-1 firewall.
3. The SR client CAN ping the INSIDE interfaces of the VPN-1 firewall after authenticating.
4. The SR client CAN connect to their INTERNAL host behind the VPN-1 firewall if placed 'outside' the Cisco PIX firewall (reconfigured using the real address; connection appears NORMAL).

General configuration (note: NOT the actual configuration):

  VPN-1 firewall host address:      4.3.2.1
  Internal interfaces of VPN-1:     qfe0 - 192.168.10.1
                                    qfe1 - 172.16.10.1
  PIX outside interface:            1.2.3.4
  SR client address:                10.10.10.1
  SR client translated address:     1.2.3.5

The Cisco PIX is configured with the following static and access-list:

  static (inside,outside) 1.2.3.5 10.10.10.1 netmask 255.255.255.255 0 0
  access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
  access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
  access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
  access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
  access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
  access-group sr_in in interface outside

With a sniffer on the SR side, behind the PIX, we can see encapsulated packets passing across at UDP port 2746. The SR client can, once authenticated, ping the internal interfaces of the firewall (172.16.10.1, 192.168.10.1) but cannot get to their configured internal client of 192.168.10.5. Place the SR client OUTSIDE the PIX and there is NO issue.
I've even tried substituting 'any' for the host configurations in the PIX access-lists to ensure that I don't have my access-lists causing the issues by host:

  access-list sr_in permit tcp any any eq 50
  access-list sr_in permit tcp any any eq 51
  access-list sr_in permit tcp any any eq 264
  access-list sr_in permit udp any any eq isakmp
  access-list sr_in permit udp any any eq 2746

In my PIX configuration I DO have 2 GLOBAL and NAT statements:

  global (outside) 1 1.2.3.6-1.2.3.10     - NAT translation
  global (outside) 1 1.2.3.11             - PAT translation
  nat (inside) 0 access-list 101          - PPTP inbound
  nat (inside) 1 10.0.0.0 255.0.0.0 0 0

Anybody who has done this before can probably tell me easily what I've got misconfigured. Any and all help would certainly be appreciated. Once I do get this entire configuration working, I will submit detailed documentation to Phoneboy so that it can be a reference for others. I know this has been done before, but I can find little documentation on the web for it.

Thanks.

Miles D. Oliver
Senior Systems Engineer
Cisco Systems - CCNA
Check Point Software - CCSA/CCSE
The Legnem Group Inc (LGI)
10450 Shaker Drive, Suite 208
Columbia, Maryland, USA 21046
VOICE / FAX / EMAIL: [email protected]
WEB: www.lgi.com
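Editor's added example, not part of the original post and not the poster's configuration: the same PIX 6.x static and outside-interface access-list, written with the post's illustrative addresses (SR client 10.10.10.1 translated to 1.2.3.5, VPN-1 gateway 4.3.2.1). It differs from the posted list in two points a practitioner would check first. First, ESP and AH are IP protocols 50 and 51, not TCP ports, so `permit tcp ... eq 50` and `eq 51` match nothing an IPsec peer sends; the PIX access-list takes them as the protocol keywords `esp` and `ah`. Second, in an access-list applied with `access-group ... in interface outside` the source is the outside peer and the destination is the global (translated) address, so the host pair is `host 4.3.2.1 host 1.2.3.5`, the reverse of the posted lines. Nothing on this page establishes that either point is the cause of the symptom (see the usage note), so treat it as the checklist item, not the diagnosis. Configuration fragment, not executed here.

```cisco
! Added example (editor), using the illustrative addresses from the post:
!   SR client 10.10.10.1, translated to 1.2.3.5; VPN-1 gateway 4.3.2.1.
!
! One-to-one static for the SR client. A static translates every IP protocol,
! so ESP (50) and AH (51) from 10.10.10.1 leave the PIX sourced from 1.2.3.5.
! A PAT address could not carry them, since they have no port numbers.
static (inside,outside) 1.2.3.5 10.10.10.1 netmask 255.255.255.255 0 0

! Inbound ACL on the outside interface.
!  - Direction: for "access-group ... in interface outside" the source is the
!    Internet peer (4.3.2.1) and the destination is the global address
!    (1.2.3.5), not the other way round.
!  - Protocol: 50 and 51 are IP protocol numbers, not TCP ports, so
!    "permit tcp ... eq 50" never matches IPsec; use the protocol keywords.
!    PIX 6.x keeps no connection state for ESP/AH, so these inbound permits
!    are needed even though the client is the one that brings the tunnel up.
access-list sr_in permit esp host 4.3.2.1 host 1.2.3.5
access-list sr_in permit ah host 4.3.2.1 host 1.2.3.5

! IKE (UDP 500) and FWZ encapsulation (UDP 2746) are UDP sessions the client
! opens from the inside, so their replies are already allowed by the PIX
! connection table. The permits below only matter if the gateway initiates.
access-list sr_in permit udp host 4.3.2.1 eq isakmp host 1.2.3.5 eq isakmp
access-list sr_in permit udp host 4.3.2.1 host 1.2.3.5 eq 2746

access-group sr_in in interface outside
```

Two caveats that follow from the post itself. The sniffer shows the tunnel traffic as UDP 2746, a client-initiated session that the PIX already passes statefully, which is consistent with the report that `any any` made no difference and means the ESP/AH lines above are unlikely to be what blocks 192.168.10.5; they become relevant for an IKE/ESP client. `show access-list sr_in` on the PIX reports a hit count per line, so a zero count on a line while the tunnel is up tells you that line is not being exercised at all. Separately, the configuration has `nat (inside) 0 access-list 101` with access-list 101 not shown; a `nat 0 access-list` exemption takes precedence over a static, so it is worth confirming that 101 does not also match 10.10.10.1, or the client would leave the PIX untranslated rather than as 1.2.3.5.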