
Re: [FW-1] SecuRemote through PIX 515 - not working.



I think your case is similar and I've still not solved it yet. Please refer to
my mail subject: [FW-1] SecureRemote with internal IP

We put a sniffer between the web server and the fw-1, and we found that the web
server sent back to the fw-1 but the fw-1 did not respond to the request,
and the communication was lost there.

I am still waiting for someone who can solve this problem. Can anyone confirm
that SecuRemote with an internal IP works, or that it will never work?

Regards

Terry

----- Original Message -----
From: "Miles D. Oliver" <[email protected]>
To: <[email protected]>
Sent: Tuesday, March 19, 2002 1:01 AM
Subject: [FW-1] SecuRemote through PIX 515 - not working.


> I've got a scenario here that should work without problems but am
> having some issues.  It's probably obvious, but I cannot see it.
>
> I've got this working before in the lab to a different firewall but
> here it is acting strange.  I should have taken more detailed notes
> when I got this working before.
>
> I've got a Win2000 box running SecuRemote 4199 BEHIND a Cisco PIX
> 515 firewall running PIX OS 6.1(2), to a VPN-1 4.1 SP5 box.
>
> 1. The SR client CAN create the site and CAN get Authenticated.
> 2. The SR client CANNOT connect to an INTERNAL host BEHIND the VPN-1
> firewall.
> 3. The SR client CAN ping the INSIDE interfaces of the VPN-1 firewall
> after authenticating.
> 4. The SR client CAN connect to their INTERNAL host behind the VPN-1
> firewall, if placed 'outside' the CISCO PIX firewall. (reconfigured
> using real Address, Connection appears = NORMAL)
>
> General configuration   (note = NOT actual configuration)
>
> VPN-1 firewall host is address 4.3.2.1
> Internal interfaces of VPN-1
> qfe0   -  192.168.10.1
> qfe1   -  172.16.10.1
> PIX outside interface is 1.2.3.4
> SR client address is 10.10.10.1
> SR client translated address is 1.2.3.5
>
> The Cisco PIX is configured with the following access-list.
>
> static (inside,outside) 1.2.3.5  10.10.10.1 netmask 255.255.255.255 0 0
>
> access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
> access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
> access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
> access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
> access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
> access-group sr_in in interface outside
>
> With a sniffer on the SR side, behind the PIX we can see encapsulated
> packets passing across at UDP port 2746.
>
> The SR client can, once authenticated, ping the internal interfaces
> of the firewall (172.16.10.1, 192.168.10.1) but cannot get to their
> configured internal client of 192.168.10.5.  Place the SR client
> OUTSIDE the PIX and there is NO issue.
>
> I've even tried substituting 'any' for host configurations in PIX
> access-lists to ensure that I don't have my access-lists causing the
> issues by host.
>
> access-list sr_in permit tcp any any eq 50
> access-list sr_in permit tcp any any eq 51
> access-list sr_in permit tcp any any eq 264
> access-list sr_in permit udp any any eq isakmp
> access-list sr_in permit udp any any eq 2746
>
> In my PIX configuration I DO have 2 GLOBAL and NAT statements
>
> global (outside) 1 1.2.3.6-1.2.3.10     - NAT translation
> global (outside) 1 1.2.3.11             - PAT translation
> nat (inside) 0 access-list 101          - PPTP inbound
> nat (inside) 1 10.0.0.0 255.0.0.0 0 0
>
> Anybody who has done this before can tell me what I've got
> misconfigured probably easily.
>
> Any and all help would certainly be appreciated.  Once I do get this
> entire configuration working I will submit to Phoneboy detailed
> documentation so that it can be a reference to others.  I know this
> has been done before but I can find little documentation on the web
> for it.
>
> Thanks.
>
> Miles D. Oliver
> Senior Systems Engineer
> Cisco Systems - CCNA
> Check Point Software - CCSA/CCSE
> The Legnem Group Inc (LGI)
> 10450 Shaker Drive  Suite 208
> Columbia Maryland USA 21046
> VOICE> FAX> EMAIL  [email protected]
> WEB    www.lgi.com
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

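As an added illustration (not from the thread or either poster), the following Python checker parses PIX 6.x access-list entries in the form quoted above and reports, for each service the list is meant to allow, whether a permit entry actually covers it from the translated client address to the VPN-1 gateway. It reads the list's 50 and 51 as the IP protocols ESP and AH rather than as TCP ports, which is the distinction a reviewer would verify in such a list; the addresses and ACL name are the placeholder values from the message, and whether this is the poster's actual fault the thread does not say.

```python
import re

# Keywords the PIX accepts; ESP and AH are IP protocols 50/51, not TCP/UDP ports.
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
PORT_NAMES = {"isakmp": 500}
# The five services the quoted ACL is trying to allow, reading its "50" and "51"
# as the IP protocols ESP and AH: (proto, port), port None for portless protocols.
SERVICES = [("udp", 500), ("tcp", 264), ("udp", 2746), ("esp", None), ("ah", None)]

# PIX 6.x ACE syntax as used in the thread: only 'any' and 'host X' endpoints.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")

# Constructed copy of the ACL quoted in the thread (placeholder addresses).
ACL_FROM_THREAD = """\
access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
access-group sr_in in interface outside
"""

def parse_ace(line):
    """Return a dict for one access-list entry, or None for any other line."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    proto, port = m.group("proto").lower(), m.group("port")
    if port is not None:  # named ports -> numbers; numeric strings -> int
        port = PORT_NAMES.get(port.lower(), int(port) if port.isdigit() else port)
    return {"action": m.group("action"), "src": m.group("src"), "dst": m.group("dst"),
            "proto": PROTO_NUMBERS.get(proto, int(proto) if proto.isdigit() else None),
            "port": port}

def endpoint_matches(spec, addr):  # 'any' matches all; 'host X' matches only X
    return spec == "any" or spec.split()[-1] == addr

def check_securemote(acl_text, client, gateway):
    """Map each service in SERVICES to True if some permit entry covers it."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a and a["action"] == "permit"]
    result = {}
    for proto, port in SERVICES:  # 'ip' (0) and a missing 'eq' act as wildcards
        result[f"{proto}/{port}" if port else proto] = any(
            a["proto"] in (PROTO_NUMBERS[proto], 0) and a["port"] in (port, None)
            and endpoint_matches(a["src"], client) and endpoint_matches(a["dst"], gateway)
            for a in aces)
    return result
```

Calling `check_securemote(ACL_FROM_THREAD, "1.2.3.5", "4.3.2.1")` reports udp/500, tcp/264 and udp/2746 as covered and esp and ah as not covered, because the two `tcp ... eq 50` and `eq 51` entries match TCP ports, not the IPsec protocols.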
