Re: [FW-1] SecuRemote through PIX 515 - not working.
I think your case is similar, and I've still not solved it yet. Please refer to my mail with the subject: [FW-1] SecureRemote with internal IP

We put a sniffer between the web server and the FW-1; we found that the web server sent back to the FW-1, but the FW-1 did not respond to the request, and the communication was lost there. I am still waiting for someone who can solve this problem.

Can anyone confirm whether SecuRemote with an internal IP works, or whether it will never work?

Regards
Terry

----- Original Message -----
From: "Miles D. Oliver" <[email protected]>
To: <[email protected]>
Sent: Tuesday, March 19, 2002 1:01 AM
Subject: [FW-1] SecuRemote through PIX 515 - not working.

> I've got a scenario here that should work without problems, but am
> having some issues. It's probably obvious, but I cannot see it.
>
> I've had this working before in the lab to a different firewall, but
> here it is acting strange. I should have taken more detailed notes
> when I got this working before.
>
> I've got a Win2000 box running SecuRemote 4199 BEHIND a Cisco PIX
> 515 firewall running PIX OS 6.1(2), to a VPN-1 4.1 SP5 box.
>
> 1. The SR client CAN create the site and CAN get authenticated.
> 2. The SR client CANNOT connect to an INTERNAL host BEHIND the VPN-1 firewall.
> 3. The SR client CAN ping the INSIDE interfaces of the VPN-1 firewall after authenticating.
> 4. The SR client CAN connect to their INTERNAL host behind the VPN-1
>    firewall if placed 'outside' the Cisco PIX firewall (reconfigured
>    using the real address; connection appears = NORMAL).
>
> General configuration (note = NOT actual configuration)
>
> VPN-1 firewall host is address 4.3.2.1
> Internal interfaces of VPN-1
>   qfe0 - 192.168.10.1
>   qfe1 - 172.16.10.1
> PIX outside interface is 1.2.3.4
> SR client address is 10.10.10.1
> SR client translated address is 1.2.3.5
>
> The Cisco PIX is configured with the following access-list.
>
> static (inside,outside) 1.2.3.5 10.10.10.1 netmask 255.255.255.255 0 0
>
> access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
> access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
> access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
> access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
> access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
> access-group sr_in in interface outside
>
> With a sniffer on the SR side, behind the PIX, we can see encapsulated
> packets passing across at UDP port 2746.
>
> The SR client can, once authenticated, ping the internal interfaces
> of the firewall (172.16.10.1, 192.168.10.1) but cannot get to their
> configured internal client of 192.168.10.5. Place the SR client
> OUTSIDE the PIX and there is NO issue.
>
> I've even tried substituting 'any' for host configurations in the PIX
> access-lists to ensure that I don't have my access-lists causing the
> issues by host.
>
> access-list sr_in permit tcp any any eq 50
> access-list sr_in permit tcp any any eq 51
> access-list sr_in permit tcp any any eq 264
> access-list sr_in permit udp any any eq isakmp
> access-list sr_in permit udp any any eq 2746
>
> In my PIX configuration I DO have 2 GLOBAL and NAT statements
>
> global (outside) 1 1.2.3.6-1.2.3.10    - NAT translation
> global (outside) 1 1.2.3.11            - PAT translation
> nat (inside) 0 access-list 101         - PPTP inbound
> nat (inside) 1 10.0.0.0 255.0.0.0 0 0
>
> Anybody who has done this before can probably easily tell me what I've
> got misconfigured.
>
> Any and all help would certainly be appreciated. Once I do get this
> entire configuration working I will submit detailed documentation to
> Phoneboy so that it can be a reference to others. I know this
> has been done before, but I can find little documentation on the web
> for it.
>
> Thanks.
>
> Miles D. Oliver
> Senior Systems Engineer
> Cisco Systems - CCNA
> Check Point Software - CCSA/CCSE
> The Legnem Group Inc (LGI)
> 10450 Shaker Drive Suite 208
> Columbia Maryland USA 21046
> VOICE> FAX> EMAIL [email protected]
> WEB www.lgi.com
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
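One check a reader can apply to the PIX access-list quoted above, as an added example that is not part of either message and not a Check Point or Cisco tool: the entries `permit tcp ... eq 50` and `permit tcp ... eq 51` match TCP destination ports 50 and 51, whereas ESP and AH are IP protocols 50 and 51 and are written on a PIX as `permit esp` and `permit ah` with no port. The linter below parses PIX 6.x access-list lines, flags that mistake and prints the entry rewritten in the protocol-keyword form. The sample ACL is a constructed copy of the lines in the post, with the poster's own placeholder addresses; the ESP/AH keyword rewrite is the assumed correct PIX syntax.

```python
"""
ACL linter for Cisco PIX 6.x access-list entries.

Added example for this page (not the poster's tool and not PIX code).
It parses access-list lines, flags entries that name an IP protocol
number (ESP = 50, AH = 51) as a TCP or UDP port, and rewrites them
with the protocol keyword PIX expects.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers commonly mistyped as ports, with the PIX keyword.
IP_PROTOCOL_KEYWORDS = {50: "esp", 51: "ah"}

# Service names PIX accepts after "eq"; only the one used in the post.
PORT_NAMES = {"isakmp": 500}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Finding:
    line: str      # the offending entry, stripped
    problem: str   # why it does not do what was intended
    fixed: str     # replacement entry in PIX syntax


def _port_number(token: Optional[str]) -> Optional[int]:
    """Resolve an 'eq' argument (number or PIX service name) to an integer."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unrecognised port token {token!r}")


def lint_ace(line: str) -> Optional[Finding]:
    """Return a Finding for one access-list entry, or None if it is fine."""
    m = ACE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an access-list entry: {line!r}")
    proto = m["proto"].lower()
    port = _port_number(m["port"])
    if proto in ("tcp", "udp") and port in IP_PROTOCOL_KEYWORDS:
        keyword = IP_PROTOCOL_KEYWORDS[port]
        fixed = f"access-list {m['name']} {m['action']} {keyword} {m['src']} {m['dst']}"
        problem = (f"{port} is IP protocol {keyword.upper()}, not a {proto} port; "
                   f"'{proto} ... eq {port}' never matches {keyword.upper()} packets")
        return Finding(line.strip(), problem, fixed)
    return None


def lint_acl(config: str) -> List[Finding]:
    """Lint every access-list line in a config snippet; other lines are ignored."""
    findings = []
    for raw in config.splitlines():
        if raw.strip().startswith("access-list "):
            finding = lint_ace(raw)
            if finding:
                findings.append(finding)
    return findings


def corrected_acl(config: str) -> str:
    """Return the snippet with each flagged entry replaced by its fixed form."""
    fixes = {f.line: f.fixed for f in lint_acl(config)}
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    return "\n".join(fixes.get(l, l) for l in lines)


# Constructed copy of the access-list from the post (placeholder addresses).
POSTED_ACL = """\
access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
access-group sr_in in interface outside
"""

if __name__ == "__main__":
    for f in lint_acl(POSTED_ACL):
        print(f"{f.line}\n  -> {f.problem}\n  -> {f.fixed}")
    print(corrected_acl(POSTED_ACL))
```

Two caveats on what this check does and does not tell you. First, the poster's sniffer shows the tunnel traffic crossing on udp/2746, which is FW-1's UDP encapsulation of IPsec; with that in use no bare ESP or AH packet reaches the PIX, so the two mistyped entries are hygiene rather than the cause of the symptom. Second, `access-group sr_in in interface outside` filters packets arriving from the Internet, and the PIX keeps state for the UDP flows the client originates, so these inbound entries only matter for packets the VPN-1 itself initiates toward 1.2.3.5.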