
Re: [FW-1] SecuRemote through PIX 515 - not working.



SecuRemote with internal ip will work (using IKE+udp enc). But consider the
following:
- once the packet is decrypted it will get its original (internal) ip
address
- routing in your lan to this SecuRemote address might send the packet
elsewhere
- IP NAT Pool for SecuRemote solves this.

Lars
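Lars's point that the decrypted packet keeps the client's internal source address, as an added illustration that is not part of the thread: a small Python model of the internal server's reply path under longest-prefix routing, using the example addresses from the thread. The 10.0.0.0/8 route via a WAN router, the 192.168.50.0/24 pool range and the next-hop names are constructed assumptions.

```python
"""Model of the SecuRemote return-path problem (constructed example)."""
from ipaddress import ip_address, ip_network

# Addresses from the thread (the poster says they are not the real ones).
SR_CLIENT_PRIVATE = ip_address("10.10.10.1")  # client behind the PIX
SR_CLIENT_PUBLIC = ip_address("1.2.3.5")      # client placed outside the PIX
POOL_ADDRESS = ip_address("192.168.50.10")    # assumed IP-pool NAT address

# Assumed LAN routing table for the subnet holding 192.168.10.5:
# (prefix, next hop).  The 10.0.0.0/8 route to a WAN router is the
# "routing in your LAN might send the packet elsewhere" case.
LAN_ROUTES = [
    (ip_network("192.168.10.0/24"), "directly connected"),
    (ip_network("192.168.50.0/24"), "vpn-1"),  # pool must route to the firewall
    (ip_network("10.0.0.0/8"), "wan-router"),
    (ip_network("0.0.0.0/0"), "vpn-1"),
]


def next_hop(dst, routes=LAN_ROUTES):
    """Longest-prefix match, as a router chooses the path for a reply."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(client_src, pool_nat=None):
    """Next hop taken by the internal server's reply to the SR client.

    client_src is the source the VPN-1 sees after decrypting the inner
    packet (the PIX NAT only changed the outer UDP/2746 header).  pool_nat,
    if given, is the routable address the firewall substitutes for the
    client before forwarding into the LAN (IP pool NAT for SecuRemote).
    """
    inner_src = client_src if pool_nat is None else pool_nat
    return next_hop(inner_src)  # the server answers the source it saw


def session_works(client_src, pool_nat=None):
    """The tunnel only completes if the reply returns to the VPN-1.

    Pinging the firewall's inside interface works regardless, because the
    firewall itself answers without a LAN routing hop, which matches the
    symptoms described in the thread.
    """
    return reply_path(client_src, pool_nat) == "vpn-1"
```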

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Terry
> Cheung
> Sent: Tuesday, March 19, 2002 09:13
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through PIX 515 - not working.
>
>
> I think your case is similar and I've still not solved it yet. Please refer to
> my mail subject: [FW-1] SecureRemote with internal IP
>
> We put a sniffer between the web server and the fw-1, we found
> that the web
> server sent back to the fw-1 but the fw-1 did not respond to the request.
> And the communication was lost there.
>
> I am still waiting for someone who can solve this problem. Can anyone confirm
> whether SecuRemote with an internal IP works or if it will never work?
>
> Regards
>
> Terry
>
> ----- Original Message -----
> From: "Miles D. Oliver" <[email protected]>
> To: <[email protected]>
> Sent: Tuesday, March 19, 2002 1:01 AM
> Subject: [FW-1] SecuRemote through PIX 515 - not working.
>
>
> > I've got a scenario here that should work without problems but am
> > having some issues.  It's probably obvious, but I cannot see it.
> >
> > I've got this working before in the lab to a different firewall but
> > here it is acting strange.  I should have taken more detailed notes
> > when I got this working before.
> >
> > I've got a Win2000 box running SecuRemote 4199 BEHIND a Cisco PIX
> > 515 firewall running PIX OS 6.1(2), to a VPN-1 4.1 SP5 box.
> >
> > 1. The SR client CAN create the site and CAN get Authenticated.
> > 2. The SR client CANNOT connect to an INTERNAL host BEHIND the VPN-1
> > firewall.
> > 3. The SR client CAN ping the INSIDE interfaces of the VPN-1 firewall
> > after authenticating.
> > 4. The SR client CAN connect to their INTERNAL host behind the VPN-1
> > firewall, if placed 'outside' the CISCO PIX firewall. (reconfigured
> > using real Address, Connection appears = NORMAL)
> >
> > General configuration   (note = NOT actual configuration)
> >
> > VPN-1 firewall host is address 4.3.2.1
> > Internal interfaces of VPN-1
> > qfe0   -  192.168.10.1
> > qfe1   -  172.16.10.1
> > PIX outside interface is 1.2.3.4
> > SR client address is 10.10.10.1
> > SR client translated address is 1.2.3.5
> >
> > The Cisco PIX is configured with the following access-list.
> >
> > static (inside,outside) 1.2.3.5  10.10.10.1 netmask 255.255.255.255 0 0
> >
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
> > access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
> > access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
> > access-group sr_in in interface outside
> >
> > With a sniffer on the SR side, behind the PIX we can see encapsulated
> > packets passing across at UDP port 2746.
> >
> > The SR client can, once authenticated, ping the internal interfaces
> > of the firewall (172.16.10.1, 192.168.10.1) but cannot get to their
> > configured internal client of 192.168.10.5.  Place the SR client
> > OUTSIDE the PIX and there is NO issue.
> >
> > I've even tried substituting 'any' for host configurations in PIX
> > access-lists to ensure that I don't have my access-lists causing the
> > issues by host.
> >
> > access-list sr_in permit tcp any any eq 50
> > access-list sr_in permit tcp any any eq 51
> > access-list sr_in permit tcp any any eq 264
> > access-list sr_in permit udp any any eq isakmp
> > access-list sr_in permit udp any any eq 2746
> >
> > In my PIX configuration I DO have 2 GLOBAL and NAT statements
> >
> > global (outside) 1 1.2.3.6-1.2.3.10     - NAT translation
> > global (outside) 1 1.2.3.11             - PAT translation
> > nat (inside) 0 access-list 101          - PPTP inbound
> > nat (inside) 1 10.0.0.0 255.0.0.0 0 0
> >
> > Anybody who has done this before can tell me what I've got
> > misconfigured probably easily.
> >
> > Any and all help would certainly be appreciated.  Once I do get this
> > entire configuration working I will submit to Phoneboy detailed
> > documentation so that it can be a reference to others.   I know this
> > has been done before but I can find little documentation on the web
> > for it.
> >
> > Thanks.
> >
> > Miles D. Oliver
> > Senior Systems Engineer
> > Cisco Systems - CCNA
> > Check Point Software - CCSA/CCSE
> > The Legnem Group Inc (LGI)
> > 10450 Shaker Drive  Suite 208
> > Columbia Maryland USA 21046
> > VOICE
> > FAX
> > EMAIL  [email protected]
> > WEB    www.lgi.com
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
>
