Re: [FW-1] SecuRemote through PIX 515 - not working.
SecuRemote with an internal IP will work (using IKE + UDP encapsulation). But consider the following:

- once the packet is decrypted it will get its original (internal) IP address
- routing in your LAN to this SecuRemote address might send the packet elsewhere
- IP NAT Pool for SecuRemote solves this.

Lars

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Terry Cheung
> Sent: Tuesday, March 19, 2002 09:13
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through PIX 515 - not working.
>
> I think your case is similar and I've still not solved it yet. Please refer to my mail with subject: [FW-1] SecureRemote with internal IP
>
> We put a sniffer between the web server and the fw-1; we found that the web server sent back to the fw-1 but the fw-1 did not respond to the request. And the communication was lost there.
>
> I am still waiting for someone who can solve this problem. Can anyone confirm whether SecuRemote with an internal IP works or will never work?
>
> Regards
>
> Terry
>
> > ----- Original Message -----
> > From: "Miles D. Oliver" <[email protected]>
> > To: <[email protected]>
> > Sent: Tuesday, March 19, 2002 1:01 AM
> > Subject: [FW-1] SecuRemote through PIX 515 - not working.
> >
> > I've got a scenario here that should work without problems but am having some issues. It's probably obvious, but I cannot see it.
> >
> > I've got this working before in the lab to a different firewall but here it is acting strange. I should have taken more detailed notes when I got this working before.
> >
> > I've got a Win2000 box running SecuRemote 4199 BEHIND a Cisco PIX 515 firewall running PIX OS 6.1(2), to a VPN-1 4.1 SP5 box.
> >
> > 1. The SR client CAN create the site and CAN get Authenticated.
> > 2. The SR client CANNOT connect to an INTERNAL host BEHIND the VPN-1 firewall.
> > 3. The SR client CAN ping the INSIDE interfaces of the VPN-1 firewall after authenticating.
> > 4. The SR client CAN connect to their INTERNAL host behind the VPN-1 firewall, if placed 'outside' the CISCO PIX firewall. (reconfigured using real Address, Connection appears = NORMAL)
> >
> > General configuration (note = NOT actual configuration)
> >
> > VPN-1 firewall host is address 4.3.2.1
> > Internal interfaces of VPN-1
> >   qfe0 - 192.168.10.1
> >   qfe1 - 172.16.10.1
> > PIX outside interface is 1.2.3.4
> > SR client address is 10.10.10.1
> > SR client translated address is 1.2.3.5
> >
> > The Cisco PIX is configured with the following access-list.
> >
> > static (inside,outside) 1.2.3.5 10.10.10.1 netmask 255.255.255.255 0 0
> >
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
> > access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
> > access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
> > access-group sr_in in interface outside
> >
> > With a sniffer on the SR side, behind the PIX, we can see encapsulated packets passing across at UDP port 2746.
> >
> > The SR client can, once authenticated, ping the internal interfaces of the firewall (172.16.10.1, 192.168.10.1) but cannot get to their configured internal client of 192.168.10.5. Place the SR client OUTSIDE the PIX and there is NO issue.
> >
> > I've even tried substituting 'any' for host configurations in PIX access-lists to ensure that I don't have my access-lists causing the issues by host.
> >
> > access-list sr_in permit tcp any any eq 50
> > access-list sr_in permit tcp any any eq 51
> > access-list sr_in permit tcp any any eq 264
> > access-list sr_in permit udp any any eq isakmp
> > access-list sr_in permit udp any any eq 2746
> >
> > In my PIX configuration I DO have 2 GLOBAL and NAT statements
> >
> > global (outside) 1 1.2.3.6-1.2.3.10 - NAT translation
> > global (outside) 1 1.2.3.11 - PAT translation
> > nat (inside) 0 access-list 101 - PPTP inbound
> > nat (inside) 1 10.0.0.0 255.0.0.0 0 0
> >
> > Anybody who has done this before can probably tell me easily what I've got misconfigured.
> >
> > Any and all help would certainly be appreciated. Once I do get this entire configuration working I will submit detailed documentation to Phoneboy so that it can be a reference to others. I know this has been done before but I can find little documentation on the web for it.
> >
> > Thanks.
> >
> > Miles D. Oliver
> > Senior Systems Engineer
> > Cisco Systems - CCNA
> > Check Point Software - CCSA/CCSE
> > The Legnem Group Inc (LGI)
> > 10450 Shaker Drive Suite 208
> > Columbia Maryland USA 21046
> > VOICE>
> > FAX>
> > EMAIL [email protected]
> > WEB www.lgi.com
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
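The routing problem Lars describes (the decrypted packet keeps the client's internal source address, so the reply from an internal host follows whatever route the LAN has for that address, which need not lead back to the VPN-1 gateway) can be made concrete with a longest-prefix-match lookup. The script below is an added example and not part of this thread; the routing table, the 10/8 summary route pointing at a core router, and the 192.168.99.0/24 SecuRemote IP pool are constructed assumptions that reuse the explicitly non-real addresses from Miles' post. It shows why an internal host's reply to 10.10.10.1 can go astray while a reply to a pool address lands on the gateway that can re-encrypt it.

```python
"""Return-path check for SecuRemote clients behind a VPN-1 gateway.

Added example, not code from the mailing-list thread. The routing table
and the NAT pool prefix are constructed for illustration.
"""
import ipaddress
from typing import Optional

VPN_GATEWAY_INSIDE = "192.168.10.1"   # VPN-1 qfe0 from the post (non-real address)
SECUREMOTE_POOL = "192.168.99.0/24"   # assumed IP NAT pool for SecuRemote clients

# Constructed routing table as seen from an internal host such as 192.168.10.5:
# (prefix, next hop). A LAN often carries a 10/8 summary route towards some core
# router; that is the "might send the packet elsewhere" case Lars mentions.
INTERNAL_ROUTES = [
    ("192.168.10.0/24", "direct"),
    ("10.0.0.0/8", "192.168.10.254"),          # assumed core router, not the VPN gateway
    (SECUREMOTE_POOL, VPN_GATEWAY_INSIDE),     # pool is routed to the VPN-1 gateway
    ("0.0.0.0/0", VPN_GATEWAY_INSIDE),         # default route via the VPN-1 gateway
]


def next_hop(dst: str, routes=INTERNAL_ROUTES) -> Optional[str]:
    """Longest-prefix-match lookup: which next hop an internal host uses for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_reaches_vpn_gateway(client_addr: str, routes=INTERNAL_ROUTES) -> bool:
    """True when the internal host hands its reply to the VPN-1 gateway, the only
    device holding the IPsec SA that can encrypt it back towards the client."""
    return next_hop(client_addr, routes) == VPN_GATEWAY_INSIDE


def diagnose(client_addr: str, routes=INTERNAL_ROUTES) -> str:
    """One-line explanation of where an internal host's reply to the client goes."""
    hop = next_hop(client_addr, routes)
    if hop == VPN_GATEWAY_INSIDE:
        return f"ok: replies to {client_addr} reach the VPN-1 gateway ({hop})"
    return (f"broken: replies to {client_addr} are routed to {hop}, "
            f"not to the VPN-1 gateway; assign the client an address from {SECUREMOTE_POOL}")


def allocate_pool_address(in_use, pool: str = SECUREMOTE_POOL) -> str:
    """Hand out the first free host address from the SecuRemote pool."""
    for host in ipaddress.ip_network(pool).hosts():
        if str(host) not in in_use:
            return str(host)
    raise RuntimeError("SecuRemote pool exhausted")


if __name__ == "__main__":
    print(diagnose("10.10.10.1"))                     # the client's own internal address
    pooled = allocate_pool_address(set())             # what IP pool NAT would hand out
    print(diagnose(pooled))
```

Pinging the gateway's own interfaces succeeding while hosts behind it fail is consistent with this picture: the gateway answers its own pings and needs no LAN route, whereas a reply from 192.168.10.5 must first find its way back to the gateway.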
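A second added example, also not from the thread: a small linter for the PIX access-list lines Miles posted. It checks that the services SecuRemote uses in UDP-encapsulation mode are permitted (IKE on udp/500, the FW1_topo topology download on tcp/264 and the encapsulated IPsec on udp/2746) and flags two things a reviewer would raise: rules written as "permit tcp ... eq 50" and "eq 51" match TCP ports 50 and 51, whereas ESP and AH are IP protocols 50 and 51 (harmless here, since UDP encapsulation carries the IPsec traffic on udp/2746, but they do not permit native IPsec), and any-to-any rules left over from debugging. The PIX syntax "permit esp"/"permit ah" suggested in the finding text is an assumption about the PIX CLI; the parser handles only the rule shapes seen in the post.

```python
"""Linter for the PIX access-list rules posted in the thread.

Added example; not part of the thread and unaware of the poster's real network.
Only the 'access-list NAME permit tcp|udp SRC DST eq PORT' shapes from the
post are parsed; everything else is skipped.
"""
import re

# Check Point VPN-1 / SecuRemote services a gateway must accept from a client.
SECUREMOTE_SERVICES = {
    ("udp", 500): "IKE (isakmp)",
    ("tcp", 264): "FW1_topo (topology download)",
    ("udp", 2746): "VPN1_IPSEC_encapsulation (UDP-encapsulated IPsec)",
}
# ESP and AH are IP protocol numbers, not TCP ports.
IP_PROTOCOL_NUMBERS = {50: "esp", 51: "ah"}
PORT_NAMES = {"isakmp": 500}

# Rules from Miles' post (addresses are the non-real ones he used).
POSTED_HOST_RULES = [
    "access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50",
    "access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51",
    "access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264",
    "access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp",
    "access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746",
    "access-group sr_in in interface outside",
]
POSTED_ANY_RULES = [
    "access-list sr_in permit tcp any any eq 50",
    "access-list sr_in permit tcp any any eq 51",
    "access-list sr_in permit tcp any any eq 264",
    "access-list sr_in permit udp any any eq isakmp",
    "access-list sr_in permit udp any any eq 2746",
]

RULE_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+"
    r"(host\s+\S+|any)\s+(host\s+\S+|any)\s+eq\s+(\S+)$"
)


def parse_rule(line: str):
    """Return a dict for a permit rule in the supported shape, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    acl, proto, src, dst, port = m.groups()
    if port in PORT_NAMES:
        port_num = PORT_NAMES[port]
    elif port.isdigit():
        port_num = int(port)
    else:
        return None  # unknown service keyword; not something this linter understands
    return {"acl": acl, "proto": proto, "src": src.replace("host ", ""),
            "dst": dst.replace("host ", ""), "port": port_num}


def lint_rules(lines):
    """Return a list of findings; an empty list means nothing to report."""
    findings, covered = [], set()
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue
        covered.add((rule["proto"], rule["port"]))
        if rule["proto"] == "tcp" and rule["port"] in IP_PROTOCOL_NUMBERS:
            name = IP_PROTOCOL_NUMBERS[rule["port"]]
            findings.append(f"{line.strip()}: TCP port {rule['port']} is not IP protocol "
                            f"{name}; native IPsec would need 'permit {name} ...' "
                            f"(not needed while UDP encapsulation on udp/2746 is used)")
        if rule["src"] == "any" and rule["dst"] == "any":
            findings.append(f"{line.strip()}: any-to-any rule; restrict to the client "
                            f"and gateway addresses once debugging is finished")
    for key, desc in SECUREMOTE_SERVICES.items():
        if key not in covered:
            findings.append(f"missing {desc}: {key[0]}/{key[1]}")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(POSTED_HOST_RULES + POSTED_ANY_RULES):
        print(finding)
```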