
Re: [FW-1] SecuRemote through PIX 515 - not working.



I've done all of that, using IKE + UDP encapsulation and an IP pool. It is still not working. We found
that the traffic went through the fw-1 to the web server and was sent from
the web server back to the fw-1, but the fw-1 did not respond to the request.
We used a sniffer to capture the traffic and confirmed that the IP address on
the packet was the same as the IP pool translated address.

Terry

At 12:12 PM 2002/3/19 +0100, you wrote:
SecuRemote with an internal IP will work (using IKE + UDP encapsulation). But consider the
following:
- once the packet is decrypted it will get its original (internal) IP
address
- routing in your LAN to this SecuRemote address might send the packet
elsewhere
- an IP NAT pool for SecuRemote solves this.

Lars

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]]On Behalf Of Terry
> Cheung
> Sent: Tuesday, March 19, 2002 09:13
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote through PIX 515 - not working.
>
>
> I think your case is similar, and I've still not solved it yet. Please refer to
> my mail with subject: [FW-1] SecureRemote with internal IP
>
> We put a sniffer between the web server and the fw-1, and we found
> that the web
> server sent back to the fw-1 but the fw-1 did not respond to the request.
> And the communication was lost there.
>
> I am still waiting for someone who can solve this problem. Can anyone confirm
> whether SecuRemote with an internal IP works, or whether it will never work?
>
> Regards
>
> Terry
>
> ----- Original Message -----
> From: "Miles D. Oliver" <[email protected]>
> To: <[email protected]>
> Sent: Tuesday, March 19, 2002 1:01 AM
> Subject: [FW-1] SecuRemote through PIX 515 - not working.
>
>
> > I've got a scenario here that should work without problems but am
> > having some issues.  It's probably obvious, but I cannot see it.
> >
> > I've got this working before in the lab to a different firewall but
> > here it is acting strange.  I should have taken more detailed notes
> > when I got this working before.
> >
> > I've got a Win2000 box running SecuRemote 4199 BEHIND a Cisco PIX
> > 515 firewall running PIX OS 6.1(2), to a VPN-1 4.1 SP5 box.
> >
> > 1. The SR client CAN create the site and CAN get Authenticated.
> > 2. The SR client CANNOT connect to an INTERNAL host BEHIND the VPN-1
> > firewall.
> > 3. The SR client CAN ping the INSIDE interfaces of the VPN-1 firewall
> > after authenticating.
> > 4. The SR client CAN connect to their INTERNAL host behind the VPN-1
> > firewall, if placed 'outside' the CISCO PIX firewall. (reconfigured
> > using real Address, Connection appears = NORMAL)
> >
> > General configuration (note: NOT actual configuration)
> >
> > VPN-1 firewall host is address 4.3.2.1
> > Internal interfaces of VPN-1
> > qfe0   -  192.168.10.1
> > qfe1   -  172.16.10.1
> > PIX outside interface is 1.2.3.4
> > SR client address is 10.10.10.1
> > SR client translated address is 1.2.3.5
> >
> > The Cisco PIX is configured with the following access-list.
> >
> > static (inside,outside) 1.2.3.5  10.10.10.1 netmask 255.255.255.255 0 0
> >
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 50
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 51
> > access-list sr_in permit tcp host 1.2.3.5 host 4.3.2.1 eq 264
> > access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq isakmp
> > access-list sr_in permit udp host 1.2.3.5 host 4.3.2.1 eq 2746
> > access-group sr_in in interface outside
> >
> > With a sniffer on the SR side, behind the PIX we can see encapsulated
> > packets passing across at UDP port 2746.
> >
> > The SR client can, once authenticated, ping the internal interfaces
> > of the firewall (172.16.10.1, 192.168.10.1) but cannot get to their
> > configured internal client of 192.168.10.5.  Place the SR client
> > OUTSIDE the PIX and there is NO issue.
> >
> > I've even tried substituting 'any' for host configurations in PIX
> > access-lists to ensure that I don't have my access-lists causing the
> > issues by host.
> >
> > access-list sr_in permit tcp any any eq 50
> > access-list sr_in permit tcp any any eq 51
> > access-list sr_in permit tcp any any eq 264
> > access-list sr_in permit udp any any eq isakmp
> > access-list sr_in permit udp any any eq 2746
> >
> > In my PIX configuration I DO have 2 GLOBAL and NAT statements
> >
> > global (outside) 1 1.2.3.6-1.2.3.10     - NAT translation
> > global (outside) 1 1.2.3.11             - PAT translation
> > nat (inside) 0 access-list 101          - PPTP inbound
> > nat (inside) 1 10.0.0.0 255.0.0.0 0 0
> >
> > Anybody who has done this before can tell me what I've got
> > misconfigured probably easily.
> >
> > Any and all help would certainly be appreciated.  Once I do get this
> > entire configuration working I will submit to Phoneboy detailed
> > documentation so that it can be a reference to others.   I know this
> > has been done before but I can find little documentation on the web
> > for it.
> >
> > Thanks.
> >
> > Miles D. Oliver
> > Senior Systems Engineer
> > Cisco Systems - CCNA
> > Check Point Software - CCSA/CCSE
> > The Legnem Group Inc (LGI)
> > 10450 Shaker Drive  Suite 208
> > Columbia Maryland USA 21046
> > VOICE
> > FAX
> > EMAIL  [email protected]
> > WEB    www.lgi.com
> >

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
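The exchange above turns on Lars's point that once VPN-1 decrypts the packet it carries the client's original internal address: the PIX static only rewrote the outer, encrypted packet, so the inner header still says 10.10.10.1, and the web server's reply is routed by the LAN toward wherever 10.0.0.0/8 points rather than back to the VPN-1. The following Python model is added here as an illustration and is not from the list or from Check Point. It walks one request and its reply through a constructed LAN routing table, once without and once with an IP pool for SecuRemote. The 10.0.0.0/8 route to 192.168.10.254, the pool range 192.168.99.0/24 and the pool address 192.168.99.10 are assumptions; the other addresses come from the "general configuration" in the thread, which its author notes is not his actual one.

```python
"""Added model (not from the thread): why a SecuRemote client with an internal
address can authenticate but never see a reply, and why an IP NAT pool fixes it.
All addresses are constructed from the thread's illustrative configuration."""
import ipaddress
from dataclasses import dataclass, replace

SR_INTERNAL_IP = "10.10.10.1"   # SecuRemote client's real address behind the PIX
WEB_SERVER = "192.168.10.5"     # internal host behind the VPN-1
VPN1_INSIDE = "192.168.10.1"    # VPN-1 qfe0 from the thread's configuration
SR_POOL_IP = "192.168.99.10"    # assumed address taken from a SecuRemote IP pool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed routing table of the internal 192.168.10.0/24 segment.
# The important entry is 10.0.0.0/8: if anything in the LAN already routes that
# range (here to an assumed second internal router), replies to the client's
# untranslated address go there and never reach the VPN-1.
LAN_ROUTES = {
    "192.168.10.0/24": "direct",
    "172.16.10.0/24": VPN1_INSIDE,        # VPN-1 qfe1 network
    "192.168.99.0/24": VPN1_INSIDE,       # assumed SecuRemote IP pool, routed to VPN-1
    "10.0.0.0/8": "192.168.10.254",       # assumed other internal router owning 10/8
    "0.0.0.0/0": VPN1_INSIDE,             # default via VPN-1
}


def next_hop(dst: str, routes=LAN_ROUTES) -> str:
    """Longest-prefix-match lookup over the constructed table."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def vpn1_decrypt_and_forward(inner: Packet, use_pool: bool) -> Packet:
    """VPN-1 strips the tunnel. The inner header still carries the client's
    internal source address because the PIX static NAT only rewrote the outer
    (encrypted) packet. With an IP pool, VPN-1 rewrites that source to a pool
    address before forwarding into the LAN."""
    if use_pool:
        return replace(inner, src=SR_POOL_IP)
    return inner


def server_reply(request: Packet) -> Packet:
    """The web server answers whatever source address it saw."""
    return Packet(src=request.dst, dst=request.src)


def reply_next_hop(use_pool: bool) -> str:
    """Where the LAN sends the server's reply for the given NAT setting."""
    inner = Packet(src=SR_INTERNAL_IP, dst=WEB_SERVER)
    delivered = vpn1_decrypt_and_forward(inner, use_pool)
    return next_hop(server_reply(delivered).dst)


def reply_reaches_vpn1(use_pool: bool) -> bool:
    """True only if the reply is handed back to the VPN-1 gateway, which is the
    sole device that can re-encrypt it toward the SecuRemote client."""
    return reply_next_hop(use_pool) == VPN1_INSIDE


if __name__ == "__main__":
    for use_pool in (False, True):
        print(f"IP pool={use_pool}: reply next hop {reply_next_hop(use_pool)}, "
              f"reaches VPN-1: {reply_reaches_vpn1(use_pool)}")
```

Without the pool the reply to 10.10.10.1 is sent to the router that owns 10.0.0.0/8 and is lost; with the pool it is addressed to 192.168.99.10, which the LAN routes to the VPN-1. On a real network the equivalent check is to look up, from the internal host, the route for the address the sniffer shows as the request's source and confirm that it points at the VPN-1.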


   All contents © 2004 Network Presence, LLC. All rights reserved.