Re: [FW-1] FW-1 Site-to-site VPN with Cisco PIX in the middle.



Should work; Lars is correct to note that you must allow IP Protocol 50 (preferably bi-directionally); on the PIX, this is "permit esp <src> <src_mask> <dst> <dst_mask>".  I played with this before, as it stretched my understanding of how ESP is implemented in Check Point.  As it turns out (same in most other vendor implementations as well), AH is implemented within ESP, meaning that the packet only has to get copied once (more efficient).  A side effect (benefit/detriment, depending on your perspective), is that the outermost IP header is not authenticated, meaning that ESP can traverse NAT without issues for site-to-site VPNs.  I didn't pay super-close attention at the time to main vs. aggressive mode; I predict that aggressive mode for IKE will also increase your likelihood of success, as this will bypass the identity-verification step of IKE.
 
HTH
 
Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for Your Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

The information contained in this email message may be privileged, confidential and protected from disclosure.  If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited.  If you think you have received this email message in error, please email the sender at dhitchcock (at) breakwatersecurity (dot) com

 
 
 
 
-----Original Message-----
From: Lars Troen [mailto:[email protected]]
Sent: Monday, May 27, 2002 1:24 AM
To: [email protected]
Subject: Re: [FW-1] FW-1 Site-to-site VPN with Cisco PIX in the middle.

I don't think you can do this. Site-to-site VPNs don't support UDP encapsulation. So it's not TCP port 50 you need to open, but IP protocol 50. If the NAT device supports NATting of this protocol then maybe, so you could give it a try and check the logs of the PIX too.
 
Lars
-----Original Message-----
From: Ole Jakobsen [mailto:[email protected]]
Sent: Friday, May 24, 2002 15:30
To: [email protected]
Subject: [FW-1] FW-1 Site-to-site VPN with Cisco PIX in the middle.


Hi all,

Again. Sorry about the first mail. It wasn't supposed to be sent unfinished, so here I go again.

I have a small problem I need some new eyes on.

My setup:

Users [192.168.60.x] ---- FW/NAT ---- [172.16.x.y] Partner FW/NAT ---- ISP/Internet ---- HQ FW/VPN GW
                            |                           |                                      |
                         Nokia IP71                  Cisco PIX                          Nokia IP440 (MGMT)


My goal is to do site-to-site VPN between the two Nokia boxes.

I have done a "fw putkey" on both enforcement points. The management station can see the IP71 and gives it the status "untrusted" in the System Status window.
Both run FW-1 4.1.

The setup has worked in our test lab, but there we didn't have a firewall/NAT device in between.

The PIX is doing STATIC NAT to my IP71. In the PIX, ports TCP 50, TCP 264, UDP/TCP 500 and UDP 2746 are opened both ways. What am I missing?

Please help :o)


Best Regards,

Ole Jakobsen


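The point the thread turns on is that "TCP port 50" and "IP protocol 50" are different things: ESP has no port at all, so a TCP or UDP rule on port 50 never matches it, and the PIX's implicit deny drops the tunnel traffic. The following is an added illustration, not code from the list or from Cisco or Check Point. It parses a simplified, assumed PIX-style ACL syntax (`access-list NAME permit PROTO SRC DST [eq PORT]`, with `any` / `host A.B.C.D` / `A.B.C.D MASK` address specs), evaluates constructed packets against it with first-match semantics, and audits whether a peer behind the PIX can receive the IKE (UDP 500) and ESP (protocol 50) traffic a site-to-site tunnel needs. The addresses 172.16.1.10 and 203.0.113.5 are constructed sample values, not taken from the thread.

```python
"""Toy PIX-style ACL matcher: why a 'tcp ... eq 50' rule does not admit ESP."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# IANA IP protocol numbers that come up in the thread. "Port 50" is a TCP/UDP
# port; "protocol 50" is ESP, which carries no port at all.
PROTO_NUM = {"ip": 0, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: int             # IP protocol number; 0 means any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # destination port for tcp/udp rules, else None


@dataclass(frozen=True)
class Packet:
    proto: int
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None   # ESP/AH packets have no port


def _addr(tokens: List[str], i: int):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(f"{tokens[i + 1]}/32"), i + 2
    # "A.B.C.D MASK" form; ipaddress accepts a dotted netmask after the slash.
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse the simplified (assumed) ACL syntax described in the lead-in."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # ignore anything that is not an access-list entry
        action, proto = t[2], PROTO_NUM[t[3].lower()]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def _match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in (0, pkt.proto):
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    # A port qualifier can only match a packet that actually carries that port.
    return rule.dport is None or rule.dport == pkt.dport


def acl_allows(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule decides; an ACL with no match denies."""
    for r in rules:
        if _match(r, pkt):
            return r.action == "permit"
    return False


def audit_ipsec_passthrough(rules: List[Rule], remote_gw: str, local_peer: str) -> List[str]:
    """Report what a site-to-site IPSec peer behind the PIX cannot receive inbound."""
    src, dst = ip_address(remote_gw), ip_address(local_peer)
    findings = []
    if not acl_allows(rules, Packet(PROTO_NUM["udp"], src, dst, 500)):
        findings.append("IKE (UDP 500) not permitted")
    if not acl_allows(rules, Packet(PROTO_NUM["esp"], src, dst)):
        findings.append("ESP (IP protocol 50) not permitted")
        # The classic mistake from the thread: a port-50 rule instead of a protocol-50 rule.
        if any(r.action == "permit" and r.proto in (6, 17) and r.dport == 50 for r in rules):
            findings.append("found a tcp/udp port-50 rule, which does not match ESP")
    return findings


# Constructed ACL mirroring the port list in the original question (TCP 50 instead of ESP).
BROKEN_ACL = """
access-list outside_in permit tcp any host 172.16.1.10 eq 50
access-list outside_in permit tcp any host 172.16.1.10 eq 264
access-list outside_in permit udp any host 172.16.1.10 eq 500
access-list outside_in permit tcp any host 172.16.1.10 eq 500
access-list outside_in permit udp any host 172.16.1.10 eq 2746
"""

# Same ACL with the protocol-50 entry the replies call for.
FIXED_ACL = BROKEN_ACL + "access-list outside_in permit esp any host 172.16.1.10\n"

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, audit_ipsec_passthrough(parse_acl(acl), "203.0.113.5", "172.16.1.10"))
```

Run it and the "broken" ACL reports ESP as unpermitted and points at the port-50 rule, while the "fixed" one reports nothing. The matcher deliberately refuses to let a port-qualified rule match a portless packet; that single line is the whole difference between the two ACLs.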