Re: [FW-1] Cisco VPN Device and FW-1
There are a few different flavors of 'Cisco VPN solution' out there and while they all have commonalities, they also have differences. If you have a situation on your hands that isn't working, your first item to attack is finding out exactly what you're talking to on the other side: not only what Cisco hardware platform, but what version of IOS software (or whatever 'firmware' applies) the other side is running on that Cisco. For example, talking to a Cisco router isn't quite the same as talking to a PIX. And then the PIX questions can vary based on version. Neither one of the two is the same as talking to a Cisco 3000 VPN Concentrator, and then it also depends on what version of the concentrator software they're running. Blah blah blah.

With all that said, I've set up FW-1 to talk to a few different Cisco devices. What I usually run into comes in one of the following flavors:

(a) The Cisco is just plain more picky (and specific) than the Checkpoint when it comes to encryption settings and such. This is a pain for the Checkpoint 4.1 user because there's a bunch of stuff that you can't control *or* see through the GUI, particularly with regard to the details of using Perfect Forward Secrecy. In my book, it's a good thing that the Cisco is more specific but if you're the Checkpoint guy, you're essentially dependent upon the Cisco guy and his debug traces to tell you what the frick it doesn't like about you. :(

(b) Cisco VPN admins often don't understand much more about VPNs than, well, VPN admins for any other firewall. Nine times out of ten they figure out how to get a specific something to work, and BAM, there's the config. The trouble with this approach on a Cisco device using a command-line interface is that certain parameters are global in scope, while others are 'local' (i.e., unique to a given VPN need). Very often when the Cisco novice goes looking for info on how to get X to work, they find their answer in configuration examples that have them shifting top-level config around. So you come along 6 months later and... the global settings that made that VPN work keep yours from working at all. To fix it, not only do you have to figure out *your* VPN with them, someone has to figure out *their* VPN with some other guy, and how to tweak it into a VPN-unique config that sits alongside yours rather than overriding it. A common issue is to have your fw-to-fw VPN conflict with settings for their fw-to-dialin-user VPN that assigns IP addresses dynamically. Either way, you're dependent upon the guy on the Cisco side. Incidentally, I don't think this is a 'flaw' in the Cisco setup-- it's simply administered (usually) in a more advanced fashion than a friendly GUI, and that means its administrative complexity is up by something like an order of magnitude. So these things just happen and you have to figure them out.

(c) Sometimes you get issues on the Cisco end due to the device being loaded up too much. Obviously this is only going to be germane if you're talking about lower-end Cisco devices or devices that are specifically stuffed to the gills doing too much work for the platform. Also, this should only show up after the VPN is actually up (and then you figure out that performance bites). But it's something to be aware of nevertheless. Again, this isn't a Cisco issue so much as a question of pilot error. I would never climb into a glider and expect it to haul the capacity of a 747 on the simple grounds that both devices fly. But business constraints have a way of pushing expensive (Cisco!) devices into situations where maximum tolerances have been exceeded.

For your situation, I'd (1) find out what you're talking to, hardware and software-wise, and (2) start digging into what their config is-- if they're willing, have them email it to you, stripped of passwords and other security-critical data. You can then dig up whatever you need between Google and the Cisco website, which actually has some good example scenarios for talking to FW-1 from particular Cisco boxes.

Oh yeah-- one other thing. If it's a Cisco 3000 VPN Concentrator running software version 3.1 (maybe 3.x), be warned that in its GUI the term "IPSec" is used in some instances to refer specifically to Phase 2 negotiation parameters, and in other instances it actually refers to Phase 1 parameters or Phases 1 and 2 combined. Obviously, no amount of technical troubleshooting was going to dig that up-- I just got lucky and found an inconsistency in the Concentrator's online help to tell me that what I was reading might not really mean what it said.

Good luck...

-----Original Message-----
From: Hernandez, Moses [mailto:[email protected]]
Sent: Tuesday, June 11, 2002 10:26 AM
To: [email protected]
Subject: [FW-1] Cisco VPN Device and FW-1

Is anyone having any issues interconnecting a Cisco VPN solution (maybe a cisco 5000?) and Checkpoint FW-1 (Version 4.1)?
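One way to turn the "get their config and compare" step into a side-by-side check of the Phase 1 and Phase 2 parameters the post says the Cisco is picky about (PFS in particular), as an added example that is not from the list post or from either vendor. The dataclass fields and all sample values are assumptions; lifetimes, which the post does not discuss, are deliberately left out of the comparison.

```python
# Added example, not code from the list post: line up both peers' IKE Phase 1 and IPsec
# Phase 2 settings and report what cannot negotiate. Names and sample values are constructed.
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class Phase1:                 # ISAKMP policy on Cisco, IKE properties on FW-1
    encryption: str           # e.g. "3des"
    hash: str                 # e.g. "sha1"
    dh_group: int             # Diffie-Hellman group
    auth: str                 # "psk" or "rsa-sig"

@dataclass(frozen=True)
class Phase2:                 # transform set on Cisco, IPSec properties on FW-1
    esp_encryption: str
    esp_auth: str
    pfs_group: Optional[int]  # None means PFS is off for this tunnel

def compare_phase1(local: Phase1, remote: Phase1) -> List[str]:
    """Blocking Phase 1 mismatches (lifetimes normally negotiate down, so not checked)."""
    return [f"phase1 {f}: {getattr(local, f)} vs {getattr(remote, f)}"
            for f in ("encryption", "hash", "dh_group", "auth")
            if getattr(local, f) != getattr(remote, f)]

def phase2_mismatches(local: Phase2, remote: Phase2) -> List[str]:
    """Blocking differences between one local and one remote transform set."""
    problems = []
    if local.esp_encryption != remote.esp_encryption:
        problems.append(f"esp encryption: {local.esp_encryption} vs {remote.esp_encryption}")
    if local.esp_auth != remote.esp_auth:
        problems.append(f"esp auth: {local.esp_auth} vs {remote.esp_auth}")
    if local.pfs_group != remote.pfs_group:
        # The case from the post: PFS off (or another DH group) on one side is hard to
        # see in the FW-1 4.1 GUI, yet makes the pickier peer reject the quick-mode proposal.
        problems.append(f"pfs: {local.pfs_group or 'off'} vs {remote.pfs_group or 'off'}")
    return problems

def negotiable_phase2(local: Phase2, remote_sets: List[Phase2]) -> List[str]:
    """Empty list if any remote transform set matches; otherwise why each one fails."""
    reasons = []
    for i, rs in enumerate(remote_sets, 1):
        problems = phase2_mismatches(local, rs)
        if not problems:
            return []
        reasons.append(f"transform set {i}: " + "; ".join(problems))
    return reasons

# Constructed sample: FW-1 wants PFS group 2; both Cisco transform sets have PFS off.
FW1_P1 = CISCO_P1 = Phase1("3des", "sha1", 2, "psk")
FW1_P2 = Phase2("3des", "sha1", 2)
CISCO_SETS = [Phase2("3des", "md5", None), Phase2("3des", "sha1", None)]
```

Phase 1 matches in the sample, so the tunnel would get past main mode and then fail in quick mode on PFS alone, which is exactly the kind of failure only the Cisco side's debug output would otherwise reveal.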
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================