
[FW-1] Strange FW-1 behavior with Cisco 3000 VPN concentrator



Greetings,

I have someone trying to make an outbound connection to a Cisco 3000
Concentrator using the Cisco VPN client software through my 4.1 SP4
firewall.  I opened up UDP port 500 (IKE) and proto 50 (ESP) outbound.  The
tunnel to the Cisco always sets up successfully (according to their
logs); however, the user is unable to http/ping/telnet/whatever!

Tcpdump logs show UDP port 500 and ESP activity.  The firewall log shows
accepted outbound port 500 traffic but it shows drops on random high ports
coming from the remote Cisco Concentrator.  The strange thing to me is that
these high ports show that the protocol is ESP and I always thought that
ESP doesn't use ports:

30Sep2002  8:53:52 drop proto esp src 192.168.2.2 dst 10.10.10.10 service 58333 s_port 53917 len 200

To test if it was my firewall I opened up all ports from the Concentrator
inbound and the outbound connection was successful and the user was able to
do his work.  Has anybody seen this before?  A search at google, shmoo,
securepoint, cisco, and checkpoint revealed no clues.


-- Joe

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
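Added example (not from the post or from Check Point): a small parser for the FW-1 text log format quoted above that pulls out the dropped ESP entries from the concentrator and recombines the two 16-bit "port" fields into one 32-bit value. ESP has no port numbers; the only 32-bit identifier in an ESP header is the SPI, so the assumption made here, and flagged in the code, is that the service/s_port fields are the two halves of the SPI, with s_port holding the high half. Whether that byte order is right is something to check against the `ESP(spi=0x...)` value tcpdump prints for the same packets. The sample log text is constructed for the example; only its first line is the one from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the FW-1 4.1 text-export layout shown in the post.
# Line 1 is the entry quoted in the post; the other lines are made up here.
SAMPLE_LOG = """\
30Sep2002  8:53:52 drop proto esp src 192.168.2.2 dst 10.10.10.10 service 58333 s_port 53917 len 200
30Sep2002  8:53:50 accept proto udp src 10.10.10.10 dst 192.168.2.2 service 500 s_port 500 len 92
30Sep2002  8:53:51 accept proto esp src 10.10.10.10 dst 192.168.2.2 service 12345 s_port 6789 len 120
30Sep2002  8:53:53 drop proto tcp src 192.168.2.2 dst 10.10.10.10 service 80 s_port 40000 len 60
"""

# One regex for the "date time action proto ... src ... dst ... service N s_port N len N" layout.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+proto\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)\s+"
    r"service\s+(?P<service>\d+)\s+s_port\s+(?P<s_port>\d+)\s+len\s+(?P<length>\d+)\s*$"
)

# Protocols for which the service/s_port columns cannot be transport ports.
PORTLESS = ("esp", "ah")


@dataclass
class Entry:
    date: str
    time: str
    action: str
    proto: str
    src: str
    dst: str
    service: int
    s_port: int
    length: int

    @property
    def has_real_ports(self) -> bool:
        """True only for protocols where the two numeric columns are L4 ports."""
        return self.proto in ("tcp", "udp")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["date"], d["time"], d["action"].lower(), d["proto"].lower(),
                 d["src"], d["dst"], int(d["service"]), int(d["s_port"]), int(d["length"]))


def parse_log(text: str) -> List[Entry]:
    """Parse every well-formed line of a log export, skipping the rest."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def spi_candidate(e: Entry) -> int:
    """Recombine the two 16-bit 'port' columns of an ESP/AH entry into a 32-bit value.

    ASSUMPTION (not stated in the post): the columns are the halves of the ESP SPI,
    with s_port as the high half. Confirm the order against tcpdump's ESP(spi=0x...)
    output for the same packet before relying on it.
    """
    if e.proto not in PORTLESS:
        raise ValueError("only ESP/AH entries carry an SPI in the port columns")
    return (e.s_port << 16) | e.service


def esp_drops_from_peer(entries: List[Entry], peer: str) -> List[Entry]:
    """The entries the post is asking about: dropped ESP arriving from the VPN peer."""
    return [e for e in entries if e.action == "drop" and e.proto == "esp" and e.src == peer]


def describe(e: Entry) -> str:
    """One-line summary that labels the port columns correctly for the protocol."""
    if e.has_real_ports:
        return f"{e.action} {e.proto} {e.src}:{e.s_port} -> {e.dst}:{e.service} len {e.length}"
    if e.proto in PORTLESS:
        return (f"{e.action} {e.proto} {e.src} -> {e.dst} spi={spi_candidate(e):#010x} "
                f"(port columns are SPI halves, not ports) len {e.length}")
    return f"{e.action} {e.proto} {e.src} -> {e.dst} len {e.length}"


if __name__ == "__main__":
    for entry in esp_drops_from_peer(parse_log(SAMPLE_LOG), "192.168.2.2"):
        print(describe(entry))
```

The useful check is the last step in `spi_candidate`'s docstring: take the value this prints for a dropped entry and look for the same SPI in the tcpdump capture the post mentions; if the halves need swapping, that comparison will show it immediately.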