CheckPoint SecureClient to Cisco PIX

Posted by ozmaid on June 13, 2006, 3:34 am
I have a network configured as follows:

Internal LAN <---> PIX-535 <----> { Internet } <-----> Customer
CheckPoint FW/1

The internal LAN is NATted to the external address of the PIX and all
internal hosts are PATted against this address (hence we have only one
external "visible" IP address defined).

We are trying to establish a CheckPoint SecureClient connection from
inside the network on the internal LAN to a customer site on the
Internet running a CheckPoint firewall. The connection type we are
doing is using the RSA keyfobs as security.

When attempting to connect using the SecureClient software, the
connection always fails with an error from the SecureClient software:
"Make sure the user is properly defined on the firewall". From the logs
on the customer site we only see the initial conversation but do not
get any key exchange happening. It appears that the local firewall (ie:
the pix) is the cause of the problem. If I take the same computer and
software and plug into a home network behind a broadband router with
VPN passthru, the connection establishes successfully. From the above
network we do not block any outbound services and all outgoing
protocols work fine (eg: web, IM, telnet, ssh, ftp, etc).

During my reading of this forum and others, it would appear that VPN
traversal might be the problem, however I have enabled it (with "isakmp
enable inside" and "isakmp nat-traversal 20") but this does not solve
the problem. The PIX is running 7.0(1).

I cannot see any local logs to see what is being dropped and do not
understand what more is available to get the VPN to transgress the
firewall. What special ports (if any) need to be opened to the NAT/PAT
address?

Appreciate any help


Posted by www.BradReese.Com on June 13, 2006, 4:24 pm
How to configure an IPSec tunnel between a PIX Firewall and a
Checkpoint Firewall.

To set up the IPSec VPN tunnel, perform these steps:

Step 1: Configure the Internet Key Exchange (IKE) proposal on both
devices.

Step 2: Configure the IPSec parameters on both devices.

Step 3: Specify network ranges on both devices for passing traffic
across the proposed tunnel.

For assistance with the configuration settings, resolving an IPSec
tunnel between a PIX Firewall and Checkpoint Firewall as well as
specific debug setting information, refer to:

Configuring an IPSec Tunnel - Cisco Secure PIX Firewall to Checkpoint
4.1 Firewall

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml

Step 4: Once the tunnel has been configured, attempt to pass traffic
from a workstation on one side of the connection to a workstation on
the other side of the connection.

If you are able to ping, the tunnel is functioning properly.

If you are not able to ping, determine the state of the connection by
issuing the show crypto isakmp sa and show crypto ipsec sa commands on
the PIX Firewall:

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fd881.html

Step 5: If in the output of the show crypto isakmp sa command the state
shows anything other than QM_IDLE, phase 1 (Internet Security
Association and Key Management Protocol [ISAKMP]) has not been properly
negotiated and should be examined.

The results should resemble this example:

cisco_endpoint# show crypto isakmp sa

        dst               src          state     pending   created
   172.18.124.157    172.18.124.35    QM_IDLE       0         2

Issuing the show crypto ipsec sa command identifies information about
phase 2 of the connection (IPSec).

Step 6: The proper peer and local endpoint for the tunnel should be
identified.

Furthermore, if traffic has been passed across the tunnel, the counters
for both pkts encaps and pkts decaps should be incrementing.

If either value is not incrementing, a determination can usually be
made as to which side of the tunnel is having difficulty.

This is a portion of the command output:

cisco_endpoint#show crypto ipsec sa

interface: outside
    Crypto map tag: rtpmap, local addr. 172.18.124.158

   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 172.18.124.157
     PERMIT, flags=
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

-------------------------------------

For information on tunnels between a PIX Firewall and Checkpoint New
Generation (NG) Firewall, refer to:

Configuring an IPSec Tunnel Between a Cisco Secure PIX Firewall and a
Checkpoint NG Firewall

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

For more information in resolving the PIX Firewall passing traffic on
an established IPSec tunnel, refer to:

Troubleshooting the PIX to Pass Data Traffic on an Established IPSec
Tunnel

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

Hope this helps.

Brad Reese
BradReese.Com - Cisco Network Engineer Directory
http://www.bradreese.com/network-engineer-directory.htm
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
International: 828-277-7272
Fax: 775-254-3558
AIM: R2MGrant
Website: http://www.bradreese.com/contact-us.htm
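An added example, not from Brad's post or from Cisco, that automates the checks in Step 5 and Step 6 above: it parses constructed samples modelled on the show crypto isakmp sa and show crypto ipsec sa excerpts, confirms the ISAKMP SA with the peer is in QM_IDLE, and compares the #pkts encaps / #pkts decaps counters between two captures to indicate which direction of the tunnel is not passing traffic. The sample text and the peer address are constructed for the demonstration.

```python
import re

# Constructed samples modelled on the command excerpts in the post above
# (two "show crypto ipsec sa" captures taken a few seconds apart).
ISAKMP_OUTPUT = """\
        dst               src        state     pending     created
   172.18.124.157    172.18.124.35    QM_IDLE         0           2
"""
IPSEC_BEFORE = """\
interface: outside
   Crypto map tag: rtpmap, local addr. 172.18.124.158
   current_peer: 172.18.124.157
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
# Second capture: local side encapsulated 12 packets, nothing came back.
IPSEC_AFTER = IPSEC_BEFORE.replace("#pkts encaps: 0", "#pkts encaps: 12")

SA_ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)", re.M)
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def isakmp_sas(output):
    """Step 5: return (dst, src, state) rows from show crypto isakmp sa."""
    return SA_ROW.findall(output)

def phase1_ok(output, peer):
    """True only if an ISAKMP SA involving the peer is in state QM_IDLE."""
    return any(state == "QM_IDLE" and peer in (dst, src)
               for dst, src, state in isakmp_sas(output))

def counters(output):
    """Extract the encaps/decaps packet counters from show crypto ipsec sa."""
    return {name: int(val) for name, val in COUNTER.findall(output)}

def diagnose(before, after):
    """Step 6: the direction whose counter stays flat between two captures
    points at the side of the tunnel that is not passing traffic."""
    b, a = counters(before), counters(after)
    enc, dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    if enc and dec:
        return "ok: traffic flows in both directions"
    if enc:
        return "local encrypts, nothing decrypted: check remote side or return path"
    if dec:
        return "remote sends, local never encrypts: check local crypto ACL or routing"
    return "no traffic either way: check interesting traffic and phase 1"

if __name__ == "__main__":
    print("phase 1 up:", phase1_ok(ISAKMP_OUTPUT, "172.18.124.157"))
    print(diagnose(IPSEC_BEFORE, IPSEC_AFTER))
```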

