
RE: [FW1] FW-1 to PIX VPN



A lot of folks have asked about this scenario over the last several months.
We finally got it to work in production under the following conditions and
are attempting to reproduce it in our lab.  Start with the white papers
available from Check Point and Cisco.  Hope this helps.

- Cisco PIX: PIX 515, OS ver 5.2
- Check Point: Nokia 330, IPSO 3.2.1, VPN-1 v4.1 SP1
- Encryption: DES, MD5, Pre-shared secrets, Aggressive mode, supports subnets
- Set the PIX so that it knows the Check Point encryption domain is ALL
  subnets on all segments of the Check Point firewall.  Set the Check Point so
  that it knows the Cisco encryption domain is only the specific hosts/subnets
  you need included on the PIX side.  (Result:  Too big of an encryption
  domain on one side, but just right on the other.)
- NAT occurs before encryption.  Use manual NAT rules at the top of the
  rulebase to ensure traffic between the two encryption domains is NOT being
  NATed in any fashion.
- Don't just test using ping - use other protocols (FTP, command-line SMTP,
  etc.).

Daniel R. Mengel, MCSE, CCSE
Lead Technologist - Data Security
Info Systems, Inc. - www.infosysinc.com
Baltimore/Washington - Dover - Philadelphia - Wilmington



-----Original Message-----
From: Amin Tora [mailto:[email protected]]
Sent: Saturday, January 06, 2001 9:59 PM
To: [email protected]
Subject: RE: [FW1] FW-1 to PIX VPN




... make sure you double check:

-encryption algorithm (des,3des,etc..)
-whether you're using (md5,sha-1,etc..)
-encapsulation (ESP or AH headers...)
-time and time zone on systems...

 :)


Amin Tora
ePlus Technology
http://www.eplus.com

-----Original Message-----
From: Jon Vandiveer [mailto:[email protected]]
Sent: Saturday, January 06, 2001 6:40 PM
To: [email protected]
Subject: [FW1] FW-1 to PIX VPN



Did you get it working?


From: Net Secure [mailto:[email protected]]
Sent: Friday, 5 January 2001 11:27 a.m.
To: [email protected]
Subject: [FW1] FW-1 to PIX VPN


Does anyone know of an issue creating a VPN from FW-1 to PIX?

The PIX is version 5.23; the firewall is a Nokia 440 fw 4.0 sp4 ipso 3.2.1.

I have followed the documentation from Check Point and get the following
errors:

If the VPN is attempted from the FW-1 side; no proposal chosen.
From the PIX; fails on the 2nd stage of key negotiation.

Thanks,

-Greg




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
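
An added example, not part of the original thread or written by any of its posters: a pre-flight check in Python for two points raised above, that both peers agree on every proposal parameter and that no NAT rule translates traffic between the two encryption domains. The parameter names, addresses and rule tuples are assumptions constructed for illustration, and a first-match rulebase is assumed.

```python
from ipaddress import ip_network

# Constructed sample settings. The Check Point values follow the thread (DES,
# MD5, pre-shared secret, aggressive mode); the PIX "3des" is a deliberate
# mismatch. The dict keys are this example's own naming, not vendor syntax.
CHECKPOINT = {"encryption": "des", "hash": "md5", "auth": "pre-shared",
              "mode": "aggressive", "encapsulation": "esp"}
PIX = {"encryption": "3des", "hash": "md5", "auth": "pre-shared",
       "mode": "aggressive", "encapsulation": "esp"}


def proposal_mismatches(a, b):
    """Return the sorted parameter names on which the two peers disagree."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


def nat_conflicts(rules, local_domain, remote_domain):
    """Return (local, remote, rule_index) for each pair a NAT rule translates.

    rules is an ordered, first-match list of (src, dst, translate) tuples.
    """
    conflicts = []
    for local in map(ip_network, local_domain):
        for remote in map(ip_network, remote_domain):
            for i, (src, dst, translate) in enumerate(rules):
                src, dst = ip_network(src), ip_network(dst)
                if not (src.overlaps(local) and dst.overlaps(remote)):
                    continue  # rule does not touch this pair
                if translate:
                    conflicts.append((str(local), str(remote), i))
                    break
                if local.subnet_of(src) and remote.subnet_of(dst):
                    break  # whole pair exempted by a no-NAT rule placed first
                # partial exemption only: keep checking the rules below it
    return conflicts


# Constructed addressing (RFC 1918 ranges), not taken from the thread.
LOCAL = ["10.1.0.0/16", "10.2.0.0/16"]   # Check Point side, all segments
REMOTE = ["192.168.50.0/24"]             # PIX side, one specific subnet
RULES = [
    ("10.1.0.0/16", "192.168.50.0/24", False),  # manual no-NAT rule at top
    ("10.0.0.0/8", "0.0.0.0/0", True),          # general hide NAT
]

if __name__ == "__main__":
    print("proposal mismatches:", proposal_mismatches(CHECKPOINT, PIX))
    print("NAT conflicts:", nat_conflicts(RULES, LOCAL, REMOTE))
```

In the sample data the no-NAT rule covers only one of the two local segments, so the second segment still hits the hide NAT rule and is reported.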


============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.