Re: [FW-1] SecuRemote and Cisco Pix

Does the firewall have a route to 192.168.24.30? We had an issue where our firewall needed to have a route towards the Internet for the original address (the firewall routes before it NATs).

--- "Alan Baker ( ISC Networks )" <[email protected]> wrote:
> Thanks Don.
>
> As far as I can see I have now done what the FAQ suggests, and am one step nearer.
>
> The service I try, be it Telnet or Net Support (port 5405), is now decrypted fine, with a source address shown as the remote PC's real address in the log:
>
> 10:06:28 authcrypt firewall >daemon src 62.254.201.181 user smith rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: DES,IKE,SHA1
> 10:06:28 keyinst firewall >daemon src 62.254.201.181 dst firewall IKE Log: Phase 1 (aggressive) completion. DES/SHA1/Pre shared secrets Negotiation Id: fb6d7c-27afba3762f3d502
> 10:06:28 keyinst firewall >daemon proto ip src 62.254.201.181 dst firewall srckeyid 0xf9be5dfa dstkeyid 0x30cdfb47 rule 0 scheme: IKE methods: Combined ESP: DES + SHA1 (phase 2 completion) for host: 192.168.24.30 and for subnet: 0.0.0.0 (mask= 0.0.0.0)
> 10:06:29 decrypt firewall >daemon proto tcp src 192.168.24.30 dst serv16 service telnet s_port 1038 srckeyid 0xf9bd5dfa rule 5 user smith scheme: IKE methods: Combined ESP: DES + SHA1
>
> ie 62.254.201.181 is the NAT pool address assigned, and 192.168.24.30 the PC's real address.
>
> But there is no sign of a real connection between the remote site and the target, eg no response to the telnet request.
>
> Am I missing something?
>
> Alan
>
> -----Original Message-----
> From: Don [mailto:[email protected]]
> Sent: 10 January 2002 00:01
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote and Cisco Pix
>
> > We use SecuRemote here successfully for normally dial-up users via a variety of ISPs. But I now need to configure a PC inside a customer's site, behind a Cisco Pix using dynamic pool NAT.
>
> Dynamic pool, static, and hide mode NAT should all work.
>
> > The SecuRemote clients use IKE.
>
> Have you enabled UDP encapsulation as per the instructions on www.phoneboy.com? (Search for "Secure Client and NAT".) From the looks of your log output it seems like this is not enabled. This would also explain why the topology download and authentication work but not communications.
>
> Versions of 4.1 prior to SP2 (even those that were later upgraded) may not have UDP encapsulation defined, nor the UDP Encapsulation Service defined.
>
> You need to make sure that your firewall object has :userc_IKE_NAT (true) and that the VPN UDP Encapsulation service is defined in your services list.
>
> You may also wish to force UDP encapsulation on the client side.
>
> The FAQ should answer all of your questions.
>
> Don
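An added example, not part of the thread: a small Python triage that reads FW-1 log lines of the shape Alan pasted (the sample below is constructed from them, and the regexes assume that layout) and flags a client whose IKE peer address differs from the phase 2 "for host:" address, which is the NAT situation the two replies are diagnosing.

```python
import ipaddress
import re

# Constructed sample, modelled on the FW-1 log lines quoted in the thread
# (not a real capture).
SAMPLE_LOG = """\
10:06:28 keyinst firewall >daemon src 62.254.201.181 dst firewall IKE Log: Phase 1 (aggressive) completion. DES/SHA1/Pre shared secrets
10:06:28 keyinst firewall >daemon proto ip src 62.254.201.181 dst firewall srckeyid 0xf9be5dfa dstkeyid 0x30cdfb47 rule 0 scheme: IKE methods: Combined ESP: DES + SHA1 (phase 2 completion) for host: 192.168.24.30 and for subnet: 0.0.0.0 (mask= 0.0.0.0)
10:06:29 decrypt firewall >daemon proto tcp src 192.168.24.30 dst serv16 service telnet s_port 1038 srckeyid 0xf9bd5dfa rule 5 user smith scheme: IKE methods: Combined ESP: DES + SHA1
"""

# Phase 2 line: IKE peer (outer) address after "src", client (inner) address after "for host:".
PHASE2_RE = re.compile(r" src (\S+) .*\(phase 2 completion\) for host: (\S+)")
# Decrypt line: once ESP is stripped the inner address shows up as the packet source.
DECRYPT_RE = re.compile(r"^\S+ decrypt .* src (\S+) dst (\S+)")


def find_natted_clients(log_text):
    """Return (outer_ip, inner_ip) pairs where the IKE peer address differs from the
    client address negotiated in phase 2: the signature of a client behind NAT."""
    pairs = []
    for line in log_text.splitlines():
        m = PHASE2_RE.search(line)
        if m and m.group(1) != m.group(2):
            pairs.append((m.group(1), m.group(2)))
    return pairs


def diagnose(log_text):
    """For each NATted client, report whether decrypted packets arrived from its
    inner address and which of the two fixes raised in the thread to verify."""
    decrypt_sources = {m.group(1) for m in map(DECRYPT_RE.match, log_text.splitlines()) if m}
    report = []
    for outer, inner in find_natted_clients(log_text):
        private = ipaddress.ip_address(inner).is_private
        checks = []
        if private:
            # Replies are routed on the inner address before NAT, so the gateway needs a route.
            checks.append("route for %s on the gateway" % inner)
        checks.append("UDP encapsulation (:userc_IKE_NAT true, VPN UDP Encapsulation service)")
        report.append({"outer": outer, "inner": inner, "inner_is_private": private,
                       "decrypt_seen": inner in decrypt_sources, "checks": checks})
    return report


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_LOG):
        print(entry)
```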