
Re: [FW-1] SecuRemote and Cisco Pix



Does the firewall have a route to 192.168.24.30? We
had an issue where our firewall needed to have a route
towards the Internet for the original address (the
firewall routes before it NATs)

--- "Alan Baker ( ISC Networks )"
<[email protected]> wrote:
> Thanks Don.
>
> As far as I can see I have now done what the FAQ
> suggests, and am one step
> nearer.
>
> The service I try, be it Telnet or Net Support (port
> 5405), is now decrypted
> fine, with a source address shown as the remote PC's
> real address in the
> log:
>
> 10:06:28 authcrypt firewall   >daemon src 62.254.201.181 user smith rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: DES,IKE,SHA1
> 10:06:28 keyinst firewall   >daemon src 62.254.201.181 dst firewall IKE Log: Phase 1 (aggressive) completion. DES/SHA1/Pre shared secrets Negotiation Id: fb6d7c-27afba3762f3d502
> 10:06:28 keyinst firewall   >daemon proto ip src 62.254.201.181 dst firewall srckeyid 0xf9be5dfa dstkeyid 0x30cdfb47 rule 0 scheme: IKE methods: Combined ESP: DES + SHA1 (phase 2 completion) for host: 192.168.24.30 and for subnet: 0.0.0.0 (mask= 0.0.0.0)
> 10:06:29 decrypt firewall   >daemon proto tcp src 192.168.24.30 dst serv16 service telnet s_port 1038 srckeyid 0xf9bd5dfa rule 5 user smith scheme: IKE methods: Combined ESP: DES + SHA1
>
> i.e. 62.254.201.181 is the NAT pool address assigned,
> and 192.168.24.30 the
> PC's real address.
>
> But there is no sign of a real connection between the
> remote site and the
> target, e.g. no response to the telnet request.
>
> Am I missing something?
>
> Alan
>
>
> -----Original Message-----
> From: Don [mailto:[email protected]]
> Sent: 10 January 2002 00:01
> To: [email protected]
> Subject: Re: [FW-1] SecuRemote and Cisco Pix
>
>
> > We use SecuRemote here successfully for normally
> > dial-up users via a variety
> > of ISPs.  But I now need to configure a PC inside
> > a customer's site, behind a
> > Cisco Pix using dynamic pool NAT.
> Dynamic pool, static, and hide mode NAT should all
> work.
>
> > The SecuRemote clients use IKE.
> Have you enabled UDP encapsulation as per the
> instruction on
> www.phoneboy.com? (Search for "Secure Client and
> NAT") From the looks of
> your log output it seems like this is not enabled.
> This would also explain
> why the topology download and authentication work
> but not communications.
>
> Versions of 4.1 prior to SP2 (even those that were
> later upgraded) may not
> have UDP encapsulation defined, nor the UDP
> Encapsulation Service defined.
>
> You need to make sure that your firewall object has
> :userc_IKE_NAT (true)
> and that the VPN UDP Encapsulation service is
> defined in your services
> list.
>
> You may also wish to force UDP encapsulation on the
> client side.
>
> The FAQ should answer all of your questions.
>
> Don
>
>
>



=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
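The thread above reaches its diagnosis by reading the FireWall-1 log: IKE phase 1 and phase 2 complete, the client's inner address (192.168.24.30) differs from the address the IKE packets arrive from (62.254.201.181, the PIX NAT pool), traffic from the client is decrypted, and nothing comes back. The following script is an added example, not part of the original thread or of Check Point's tooling, that automates that reading over the quoted log lines. It assumes each entry follows the layout of the quoted lines (time, action, origin, ">interface", then key/value pairs), and it assumes a reply the firewall encrypts back to the client would be logged with the action "encrypt"; that second point is not stated on the page, and the one "encrypt" entry used for the healthy case is constructed.

```python
"""Triage a FireWall-1 log excerpt for one-way SecuRemote traffic.

Added example. Assumed entry layout: time, action, origin, ">interface",
key/value pairs. Assumed (not on the page): replies encrypted back to the
client are logged with action "encrypt".
"""
import re
from collections import defaultdict

# The thread's quoted log, re-flowed to one entry per line.
SAMPLE_LOG = """\
10:06:28 authcrypt firewall >daemon src 62.254.201.181 user smith rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: DES,IKE,SHA1
10:06:28 keyinst firewall >daemon src 62.254.201.181 dst firewall IKE Log: Phase 1 (aggressive) completion. DES/SHA1/Pre shared secrets Negotiation Id: fb6d7c-27afba3762f3d502
10:06:28 keyinst firewall >daemon proto ip src 62.254.201.181 dst firewall srckeyid 0xf9be5dfa dstkeyid 0x30cdfb47 rule 0 scheme: IKE methods: Combined ESP: DES + SHA1 (phase 2 completion) for host: 192.168.24.30 and for subnet: 0.0.0.0 (mask= 0.0.0.0)
10:06:29 decrypt firewall >daemon proto tcp src 192.168.24.30 dst serv16 service telnet s_port 1038 srckeyid 0xf9bd5dfa rule 5 user smith scheme: IKE methods: Combined ESP: DES + SHA1
"""

# Constructed entry (hypothetical, not from the thread): how a reply
# encrypted back to the client is assumed to look under the same layout.
HEALTHY_REPLY = (
    "10:06:29 encrypt firewall >daemon proto tcp src serv16 dst 192.168.24.30 "
    "service telnet s_port 1038 rule 5 user smith scheme: IKE methods: Combined ESP: DES + SHA1\n"
)

ENTRY_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<action>\S+)\s+(?P<origin>\S+)\s+>(?P<iface>\S+)\s+(?P<rest>.*)$"
)
KEYS = ("proto", "src", "dst", "service", "s_port", "srckeyid", "user", "rule")


def parse_entry(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest")
    for key in KEYS:
        kv = re.search(rf"\b{key}\s+(\S+)", rest)
        if kv:
            entry[key] = kv.group(1)
    # The phase 2 entry names the inner address the SA was built for.
    host = re.search(r"for host:\s+(\S+)", rest)
    if host:
        entry["sa_host"] = host.group(1)
    return entry


def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]


def nat_clients(entries):
    """Map inner client address -> IKE peer address for clients behind NAT.

    A phase 2 SA built 'for host' X while the IKE packets arrive from a
    different src address means X is translated on the way in.
    """
    return {
        e["sa_host"]: e["src"]
        for e in entries
        if e["action"] == "keyinst" and "sa_host" in e and e.get("src") != e["sa_host"]
    }


def one_way_clients(entries):
    """Inner addresses that sent decrypted traffic but got nothing encrypted back."""
    decrypted = defaultdict(int)
    replied = set()
    for e in entries:
        if e["action"] == "decrypt" and "src" in e:
            decrypted[e["src"]] += 1
        elif e["action"] == "encrypt" and "dst" in e:
            replied.add(e["dst"])
    return {host: n for host, n in decrypted.items() if host not in replied}


def triage(text):
    """Return human-readable findings for a log excerpt."""
    entries = parse_log(text)
    natted = nat_clients(entries)
    findings = []
    for host, n in sorted(one_way_clients(entries).items()):
        note = f"{host}: {n} decrypted flow(s) but no encrypted reply"
        if host in natted:
            note += (f"; client is behind NAT (IKE peer {natted[host]}), "
                     f"so check UDP encapsulation and the route to {host}")
        findings.append(note)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the thread's four entries, `triage` reports 192.168.24.30 as one-way and behind NAT, which is the situation the two replies address (UDP encapsulation, and a route back to the client's real address). With the constructed "encrypt" entry appended it reports nothing, which is the healthy case to compare against.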



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.