[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] SecuRemote and Cisco Pix
Make sure that Cisco PIX IDS is not blocking UDP 500 and 2746. I just had this problem. I could authenticate to my CheckPoint with SR, but that was it. PIX IDS was seeing the SR encrypted traffic as a UDP bomb attack so my SR communications was being drooped and reset. The PIX admin set the IDS to not drop or reset the attack and SR worked correctly. Make sure you check both inbound and outbound attack parameters if the PIX is using IDS. Rich -----Original Message----- From: Alan Baker ( ISC Networks ) [mailto:[email protected]] Sent: Thursday, January 10, 2002 9:53 AM To: [email protected] Subject: Re: [FW-1] SecuRemote and Cisco Pix Thanks Don. As far as I can see I have now done what the FAQ suggests, and am one step nearer. The service I try, be it Telnet or Net Support (port 5405) is now decrypted fine, with a source address shown as the remote Pc's real address in the log: 10:06:28 authcrypt firewall >daemon src 62.254.201.181 user smith rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: DES,IKE,SHA1 10:06:28 keyinst firewall >daemon src 62.254.201.181 dst firewall IKE Log: Phase 1 (aggressive) completion. DES/SHA1/Pre shared secrets Negotiation Id: fb6d7c-27afba3762f3d502 10:06:28 keyinst firewall >daemon proto ip src 62.254.201.181 dst firewall srckeyid 0xf9be5dfa dstkeyid 0x30cdfb47 rule 0 scheme: IKE methods: Combined ESP: DES + SHA1 (phase 2 completion) for host: 192.168.24.30 and for subnet: 0.0.0.0 (mask= 0.0.0.0) 10:06:29 decrypt firewall >daemon proto tcp src 192.168.24.30 dst serv16 service telnet s_port 1038 srckeyid 0xf9bd5dfa rule 5 user smith scheme: IKE methods: Combined ESP: DES + SHA1 ie 62.254.201.181 is the NAT pool address assigned, and 192.168.24.30 the Pcs real address. But there is no sign of real conenction between the remote site and the target eg no response to the telnet request. Am I missing something? Alan -----Original Message----- From: Don [mailto:[email protected]] Sent: 10 January 2002 00:01 To: [email protected] Subject: Re: [FW-1] SecuRemote and Cisco Pix > We use SecuRemote here successfully for normally dial-up users via a variety > of ISPs. But I now need to configure a PC inside a customers site, behind a > Cisco Pix using dynamic pool NAT. Dynamic pool, static, and hide mode NAT should all work. > The SecuRemote clients use IKE. Have you enabled UDP encapsulation as per the instruction on www.phoneboy.com? (Search for "Secure Client and NAT") From the looks of your log output it seems like this is not enabled. This would also explain why the topology download and authentication work but not communications. Versions of 4.1 prior to SP2 (even those that were later upgraded) may not have UDP encapsulation defined, nor the UDP Encapsulation Service defined. You need to make sure that you firewall object has :userc_IKE_NAT (true) and that the VPN UDP Encapsulation service is defined in your services list. You may also wish to force UDP encapsulation on the client side. The FAQ should answer all of your questions. Don _____________________________________________________________________ This message has been checked for all known viruses by Star Internet delivered through the MessageLabs Virus Control Centre. ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] ================================================= ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|