Checkpoint SecuRemote access through a REDHAT 7.2 Firewall

Posted on 2003-03-13
Medium Priority
Last Modified: 2011-09-20
Hello everyone,

I am hoping that I have found the right area to pose this question/scenario. I currently have a small LAN, with a Linux Redhat 7.2 box set up as a gateway. Behind my gateway I have several pcs, with the main one running win98. The pcs behind my gateway run on ip addresses I have assigned to them (i.e. 192.168.X.X). The gateway box itself has two nics, with one being assigned via DHCP and the other being assigned an internal gateway address. Everything is working fine, EXCEPT when I try and connect to my company intranet MS Excange Server via SecuRemote (Checkpoint software). I have tried every possible config in the Linux firewall settings I can think of, and have researched the heck out of this to no avail.Apparently SecuRemote uses UDP on port 259, TCP 264/265, UDP 500. Unfortunately none of these configs work, and the only way I can get connected to the server is if I disconnect my LINUX box and hook my win98 pc directly to my modem. Surely there is a way to do this? I am using firestarter as an interface to my firewall...

Thanks for any advice, and sorry for the verbose message!

Question by:smyers2003
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

AnotherRob earned 172 total points
ID: 8133762
Have you checked phoneboy.com?

e.g. Using Secure Client through Linux ipchains/iptables: http://www.phoneboy.com/fom-serve/cache/90.html

Assisted Solution

zekker earned 164 total points
ID: 8175816
Are you running any sort of syslog?  If this is a firewall you should be.  If you are, look for denies in your syslog messages from your firewall this will contain the actual ports it is using or look on the local log file

Also, as this is a firewalll (linux) run tcpdump against the host that is trying to connect and you can see all the traffic going to the firewall from that box.  For instance, lets assume your inside computer with Secure Remote is located at You can do the following

tcpdump host and port XXX
XXX= your port number.

you can also put in the destination address also to see what that is doing.  this will enable you to see the traffic and all the sent and recieved.

I have used the secure client behind my firewall which is runnning iptables and I have had no problems. Something is blocking and this should tell you what.

- Zekker

Assisted Solution

igge earned 164 total points
ID: 8278327
regarding to Fw-1 doc the answer is something like this:

* fw1-ip is the external IP of your firewall
* client-ip is your SecuRemote Client
* linux-ip is the IP of your Linux host

# Outgoing and incoming rules allowing UDP port 500 packets
 /sbin/ipchains -A input -s fw1-ip -d linux-ip 500 -p UDP -j ACCEPT
 /sbin/ipchains -A input -s client-ip -d fw1-up 500 -p UDP -j ACCEPT
 # Outgoing and incoming rules allowing IP Protocol 50 packets
 /sbin/ipchains -A input -s fw1-ip -d linux-ip -p 50  -j ACCEPT
 /sbin/ipchains -A input -s client-ip -d fw1-ip -p 50  -j ACCEPT
 # Outgoing UDP Encapsulation packets
 /sbin/ipchains -A input -s client-ip -d fw1-ip 2746 -p UDP  -j ACCEPT
 # Forward rules to MASQ and allow connections outbound
 /sbin/ipchains -A forward -s client-ip 500 -p UDP -j MASQ
 /sbin/ipchains -A forward -s client-ip -p 50 -j MASQ
 # ipmasqadm to pick up port 500 and forward it inside
 /usr/sbin/ipmasqadm portfw -a -P udp -L linux-ip 500 -R client-ip 500
 # ipfwd to get Protocol 50 packets
 /usr/sbin/ipfwd client-ip 50 &
With iptables in Linux 2.4, the commands are (ext_if refers to external interface):

 /usr/sbin/iptables -A input   -s linux-ip -d fw1-ip   -p udp --dport 500 -j ACCEPT
 /usr/sbin/iptables -A input   -s linux-ip -d fw1-ip   -p 50 -j ACCEPT
 /usr/sbin/iptables -A input   -s fw1-ip   -d linux-ip -p udp --dport 500 -j ACCEPT
 /usr/sbin/iptables -A input   -s fw1-ip   -d linux-ip -p udp --dport 2746 -j ACCEPT
 /usr/sbin/iptables -A input   -s fw1-ip   -d linux-ip -p 50 -j ACCEPT
 /usr/sbin/iptables -A forward -s linux-ip -d fw1-ip   -j ACCEPT
 /usr/sbin/iptables -t nat     -A POSTROUTING -o ext_if -j MASQUERADE

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses
Course of the Month10 days, 16 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question