?
Solved

Client inside our pix firewall connecting to a checkpoint firewall problems

Posted on 2003-03-20
5
Medium Priority
?
576 Views
Last Modified: 2013-11-16
I have a user in our Cisco Pix 515 firewall.  It's a Windows 2000 professional environment.  He is connecting to another office that uses a checkpoint nokia 440.  The client that the user on my side is using to connect is checkpoint vpn securemote version 53328.  It will ask for authentication but after authentication it seems that my firewall drops it because of security settings.  I have opened up gre and esp protocol for their server to come in and connect to a global ip address that was assigned to the user.  Does anyone have any suggestions?
0
Comment
Question by:jaya31
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8178042
Need more information on the client configuration. GRE and ESP don't generally work together. GRE goes with Microsoft PPTP, tcp port 1723. ESP works with ISAKMP UDP 500, so open the acl to permit TCP esp and UDP isakmp

Check your PIX logs to see what is getting denied.
As long as you have a one-one static nat for this user, it should work just fine.

0
 

Author Comment

by:jaya31
ID: 8181083
This is my configuration of my pix firewall.  

The user that is in my firewall trying to connect to the Nokia 440 (xxx.xxx.xxx.xxx) is using Checkpoint VPN-1 SecuRemote NG Version 3

Any solutions?


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password  encrypted
passwd  encrypted
hostname domainpix
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
access-list 101 permit ip xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap errors
logging history errors
logging host inside xxx.xxx.xxx.xxx
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.192
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip address dmz xxx.xxx.xxx.xxx 255.255.255.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.0 dmz
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
global (outside) 1 xxx.xxx.xxx.xxx
global (dmz) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any
conduit permit tcp host xxx.xxx.xxx.xxx eq pop3 any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30
:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host xxx.xxx.xxx.xxx timeout 10 protocol UDP version 4
url-cache src_dst 128KB
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 inside
http xxx.xxx.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000-all address-pool pptp-pool
vpngroup vpn3000-all dns-server xxx.xxx.xxx.xxx
vpngroup vpn3000-all wins-server xxx.xxx.xxx.xxx
vpngroup vpn3000-all default-domain domain.com
vpngroup vpn3000-all split-tunnel 101
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password *****
telnet xxx.xxx.xxx.xxx 255.255.255.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.0 dmz
telnet timeout 60
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username vpnuserfg password ******
vpdn enable outside
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 8181342
Try
conduit permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx

If the client software/Nokia VPN requires AH, you can't use it behind NAT. Your only solution would be to give this user a port directly on the hub between your PIX and Internet router directly on the xxx.xxx.xxx.x subnet

http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
0
 
LVL 2

Expert Comment

by:zekker
ID: 8181354
Jay, you shouldnt post your firewall config..............
0
 

Expert Comment

by:modulo
ID: 8183055
Removed sensitive IP information.

modulo

Community Support Moderator
Experts Exchange
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question