Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Client inside our pix firewall connecting to a checkpoint firewall problems

Posted on 2003-03-20
Medium Priority
Last Modified: 2013-11-16
I have a user in our Cisco Pix 515 firewall.  It's a Windows 2000 professional environment.  He is connecting to another office that uses a checkpoint nokia 440.  The client that the user on my side is using to connect is checkpoint vpn securemote version 53328.  It will ask for authentication but after authentication it seems that my firewall drops it because of security settings.  I have opened up gre and esp protocol for their server to come in and connect to a global ip address that was assigned to the user.  Does anyone have any suggestions?
Question by:jaya31
LVL 79

Expert Comment

ID: 8178042
Need more information on the client configuration. GRE and ESP don't generally work together. GRE goes with Microsoft PPTP, tcp port 1723. ESP works with ISAKMP UDP 500, so open the acl to permit TCP esp and UDP isakmp

Check your PIX logs to see what is getting denied.
As long as you have a one-one static nat for this user, it should work just fine.


Author Comment

ID: 8181083
This is my configuration of my pix firewall.  

The user that is in my firewall trying to connect to the Nokia 440 (xxx.xxx.xxx.xxx) is using Checkpoint VPN-1 SecuRemote NG Version 3

Any solutions?

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password  encrypted
passwd  encrypted
hostname domainpix
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
no names
access-list 101 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
pager lines 24
logging on
logging timestamp
logging trap errors
logging history errors
logging host inside xxx.xxx.xxx.xxx
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.xxx.xxx
ip address inside xxx.xxx.xxx.xxx
ip address dmz xxx.xxx.xxx.xxx
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address dmz
pdm location xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx inside
pdm location xxx.xxx.xxx.xxx dmz
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
global (outside) 1 xxx.xxx.xxx.xxx
global (dmz) 1 xxx.xxx.xxx.xxx
nat (inside) 0 access-list 101
nat (inside) 1 0 0
nat (dmz) 1 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 0 0
conduit permit icmp any any
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any
conduit permit tcp host xxx.xxx.xxx.xxx eq pop3 any
route outside xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30
:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host xxx.xxx.xxx.xxx timeout 10 protocol UDP version 4
url-cache src_dst 128KB
filter url http allow
http server enable
http xxx.xxx.xxx.xxx inside
http xxx.xxx.xxx.xxx inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000-all address-pool pptp-pool
vpngroup vpn3000-all dns-server xxx.xxx.xxx.xxx
vpngroup vpn3000-all wins-server xxx.xxx.xxx.xxx
vpngroup vpn3000-all default-domain domain.com
vpngroup vpn3000-all split-tunnel 101
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password *****
telnet xxx.xxx.xxx.xxx inside
telnet xxx.xxx.xxx.xxx dmz
telnet timeout 60
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username vpnuserfg password ******
vpdn enable outside
LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 8181342
conduit permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx

If the client software/Nokia VPN requires AH, you can't use it behind NAT. Your only solution would be to give this user a port directly on the hub between your PIX and Internet router directly on the xxx.xxx.xxx.x subnet


Expert Comment

ID: 8181354
Jay, you shouldnt post your firewall config..............

Expert Comment

ID: 8183055
Removed sensitive IP information.


Community Support Moderator
Experts Exchange

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
How can you see what you are working on when you want to see it while you to save a copy? Add a "Save As" icon to the Quick Access Toolbar, or QAT. That way, when you save a copy of a query, form, report, or other object you are modifying, you…
Suggested Courses

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question