Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1240
Views
10
Helpful
7
Replies

No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

Go to solution
drvbaysued
Level 1
Level 1

‎03-19-2013 06:36 AM

Hello!

We try to establish a Site-To-Site-IPSec-connection between a Cisco 876 (local site) and a CheckPoint-firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL-Router with port-forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with commands "debug crypto isakmp" and "debug crypto ipsec".

From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.

The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip-addresses).

Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.

Any help would be very much appreciated!

Jakob J. Blaette

Labels:
15356688-show_run_cisco876.cfg.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Javier Portuguez
Level 9
Level 9
In response to drvbaysued

‎03-20-2013 06:40 AM

Hi Jakob,

Adding my two cents here.

You always need to confirm that the following ports and protocol are opened:

1- UDP port 500 --> ISAKMP

2- UDP port 4500 --> NAT-T

3- Protocol 50 ---> ESP

A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not a port-forwarding, a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case is the Router.

HTH.

Portu.

Please rate any helpful posts and mark this post as answered.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Andrew Phirsov
Level 7
Level 7

‎03-19-2013 11:20 AM

There are can be lotsa things related to it. How can you guess if you don't even know if tunnel is established or not? Do the show crypto ipsec sa, sh crypto isakmp sa and see if tunnel gets established. If not, do debug crypto ipsec/isakmp and configure logging properly so you can see the logs. If there's no logs, that means tnat traffic that matches crypto-acl doesnt go through the router (in that case check if devices on the router side know the route toward subnet behind checkpoint firewall) or maybe your crypto-acl/nat exemption rules configured not correctly or anything. Start with sh crypto ipsec/isakmp and debugging.

0 Helpful

Go to solution
drvbaysued
Level 1
Level 1
In response to Andrew Phirsov

‎03-20-2013 04:28 AM

Hello, Andrew!

Thank you for your kind answer!

Meanwhile we could solve the problem: As I wrote in the first message, the Cisco 876 is behind a DSL-Router with port-forwarding. Now we did not only open ports 500/udp and 4500/udp but also ports 10000/tcp and esp/ip and with this configuration the ping respondes.

Thank you again for your answer.

Jakob J. Blaette

0 Helpful

Go to solution
Javier Portuguez
Level 9
Level 9
In response to drvbaysued

‎03-20-2013 06:40 AM

Hi Jakob,

Adding my two cents here.

You always need to confirm that the following ports and protocol are opened:

1- UDP port 500 --> ISAKMP

2- UDP port 4500 --> NAT-T

3- Protocol 50 ---> ESP

A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not a port-forwarding, a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case is the Router.

HTH.

Portu.

Please rate any helpful posts and mark this post as answered.

0 Helpful

Go to solution
drvbaysued
Level 1
Level 1
In response to Javier Portuguez

‎03-20-2013 07:50 AM

Hi Marty, hi Javier,

thank you for the kind additional answers!

I will try the suggestion not opening port 10000/tcp asap and will then post the results in this discussion thread.

Jakob

0 Helpful

Go to solution
drvbaysued
Level 1
Level 1
In response to drvbaysued

‎03-21-2013 08:07 AM

Hi,

meanwhile I could test the IPSec-connection when not  opening port 10000/tcp. I could find out that port 10000/tcp is  necessary for a Cisco VPN-Client connection to our Cisco 876 (that is  also configured on the Cisco 876). So I left the configuration on the  DSL-Router as it was.

Jakob

Go to solution
Javier Portuguez
Level 9
Level 9
In response to drvbaysued

‎03-21-2013 10:22 AM

Very good Christian

Thanks for sharing your findings, the IPsec client is able to connect over TCP, which is called IPsec over TCP on port 10000 (by default).

Another alternative is to use NAT-T, IPsec over UDP on port 4500.

Marty's post is very true as well, packet-captures will reveal whether the packets are making from one point to the other.

Well done

Hope you have a nice day.

Take care.

0 Helpful

Go to solution
marstoyanoff
Level 1
Level 1

‎03-20-2013 06:57 AM

Hi Christian,

I would go with Javier. However, my best advice is to configure captures and then generated traffic from one of the devices behind the firewall or the router. This will prove if the traffic is being sent over the tunnel or it goes to the Internet.

Cheers

Marty

Customers Also Viewed These Support Documents