12-01-2005 06:22 AM
I have a client residing behind a Checkpoint NG firewall that is experiencing issues. I am connecting to a 3000 concentrator and getting an assigned IP address just fine. Unfortunately, any attempts to connect to devices through the tunnel don't work after I have been connected.
The firewall is allowing:
AH
ESP
udp IKE
SKIP
VPN1_IPSEC_ENCAPSULATION
udp port 10000
udp port 4500
The client is on a private address and is being hide-NAT'd by the Checkpoint firewall.
I can't even ping the internal interface of the concentrator.
Does anybody have any ideas?
12-07-2005 07:00 AM
Verify that the PIX has a route to the internal networks trying to be accessed.
Verify that the pool of VPN addresses does not overlap with any other internal network, including that of the PIX itself.
Verify that there is a nat 0 access list on the PIX which includes the internal network trying to be reached and the VPN address pool network.
The nat [if_name] 0 access-list acl_name command lets you exempt traffic that is matched by the access-list command statements from the NAT services. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access.
Verify that the default gateway of the inside hosts is pointing to the inside interface of the firewall if they are a part of directly connected networks of the firewalls.
Note: The first two points are also applicable to Cisco routers and VPN 3000 Concentrators with VPN tunnels.
12-08-2005 05:27 AM
Do you have IPsec through NAT selected on the concentrator (NAT Transparent)?
Assuming ICMP is opened on CP?
12-08-2005 05:33 AM
Scratch last comment, this was an issue with Cisco IPsec on router only. Not sure of the impact on CP.
Re-iteration of the post prior to mine: check routes.
Tim
12-09-2005 08:16 AM
I have IPsec over UDP port enabled. Interesting that the article points to Configuration > User Management > Groups > IPsec tab; I actually find it under the Client Config tab. I tried the global NAT-T over TCP but I can't seem to get connected using that. I'll have to play with it a bit more to see if I can get it to work.
The routes on the concentrator seem to be fine, as if I connect without passing through the Checkpoint firewall (i.e. behind a Linksys NAT device or directly connected) I can hit the networks just fine. The IP scheme may be an issue, but I have tried a few variations to try and eliminate that as an issue. Currently it is set up as follows:
Client computer: 10.13.1.100/24
Private interface of VPN concentrator: 10.11.24.5/22
Static IP address assigned to client by concentrator: 10.11.25.253/22
The static IP is in the same subnet as the VPN device, but I haven't had a problem with it before.
What kind of ICMP traffic would I need to allow on the firewall? I do see some drops in the logs, particularly an ICMP TTL count exceeded/address spoofing message. I turned off spoofing protection to test whether the Checkpoint firewall was mucking it up, but no change.
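The second reply asks the poster to verify that the VPN address pool does not overlap any internal network, and the last post then lists the actual addressing (client LAN 10.13.1.0/24, concentrator private interface 10.11.24.5/22, assigned client address 10.11.25.253/22). The following script is an added example, not code from the thread or from Cisco; it takes those constructed values and reports every overlap between the pool, the internal networks behind the concentrator and the client's own LAN, so the "IP scheme" question can be answered mechanically rather than by eye. It goes slightly beyond the reply by also checking the client's local LAN against the remote networks, since a collision there would also leave tunnel traffic unroutable. Network names and the `check_addressing` function are assumptions for the example.

```python
import ipaddress

# Constructed values copied from the thread's last post.
# Internal networks reachable behind the concentrator (name -> network).
INTERNAL_NETWORKS = {
    "concentrator private interface": ipaddress.ip_network("10.11.24.0/22"),
}
# The address the concentrator hands the client, with its mask (strict=False
# turns the host address into its containing network: 10.11.24.0/22).
VPN_POOL = ipaddress.ip_network("10.11.25.253/22", strict=False)
# The client's own LAN behind the Checkpoint firewall.
CLIENT_LAN = ipaddress.ip_network("10.13.1.0/24")


def check_addressing(pool, internal_networks, client_lan):
    """Return a list of human-readable findings for address overlaps.

    An empty list means the pool, the internal networks and the client LAN
    are all disjoint, which is the condition the reply asks to verify.
    """
    findings = []
    # Reply's check: the pool must not collide with any internal network.
    for name, net in internal_networks.items():
        if pool.overlaps(net):
            findings.append(f"VPN pool {pool} overlaps {name} ({net})")
    # Added check (assumption beyond the thread): the pool must also not
    # collide with the client's local LAN, or the client routes pool
    # traffic locally instead of into the tunnel.
    if pool.overlaps(client_lan):
        findings.append(f"VPN pool {pool} overlaps client LAN ({client_lan})")
    # Added check: the client's LAN must not shadow a remote internal network.
    for name, net in internal_networks.items():
        if client_lan.overlaps(net):
            findings.append(f"client LAN {client_lan} overlaps {name} ({net})")
    return findings


def summarize(pool, internal_networks, client_lan):
    """Return (ok, findings) so callers can branch on the result."""
    findings = check_addressing(pool, internal_networks, client_lan)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = summarize(VPN_POOL, INTERNAL_NETWORKS, CLIENT_LAN)
    print("addressing OK" if ok else "addressing problems found:")
    for f in findings:
        print("  -", f)
```

Run against the thread's values the script flags one item: the assigned client address sits inside the concentrator's own private subnet, exactly what the poster observed. The poster says that arrangement worked before, so the check does not prove it is the fault here, but it is the kind of finding to rule in or out before digging further into the firewall logs; a pool carved from a separate, unused subnet would make the list come back empty.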