Checkpoint VPN through Cisco PIX

kallan
Level 1

Has anyone configured a PIX to allow the Checkpoint SecuRemote client through a PIX to a remote Checkpoint F/W? We have created a static mapping for the client, although NAT'd, and he can connect and authenticate to the Checkpoint F/W, but DNS/WINS does not work and he cannot connect to his Intranet. If we place the client outside the PIX it works OK. The "sh conn" shows the tunnel connection, but then another connection appears when he tries to connect to the Intranet; this second connection has a different destination address, as if the request is not going down the tunnel, but it all works when placed outside the PIX.

8 Replies

s.jankowski
Level 4

Take a look at the log files in debugging mode and see if the PIX has all the ports & protocols open.

chrisd
Level 1

Kallan

Did you ever manage to get this to work?

rasoftware
Level 1

Did you manage to get this working?

I have a similar problem getting the SecuRemote VPN client working over an IOS firewall.

I did find out that Checkpoint uses 500/TCP and UDP for IKE and also 264/UDP. Over NAT they also encapsulate in 2746/UDP rather than 4500/10000 as with Cisco. Not getting a lot of "love" from Cisco or Checkpoint on this; I'm sure many people have this configuration.

What version Secure Client are you using?

What version is the CP Firewall running?

I think it's SecuRemote R56 and FW-1.

Basically I see on the router

UDP/500

Encap UDP/2746

When it starts failing we notice many connections on UDP/259 to various servers in the Checkpoint cluster. The guys in charge of the cluster tell me it's failed to renegotiate the SA, which would maybe explain the client's attempt to contact many servers.

Currently the router uses CBAC, so any session traffic initiated inside should be permitted back. We also amended the UDP session timeout and NAT, which hasn't improved it. I even went as far as adding a second CBAC on the outside interface and an access rule from the FW-1 IP to allow "any" traffic back, just in case it was trying to initiate a session. I also static mapped a single IP.

Not to get off topic, but it sounds like the CP firewalls are using very old and vulnerable code.

See the following:

http://www.ciac.org/ciac/bulletins/l-109.shtml

Anyway, back to the topic. The newer builds of CP allow for "firewall friendly" communication. In short, you can configure your CP gateways to listen on 443 to terminate your IPSEC clients. Then configure the clients for Guest mode.

Now for the caveat: CP upgrades are never easy.

On another note, I have used SecuRemote (as well as SecureClient) behind just about every vendor's firewall. The older versions of CP were very problematic with NAT, but any build above CP 2000 SP5 up to NGX works well.

Now for the problem: it sounds like NAT. Can you give a network layout example with the packet flow?

Pretty simple setup: we have a private network on 10.0.129.0/17 with a single public IP over an SDSL circuit. PAT and CBAC enabled.

If I look at the NAT on the router I see UDP/500 and UDP 2476 for encap and UDP 259, which apparently this client needs. I believe it's a cluster on the other side, and I do notice many connections to UDP 259, which implies some issue with negotiating a key. The Check Point admins tell me there are problems in the logs with regards to the SA.

It's running

NG AI R55
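A small diagnostic for the symptom the first post and the replies above describe (a second connection to a destination other than the VPN peer, and UDP/259 fan-out across cluster members), added here as an example and not posted by anyone in this thread. It assumes a simplified, constructed "show conn"-style line format and placeholder addresses; the UDP port numbers are the ones listed in the replies.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# UDP ports the thread associates with SecuRemote / FW-1: 500 (IKE),
# 2746 (encapsulation over NAT), 259 and 264 (Check Point specific).
VPN_UDP_PORTS = {500, 2746, 259, 264}

Flow = namedtuple("Flow", "proto src sport dst dport")

def parse_conn_line(line):
    """Parse one line of a constructed, simplified 'show conn'-style format:
    'UDP out 203.0.113.10:500 in 10.0.129.5:500'. Returns a Flow seen from
    the inside host (src) toward the outside peer (dst)."""
    parts = line.split()
    out_ip, out_port = parts[2].rsplit(":", 1)
    in_ip, in_port = parts[4].rsplit(":", 1)
    return Flow(parts[0].upper(), in_ip, int(in_port), out_ip, int(out_port))

def classify_flows(lines, vpn_gateway, intranet_net):
    """Split connection-table lines into three buckets:
    tunnel - UDP to the VPN gateway on an expected SecuRemote port
    leaked - any flow whose outside destination lies in the remote intranet,
             i.e. traffic the client should have encapsulated but did not
    reneg  - UDP/259 flows; many distinct peers matches the failed-SA symptom"""
    net = ip_network(intranet_net)
    tunnel, leaked, reneg = [], [], []
    for line in lines:
        f = parse_conn_line(line)
        if f.proto == "UDP" and f.dport == 259:
            reneg.append(f)
        if f.dst == vpn_gateway and f.proto == "UDP" and f.dport in VPN_UDP_PORTS:
            tunnel.append(f)
        elif ip_address(f.dst) in net:
            leaked.append(f)
    return tunnel, leaked, reneg

def distinct_peers(flows):
    """Number of different outside hosts a set of flows talks to."""
    return len({f.dst for f in flows})

# Constructed sample: gateway 203.0.113.10 (placeholder), intranet 172.16.0.0/16.
SAMPLE = [
    "UDP out 203.0.113.10:500 in 10.0.129.5:500",
    "UDP out 203.0.113.10:2746 in 10.0.129.5:2746",
    "UDP out 172.16.1.53:53 in 10.0.129.5:1031",   # DNS sent in the clear
    "TCP out 172.16.20.8:80 in 10.0.129.5:1045",   # intranet HTTP, not tunnelled
    "UDP out 203.0.113.11:259 in 10.0.129.5:259",
    "UDP out 203.0.113.12:259 in 10.0.129.5:259",
]
```

Any entry in the "leaked" bucket is traffic the client sent to an intranet address without encapsulating it, which is the mismatch the original poster saw in "sh conn".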
