Re: VPN-1 Secureremote pass-through on a PIX 506
- From: tcollicutt@xxxxxxxxxxx
- Date: 3 Jan 2006 11:10:57 -0800
I've seen this happen when the client site (behind a NAT router) is
using the same IP range as a network behind the Checkpoint firewall.
If this is the issue, it is because the firewall uses the IP on the PC
for routing, rather than the IP it gets NATted to when it hits the
Internet. I've known this to be solved by setting up the Checkpoint
to NAT all VPN connections to a subnet that isn't used
internally.
Don't ask me how. I haven't set this up, I've only seen others do
this.
This might not be the issue, since it works with the PIX. The part
about working when hooked directly to the modem, but not through the
DSL router, fits with the symptoms I've seen.
PG wrote:
> Thanks,
>
> I understand the ISAKMP Nat traversal command but not sure on the
> transform sets and crypto maps etc. I'll go and do some searching.
>
> Tks
>
> Paul
>
>
>
> On Fri, 30 Dec 2005 23:45:36 +0000 (UTC), roberson@xxxxxxxxxxxxxxxxxx
> (Walter Roberson) wrote:
>
> >In article <virar1ti6tmf5m428d50gvbv9om7i0rgsm@xxxxxxx>,
> >PG <psg-1@xxxxxxxxxx> wrote:
> >> Can someone help with a configuration problem.
> >
> >>I've got hold of a second hand PIX 506. I've updated to PIX version
> >>6.3(4) and also the PDM to version 6.3.
> >
> >Out of curiosity, how much did Cisco charge you to "relicense" the
> >506?
> >
> >>The company I work for has a
> >>Checkpoint NG1 firewall and I use the secure remote to connect in. I
> >>have to connect my laptop directly to my Cable modem and pick up the
> >>public IP address to successfully connect to the checkpoint. It will
> >>not work through my DSL router.
> >
> >>If I replace my DSL Router with the PIX it works OK for normal
> >>browsing etc but not the secureremote. I know it can be done but I
> >>lack the expertise to config it. The Secureremote is configured to use
> >>IKE over TCP and I've been told that I have to configure the PIX for
> >>NAT Traversal and to allow AH and ESP IP protocols through. I pick up
> >>a dynamic IP from my ISP.
> >
> >isakmp nat-traversal 20
> >
> >You do not need to configure anything to "let through" AH or ESP,
> >because access lists only control what goes -through- the PIX,
> >not packets that are addressed to the PIX itself (as would
> >be the case for the AH and ESP packets.)
> >
> >Turning on nat-traversal does not hurt, and if there is NAT
> >between you and the destination (and some cable ISPs do NAT
> >at their network edge!) then it can allow IPSec to work in
> >circumstances where it would otherwise fail. In particular,
> >you indicate AH was specifically mentioned to you: AH *cannot*
> >work with NAT unless you use nat-traversal.
> >
> >If you've been told to allow for AH and ESP, then the place
> >to do that is in configuring the transform set(s) that
> >will be associated with the crypto-map entry. It is also usually
> >a good idea to configure the isakmp layer to use the same encryption
> >and "group" as you use for the transform set: although it isn't
> >strictly necessary to have the two layers match, who needs the confusion?
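The pass-through problem in this thread comes down to what each IPsec protocol's integrity check covers. AH's ICV is computed over the outer IP header (with only the fields defined as mutable zeroed), so a NAT that rewrites the source address invalidates it; ESP's ICV covers only the ESP header and payload, and NAT-T (RFC 3948) wraps ESP in UDP/4500 so a PAT device can rewrite address and port without touching anything the ICV protects. The following Python is an added example, not code from any poster and not a model of the PIX or SecuRemote: it builds a constructed AH packet and a constructed ESP-in-UDP packet, runs each through a source-address/port rewrite of the kind a home DSL router or the PIX's nat/global pair performs, and verifies the integrity value on the far side. The key, addresses, SPIs and payload are made up; HMAC-SHA1-96 is used for both ICVs and ESP encryption is omitted because only the integrity check matters here.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA derives its integrity key from IKE.
KEY = b"constructed-demo-integrity-key"
IPPROTO_UDP, IPPROTO_AH = 17, 51
NAT_T_PORT = 4500
ICV_LEN = 12  # HMAC-SHA1-96 truncation


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left 0 since nothing here goes on a wire."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def ah_icv(ip_hdr: bytes, ah_hdr_no_icv: bytes, payload: bytes) -> bytes:
    """AH ICV per RFC 4302: HMAC over the IP header with the mutable fields
    (DSCP/ECN, flags/fragment offset, TTL, checksum) zeroed, the AH header
    with its ICV field zeroed, and the payload.  Source and destination
    addresses are NOT mutable, so they are covered; that is what NAT breaks."""
    view = bytearray(ip_hdr)
    view[1] = 0                  # DSCP/ECN
    view[6:8] = b"\x00\x00"      # flags + fragment offset
    view[8] = 0                  # TTL
    view[10:12] = b"\x00\x00"    # header checksum
    data = bytes(view) + ah_hdr_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(src: str, dst: str, payload: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, sequence.
    ah_len_words = (12 + ICV_LEN) // 4 - 2
    ah_no_icv = struct.pack("!BBHII", IPPROTO_UDP, ah_len_words, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, payload) + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_no_icv = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv, payload))


def build_esp_udp(src: str, dst: str, payload: bytes, spi: int = 0x2002, seq: int = 1) -> bytes:
    """ESP (RFC 4303) inside UDP/4500 (RFC 3948).  The ICV covers SPI, sequence
    number and payload only; nothing from the IP or UDP header is included."""
    esp_no_icv = struct.pack("!II", spi, seq) + payload
    esp = esp_no_icv + hmac.new(KEY, esp_no_icv, hashlib.sha1).digest()[:ICV_LEN]
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
    return ipv4_header(src, dst, IPPROTO_UDP, 20 + 8 + len(esp)) + udp + esp


def verify_esp_udp(pkt: bytes) -> bool:
    esp = pkt[28:]  # skip 20-byte IP and 8-byte UDP headers
    esp_no_icv, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, esp_no_icv, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_outbound(pkt: bytes, public_ip: str, new_sport: int = 61000) -> bytes:
    """What a PAT device does on the way out: rewrite the source address and,
    for UDP, the source port.  It knows nothing about AH and leaves it alone."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(public_ip).packed
    body = pkt[20:]
    if hdr[9] == IPPROTO_UDP:
        body = struct.pack("!H", new_sport) + body[2:]
    return bytes(hdr) + body


def demo() -> dict:
    """Constructed client behind NAT, VPN gateway, and the NAT's public address."""
    client, gateway, public = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    payload = b"constructed IPsec payload"
    ah, esp = build_ah(client, gateway, payload), build_esp_udp(client, gateway, payload)
    return {
        "ah_direct": verify_ah(ah),                             # True
        "ah_after_nat": verify_ah(nat_outbound(ah, public)),    # False
        "esp_udp_direct": verify_esp_udp(esp),                  # True
        "esp_udp_after_nat": verify_esp_udp(nat_outbound(esp, public)),  # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

The AH packet verifies when the laptop is plugged straight into the modem and fails as soon as any NAT sits in the path, which matches the symptom in the original post. RFC 3948 defines UDP encapsulation for ESP only, so in practice a remote-access client behind NAT negotiates ESP with an integrity algorithm rather than AH; on the PIX side, `isakmp nat-traversal` is what lets the peers detect the NAT and switch to UDP/4500.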