RE: little off topic PIX question

From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Thu Oct 04 2001 - 01:46:25 GMT-3


Hi,

You need to be careful with your NAT policy here. If you use standard ESP
for the VPN traffic, you'll need one global IP address per VPN client and
will need to set up a static for each VPN client. You need to open up the
return traffic path through the PIX as well (similar to icmp where you need
to allow echo-replies back in). E.g. access-list OUTSIDE permit esp host
FIREWALL host VPN_CLIENT.

If you use Checkpoint UDP Encapsulation, you can then use hide NAT OK, much
like a standard TCP/UDP connection. UDP encapsulation is supported on
Checkpoint 2000 SP2 or higher. I recommend running Checkpoint SecuRemote
2000 SP4 or higher as this has a GUI interface for forcing UDP encapsulation
on the client. (Checkpoint can autodetect to use UDP encapsulation, but
only if it detects that the client port of the UDP ISAKMP exchange is not 500,
i.e. NAT has occurred. This is OK if multiple clients are hitting the same
firewall from behind the NAT device, but if only one client is hitting the
firewall, the PIX does not change the client port.)

If you apply ACLs on your inside interface you need to allow the following:

1. FW1 Topology service (TCP Port 256 from memory)
2. FW1 VPN Client Authentication service (TCP Port 259)
3. ISAKMP (UDP port 500)
4. ESP (IP Protocol 50) if using ESP
5. Checkpoint UDP Encapsulation service (UDP Port 3xxx - can't remember) if
using UDP Encapsulation

Regards
Justin Menga CCIE #6640
Network Solutions Architect
Wireless & E-Infrastructure
Compaq Computer New Zealand
DDI: +64-9-918-9381 Mobile: +64-21-349-599
mailto: justin.menga@compaq.com
web: http://www.compaq.co.nz
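As an added example (not from the post), the two NAT arrangements described above written out as PIX 6.x configuration fragments, using documentation addresses: 10.1.1.10 is the inside SecuRemote client, 203.0.113.10 a spare global address, 198.51.100.1 the external Checkpoint firewall; the UDP encapsulation port is left as a placeholder because the post does not give it.

```text
: --- Option 1: native ESP through the PIX (assumed addresses) ---
: ESP carries no port, so each client needs its own global address via a
: static (not PAT), and the ESP return path must be opened explicitly
: because the PIX only builds return slots for TCP/UDP connections.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE permit esp host 198.51.100.1 host 203.0.113.10
access-group OUTSIDE in interface outside

: --- Option 2: Checkpoint UDP encapsulation through the PIX ---
: ESP is wrapped in UDP, so ordinary hide NAT (PAT) works and the PIX
: tracks the return traffic itself; no inbound ACL entry is required.
: With a single client the PIX keeps source port 500, so autodetection
: will not trigger: force UDP encapsulation on the SecuRemote client.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.1

: --- Inside-interface ACL for either option (the five services listed) ---
access-list INSIDE permit tcp host 10.1.1.10 host 198.51.100.1 eq 256
access-list INSIDE permit tcp host 10.1.1.10 host 198.51.100.1 eq 259
access-list INSIDE permit udp host 10.1.1.10 host 198.51.100.1 eq isakmp
access-list INSIDE permit esp host 10.1.1.10 host 198.51.100.1
: UDP_ENCAP_PORT is a placeholder; take the real port from the Checkpoint
: UDP encapsulation service definition on the firewall.
access-list INSIDE permit udp host 10.1.1.10 host 198.51.100.1 eq UDP_ENCAP_PORT
access-group INSIDE in interface inside
```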

-----Original Message-----
From: michale_lee50@hotmail.com [mailto:michael_lee50@hotmail.com]
Sent: Thursday, 4 October 2001 3:51 p.m.
To: ccielab@groupstudy.com
Subject: little off topic PIX question

Hi Group,
Can I initiate an IPsec remote VPN client session from inside the PIX
firewall? For example, I have a Checkpoint VPN client inside my network that
wants to connect to a firewall external to my PIX.

Thanks,
Mr. Lee
**Please read: http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:12 GMT-3