From: michale_lee50@xxxxxxxxxxx
Date: Thu Oct 04 2001 - 02:03:15 GMT-3
WOW, thanks, I really did not expect to get a lovely response like this.
I'll give it a shot in the morning and let you know how it works out. Now I
think I can get some rest, this looks really nice.
Mr.Lee
----- Original Message -----
From: "Menga, Justin" <Justin.Menga@Compaq.com>
To: "'michale_lee50@hotmail.com'" <michael_lee50@hotmail.com>;
<ccielab@groupstudy.com>
Sent: Thursday, October 04, 2001 12:46 AM
Subject: RE: little off topic PIX question
> Hi,
>
> You need to be careful with your NAT policy here. If you use standard ESP
> for the VPN traffic, you'll need one global IP address per VPN client and
> will need to set up a static for each VPN client. You need to open up the
> return traffic path through the PIX as well (similar to icmp where you need
> to allow echo-replies back in). E.g. access-list OUTSIDE permit esp host
> FIREWALL host VPN_CLIENT.
>
> If you use Checkpoint UDP Encapsulation, you can then use hide NAT OK much
> like a standard TCP/UDP connection. UDP encapsulation is supported on
> Checkpoint 2000 SP2 or higher. I recommend running Checkpoint SecuRemote
> 2000 SP4 or higher as this has a GUI interface for forcing UDP encapsulation
> on the client. (Checkpoint can autodetect to use UDP encapsulation, but
> only if it detects the client port of the UDP ISAKMP exchange is not 500 -
> i.e. NAT has occurred - this is OK if multiple clients are hitting the same
> firewall from behind the NAT device, but if only one client is hitting the
> firewall, the PIX does not change the client port).
>
> If you apply ACLs on your inside interface you need to allow the following:
>
> 1. FW1 Topology service (TCP Port 256 from memory)
> 2. FW1 VPN Client Authentication service (TCP Port 259)
> 3. ISAKMP (UDP port 500)
> 4. ESP (IP Protocol 50) if using ESP
> 5. Checkpoint UDP Encapsulation service (UDP Port 3xxx - can't remember) if
> using UDP Encapsulation
>
> Regards
> Justin Menga CCIE #6640
> Network Solutions Architect
> Wireless & E-Infrastructure
> Compaq Computer New Zealand
> DDI: +64-9-918-9381 Mobile: +64-21-349-599
> mailto: justin.menga@compaq.com
> web: http://www.compaq.co.nz
>
>
>
> -----Original Message-----
> From: michale_lee50@hotmail.com [mailto:michael_lee50@hotmail.com]
> Sent: Thursday, 4 October 2001 3:51 p.m.
> To: ccielab@groupstudy.com
> Subject: little off topic PIX question
>
>
> Hi Group,
> Can I initiate a IPsec remote VPN client session from inside the PIX
> firewall? Example, I have a checkpoint VPN client inside my network that
> wants to connect to a firewall external to my PIX.
>
> Thanks,
> Mr. Lee
> **Please read:http://www.groupstudy.com/list/posting.html
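Added illustration, not from the thread: Justin's advice written out as PIX 6.x configuration for both the ESP and the UDP-encapsulation case. All addresses and ACL names are made up, and the Checkpoint UDP encapsulation port is left as a placeholder because the thread does not give it.

```text
! Added example, not from the original thread. Placeholders (constructed):
!   10.1.1.50       inside Checkpoint VPN client
!   203.0.113.50    global address reserved for that client (ESP case only)
!   198.51.100.1    remote Checkpoint firewall the client wants to reach
!   UDP_ENCAP_PORT  Checkpoint UDP encapsulation port (not named in the thread)
!
! --- Case 1: standard ESP. Hide NAT cannot carry ESP, so each client
! --- needs its own global address and a one-to-one static.
static (inside,outside) 203.0.113.50 10.1.1.50 netmask 255.255.255.255
!
! Return path for ESP from the remote firewall. On PIX 6.x an ACL applied
! to the outside interface matches the translated (global) address, so the
! destination is the static's global IP, not the inside address.
access-list OUTSIDE permit esp host 198.51.100.1 host 203.0.113.50
access-group OUTSIDE in interface outside
!
! --- Case 2: Checkpoint UDP encapsulation. Ordinary hide NAT (PAT on the
! --- outside interface) is enough, like any other UDP connection.
! Note: with a single client behind PAT the PIX keeps the ISAKMP source
! port at 500, so the client must be forced to UDP encapsulation rather
! than relying on Checkpoint's autodetection.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! --- Inside interface ACL: the five services listed in the reply.
access-list INSIDE permit tcp host 10.1.1.50 host 198.51.100.1 eq 256
access-list INSIDE permit tcp host 10.1.1.50 host 198.51.100.1 eq 259
access-list INSIDE permit udp host 10.1.1.50 host 198.51.100.1 eq 500
access-list INSIDE permit esp host 10.1.1.50 host 198.51.100.1
access-list INSIDE permit udp host 10.1.1.50 host 198.51.100.1 eq UDP_ENCAP_PORT
access-group INSIDE in interface inside
```

Only one of the two NAT cases applies to a given client; if both the static and the hide NAT are configured, the static wins for 10.1.1.50.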
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:12 GMT-3