Re: little off topic PIX question

From: michale_lee50@xxxxxxxxxxx
Date: Tue Oct 09 2001 - 12:26:07 GMT-3


This worked just fine with a static address and the UDP encap with sp4. Did
not have to open anything extra in the PIX

Thanks, again

----- Original Message -----
From: "michale_lee50@hotmail.com" <michael_lee50@hotmail.com>
To: "Menga, Justin" <Justin.Menga@Compaq.com>; <ccielab@groupstudy.com>
Sent: Thursday, October 04, 2001 1:03 AM
Subject: Re: little off topic PIX question

> WOW, thanks, I really did not expect to get a lovely response like this.
> I'll give it a shot in the morning and let you know how it works out. Now
> I think I can get some rest, this looks really nice.
>
> Mr.Lee
>
> ----- Original Message -----
> From: "Menga, Justin" <Justin.Menga@Compaq.com>
> To: "'michale_lee50@hotmail.com'" <michael_lee50@hotmail.com>;
> <ccielab@groupstudy.com>
> Sent: Thursday, October 04, 2001 12:46 AM
> Subject: RE: little off topic PIX question
>
>
> > Hi,
> >
> > You need to be careful with your NAT policy here. If you use standard
> > ESP for the VPN traffic, you'll need one global IP address per VPN client
> > and will need to set up a static for each VPN client. You need to open up
> > the return traffic path through the PIX as well (similar to icmp where you
> > need to allow echo-replies back in). E.g. access-list OUTSIDE permit esp
> > host FIREWALL host VPN_CLIENT.
> >
> > If you use Checkpoint UDP Encapsulation, you can then use hide NAT OK
> > much like a standard TCP/UDP connection. UDP encapsulation is supported on
> > Checkpoint 2000 SP2 or higher. I recommend running Checkpoint SecuRemote
> > 2000 SP4 or higher as this has a GUI interface for forcing UDP
> > encapsulation on the client. (Checkpoint can autodetect to use UDP
> > encapsulation, but only if it detects the client port of the UDP ISAKMP
> > exchange is not 500 - i.e. NAT has occurred - this is OK if multiple
> > clients are hitting the same firewall from behind the NAT device, but if
> > only one client is hitting the firewall, the PIX does not change the
> > client port).
> >
> > If you apply ACLs on your inside interface you need to allow the
> > following:
> >
> > 1. FW1 Topology service (TCP Port 256 from memory)
> > 2. FW1 VPN Client Authentication service (TCP Port 259)
> > 3. ISAKMP (UDP port 500)
> > 4. ESP (IP Protocol 50) if using ESP
> > 5. Checkpoint UDP Encapsulation service (UDP Port 3xxx - can't remember)
> > if using UDP Encapsulation
> >
> > Regards
> > Justin Menga CCIE #6640
> > Network Solutions Architect
> > Wireless & E-Infrastructure
> > Compaq Computer New Zealand
> > DDI: +64-9-918-9381 Mobile: +64-21-349-599
> > mailto: justin.menga@compaq.com
> > web: http://www.compaq.co.nz
> >
> >
> >
> > -----Original Message-----
> > From: michale_lee50@hotmail.com [mailto:michael_lee50@hotmail.com]
> > Sent: Thursday, 4 October 2001 3:51 p.m.
> > To: ccielab@groupstudy.com
> > Subject: little off topic PIX question
> >
> >
> > Hi Group,
> > Can I initiate a IPsec remote VPN client session from inside the PIX
> > firewall? Example, I have a checkpoint VPN client inside my network that
> > wants to connect to a firewall external to my PIX.
> >
> > Thanks,
> > Mr. Lee
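As an added illustration (not configuration posted by anyone in this thread), the PIX 6.x statements that Justin's advice implies for one inside Checkpoint client, with the ESP and UDP-encapsulation cases side by side. All addresses are constructed placeholders, the ACL names INSIDE/OUTSIDE are assumed, the UDP encapsulation port is left as the placeholder UDP_ENCAP_PORT because the message does not give it, and lines beginning with `!` are annotations rather than configuration.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   inside Checkpoint VPN client   10.1.1.50
!   external Checkpoint firewall   203.0.113.10
!   PIX outside address space      198.51.100.0/24

! --- Inside-interface ACL: the five services listed in the reply ---
access-list INSIDE permit tcp host 10.1.1.50 host 203.0.113.10 eq 256
access-list INSIDE permit tcp host 10.1.1.50 host 203.0.113.10 eq 259
access-list INSIDE permit udp host 10.1.1.50 host 203.0.113.10 eq 500
access-list INSIDE permit esp host 10.1.1.50 host 203.0.113.10
! UDP_ENCAP_PORT is a placeholder: substitute the port your Checkpoint
! release uses for its UDP encapsulation service.
access-list INSIDE permit udp host 10.1.1.50 host 203.0.113.10 eq UDP_ENCAP_PORT
access-group INSIDE in interface inside

! --- Option A: plain ESP. One static (global IP) per VPN client ---
static (inside,outside) 198.51.100.50 10.1.1.50 netmask 255.255.255.255
! ESP carries no ports, so the PIX cannot open a return path on its own;
! the reply traffic is permitted explicitly, addressed to the client's
! global (translated) address, as with echo-replies for icmp.
access-list OUTSIDE permit esp host 203.0.113.10 host 198.51.100.50
access-group OUTSIDE in interface outside

! --- Option B: Checkpoint UDP encapsulation. Ordinary hide (PAT) NAT ---
! Use this instead of the static above; no OUTSIDE entry is needed because
! the tunnel is UDP and the PIX tracks the return path like any connection.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 198.51.100.1
! Per the reply, a lone client behind the PIX keeps source port 500, so
! autodetect will not trigger: force UDP encapsulation on the client.
```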



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:16 GMT-3