Re: PAT IPSec-FW Issue

From: אשד אלוני <eshedalonie_at_gmail.com>
Date: Thu, 4 Jun 2009 18:57:24 +0300

I do control the Checkpoint FW.

After investigating in Wireshark I saw that the client also requested TCP 264 for
downloading the Checkpoint topology.

After this I've succeeded in creating the site, but I am not able to fully
connect. I will try to solve this.

I also found a couple more specific ports I need to PAT for SecuRemote /
client by looking at these sites:
 http://www.fw-1.de/aerasec/ngx/ports-ngx.html
http://www.tomshardware.co.uk/forum/page-13069_17_0.html

One more question: is there a way to do NAT/PAT for IP protocol numbers,
like ESP (IP protocol 50), for other protocols?

ip nat inside source static esp 192.168.1.1 80.1.1.1

For example, IPSec AH (IP protocol 51)?

On 6/4/09, Ryan West <rwest_at_zyedge.com> wrote:

> To answer your original question: yes, I have configured this in the past
> and it works. Since you do not control the CP (I assume), can you ask the
> remote party to send you traffic? You will gather much more useful
> information on the receiving end of the tunnel. If you run "debug cry isa
> 2" on your firewall, do you see any debug output?
>
>
>
> The ESP and IKE traffic should be your only requirements to establish the
> tunnel. If you're having trouble passing traffic after phase 2, then you
> might need to take a look at a few other things.
>
>
>
> -ryan
>
>
> ------------------------------
>
> *From:* אשד אלוני [mailto:eshedalonie_at_gmail.com]
> *Sent:* Thursday, June 04, 2009 3:27 AM
> *To:* Ryan West
> *Cc:* Cisco certification
> *Subject:* Re: PAT IPSec-FW Issue
>
>
>
> My mistake on the topology:
>
>
>
> FW(192.168.1.1)----->(192.168.1.2)Router(80.1.1.1)
>
> 2009/6/3 Ryan West <rwest_at_zyedge.com>
>
> Hello,
>
> I'm not sure if I follow your scenario. Are you trying to establish phase 1
> using the public address of 80.1.1.1 to an internal router at 192.168.1.1?
> Forwarding ISAKMP and ESP to the internal host should work; are you sure you
> aren't listening for IKE packets on the R2 external interface?
>
> -ryan
>
>
> -----Original Message-----
> Subject: PAT IPSec-FW Issue
>
> I have tried today to make PAT IPSec to a Checkpoint FW, but without
> success.
>
> R1(192.168.1.1) ----->(192.168.1.2) R2 (80.1.1.1)
>
> ip nat inside source static tcp 192.168.1.1 500 80.1.1.1 500
> ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
> ip nat inside source static udp 192.168.1.1 4500 80.1.1.1 4500
> ip nat inside source static esp 192.168.1.1 80.1.1.1
>
> Has anyone ever tried to configure this, even without a Checkpoint FW?
> It could be an ASA or any other FW vendor.
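
Editor's note, added to this archived thread and not part of any of the posts above: the following is a worked IOS configuration for the scenario in the thread (Checkpoint FW at 192.168.1.1 behind R2, whose outside address is 80.1.1.1), showing the static translations for IKE, NAT-T, ESP and the Checkpoint topology port the poster found in his capture. The interface names (FastEthernet0/0 inside, FastEthernet0/1 outside) and the /24 masks are assumptions; the addresses are the thread's. It differs from the posted commands in two places: ESP has no ports, so IOS takes the `esp local-ip interface type number` form rather than a global IP, and there is nothing to forward on TCP 500, since ISAKMP runs over UDP.

```cisco
! Added example (editor's, not from the thread): PAT of IPsec into the
! Checkpoint FW behind R2.
! Assumptions: R2 inside interface FastEthernet0/0 (192.168.1.2),
! outside interface FastEthernet0/1 (80.1.1.1); the FW is 192.168.1.1.
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 80.1.1.1 255.255.255.0
 ip nat outside
!
! IKE (ISAKMP) and NAT-T both run over UDP; there is no TCP 500 to forward.
ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static udp 192.168.1.1 4500 80.1.1.1 4500
!
! ESP (IP protocol 50) has no ports, so the static entry is keyed on the
! outside interface and only one inside host can own it. It is only used
! when the peers do not negotiate NAT-T; with NAT-T the ESP travels inside
! UDP 4500 and the line above already covers it.
ip nat inside source static esp 192.168.1.1 interface FastEthernet0/1
!
! Checkpoint topology download for SecuRemote / SecureClient (TCP 264),
! the extra port seen in the capture mentioned in the thread.
ip nat inside source static tcp 192.168.1.1 264 80.1.1.1 264
!
! Verification on R2 once a client connects:
!   show ip nat translations   - expect the udp 500 / 4500 (and esp) entries
!   debug ip nat               - watch each translation as it is created
```

On the AH question raised at the top of the thread: IOS has no `static ah` form, and adding one would not help, because the AH integrity check value covers the outer IP header's source and destination addresses, so any address translation invalidates the packet at the receiver. ESP can be translated precisely because its authentication covers only the ESP payload, and NAT-T (UDP 4500) exists to give ESP ports that a PAT device can track.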

Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 04 2009 - 18:57:24 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART