RE: PAT IPSec-FW Issue

From: Ryan West <rwest_at_zyedge.com>
Date: Thu, 4 Jun 2009 12:45:39 -0400

You might want to check out doing a 1:1 NAT with a route-map, assuming that you'll still be in the scenario below with only a single address shared between the router and FW. To save yourself the headache, if you have another address available, use that for a 1:1 with the FW.

-ryan
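As an added example (not part of the thread, and not config posted by either participant), the two options discussed above written out as IOS NAT configuration on R2. Interface names, the subnet mask, the second public address 80.1.1.2, and the ACL/route-map names are assumptions. Option A keeps the single shared address and uses per-port static PAT: IKE is UDP 500 (a tcp 500 entry is not needed), NAT-T is UDP 4500, and the `esp` keyword of `ip nat inside source static` takes an outside interface rather than a global address per the IOS command reference. TCP 264 is the Checkpoint topology-download port found in Wireshark above; any further SecureRemote/SecureClient ports from the linked lists are added the same way. Option B is Ryan's 1:1 static NAT on a spare address, which forwards every IP protocol number to the FW, including ESP (50) and AH (51), without per-protocol entries. There is no `ah` keyword in IOS static NAT, and AH cannot cross any NAT by design: its integrity check covers the outer source and destination addresses, so translating them breaks the check on the far side. Use one option or the other, not both.

```cisco
! R2 - assumed interfaces: FastEthernet0/0 inside (192.168.1.2),
! FastEthernet0/1 outside (80.1.1.1, assumed /29)
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 80.1.1.1 255.255.255.248
 ip nat outside
!
! ---- Option A: one shared public address, per-port static PAT to the FW ----
! IKE (ISAKMP) is UDP 500; the tcp 500 entry from the original post is unnecessary
ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
! IKE and ESP encapsulated in UDP when NAT-T is negotiated
ip nat inside source static udp 192.168.1.1 4500 80.1.1.1 4500
! Raw ESP (IP protocol 50); the esp form names the outside interface, not a global IP
ip nat inside source static esp 192.168.1.1 interface FastEthernet0/1
! Checkpoint topology download seen in the Wireshark capture
ip nat inside source static tcp 192.168.1.1 264 80.1.1.1 264
! Add further SecureClient ports here as found in the referenced port lists
!
! ---- Option B: dedicated second public address (assumed 80.1.1.2), 1:1 static NAT ----
! Every protocol number (50, 51, TCP, UDP) reaches the FW; no per-port entries needed
! ip nat inside source static 192.168.1.1 80.1.1.2
!
! Dynamic PAT for the rest of the inside network, excluding the FW so its
! statics are not shadowed (ACL name assumed)
ip access-list extended NAT-INSIDE
 deny   ip host 192.168.1.1 any
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
!
! Verification while the remote peer initiates toward 80.1.1.1:
!   show ip nat translations | include 192.168.1.1
!   show ip nat statistics
!   debug ip nat detailed
! A udp 500 entry with a growing hit count but no esp entry points at the
! ESP static line or at NAT-T not being negotiated.
```

With Option A every outside host that reaches 80.1.1.1 on UDP 500 is translated to the FW, so the FW's own IKE peer filtering is the only control on who may start a negotiation; with Option B the same applies to every protocol, which is why the 1:1 address should be one the router does not otherwise use.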

From: WW)W WWWW W [mailto:eshedalonie_at_gmail.com]
Sent: Thursday, June 04, 2009 11:57 AM
To: Ryan West; Cisco certification
Subject: Re: PAT IPSec-FW Issue

I do control the Checkpoint FW.

After investigating in Wireshark I saw the client also requested TCP 264 to download the Checkpoint topology.

After this I've succeeded in creating the site, but I'm not able to fully connect. I will try to solve this.

I also found a couple more specific ports I need to PAT for SecureRemote / SecureClient by looking at these sites:
http://www.fw-1.de/aerasec/ngx/ports-ngx.html
http://www.tomshardware.co.uk/forum/page-13069_17_0.html

One more question: is there a way to do a NAT/PAT for IP protocol numbers, like ESP (IP protocol 50), for other protocols?

ip nat inside source static esp 192.168.1.1 80.1.1.1

For example, IPsec AH = IP protocol 51?

On 6/4/09, Ryan West <rwest_at_zyedge.com> wrote:

To answer your original question: yes, I have configured this in the past and it works. Since you do not control the CP (I assume), can you ask the remote party to send you traffic? You will gather much more useful information on the receiving end of the tunnel. If you run "debug cry isa 2" on your firewall, do you see any debug output?

The ESP and IKE traffic should be your only requirements to establish the tunnel. If you're having trouble passing traffic after phase 2, then you might need to take a look at a few other things.

-ryan

________________________________

From: WW)W WWWW W [mailto:eshedalonie_at_gmail.com]
Sent: Thursday, June 04, 2009 3:27 AM
To: Ryan West
Cc: Cisco certification
Subject: Re: PAT IPSec-FW Issue

My mistake on the topology:

FW(192.168.1.1)----->(192.168.1.2)Router(80.1.1.1)

2009/6/3 Ryan West <rwest_at_zyedge.com>

Hello,

I'm not sure if I follow your scenario. Are you trying to establish phase 1 using the public address of 80.1.1.1 to an internal router at 192.168.1.1? Forwarding ISAKMP and ESP to the internal host should work; are you sure you aren't listening for IKE packets on the R2 external interface?

-ryan

-----Original Message-----
Subject: PAT IPSec-FW Issue

I tried today to PAT IPsec to a Checkpoint FW, but without success.

R1(192.168.1.1) ----->(192.168.1.2) R2 (80.1.1.1)

ip nat inside source static tcp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static udp 192.168.1.1 500 80.1.1.1 500
ip nat inside source static udp 192.168.1.1 4500 80.1.1.1 4500
ip nat inside source static esp 192.168.1.1 80.1.1.1

Has anyone ever tried to configure this, even without a Checkpoint FW? It could be an ASA or any other FW vendor.

Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 04 2009 - 12:45:39 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART