chilifrei64 Posted August 20, 2005 (edited)

Ok here is the situation. Local American company moves to my location and parent company is in Germany. Each Company has their own IT Staff. Since a lot of the people at this new location are new to the company as well, the Parent company constantly sends over their people from Germany to work in the local American Office.

Problem:
Germany has CheckPoint FW-1 as their VPN Server
We have Cisco PIX 501 (IOS 6.3(4))

This is where it gets tricky. When they connect to the VPN, the connection is established, they authenticate and FW-1 shows a connected status. HOWEVER I cannot see or talk to any host on their network. They have NO access to their file shares or Exchange E-mail. So even though it says they are connected, they still have no access. Sounds like a problem on their side right?...... Wrong.

When they go to the hotel at the end of the day, they log on from their rooms and do the same thing and have full access to Exchange Email, their drives map and they have network access.

All computers are a mix of W2k/XP Pro/XP PRO Tablet.

Since this works in their hotel with no problem, this tells me this is a problem on my site with my firewall. If I setup a static translation one to one NAT (I have plenty of External IP's to do this) I have no problem, however, these guys seem to come and go faster than I am even out there. It would almost be a full time job re-writing the pix config. I am pretty familiar with Cisco Pix however I have NO experience with CheckPoint FW-1.

Finally, after all this time.. here is your question:
What do I have to configure in my PIX to allow these VPN connections to act like they do when they are at their hotels?

*pfew* that was a long one

Edited August 21, 2005 by chilifrei64
Porn Loader Posted August 21, 2005

can we look at your config?
chilifrei64 Posted August 21, 2005 (edited)

Yeah.. here it is.. this is a pretty simple config so there isn't much to fish through. Items in bold are what I have tried that have failed.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname XXXXX
domain-name XXXXXX.local
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any interface outside eq smtp
access-list 100 permit tcp any interface outside eq www
access-list 100 permit tcp any interface outside eq 3389
access-list 100 permit ip any host x.x.x.x
access-list 100 permit ip any host x.x.x.x
pager lines 24
logging on
logging trap warnings
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
ip address outside x.x.190.250 255.255.255.192
ip address inside x.x.0.250 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www x.x.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp x.x.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 x.x.0.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) x.x.190.248 x.x.9.1 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.190.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:6f4490e1c6670166e4eada7a02ce83ee
: end

Edited August 21, 2005 by chilifrei64
Porn Loader Posted August 23, 2005

have you tried an acl like:
access-list 100 permit ip 192.168.U.S 255.255.255.0 192.168.D.E 255.255.255.0

I'm having similar issues w/ a guy from dell in one of my branch offices behind a 506.

The other option is to use the established command but that can be a VERY large security risk.
chilifrei64 Posted August 23, 2005

The problem with their VPN, at least what I figure, is this: Checkpoint uses UDP encapsulation and NAT Traversal. It doesn't give the remote client an IP address, it just sends the encapsulated packets to the VPN Gateway address.

If this doesn't make sense.. lemme explain it this way..

MS VPN -> you connect and you get like a RAS connection virtual adapter installed, and you get an ip address assigned to it.

CheckPoint -> not so lucky.. it appears to just encapsulate and encrypt and sends the packet to the public side of the vpn server. So when it sends it back my firewall is blocking (as it should) these return packets because I don't know what it is coming back on.
chilifrei64 Posted August 23, 2005

Well I just viewed my syslogd events and sure enough it is having port address translation. Which brings me another point.. IPSec and NAT/PAT have long standing issues and are highly incompatible. After doing some reading on the cisco website I have decided to add these commands:

isakmp enable outside
isakmp nat-traversal 20

In doing this, the PIX told me I had to remove my:

fixup protocol esp

statement. I also removed my

sysopt connection permit-ipsec

as further reading on the command tells me that this command is used for terminating IPSec traffic at the PIX and not passing it through.. It was a shot in the dark anyways... I'll keep ya posted with the results
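An added diagnostic example, not code from the thread or from any of the posters: a small Python script that classifies each inside host's IPsec client traffic from PIX-style syslog translation and deny messages, separating a NAT-T client (UDP 500 plus UDP 4500 translations, which a PAT device handles like any other UDP flow) from a client whose raw ESP (IP protocol 50) return traffic is being dropped by the outside ACL, which is the symptom described above. The message ids, field layout and addresses in the sample lines are constructed assumptions, not copied from the poster's device.

```python
"""Classify IPsec clients behind a PAT firewall from PIX-style syslog lines."""
import re
from collections import defaultdict

# Constructed sample lines modelled on PIX 6.3 xlate/deny messages. The message
# ids, field layout and addresses are assumptions for this example only.
SAMPLE_LOG = """\
%PIX-6-305011: Built dynamic UDP translation from inside:10.9.0.51/500 to outside:198.51.100.250/1029
%PIX-6-305011: Built dynamic UDP translation from inside:10.9.0.51/4500 to outside:198.51.100.250/1030
%PIX-6-305011: Built dynamic UDP translation from inside:10.9.0.77/500 to outside:198.51.100.250/1031
%PIX-4-106023: Deny protocol 50 src outside:192.0.2.10 dst inside:10.9.0.77 by access-group "100"
"""

# Dynamic UDP PAT entry: capture the inside host and its original source port.
XLATE_RE = re.compile(
    r"Built dynamic UDP translation from inside:([\d.]+)/(\d+) to outside:[\d.]+/(\d+)"
)
# Inbound ESP (protocol 50) dropped by the outside ACL: capture the inside host.
ESP_DENY_RE = re.compile(r"Deny protocol 50 src outside:[\d.]+ dst inside:([\d.]+)")


def classify_ipsec_clients(log_text):
    """Return {inside_host: 'nat-t' | 'esp-denied' | 'ike-only'} for IKE-speaking hosts."""
    src_ports = defaultdict(set)   # inside host -> original UDP source ports seen
    esp_denied = set()             # inside hosts whose inbound ESP was dropped
    for line in log_text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            host, src_port, _translated_port = m.groups()
            src_ports[host].add(int(src_port))
            continue
        m = ESP_DENY_RE.search(line)
        if m:
            esp_denied.add(m.group(1))

    result = {}
    for host, ports in src_ports.items():
        if 4500 in ports:
            # IKE plus UDP-encapsulated ESP: both legs are plain UDP, so PAT works.
            result[host] = "nat-t"
        elif 500 in ports:
            # IKE alone negotiated; raw ESP has no ports for PAT to map and,
            # with no static or fixup for it, the return packets hit the ACL.
            result[host] = "esp-denied" if host in esp_denied else "ike-only"
    return result


if __name__ == "__main__":
    for host, state in sorted(classify_ipsec_clients(SAMPLE_LOG).items()):
        print(f"{host}: {state}")
```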
Porn Loader Posted August 24, 2005

> If I setup a static translation one to one NAT (I have plenty of External IP's to do this) I have no problem, however, these guys seem to come and go faster than I am even out there. It would almost be a full time job re-writing the pix config.

any chance of setting a tunnel up between the pix and fw-1?
chilifrei64 Posted August 25, 2005

> any chance of setting a tunnel up between the pix and fw-1?

I tried to run that route.. since the people are only temporary, they don't want to do this.. which I understand.. I mean... would you want a site to site vpn with a network you know nothing about..

I will be out at this location tomorrow so I will test the settings I mentioned the other day (as my syslog service stopped responding today so I have no feedback). I'll let you know what the status is.
chilifrei64 Posted September 2, 2005

In case anybody is interested.. I found out my problem.... I didn't have one.. The German company had a rule in their firewall that was old and never removed, which blocks a specific ip subnet.. it just so happens that I run the same subnet..

I removed the options I configured in my PIX and it still works fine.