
CheckPoint FW-1 through Pix


OK, here is the situation. A local American company moves to my location, and the parent company is in Germany. Each company has its own IT staff.

Since a lot of the people at this new location are new to the company as well, the parent company constantly sends its people over from Germany to work in the local American office.

Problem:

Germany has CheckPoint FW-1 as their VPN server.

We have a Cisco PIX 501 (IOS 6.3(4)).

This is where it gets tricky.

When they connect to the VPN, the connection is established, they authenticate, and FW-1 shows a connected status.

HOWEVER

They cannot see or talk to any host on their network. They have NO access to their file shares or Exchange e-mail. So even though it says they are connected, they still have no access.

Sounds like a problem on their side, right?......

Wrong.

When they go to the hotel at the end of the day, they log on from their rooms, do the same thing, and have full access to Exchange e-mail, their drives map, and they have network access.

All computers are a mix of W2k / XP Pro / XP Pro Tablet.

Since this works in their hotel with no problem, this tells me this is a problem on my site with my firewall. If I set up a static one-to-one NAT translation (I have plenty of external IPs to do this), I have no problem; however, these guys seem to come and go faster than I am even out there. It would almost be a full-time job rewriting the PIX config.

I am pretty familiar with the Cisco PIX, however I have NO experience with CheckPoint FW-1.

Finally, after all this time... here is your question:

What do I have to configure in my PIX to allow these VPN connections to act like they do when they are at their hotels?

*phew* that was a long one :D

Edited by chilifrei64


Yeah... here it is. This is a pretty simple config, so there isn't much to fish through.

Items in bold are what I have tried that have failed.

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname XXXXX
domain-name XXXXXX.local
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any interface outside eq smtp
access-list 100 permit tcp any interface outside eq www
access-list 100 permit tcp any interface outside eq 3389
access-list 100 permit ip any host x.x.x.x
access-list 100 permit ip any host x.x.x.x
pager lines 24
logging on
logging trap warnings
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
ip address outside x.x.190.250 255.255.255.192
ip address inside x.x.0.250 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www x.x.0.1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp x.x.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 x.x.0.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) x.x.190.248 x.x.9.1 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.190.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:6f4490e1c6670166e4eada7a02ce83ee
: end

Edited by chilifrei64

Have you tried an ACL like:

access-list 100 permit ip 192.168.U.S 255.255.255.0 192.168.D.E 255.255.255.0

I'm having similar issues with a guy from Dell in one of my branch offices behind a 506.

The other option is to use the established command, but that can be a VERY large security risk.


The problem with their VPN, at least as far as I can figure, is that this CheckPoint uses UDP encapsulation and NAT traversal. It doesn't give the remote client an IP address; it just sends the encapsulated packets to the VPN gateway address.

If this doesn't make sense, let me explain it this way:

MS VPN -> you connect and you get something like a RAS connection virtual adapter installed, and you get an IP address assigned to it.

CheckPoint -> not so lucky. It appears to just encapsulate and encrypt, and sends the packet to the public side of the VPN server.

So when it sends it back, my firewall is blocking (as it should) these return packets, because I don't know what they are coming back on.


Well, I just viewed my syslogd events and sure enough it is doing port address translation. Which brings me to another point...

IPSec and NAT/PAT have long-standing issues and are highly incompatible.

After doing some reading on the Cisco website, I have decided to add these commands:

isakmp enable outside

isakmp nat-traversal 20

In doing this, the PIX told me I had to remove my

fixup protocol esp

statement.

I also removed my

sysopt connection permit-ipsec

as further reading on the command tells me that it is used for terminating IPSec traffic at the PIX and not for passing it through. It was a shot in the dark anyway...

I'll keep you posted with the results.

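An added example, not from the original post and not Cisco's own code: a small Python checker that reads PIX 6.3-style syslog lines of the kind the post above refers to and reports the two things worth looking for when IPSec clients sit behind PAT: IKE (UDP/500) having its source port rewritten by the "global (outside) 1 interface" PAT, and ESP (IP protocol 50) or NAT-T (UDP/4500) return traffic being denied by the outside access-group. The sample log lines, the addresses and the exact message layout are constructed for the example and approximate the PIX 305011 and 106023 message formats; compare them against your own syslog output before relying on the regexes.

```python
import re

# Constructed sample lines in the style of PIX 6.3 syslog (not taken from the
# original post). Inside host 10.10.0.57 tries to bring up an IPSec tunnel to
# the remote gateway 203.0.113.10 through a PIX whose outside address is
# 198.51.100.250 and whose "global (outside) 1 interface" PATs everything.
SAMPLE_LOG = """\
%PIX-6-305011: Built dynamic UDP translation from inside:10.10.0.57/500 to outside:198.51.100.250/1041
%PIX-6-302015: Built outbound UDP connection 712 for outside:203.0.113.10/500 (203.0.113.10/500) to inside:10.10.0.57/500 (198.51.100.250/1041)
%PIX-6-305011: Built dynamic UDP translation from inside:10.10.0.57/4500 to outside:198.51.100.250/1042
%PIX-4-106023: Deny protocol 50 src outside:203.0.113.10 dst outside:198.51.100.250 by access-group "100"
%PIX-4-106023: Deny udp src outside:203.0.113.10/4500 dst outside:198.51.100.250/4500 by access-group "100"
"""

# 305011: Built dynamic <TCP|UDP> translation from <if>:<real>/<port> to <if>:<mapped>/<port>
TRANSLATION_RE = re.compile(
    r"%PIX-6-305011: Built dynamic (?P<proto>TCP|UDP) translation from "
    r"(?P<rif>\w+):(?P<rip>[\d.]+)/(?P<rport>\d+) to "
    r"(?P<mif>\w+):(?P<mip>[\d.]+)/(?P<mport>\d+)"
)
# 106023: Deny <proto> src <if>:<ip>[/port] dst <if>:<ip>[/port] by access-group "<acl>"
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>protocol \d+|\w+) src "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? dst "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))? by access-group"
)

IKE_PORT, NATT_PORT, ESP_PROTO = "500", "4500", "protocol 50"


def analyze(log_text):
    """Return the PAT/IPSec symptoms found in a block of PIX syslog text."""
    findings = {
        # (inside host, mapped port): IKE left the PIX on a port other than 500
        "ike_port_rewritten": [],
        # remote peer whose ESP (IP protocol 50) was dropped by the outside ACL
        "esp_denied": [],
        # remote peer whose NAT-T UDP/4500 packets were dropped by the outside ACL
        "natt_denied": [],
    }
    for line in log_text.splitlines():
        m = TRANSLATION_RE.search(line)
        if m:
            if m["proto"] == "UDP" and m["rport"] == IKE_PORT and m["mport"] != IKE_PORT:
                findings["ike_port_rewritten"].append((m["rip"], int(m["mport"])))
            continue
        d = DENY_RE.search(line)
        if not d:
            continue
        proto = d["proto"].lower()
        if proto in (ESP_PROTO, "esp"):
            findings["esp_denied"].append(d["sip"])
        elif proto == "udp" and d["dport"] == NATT_PORT:
            findings["natt_denied"].append(d["sip"])
    return findings


def verdict(findings):
    """Turn the findings into the short list of things to look at on the PIX side."""
    notes = []
    if findings["ike_port_rewritten"]:
        notes.append("IKE source port is being PATed; the peer must support NAT-T "
                     "(or the client needs a one-to-one static) for phase 1 to survive.")
    if findings["esp_denied"]:
        notes.append("ESP return traffic is hitting the outside ACL; without a "
                     "matching xlate or fixup the PIX has no state to map it back.")
    if findings["natt_denied"]:
        notes.append("UDP/4500 from the peer is being denied; the peer is sending "
                     "to the well-known NAT-T port rather than the PATed port.")
    return notes or ["no PAT/IPSec symptoms found in this log excerpt"]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    for note in verdict(result):
        print("-", note)
```

Run it against a `logging trap informational` capture rather than the `warnings` level in the config above, since the 305011 and 302015 build messages are informational and will not appear at warnings level. On PIX 6.3 the `fixup protocol esp-ike` line already present in the config is what lets ESP through interface PAT, but it supports only a single ESP tunnel at a time, which matters when several visiting laptops start VPN sessions at once, and it is mutually exclusive with `isakmp enable`, which is why the PIX asked for it to be removed.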

If I set up a static one-to-one NAT translation (I have plenty of external IPs to do this), I have no problem; however, these guys seem to come and go faster than I am even out there. It would almost be a full-time job rewriting the PIX config.

Any chance of setting a tunnel up between the PIX and FW-1?


Any chance of setting a tunnel up between the PIX and FW-1?

I tried to run that route. Since the people are only temporary, they don't want to do this, which I understand. I mean... would you want a site-to-site VPN with a network you know nothing about?

I will be out at this location tomorrow, so I will test the settings I mentioned the other day (my syslog service stopped responding today, so I have no feedback).

I'll let you know what the status is.


2 weeks later...

In case anybody is interested, I found out my problem...

I didn't have one. The German company had an old rule in their firewall that was never removed, which blocks a specific IP subnet. It just so happens that I run the same subnet.

I removed the options I configured in my PIX and it still works fine.
