Cisco VPN client behind FW/1

Guest
Archived from groups: comp.security.firewalls

I have a guy in China, and they have Firewall-1. He needs to access the UK
and normally he uses the Cisco VPN client, and connects to the PIX here. It
works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
client cannot 'see' the PIX and times out. They are using NAT on the
firewall, but I have had it working fine through NAT before.

There seems to be an option on the client for using TCP, rather than UDP,
but I cannot find anything for the PIX, only the VPN Concentrator.

Any help gratefully received. Thanks.

Reg

Guest

BlankReg wrote:
> I have a guy in China, and they have Firewall-1. He needs to access the UK
> and normally he uses the Cisco VPN client, and connects to the PIX here. It
> works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
> has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
> client cannot 'see' the PIX and times out. They are using NAT on the
> firewall, but I have had it working fine through NAT before.
>
> There seems to be an option on the client for using TCP, rather than UDP,
> but I cannot find anything for the PIX, only the VPN Concentrator.

AFAIK from here, the fw-1 has to permit outgoing dport udp/10000
as well as answer packets from udp/10000.

Guest

Jens Hektor <hektor@rz.rwth-aachen.de> wrote in
news:c60hhh$6fb8p$1@ID-231202.news.uni-berlin.de:

> BlankReg wrote:
>> I have a guy in China, and they have Firewall-1. He needs to access the
>> UK and normally he uses the Cisco VPN client, and connects to the PIX
>> here. It works fine if he dials an ISP, but not from the LAN. The
>> Firewall-1 manager has allowed AH, ESP and IKE (UDP 500) through in
>> both directions, but the client cannot 'see' the PIX and times out. They
>> are using NAT on the firewall, but I have had it working fine through
>> NAT before.
>>
>> There seems to be an option on the client for using TCP, rather than
>> UDP, but I cannot find anything for the PIX, only the VPN Concentrator.
>
> AFAIK from here, the fw-1 has to permit outgoing dport udp/10000
> as well as answer packets from udp/10000.

Check to see that you are not using any ah- in your transform sets on the
UK firewall. AH has issues when working thru NAT.
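Added worked example (my own code, not from the thread and not Cisco or Check Point syntax) that turns the two points above, Jens's udp/10000 flow and ScriptBoy's AH-behind-NAT warning, into a small rulebase audit you can run against a rule list before sending someone back to the Firewall-1 admin. The four-field rule syntax, the two sample rulebases and the mode names are constructed for this example; UDP 10000 is the Cisco client's default "IPSec over UDP" port mentioned in the thread, UDP 4500 is the standard NAT-T port, and the firewall is assumed to be stateful so a permitted outbound flow also admits its answer packets.

```python
"""Audit a simplified stateful firewall rulebase for the flows an IPsec
remote-access client needs to reach its gateway from behind NAT.

Rule syntax (constructed for this example, not Check Point or Cisco syntax):

    <out|in> <udp|esp|ah> <dport|any> <accept|drop>

Rules are evaluated first-match with an implicit final drop (a "cleanup"
rule).  The firewall is assumed stateful, so a permitted outbound flow also
admits its reply packets.
"""

# Client-side flows each tunnelling mode must be able to send.  A port of
# None means the flow is not UDP at all (ESP and AH ride directly on IP).
REQUIRED_FLOWS = {
    "native":    [("out", "udp", 500), ("out", "esp", None)],
    "udp-encap": [("out", "udp", 500), ("out", "udp", 10000)],  # Cisco "IPSec over UDP" default
    "nat-t":     [("out", "udp", 500), ("out", "udp", 4500)],   # standard NAT-T port
}


def parse_rulebase(text):
    """Turn the text rulebase into a list of dicts, rejecting malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"rule line {lineno}: expected 4 fields, got {line!r}")
        direction, proto, port, action = (f.lower() for f in fields)
        if (direction not in ("out", "in") or proto not in ("udp", "esp", "ah")
                or action not in ("accept", "drop")):
            raise ValueError(f"rule line {lineno}: unrecognised field in {line!r}")
        rules.append({"dir": direction, "proto": proto,
                      "dport": "any" if port == "any" else int(port),
                      "action": action})
    return rules


def rulebase_is_valid(text):
    """True if every line parses; lets a caller reject typos before auditing."""
    try:
        parse_rulebase(text)
        return True
    except ValueError:
        return False


def permitted(rules, direction, proto, dport):
    """First-match evaluation; falling off the end is the implicit drop."""
    for r in rules:
        if r["dir"] == direction and r["proto"] == proto and r["dport"] in ("any", dport):
            return r["action"] == "accept"
    return False


def audit(rulebase_text, mode, behind_nat, uses_ah=False):
    """Return a list of findings; an empty list means the rulebase looks sufficient."""
    rules = parse_rulebase(rulebase_text)
    findings = []
    for direction, proto, port in REQUIRED_FLOWS[mode]:
        if not permitted(rules, direction, proto, port):
            findings.append(f"missing: {direction} {proto}" + (f"/{port}" if port else ""))
    if mode == "native" and behind_nat:
        findings.append("warning: bare ESP through NAT needs the NAT device to track "
                        "ESP SPIs; UDP encapsulation (udp-encap or nat-t) is more reliable")
    if uses_ah:
        if behind_nat:
            # AH's integrity check covers the outer IP header, so a NAT that
            # rewrites the source address invalidates every packet.
            findings.append("error: AH authenticates the outer IP header; a NAT rewriting "
                            "the source address breaks it")
        elif not permitted(rules, "out", "ah", None):
            findings.append("missing: out ah")
    return findings


# Constructed rulebase mirroring what the thread says was opened: IKE, ESP
# and AH in both directions, but nothing for the client's UDP encapsulation port.
RULEBASE_AS_POSTED = """
out udp 500 accept   # IKE
in  udp 500 accept
out esp any accept
in  esp any accept
out ah  any accept
in  ah  any accept
"""

# The same rulebase with the flow Jens pointed at added.
RULEBASE_FIXED = RULEBASE_AS_POSTED + "out udp 10000 accept  # Cisco IPSec over UDP\n"


def findings_as_posted():
    return audit(RULEBASE_AS_POSTED, "udp-encap", behind_nat=True)


def findings_after_fix():
    return audit(RULEBASE_FIXED, "udp-encap", behind_nat=True)


if __name__ == "__main__":
    for label, found in (("as posted", findings_as_posted()), ("after fix", findings_after_fix())):
        print(label, "->", found or ["ok"])
```

Run it as-is and the "as posted" rulebase reports only the missing outbound udp/10000 flow; the same rulebase audited in "native" mode with `uses_ah=True` and `behind_nat=True` adds the AH error, which is the situation ScriptBoy is warning about even when the port itself is open.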

Guest

Thanks Jens & ScriptBoy

I tried opening all ports, but still no luck. The transform set does not use
AH (I allowed the port through just for completeness) so although this may
have been the problem, in this case it is not the cause.

The client works fine behind other firewalls, but not FW-1 for some reason.
There must be something in the FW-1 config that is stopping this, or
intercepting the VPN traffic.

Any more ideas?

Thanks,

Reg


> > AFAIK from here, the fw-1 has to permit outgoing dport udp/10000
> > as well as answer packets from udp/10000.
>
> Check to see that you are not using any ah- in your transform sets on the
> UK firewall. AH has issues when working thru NAT.

unkn2232324
Apr 9, 2004

Check the Cisco Client setup. There is a setting for "transparent" that we
had to set for the same situation, running through a Checkpoint FW1 NAT. I
am not the Cisco VPN guy, I just remember we had to make this adjustment in
some way. Sorry I can't be more help.

"BlankReg" <me@here.now> wrote in message
news:c60crv$ko3$1@news.freedom2surf.net...
> I have a guy in China, and they have Firewall-1. He needs to access the UK
> and normally he uses the Cisco VPN client, and connects to the PIX here. It
> works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
> has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
> client cannot 'see' the PIX and times out. They are using NAT on the
> firewall, but I have had it working fine through NAT before.
>
> There seems to be an option on the client for using TCP, rather than UDP,
> but I cannot find anything for the PIX, only the VPN Concentrator.
>
> Any help gratefully received. Thanks.
>
> Reg

Guest

In article <mFNhc.4648$eZ5.4076@newsread1.news.pas.earthlink.net>,
none@none.com says...
> Check the Cisco Client setup. There is a setting for "transparent" that we
> had to set for the same situation, running through a Checkpoint FW1 NAT. I
> am not the Cisco VPN guy, I just remember we had to make this adjustment in
> some way. Sorry I can't be more help.
>
> "BlankReg" <me@here.now> wrote in message
> news:c60crv$ko3$1@news.freedom2surf.net...
> > I have a guy in China, and they have Firewall-1. He needs to access the UK
> > and normally he uses the Cisco VPN client, and connects to the PIX here. It
> > works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
> > has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
> > client cannot 'see' the PIX and times out. They are using NAT on the
> > firewall, but I have had it working fine through NAT before.
> >
> > There seems to be an option on the client for using TCP, rather than UDP,
> > but I cannot find anything for the PIX, only the VPN Concentrator.
> >
> > Any help gratefully received. Thanks.

I had a similar problem when I tried to use a Windows 2000 VPN through a
Nokia CheckPoint NG AI Firewall. Even with a "any accept" rule the VPN
didn't work. The only solution I found was to use an ISA server firewall
which appears transparent to a Windows 2000 VPN.

--
ICQ# 114297372

Guest

Thanks also to G and Paul - I am getting the guy to try these and will
advise if we get a result.
I think the default for the client is transparent, but I will get him to
check.
The FW-1 has got to stay, so it either works, or the guy over there runs up
a big phone bill.

Regards,

Reg

"Paul Atreides" <ardennes@free.fr> wrote in message
news:MPG.1af2e36ba002fda7989757@news.free.fr...
> In article <mFNhc.4648$eZ5.4076@newsread1.news.pas.earthlink.net>,
> none@none.com says...
> > Check the Cisco Client setup. There is a setting for "transparent" that we
> > had to set for the same situation, running through a Checkpoint FW1 NAT. I
> > am not the Cisco VPN guy, I just remember we had to make this adjustment in
> > some way. Sorry I can't be more help.
> >
> > "BlankReg" <me@here.now> wrote in message
> > news:c60crv$ko3$1@news.freedom2surf.net...
> > > I have a guy in China, and they have Firewall-1. He needs to access the UK
> > > and normally he uses the Cisco VPN client, and connects to the PIX here. It
> > > works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
> > > has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
> > > client cannot 'see' the PIX and times out. They are using NAT on the
> > > firewall, but I have had it working fine through NAT before.
> > >
> > > There seems to be an option on the client for using TCP, rather than UDP,
> > > but I cannot find anything for the PIX, only the VPN Concentrator.
> > >
> > > Any help gratefully received. Thanks.
>
> I had a similar problem when I tried to use a Windows 2000 VPN through a
> Nokia CheckPoint NG AI Firewall. Even with a "any accept" rule the VPN
> didn't work. The only solution I found was to use an ISA server firewall
> which appears transparent to a Windows 2000 VPN.
>
> --
> ICQ# 114297372