Cisco VPN client behind FW/1

Archived from groups: comp.security.firewalls (More info?)

I have a guy in China, and they have Firewall-1. He needs to access the UK
and normally he uses the Cisco VPN client, and connects to the PIX here. It
works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
client cannot 'see' the PIX and times out. They are using NAT on the
firewall, but I have had it working fine through NAT before.

There seems to be an option on the client for using TCP, rather than UDP,
but I cannot find anything for the PIX, only the VPN Concentrator.

Any help gratefully received. Thanks.

Reg
  1.

    BlankReg wrote:
    > I have a guy in China, and they have Firewall-1. He needs to access the UK
    > and normally he uses the Cisco VPN client, and connects to the PIX here. It
    > works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
    > has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
    > client cannot 'see' the PIX and times out. They are using NAT on the
    > firewall, but I have had it working fine through NAT before.
    >
    > There seems to be an option on the client for using TCP, rather than UDP,
    > but I cannot find anything for the PIX, only the VPN Concentrator.

    AFAIK from here, the fw-1 has to permit outgoing dport udp/10000
    as well as answer packets from udp/10000.
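To make the udp/10000 point concrete, here is an added example (not code from the thread, and not a Check Point or Cisco tool) that models an accept-only stateful rulebase in front of the client and reports which IPsec transports can reach the PIX. The port and protocol numbers are real (IKE udp/500, ESP is IP protocol 50, AH is IP protocol 51, the Cisco client's IPsec-over-UDP defaults to udp/10000, and standard NAT-Traversal per RFC 3948 uses udp/4500, which the thread does not mention); the addresses, rule format and the two sample rulebases are constructed.

```python
"""Added example (not part of the original thread): model a stateful
firewall rulebase with source NAT in front of a Cisco VPN client and report
which IPsec transports can reach the PIX.

Port and protocol numbers are real: IKE udp/500, ESP is IP protocol 50,
AH is IP protocol 51, Cisco IPsec-over-UDP ("transparent tunneling")
defaults to udp/10000, and NAT-Traversal (RFC 3948) uses udp/4500.
The addresses and the rulebase format are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CLIENT = "10.1.1.50"     # constructed: client on the LAN behind Firewall-1
PIX = "198.51.100.10"    # constructed: outside address of the PIX in the UK


@dataclass(frozen=True)
class Rule:
    proto: str            # "udp", "esp" or "ah"
    src: str              # "any" or an address
    dst: str              # "any" or an address
    dport: Optional[int]  # None for ESP/AH, which carry no port field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int]


# Client-to-PIX flows for each transport. Replies come back through the
# firewall's state table, so only the outbound leg needs a rulebase entry.
TRANSPORTS: Dict[str, Flow] = {
    "ike": Flow("udp", CLIENT, PIX, 500),
    "esp": Flow("esp", CLIENT, PIX, None),
    "ah": Flow("ah", CLIENT, PIX, None),
    "ipsec-over-udp": Flow("udp", CLIENT, PIX, 10000),
    "nat-t": Flow("udp", CLIENT, PIX, 4500),
}


def permitted(rules: List[Rule], flow: Flow) -> bool:
    """The rulebase is accept-only, so order does not matter here."""
    return any(
        r.proto == flow.proto
        and r.src in ("any", flow.src)
        and r.dst in ("any", flow.dst)
        and r.dport == flow.dport
        for r in rules
    )


def check(rules: List[Rule], behind_nat: bool) -> Dict[str, str]:
    """Status per transport: "ok", "denied", or why it fails behind NAT."""
    if not permitted(rules, TRANSPORTS["ike"]):
        return {"ike": "denied"}  # no IKE, no SA: nothing else matters
    status = {"ike": "ok"}
    for name in ("esp", "ah", "ipsec-over-udp", "nat-t"):
        flow = TRANSPORTS[name]
        if not permitted(rules, flow):
            status[name] = "denied"
        elif name == "ah" and behind_nat:
            # AH's integrity check covers the source address, which NAT rewrites.
            status[name] = "breaks: AH ICV covers the IP header that NAT rewrites"
        elif flow.dport is None and behind_nat:
            # Bare ESP has no port, so PAT has nothing to translate per host;
            # it can work for one host behind a 1:1 NAT, not for a whole LAN.
            status[name] = "fragile: no port for PAT to track, one host at most"
        else:
            status[name] = "ok"
    return status


def usable(status: Dict[str, str]) -> List[str]:
    """Transports that will actually carry the tunnel (IKE itself excluded)."""
    return [n for n, s in status.items() if n != "ike" and s == "ok"]


# Constructed rulebase matching the question: AH, ESP and IKE, nothing else.
ORIGINAL_RULES = [
    Rule("udp", "any", PIX, 500),
    Rule("esp", "any", PIX, None),
    Rule("ah", "any", PIX, None),
]
# The same rulebase plus the outbound udp/10000 hole suggested above.
FIXED_RULES = ORIGINAL_RULES + [Rule("udp", "any", PIX, 10000)]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("with udp/10000", FIXED_RULES)):
        st = check(rules, behind_nat=True)
        print(f"{label}: usable={usable(st)} detail={st}")
```

With the original three rules and the client behind NAT, nothing usable is left: AH breaks by design, bare ESP has no port for PAT to track, and both UDP encapsulations are denied. Adding the outbound udp/10000 rule is what makes the client's IPsec-over-UDP mode viable.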
  2.

    Jens Hektor <hektor@rz.rwth-aachen.de> wrote in
    news:c60hhh$6fb8p$1@ID-231202.news.uni-berlin.de:

    > BlankReg wrote:
    >> I have a guy in China, and they have Firewall-1. He needs to access the
    >> UK and normally he uses the Cisco VPN client, and connects to the PIX
    >> here. It works fine if he dials an ISP, but not from the LAN. The
    >> Firewall-1 manager has allowed AH, ESP and IKE (UDP 500) through in
    >> both directions, but the client cannot 'see' the PIX and times out. They
    >> are using NAT on the firewall, but I have had it working fine through
    >> NAT before.
    >>
    >> There seems to be an option on the client for using TCP, rather than
    >> UDP, but I cannot find anything for the PIX, only the VPN Concentrator.
    >
    > AFAIK from here, the fw-1 has to permit outgoing dport udp/10000
    > as well as answer packets from udp/10000.

    Check to see that you are not using any ah- in your transform sets on the
    UK firewall. AH has issues when working through NAT.
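The AH point above, worked through in an added example (not code from the thread): both headers are built to their RFC layouts with HMAC-SHA1-96 as the integrity algorithm, then pushed through a simulated source-NAT hop. AH's ICV covers the IP source and destination addresses (only the mutable fields such as TTL and checksum are zeroed), so a NAT rewrite of the source address invalidates it; ESP's ICV covers only the ESP header and payload, so the same rewrite leaves it intact. The key, addresses and payload are constructed, and ESP is shown without encryption for brevity.

```python
"""Added example (not part of the original thread): why AH fails through NAT
while ESP survives it. Headers follow RFC 4302 (AH) and RFC 4303 (ESP);
the key, addresses and payload are constructed, and ESP is shown as ESP-NULL
(integrity only, no encryption)."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-sa"  # constructed: stands in for the SA's auth key
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17


def ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96


def ah_covered_view(ip_hdr: bytes) -> bytes:
    """RFC 4302: mutable fields (TOS, flags/fragment offset, TTL, checksum)
    are zeroed before the ICV is computed; the addresses are NOT zeroed."""
    view = bytearray(ip_hdr)
    view[1] = 0
    view[6:8] = b"\x00\x00"
    view[8] = 0
    view[10:12] = b"\x00\x00"
    return bytes(view)


def build_ah_packet(src: str, dst: str, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 24 + len(payload))
    # next header, payload length ((24 / 4) - 2 = 4), reserved, SPI, sequence, zeroed ICV
    ah_zero_icv = struct.pack("!BBHII", PROTO_UDP, 4, 0, spi, seq) + b"\x00" * 12
    mac = icv(ah_covered_view(ip_hdr) + ah_zero_icv + payload)
    return ip_hdr + ah_zero_icv[:12] + mac + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_hdr, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = icv(ah_covered_view(ip_hdr) + ah_hdr + b"\x00" * 12 + payload)
    return hmac.compare_digest(mac, expected)


def build_esp_packet(src: str, dst: str, payload: bytes, spi: int = 0x200, seq: int = 1) -> bytes:
    body = struct.pack("!II", spi, seq) + payload   # SPI, sequence, (unencrypted) payload
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + len(body) + 12)
    return ip_hdr + body + icv(body)   # ICV covers the ESP part only, never the IP header


def verify_esp(pkt: bytes) -> bool:
    body, mac = pkt[20:-12], pkt[-12:]
    return hmac.compare_digest(mac, icv(body))


def _rewrite_header(pkt: bytes, new_src: bytes = b"") -> bytes:
    hdr = bytearray(pkt[:20])
    if new_src:
        hdr[12:16] = new_src
    hdr[8] -= 1                      # TTL decrement
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def route_hop(pkt: bytes) -> bytes:
    """A plain router: TTL and checksum change, addresses do not."""
    return _rewrite_header(pkt)


def nat_source(pkt: bytes, new_src: str) -> bytes:
    """A source-NAT device: rewrites the source address as well. It cannot
    fix up an AH ICV because it does not hold the SA's key."""
    return _rewrite_header(pkt, ip4(new_src))


if __name__ == "__main__":
    client, pix, nat = "10.1.1.50", "198.51.100.10", "203.0.113.1"  # constructed addresses
    ah = build_ah_packet(client, pix, b"constructed payload")
    esp = build_esp_packet(client, pix, b"constructed payload")
    print("AH  direct:", verify_ah(ah), " via router:", verify_ah(route_hop(ah)),
          " via NAT:", verify_ah(nat_source(ah, nat)))
    print("ESP direct:", verify_esp(esp), " via router:", verify_esp(route_hop(esp)),
          " via NAT:", verify_esp(nat_source(esp, nat)))
```

The router hop is included to show that it is specifically the address rewrite, not the TTL or checksum change, that kills AH: those fields are excluded from the ICV precisely so that ordinary forwarding works. A NAT box has no way to recompute the ICV, so the PIX discards every AH packet from a translated client.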
  3.

    Thanks Jens & ScriptBoy

    I tried opening all ports, but still no luck. The transform set does not use
    AH (I allowed the port through just for completeness) so although this may
    have been the problem, in this case it is not the cause.

    The client works fine behind other firewalls, but not FW-1 for some reason.
    There must be something in the FW-1 config that is stopping this, or
    intercepting the VPN traffic.

    Any more ideas ?

    Thanks,

    Reg


    > > AFAIK from here, the fw-1 has to permit outgoing dport udp/10000
    > > as well as answer packets from udp/10000.
    >
    > Check to see that you are not using any ah- in your transform sets on the
    > UK firewall. AH has issues when working thru NAT.
  4.

    Check the Cisco Client setup. There is a setting for "transparent" that we
    had to set for the same situation, running through a Checkpoint FW1 NAT. I
    am not the Cisco VPN guy, I just remember we had to make this adjustment in
    some way. Sorry I can't be more help.

    "BlankReg" <me@here.now> wrote in message
    news:c60crv$ko3$1@news.freedom2surf.net...
    > I have a guy in China, and they have Firewall-1. He needs to access the UK
    > and normally he uses the Cisco VPN client, and connects to the PIX here. It
    > works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
    > has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
    > client cannot 'see' the PIX and times out. They are using NAT on the
    > firewall, but I have had it working fine through NAT before.
    >
    > There seems to be an option on the client for using TCP, rather than UDP,
    > but I cannot find anything for the PIX, only the VPN Concentrator.
    >
    > Any help gratefully received. Thanks.
    >
    > Reg
  5.

    In article <mFNhc.4648$eZ5.4076@newsread1.news.pas.earthlink.net>,
    none@none.com says...
    > Check the Cisco Client setup. There is a setting for "transparent" that we
    > had to set for the same situation, running through a Checkpoint FW1 NAT. I
    > am not the Cisco VPN guy, I just remember we had to make this adjustment in
    > some way. Sorry I can't be more help.
    >
    > "BlankReg" <me@here.now> wrote in message
    > news:c60crv$ko3$1@news.freedom2surf.net...
    > > I have a guy in China, and they have Firewall-1. He needs to access the UK
    > > and normally he uses the Cisco VPN client, and connects to the PIX here. It
    > > works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
    > > has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
    > > client cannot 'see' the PIX and times out. They are using NAT on the
    > > firewall, but I have had it working fine through NAT before.
    > >
    > > There seems to be an option on the client for using TCP, rather than UDP,
    > > but I cannot find anything for the PIX, only the VPN Concentrator.
    > >
    > > Any help gratefully received. Thanks.
    I had a similar problem when I tried to use a Windows 2000 VPN through a
    Nokia CheckPoint NG AI Firewall. Even with an "any accept" rule the VPN
    didn't work. The only solution I found was to use an ISA server firewall
    which appears transparent to a Windows 2000 VPN.

    --
    ICQ# 114297372
  6.

    Thanks also to G and Paul - I am getting the guy to try these and will
    advise if we get a result.
    I think the default for the client is transparent, but I will get him to
    check.
    The FW-1 has got to stay, so it either works, or the guy over there runs up
    a big phone bill.

    Regards,

    Reg

    "Paul Atreides" <ardennes@free.fr> wrote in message
    news:MPG.1af2e36ba002fda7989757@news.free.fr...
    > In article <mFNhc.4648$eZ5.4076@newsread1.news.pas.earthlink.net>,
    > none@none.com says...
    > > Check the Cisco Client setup. There is a setting for "transparent" that we
    > > had to set for the same situation, running through a Checkpoint FW1 NAT. I
    > > am not the Cisco VPN guy, I just remember we had to make this adjustment in
    > > some way. Sorry I can't be more help.
    > >
    > > "BlankReg" <me@here.now> wrote in message
    > > news:c60crv$ko3$1@news.freedom2surf.net...
    > > > I have a guy in China, and they have Firewall-1. He needs to access the UK
    > > > and normally he uses the Cisco VPN client, and connects to the PIX here. It
    > > > works fine if he dials an ISP, but not from the LAN. The Firewall-1 manager
    > > > has allowed AH, ESP and IKE (UDP 500) through in both directions, but the
    > > > client cannot 'see' the PIX and times out. They are using NAT on the
    > > > firewall, but I have had it working fine through NAT before.
    > > >
    > > > There seems to be an option on the client for using TCP, rather than UDP,
    > > > but I cannot find anything for the PIX, only the VPN Concentrator.
    > > >
    > > > Any help gratefully received. Thanks.
    >
    > I had a similar problem when I tried to use a Windows 2000 VPN through a
    > Nokia CheckPoint NG AI Firewall. Even with an "any accept" rule the VPN
    > didn't work. The only solution I found was to use an ISA server firewall
    > which appears transparent to a Windows 2000 VPN.
    >
    > --
    > ICQ# 114297372