Archived from groups: comp.security.firewalls
On Mon, 15 Aug 2005 19:30:48 GMT, Memnoch wrote:
> On Mon, 15 Aug 2005 13:15:56 +0200, no@no.no wrote:
>
>>My VPN gateway is behind NAT and I cannot make a SmartClient VPN connection. Is
>>there any cookbook on how to configure Checkpoint for this?
>
> You will need to forward all ports on the machine doing NAT to the gateway
> related to SecureClient/SecureRemote.
>
> From their KB:
>
> If there are other firewalls along the path connecting the SecuRemote Client
> (that performs the encryption) and the VPN-1/FireWall-1 Server (the
> VPN-1/FireWall-1 Module that performs the decryption), configure the other
> firewalls to allow FW-1 services to pass from the SecuRemote Client to the
> SecuRemote Server.
>
> Allow the following services:
>
> TCP/264 (Topology Download)
> IKE
> IPSEC and IKE (UDP on port 500)
> IPSEC ESP (IP type 50)
> IPSEC AH (IP type 51)
> TCP/500 (if using IKE over TCP)
> UDP 2746 or another port (if using UDP encapsulation)
>
> SecureClient specific connections:
>
> FW1_scv_keep_alive (UDP port 18233) — used for SCV keep-alive packets
> FW1_pslogon_NG (TCP port 18231) or (TCP port 65524 for Application
> Intelligence) — used for SecureClient's logon to Policy Server protocol
> FW1_sds_logon (TCP port 18232) — used for SecureClient's Software Distribution
> Server download protocol
> tunnel_test (UDP port 18234) - used by Check Point tunnel testing application
And how to solve the source address that Checkpoint uses for packets? It uses
a private IP address.