Cisco Support Community

New Member

PIX VPN Client to Checkpoint


Can I connect to a Checkpoint box with a Cisco VPN client, or is the special Checkpoint VPN client needed?

The next question:

When I try to connect with a VPN client, behind a PIX firewall, to a Checkpoint box, which ports must be opened on the PIX firewall for a successful connection?

For PIX VPNs this is UDP port 500, but which port is it for the Checkpoint box?


Cisco Employee

Re: PIX VPN Client to Checkpoint

No, you will have to use the CP client; the Cisco client has some proprietary XAuth stuff that won't work to a CP.

IPSec is a standard, so the port numbers are the same presumably. If the client is behind the PIX, then you shouldn't need to open anything 'cause the return traffic will be allowed back in. Having said that, you'll need to do some sort of IPSec encapsulation in TCP or UDP packets, 'cause the PIX won't PAT the IPSec packets properly. CP should offer this feature, and their documentation will tell you what port number it uses, but as I said, if this is an outbound connection thru the PIX then the PIX should allow it back in by default.
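The PAT point in the reply above, as an added example that is not part of the original thread and is not PIX code: a toy port-address translator showing why replies to raw ESP (IP protocol 50, no port numbers) cannot be mapped back once two inside clients share one public address, while UDP-encapsulated replies can. The `ToyPat` class, the addresses and `ENCAP_PORT` are constructed assumptions; the thread does not name the port Checkpoint uses.

```python
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17      # IANA IP protocol numbers
ENCAP_PORT = 4500      # assumed encapsulation port (the RFC 3948 NAT-T value)

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # ESP carries no port numbers
    dport: Optional[int] = None

class ToyPat:
    """Many inside hosts share one public address (hypothetical model)."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 20000
        self.flows = {}       # (inside ip, inside port) -> public port
        self.by_port = {}     # public port -> inside ip
        self.esp_hosts = {}   # remote gateway -> inside hosts that sent ESP

    def outbound(self, p: Packet) -> Packet:
        if p.proto == UDP:
            key = (p.src, p.sport)
            if key not in self.flows:
                self.flows[key] = self.next_port
                self.by_port[self.next_port] = p.src
                self.next_port += 1
            return Packet(UDP, self.public_ip, p.dst, self.flows[key], p.dport)
        # ESP: only the source address can be rewritten, nothing identifies the flow
        self.esp_hosts.setdefault(p.dst, set()).add(p.src)
        return Packet(p.proto, self.public_ip, p.dst)

    def inbound(self, p: Packet) -> Optional[str]:
        """Inside host a reply belongs to, or None when it is ambiguous."""
        if p.proto == UDP:
            return self.by_port.get(p.dport)
        hosts = self.esp_hosts.get(p.src, set())
        return next(iter(hosts)) if len(hosts) == 1 else None

def demo() -> dict:
    pat, gw, clients = ToyPat("203.0.113.1"), "198.51.100.10", ("10.0.0.5", "10.0.0.6")
    for c in clients:                      # two clients send raw ESP to one gateway
        pat.outbound(Packet(ESP, c, gw))
    esp_reply = pat.inbound(Packet(ESP, gw, pat.public_ip))
    sent = [pat.outbound(Packet(UDP, c, gw, ENCAP_PORT, ENCAP_PORT)) for c in clients]
    udp_replies = [pat.inbound(Packet(UDP, gw, pat.public_ip, ENCAP_PORT, s.sport)) for s in sent]
    return {"esp": esp_reply, "udp": udp_replies}
```

`demo()` returns `None` for the ESP reply and the two distinct inside hosts for the UDP-encapsulated replies.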

New Member

Re: PIX VPN Client to Checkpoint


Thanks for your answer. I know that the PIX is a stateful inspection firewall and the answers coming back to the client need not be configured, but I have tested the following configuration with a customer.

Cisco VPN Client --> PIX --> Internet --> PIX --> LAN

This does not work. What is the solution? The PIX does NAT for any inside client hosts. With a sniffer I have seen UDP traffic from source ports 1190/1191/1192 to destination port 62514.

Another config with NAT/PAT works fine.

Cisco VPN Client --> Router --> Internet --> PIX --> LAN

The ISDN router has a static NAT entry for the host with the VPN client, and incoming traffic over UDP/500 is allowed. When I delete this entry, the connection to the PIX is not successful.

I have no idea.

