Cisco Support Community

New Member

Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

I have a client who is attempting to access my network using the Cisco VPN client and it is not working. I know the connection works because the remote client was working when he was using the same client thru a PIX firewall: he connects to the VPN 3030 concentrator and is able to authenticate to our network using NT authentication. If he attempts to establish a connection going thru the Checkpoint firewall he gets a "remote peer not responding" error. The person who configured the Checkpoint firewall says he is not blocking any traffic and that it should work. If I configure his group on the concentrator for none for authentication, his group is able to connect to our VPN box but he is not able to get to anything on our internal network. If I change the authentication to either NT Domain or Internal authentication it comes back with the "remote peer not responding" error.

9 REPLIES

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

Has anyone else been able to connect using the client? Can this client connect elsewhere w/o problems? Initial guess is the Check Point firewall. What kind of person is using Check Point but not blocking anything? Make him show you where they are either allowing everything (yeah right) or at least allowing ESP 50, UDP 500 and UDP 10000 through.

New Member

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

The client works fine if it is going thru the PIX firewall but not when using the Check Point firewall. The person configuring the Check Point box says he set up the box to not block anything and it is still not working. I just found out that the Check Point box is attempting to establish a VPN tunnel when it sees the ESP traffic. The Check Point box is running Firewall-1 and VPN-1. Is it possible to establish a tunnel between a Check Point VPN and a Cisco VPN 3030? And if not, is there a workaround so that the Check Point box will not try to establish a tunnel and will pass the traffic like a PIX firewall does?

New Member

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

There are a few pieces of information needed. First, is the Checkpoint FW a proxy firewall? If so it can only handle PPTP VPN, maybe L2TP (I haven't tested this). Having everything open on the Checkpoint FW is not enough. You will need to go in and allow "Protocol" 50 through; that's not port 50, that's protocol 50. This is usually done in an IP filter.

If your VPN is IPSec, it will not work through a proxy firewall, only a NAT firewall.

Instructions about working through a firewall are available in the VPN Client Administrator's guide.

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

Seems to me the easiest thing to do, if they are not using the Checkpoint VPN, is to turn off the auto-initiate when it sees ESP traffic? Are they actively using it? If memory serves I believe it is possible to establish a VPN tunnel through both those devices, but it's been a while for me.

New Member

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

It seems I have the same problem between a Cisco VPN client 3.1 / VPN Concentrator 3005 / FW-1 4.1.

The VPN is behind the FW-1 with a static NAT (1/1), and for test purposes all traffic between the VPN and client is allowed (NO BLOCKING or DROPPING RULES, just ALLOW ANY).

I can connect to the VPN and get identified by the internal account server, but then I can do nothing; I try an http connection and ping thru the tunnel (IPSEC only, CA = ESP - 3DES - MD5) but no response...

So today I tried putting the VPN directly on the public LAN, with no NAT and no big config change (I only changed IP and GW), and then I could get ping and http working...

I thought when you have a rule with Allow ANY under FW-1 it means ANY, NOT (ANY - PROTO 50), but I tried instead to allow only IKE UDP / PROTO 50 and it works !!!

Thanks SCOTT MORRIS, you were right, and I hope it worked for you too.

By the way, I loved the "Instructions about working through a firewall are available in the VPN Client Administrator's guide" ...

New Member

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

On the Client Admin manual, I was actually serious. There is a section in the client administration manual on what to do on a firewall. This is where I got the information I provided in the reply I sent.

We used that info to change our firewall and it worked.

Scott

New Member

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

Euhm... sorry but I made a mistake.... Please accept my apologies.

In fact it doesn't work... I thought http was working, but in fact it was in my browser cache (from the test without NAT)... I was using "shift" but it seems it doesn't work under IE.

So I'm still looking for an issue.

I thought NAT would be a problem only with AH, not with ESP....

So I'm now thinking of leaving the Cisco VPN with no FW protection... and it's frightening me.

Again, any suggestions? Configuration issues? Use an OpenBSD box?

I saw NAT configuration around the LOAD BALANCING features, since we own two VPN 3005; I will try it tomorrow. Hope this will work.

I was suspicious of the ANY != ANY PROTOCOLS in FW-1 ... Maybe I was right.

New Member

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

Hi,

What is the error on the Checkpoint side? Do you have access to the log? Is it a cluster with Checkpoint (on NT or Nokia box or Solaris)? I have access to the Checkpoint knowledge base; if you give me the error I could check.

If you do a FWinfo you get lots of info useful for debugging.

I found a document on how to do it on web sites but I can't find it at the moment. It could also depend on the service packs of Checkpoint !! (build number and after objects.C file) on this site: http://www.imtek.com/IPSec.html. Will check tomorrow on Nokia and Checkpoint sites for info.

Hope this helps,

phil

New Member

Re: Using Cisco VPN Client 3.1 thru a Checkpoint Firewall

Euhm.... it's OK, it's working NOW.

I checked the log of the FW-1. It was blocking packets. I made a mistake in my rule Concentrator -> CLIENT: I was using the Public address, not the Private, in the rule, and Proto 50 was blocked (stupid mistake).

Thanks for your advice.

So the VPN between a Cisco client 3.1 and a concentrator 3005 thru a FW-1 4.1/NOKIA works well here with nothing in particular to do... only allow IKE / PROTO 50.
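The two lessons of this thread (the firewall must pass ESP as IP protocol 50 plus UDP 500 and UDP 10000, and the rule for the concentrator must name its real private address rather than its public NAT address) can be checked with a small rulebase audit. The following is an added example, not code from the original thread or from Cisco or Check Point. It models a first-match rulebase with an implicit drop, evaluates the six flows the remote client needs in both directions, and reports which ones a given ruleset would drop. Addresses (203.0.113.10 for the client, 10.1.1.5 private and 198.51.100.5 public for the concentrator) are constructed; the rule names and the assumption that rules are matched on the pre-NAT private address, with explicit rules needed in each direction, are taken from the last poster's fix and are modelling assumptions, not a description of Check Point internals.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IP protocol numbers and ports for the traffic the thread says the firewall must pass.
PROTO_UDP = 17
PROTO_ESP = 50          # ESP is an IP protocol number, not a TCP/UDP port
PORT_IKE = 500          # IKE (ISAKMP) over UDP
PORT_IPSEC_UDP = 10000  # Cisco IPsec-over-UDP encapsulation named in the thread

IPSEC_SERVICES = frozenset({(PROTO_UDP, PORT_IKE), (PROTO_ESP, None), (PROTO_UDP, PORT_IPSEC_UDP)})
IKE_ONLY = frozenset({(PROTO_UDP, PORT_IKE)})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only meaningful for UDP/TCP
    label: str = ""


@dataclass(frozen=True)
class Rule:
    src: str            # host or CIDR, matched on the real (pre-NAT) address
    dst: str
    services: frozenset  # set of (proto, dport); dport None means any port
    action: str         # "accept" or "drop"


def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)):
        return False
    return any(proto == pkt.proto and (port is None or port == pkt.dport)
               for proto, port in rule.services)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"


def vpn_client_flows(client: str, concentrator: str) -> List[Packet]:
    """IKE, ESP and IPsec-over-UDP in both directions between the remote client
    and the concentrator's private address (assumption: rules see pre-NAT addresses,
    and each direction needs its own rule, as in the thread's final fix)."""
    flows = []
    for a, b, d in ((client, concentrator, "client->concentrator"),
                    (concentrator, client, "concentrator->client")):
        flows.append(Packet(a, b, PROTO_UDP, PORT_IKE, f"IKE {d}"))
        flows.append(Packet(a, b, PROTO_ESP, None, f"ESP {d}"))
        flows.append(Packet(a, b, PROTO_UDP, PORT_IPSEC_UDP, f"IPsec/UDP {d}"))
    return flows


def audit(rules: List[Rule], client: str, concentrator: str) -> List[str]:
    """Labels of the required flows this rulebase would drop (empty list = VPN can work)."""
    return [p.label for p in vpn_client_flows(client, concentrator)
            if evaluate(rules, p) != "accept"]


# Constructed sample addresses (documentation ranges), not from the thread.
CLIENT = "203.0.113.10"
CONC_PRIVATE = "10.1.1.5"
CONC_PUBLIC = "198.51.100.5"

# "Allow IKE" but nothing else: the client authenticates, then nothing flows (ESP dropped).
RULES_IKE_ONLY = [Rule(CLIENT, CONC_PRIVATE, IKE_ONLY, "accept"),
                  Rule(CONC_PRIVATE, CLIENT, IKE_ONLY, "accept")]

# The last poster's mistake: return rule written with the public NAT address.
RULES_PUBLIC_ADDR_MISTAKE = [Rule(CLIENT, CONC_PRIVATE, IPSEC_SERVICES, "accept"),
                             Rule(CONC_PUBLIC, CLIENT, IPSEC_SERVICES, "accept")]

# The working rulebase: IKE / proto 50 / UDP 10000 both ways on the private address.
RULES_FIXED = [Rule(CLIENT, CONC_PRIVATE, IPSEC_SERVICES, "accept"),
               Rule(CONC_PRIVATE, CLIENT, IPSEC_SERVICES, "accept")]

if __name__ == "__main__":
    for name, rules in (("IKE only", RULES_IKE_ONLY),
                        ("public address in return rule", RULES_PUBLIC_ADDR_MISTAKE),
                        ("fixed", RULES_FIXED)):
        print(f"{name}: dropped = {audit(rules, CLIENT, CONC_PRIVATE)}")
```

The "IKE only" result reproduces the original poster's symptom with authentication set to none (the client connects but reaches nothing, because only the data path is missing), and the second ruleset reproduces the final post's mistake: everything from the client is accepted, but every flow back from the concentrator hits the implicit drop because the rule names an address the rulebase never sees.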

995 Views | 0 Helpful | 9 Replies