I have a client who is attempting to access my network using the Cisco VPN client and it is not working. I know the connection works because the remote client was working when he was using the same client thru a PIX firewall he connects to the VPN 3030 concentrator and is able to athenticate to our networkin using NT authentication. If he attempts to establish connection going thru the Checkpoint firewall he gets a remote peer not responding error. The person who configured the Checkpoint firewall says he is not blocking any traffic and that it should work. If I configure his group on the concentrator for none for authentication his group is able to connect to our VPN box but he is not able to get to anything on our internal network. If I change the authentication to either NT Domain or Internal authentication it comes back withe the remote peer not responding error.
Has anyone else been able to connet using the client? Can this client connect elsewhere w/o problems? Initial guess is the Check Point firewall. What kind of person is using Check Point but not blocking anything? Make him show you where they are either allowing everything(yeah right) or at least allowing ESP 50, UDP 500 and UDP 10000 through.
The client works fine if it is going thru the PIX firewall but not when using the Check Point firewall. The person configuring the Check Point box says he setup the box to not block anything and it is still not working. I just found out that the Check Point box is attempting to estabish a VPN tunnel when it sees the ESP traffic. The Check Point box is running Firewall-1 and VPN-1. Is it possible to establish a tunnel between a Check Point VPN and a Cisco VPN 3030? And if not is there a work around so that the Check Point box will not try to establish a tunnel and past the traffic like a PIX firewall does?
There are a few pieces of information needed. First, is the Checkpint FW a proxy firewall? If so it can only handle PPTP VPN, maybe L2TP (I haven't tested this). Having everything open on the Checkpoint FW is not enough. You will need to go in and allow "Protocol" 50 through, thats not port 50, thats protocol 50. This is usually done in an ip filter.
If your VPN is IPSec, it will not work through a proxy firewall, only a NAT firewall.
Instructions about working thhrough a firewall are available in the VPNClient Administrator's guide.
Seems to me the easiest thing to do if they are not using the Checkpoint VPN is to turn off the auto-initiate when it sees ESP traffic? Are they actively using it? If memory server I belive it is possible to establish a VPN tunnel thorugh both those devices but its been a while for me
It seems i have the same problem between a Cisco VPN client 3.1/ VPN Concentrator 3005 / FW-1 4.1
The VPN is behind the FW-1 with a NAT static (1/1)...and for the test purpose all traffic between the
VPN and client is allowed (NO BLOCKING or DROPING RULES- just ALLOW ANY).
I can connect to the VPN and get identified by the internal account server, but then i can do nothing,
i try http connection et ping thru the tunnel (IPSEC only CA= ESP - 3DES -MD5) but no response...
So i try today to put the VPN directly on the public LAN, with no NAT and no big config change (i only change IP and GW) and i then could get ping and http working...
I thought when you have a rule with Allow ANY under FW-1 it means ANY,
NOT (ANY - PROTO 50) but i try instead to allow only IKE UDP / PROTO 50
and it works !!!.
Thanks SCOTT MORRIS you were right.
and i hope it worked for you too.
by the way i loved the " Instructions about working thhrough a firewall are available in the VPNClient Administrator's guide" ...
On the Client Admin manual, I was actually serios. There is a section on the client administration manual on what to do on a firewall. This is where I got the information I provided in the reply I sent.
We used that info to change our firewall and it worked.
sorry but i made a mistake....
In fact it doesn't work... i thought http was working, but in fact it
was in my browser cache (from the test without NAT)...
I was using "shift" but it seems it doesn't work under IE.
So I'm still looking for an issue.
I thought NAT would be a problem only with AH not with ESP....
So i'm now thinking to let the Cisco vpn with no FW protection..and it's frightening me.
any suggestions ? configuration issues?
Use an OpenBSD box ?
I saw NAT configuration around the LOAD BALANCING features, since we own two VPN 3005
il will try it tomorrow. Hope this will work.
I was suspicious with the ANY != ANY PROTOCOLS in FW-1 ...Maybe i was right.
what is the error in checkpoint sides ? Did you haves access to the log it is a cluster with Checkpoint (on NT or Nokia box or solaris ) I have access to checkpoint knowledge base if you give me the error i could check
if you do a FWinfo you get a lots of info useful for debugging.
I have found a document to do it on WEb sites but i doesn't find it actually . It could aslo depends of the service packs of Checkpoint !!(build number and after objects.C file ) on
this sites: http://www.imtek.com/IPSec.html will check tommorow on nokia and checkpoint sites for info
hope this helps
eumh....it's OK it's working NOW.
I checked the log of the FW-1. I t was bloking packet.
I made a mistake in my rule Concentrator -> CLIENT,
i was using the Public address not the Private in the rule
and the Proto 50 was blocked (stupid mistake).
Thanks for your advices.
So the vpn betwen a cisco client 3.1 and a concentrator 3005
thru a FW-14.1/NOKIA works well here with nothing in particular
to do...only allow IKE / PROTO 50.