Cisco Support Community

New Member

VPN Client through Checkpoint FW1 terminating at a PIX

I'm trying to set up a VPN connection from a Cisco VPN client v3.6.1 that terminates at a PIX 515 6.2(2). The problem is that the client is behind a Checkpoint FW1 firewall.

As it is, the configuration works fine for mobile/home users. I have also successfully connected through a Linux firewall box that uses netfilter/iptables, so I know it should work through NAT.

As I understand it, the PIX does not support IPsec over TCP.

We've tried opening up UDP/500(IKE) and ESP/Proto 50 but to no avail.

So are there some other ports we'd need to open, or is it not possible to open a VPN connection through a Checkpoint FW1?

Any help greatly appreciated.



Cisco Employee

Re: VPN Client through Checkpoint FW1 terminating at a PIX

Not sure if the CheckPoint supports IPSec over NAT. If the NAT'ing is truly the problem then you should be able to build the tunnel (because this is all done on UDP 500 packets), but then not pass any traffic (since this is done using ESP packets, which a lot of boxes can't NAT properly because they're not TCP/UDP packets).

You could also see if the CheckPoint is the problem by creating a one-to-one static translation for this VPN client, since then the NAT'ing should work fine.

The PIX does not currently support the IPSec over UDP/TCP functionality available in the client.
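The reply above makes a point that is easy to verify with a small model: IKE runs over UDP/500, so a port-translating (many-to-one) firewall can keep a per-client mapping for it, while ESP (IP protocol 50) has no transport ports, so once more than one inside host has an ESP session to the same peer the translator cannot tell which host a returning ESP packet belongs to. A one-to-one static translation sidesteps that because each inside host owns its own outside address. The script below is an added example written for this page, not code from the thread or from Cisco or Check Point; the addresses are constructed documentation addresses, and the `Pat`, `StaticNat`, `Packet` and `simulate` names are assumptions of the example. It deliberately models a translator that does not parse ESP SPIs, which is the case the reply describes.

```python
"""
Model of why IKE (UDP/500) survives NAT while ESP (protocol 50) often does not.

Added example, not from the original thread. Two VPN clients sit behind a
firewall and both build a tunnel to the same PIX. A many-to-one port
translator (PAT) is compared with a one-to-one static NAT. All addresses
are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

UDP, ESP = 17, 50
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: there is no transport header
    dport: Optional[int] = None


@dataclass
class Pat:
    """Many-to-one translator. UDP flows get a unique outside port; ESP,
    having no ports and (in this model) no SPI tracking, is keyed only on
    the peer address, so it is ambiguous as soon as two hosts use one peer."""
    outside: str
    next_port: int = 1024
    udp_map: Dict[int, Tuple[str, int]] = field(default_factory=dict)   # outside port -> (inside ip, inside port)
    esp_hosts: Dict[str, Set[str]] = field(default_factory=dict)        # peer ip -> inside hosts with ESP to it

    def outbound(self, p: Packet) -> Packet:
        if p.proto == UDP:
            port = self.next_port
            self.next_port += 1
            self.udp_map[port] = (p.src, p.sport)
            return Packet(UDP, self.outside, p.dst, port, p.dport)
        if p.proto == ESP:
            self.esp_hosts.setdefault(p.dst, set()).add(p.src)
            return Packet(ESP, self.outside, p.dst)
        raise ValueError("unsupported protocol in this model")

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Return the untranslated packet, or None if it cannot be delivered."""
        if p.proto == UDP:
            inside = self.udp_map.get(p.dport)
            return None if inside is None else Packet(UDP, p.src, inside[0], p.sport, inside[1])
        if p.proto == ESP:
            hosts = self.esp_hosts.get(p.src, set())
            if len(hosts) != 1:        # unknown peer, or more than one candidate host
                return None
            return Packet(ESP, p.src, next(iter(hosts)))
        return None


@dataclass
class StaticNat:
    """One-to-one translation: every inside host has a dedicated outside address,
    so return packets of any protocol map back unambiguously."""
    table: Dict[str, str]            # inside ip -> outside ip

    def outbound(self, p: Packet) -> Packet:
        return Packet(p.proto, self.table[p.src], p.dst, p.sport, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        reverse = {out: ins for ins, out in self.table.items()}
        inside = reverse.get(p.dst)
        return None if inside is None else Packet(p.proto, p.src, inside, p.sport, p.dport)


def simulate(nat, clients: List[str], pix: str) -> Dict[str, Tuple[bool, bool]]:
    """Every client first sends IKE and ESP to the PIX (concurrent sessions),
    then the PIX answers each. Returns client -> (ike reply delivered, esp reply delivered)."""
    sent = {}
    for c in clients:
        ike_out = nat.outbound(Packet(UDP, c, pix, IKE_PORT, IKE_PORT))
        esp_out = nat.outbound(Packet(ESP, c, pix))
        sent[c] = (ike_out, esp_out)
    results = {}
    for c, (ike_out, esp_out) in sent.items():
        ike_back = nat.inbound(Packet(UDP, pix, ike_out.src, IKE_PORT, ike_out.sport))
        esp_back = nat.inbound(Packet(ESP, pix, esp_out.src))
        results[c] = (ike_back is not None and ike_back.dst == c,
                      esp_back is not None and esp_back.dst == c)
    return results


PIX = "198.51.100.10"
CLIENT_A, CLIENT_B = "10.0.0.5", "10.0.0.6"

if __name__ == "__main__":
    print("PAT, one client:   ", simulate(Pat("203.0.113.1"), [CLIENT_A], PIX))
    print("PAT, two clients:  ", simulate(Pat("203.0.113.1"), [CLIENT_A, CLIENT_B], PIX))
    print("static 1:1 NAT:    ", simulate(StaticNat({CLIENT_A: "203.0.113.5", CLIENT_B: "203.0.113.6"}),
                                          [CLIENT_A, CLIENT_B], PIX))
```

With a single client the PAT case passes both IKE and ESP, which matches the poster's experience behind the Linux box; with two clients IKE still completes for both (the tunnel "builds") but neither ESP reply can be delivered, which is exactly the symptom the reply predicts. The static 1:1 translation passes everything, which is why the reply suggests it as a diagnostic. Translators that do follow ESP by SPI still need to learn the inbound SPI from the IKE exchange, since the inbound and outbound SPIs differ; that is the problem IPsec-over-UDP/TCP encapsulation (which the reply says this PIX release lacks) was designed to remove.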
