Has anyone configured a PIX to allow Checkpoint Secure Remote client through a PIX to a remote Checkpoint F/W? We have created a static mapping for the client, although NAT'd, and he can connect and authenticate to the Checkpoint F/W, but DNS/WINS does not work and he cannot connect to his Intranet. If we place the client outside the PIX it works OK. The "sh conn" shows the tunnel connection, but then another connection appears when he tries to connect to the Intranet; this second connection has a different destination address, as if the request is not going down the tunnel, but it all works when placed outside the PIX.
I have a similar problem getting Secure remote VPN client working over IOS firewall.
I did find out that Checkpoint use 500/TCP and UDP for IKE and also 264/UDP. Over NAT they also encapsulate in 2746/UDP rather than 4500/10000 with Cisco. Not getting a lot of "love" from Cisco or Checkpoint on this - I'm sure many people have this configuration.
When it starts failing we notice many connections on UDP/259 to various servers in the Checkpoint cluster. The guys in charge of the cluster tell me it's failed to renegotiate the SA, which would maybe explain the client's attempt to contact many servers.
Currently the router uses CBAC, so any session traffic initiated inside should be permitted back. We also amended UDP session timeout and NAT, which hasn't improved it. I even went as far as adding a second CBAC on the outside interface and an access rule from the FW-1 IP to allow "any" traffic back, just in case it was trying to initiate a session. I also static mapped a single IP.
Anyway, back to the topic. The newer builds of CP allow for firewall-friendly communication. In short, you can configure your CP gateways to listen on 443 to terminate your IPSEC clients. Then configure the clients for Guest mode.
Now for the caveat: CP upgrades are never easy.
On another note, I have used Secure Remote (as well as Secure Client) behind just about every vendor's firewall. The older versions of CP were very problematic with NAT, but any build above CP 2000 SP5 up to NGX works well.
Now for the problem: it sounds like NAT. Can you give a network layout example with the packet flow?
Pretty simple setup: we have a private network on 10.0.129.0/17 with a single public IP over an SDSL circuit. PAT and CBAC enabled.
If I look at the NAT on the router I see UDP/500 and UDP 2476 for encap and UDP 259, which apparently this client needs. I believe it's a cluster on the other side, and I do notice many connections to UDP 259 - which implies some issue with negotiating a key. The Checkpoint admins tell me there are problems in the logs with regards to the SA.
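As an added example (not configuration from any poster in this thread), here is what the "allow any from the FW-1 IP" rule mentioned above looks like next to a least-privilege version restricted to the ports the thread identifies (UDP/TCP 500, UDP 264, UDP 259, UDP 2746). The interface names, ACL number, inspect name and the 203.0.113.10 gateway address are placeholders, not values from the thread.

```cisco
! Placeholder topology: Ethernet0 is inside, Dialer0 (SDSL) is outside,
! 203.0.113.10 stands in for the remote Checkpoint FW-1 address.
!
! CBAC: track outbound UDP/TCP sessions so replies are allowed back in.
! UDP timeout raised so idle tunnel encapsulation is not aged out early.
ip inspect name CBAC udp timeout 3600
ip inspect name CBAC tcp
!
! Overly broad rule described in the thread (left commented out):
! access-list 110 permit ip host 203.0.113.10 any
!
! Narrowed rule: only the ports SecureRemote was observed to use.
access-list 110 permit udp host 203.0.113.10 any eq isakmp
access-list 110 permit tcp host 203.0.113.10 any eq 500
access-list 110 permit udp host 203.0.113.10 any eq 264
access-list 110 permit udp host 203.0.113.10 any eq 259
access-list 110 permit udp host 203.0.113.10 any eq 2746
! Log anything else that arrives unsolicited, which is the evidence to
! check before widening the rule again.
access-list 110 deny ip any any log
!
interface Dialer0
 ip access-group 110 in
 ip inspect CBAC out
```

If the SA still fails to renegotiate with only these ports open, the logged denies show whether the gateway is initiating on something not listed here.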