I have a client residing behind a Checkpoint NG firewall that is experiencing issues. I am connecting to a 3000 concentrator and getting an assigned IP address just fine. Unfortunately, any attempts to connect to devices through the tunnel don't work after I have been connected.
The firewall is allowing:
udp port 10000
udp port 4500
The client is on a private address and is being hide NAT'd by the Checkpoint firewall.
I can't even ping the internal interface of the concentrator.
Verify that the PIX has a route to the internal networks trying to be accessed.
Verify that the pool of VPN addresses does not overlap with any other internal network, including that of the PIX itself.
Verify that there is a nat 0 access list on the PIX which includes the internal network trying to be reached and the VPN address pool network.
The nat [if_name] 0 access-list acl_name command lets you exempt traffic that is matched by the access-list command statements from the NAT services. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access.
Verify that the default gateway of the inside hosts is pointing to the inside interface of the firewall if they are a part of directly connected networks of the firewalls.
Note: The first two points are also applicable to Cisco routers and VPN 3000 Concentrators with VPN tunnels.
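The three checks in the reply above (route to the internal networks, no overlap between the VPN pool and internal networks, and a nat 0 access-list covering internal-to-pool traffic) can be run mechanically against a copy of the PIX configuration. The script below is an added example, not code from this thread or from Cisco; the addresses, the interface name and the PIX lines it parses are constructed sample values, and the `access-list`, `nat (inside) 0 access-list` and `route` syntax are the classic PIX forms named in the reply.

```python
import ipaddress
import re

# Constructed sample values (not taken from the thread): two internal LANs,
# the PIX inside interface, the VPN address pool, and a few PIX config lines.
INTERNAL_NETWORKS = ["10.1.1.0/24", "10.1.2.0/24"]
PIX_INSIDE_INTERFACE = "10.1.1.1/24"
VPN_POOL = "192.168.100.0/24"

PIX_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 10.1.2.0 255.255.255.0 10.1.1.254 1
"""

# Only the three statement types the checklist cares about are parsed.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?\s*$")


def _net(addr, mask):
    """Build a network from PIX-style 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(config):
    """Return (acls, nat0, routes) extracted from the config text."""
    acls = {}    # acl name -> list of (src_net, dst_net) permit entries
    nat0 = {}    # interface name -> acl name bound with 'nat (if) 0 access-list'
    routes = []  # list of (interface name, destination network)
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := ROUTE_RE.match(line):
            routes.append((m.group(1), _net(m.group(2), m.group(3))))
    return acls, nat0, routes


def pool_overlaps(pool, internal_networks, inside_interface):
    """Internal networks (including the firewall's own inside subnet) that overlap the pool."""
    pool = ipaddress.ip_network(pool)
    candidates = {ipaddress.ip_network(n) for n in internal_networks}
    candidates.add(ipaddress.ip_interface(inside_interface).network)
    return sorted(str(n) for n in candidates if pool.overlaps(n))


def missing_nat_exemptions(pool, internal_networks, acls, nat0, interface="inside"):
    """Internal networks with no nat 0 entry permitting them to reach the pool."""
    pool = ipaddress.ip_network(pool)
    entries = acls.get(nat0.get(interface, ""), [])
    missing = []
    for n in internal_networks:
        net = ipaddress.ip_network(n)
        if not any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in entries):
            missing.append(str(net))
    return missing


def missing_routes(internal_networks, routes, inside_interface, interface="inside"):
    """Internal networks that are neither directly connected nor covered by a static route."""
    connected = ipaddress.ip_interface(inside_interface).network
    missing = []
    for n in internal_networks:
        net = ipaddress.ip_network(n)
        if net.subnet_of(connected):
            continue
        if not any(ifc == interface and net.subnet_of(r) for ifc, r in routes):
            missing.append(str(net))
    return missing


def check(config=PIX_CONFIG, pool=VPN_POOL, internal=INTERNAL_NETWORKS, inside=PIX_INSIDE_INTERFACE):
    """Run all three checklist items and report what is missing or wrong."""
    acls, nat0, routes = parse_pix(config)
    return {
        "pool_overlaps": pool_overlaps(pool, internal, inside),
        "missing_nat0": missing_nat_exemptions(pool, internal, acls, nat0),
        "missing_routes": missing_routes(internal, routes, inside),
    }


if __name__ == "__main__":
    for item, result in check().items():
        print(f"{item}: {result or 'ok'}")
```

With the constructed config, the pool does not overlap anything and 10.1.2.0/24 has a route, but the nonat access-list only exempts 10.1.1.0/24, so the report flags 10.1.2.0/24 as still being translated toward the VPN pool; that is exactly the condition under which a client can get an address yet reach nothing behind the firewall.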
I have IPsec over UDP port enabled. Interesting that the article points to Configuration > User Management > Groups | IPsec tab; I actually find it under the Client Config tab. I tried the global NAT-T over TCP but I can't seem to get connected using that. I'll have to play with it a bit more to see if I can get it to work.
The routes on the concentrator seem to be fine, as if I connect without passing through the Checkpoint firewall (i.e. behind a Linksys NAT device or directly connected) I can hit the networks just fine. The IP scheme may be an issue but I have tried a few variations to try and eliminate that as an issue. Currently it is set up as follows:
Private interface of vpn concentrator
static ip address assigned to client by concentrator
The static IP is in the same subnet as the VPN device but I haven't had a problem with it before.
What kind of ICMP traffic would I need to allow on the firewall? I do see some drops in the logs, particularly an ICMP TTL count exceeded / address spoofing message. I turned off spoofing protection to test if the Checkpoint firewall was mucking it up, but no change.