Checkpoint firewall and Cisco VPN

Tags:
Cisco
Firewalls
Forensics
Incident response
Intrusion management
Network security
VPN
Wireless
Hi all - I've had this problem now with 2 separate people and am a little perplexed. Here's what's happening: We have a Checkpoint firewall (Nokia), very restricted access. We have consultants or auditors that come in and need to access their Cisco VPN from inside our firewall, and it always fails. I added them to a rule with no restrictions and it still failed. So here's my question to you all out there - it's been several years since I've had to work with the Cisco VPN and I'm not all that up on the Checkpoint firewall either - so is there something I'm missing here, or is this a known issue? I appreciate any input you have. Thanks! Lirria

Answer Wiki


I don’t know the answer offhand, but here are some things to look at:

1) When the “no restrictions” rule was added, was it for TCP, UDP, or all IP?

2) When the “no restrictions” rule was added, is there anything in “front” of it?

3) When the auditors make the attempt and fail, what sort of log messages do you see? If you don’t see any, then ask the firewall admins if they would turn on more logging just to test – pretty please!!

4) Is this traffic going through any sort of NAT scheme? Some VPN solutions need to be tweaked to work in a NAT environment.

5) If I recall correctly, the Cisco VPN client can be set up to use UDP or TCP for the VPN session - this often deals with trouble getting through firewalls.

Hope that helps,

Bob

Discuss This Question: 4  Replies

  • Lirria
    OK - here are my best answers to these questions:
    1) It was added for all (set for any destination, any service).
    2) There had been, but I moved the rule up in the list and retested - same results.
    3) This is the only error message I can really associate to them (not sure where to turn on more logging - still new to the Checkpoint firewall configuration and it's all seat-of-the-pants learning):
    Number: 113195
    Date: 27Nov2006
    Time: 14:17:40
    Product: VPN-1 & FireWall-1
    Interface: eth-s1p1c0
    Origin: nbfw-gb (xx.xx.xxx.xxx)
    Type: Log
    Action: Reject
    Protocol: tcp
    Service: http (80)
    Source: Consultants (xx.x.x.x)
    Destination: xxx.xxx.xxx.xx
    Source Port: 1261
    Information: message_info: Error parsing HTTP sub-header
    4) We do have NAT enabled on the firewall (automatic address translation rules are added, translation method is Hide, hide behind gateway).
    5) I'll have to see if they know - I'm doubting they will, as they don't even know their password... It's definitely a start. Thanks!
  • Imazing
    It sounds to me that the VPN connection at the other end can't handle NAT traffic; this is a common problem with VPN configs. Try to get hold of the techs on the other end to see if this is true.
  • Jhandjr1
    You should check to ensure the required ports for Cisco IPSec VPN tunnels are open. The standard ones are 4500 for NAT-T, and UDP 500 for IPSec sessions in and out. Here is some reference info from Cisco:
    Both IP protocols and TCP/UDP ports must be opened in the firewall. The UDP/TCP ports necessary to forward through a firewall are: UDP 500 ISAKMP (Internet Security Association Key Management Protocol). All IKE clients and LAN-to-LAN IKE tunnels require UDP port 500 and their respective protocol to establish a tunnel.
    You can also go to the CISCO.com website and search/view the details. Just search on "ipsec tunnels and checkpoint firewall".
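The two replies above point at the same diagnostic: read the firewall's Reject entries and check whether they land on the flows an IPsec client needs (UDP 500 for ISAKMP/IKE, UDP 4500 for NAT-T, and ESP itself). Here is an added Python example, not code from the thread or from Check Point or Cisco, that parses the flattened one-line VPN-1 & FireWall-1 log format quoted by Lirria, tells IPsec-related rejects apart from unrelated ones (the quoted entry is an HTTP reject on port 80, not a VPN port), and lists which required flows a permitting rule still lacks. Assumptions: the field names are exactly those in the quoted entry, ESP shows up in the Protocol field as "esp", and the second log line is constructed for the example.

```python
import re

# Flows a Cisco IPsec VPN client needs through a perimeter firewall: the two
# UDP ports named in the reply above, plus ESP (IP protocol 50), which carries
# the tunnel itself when NAT-T is not in use.  Rendering ESP as protocol name
# "esp" in the log is an assumption for this example.
REQUIRED_VPN_FLOWS = {
    ("udp", 500): "ISAKMP/IKE (UDP 500)",
    ("udp", 4500): "NAT-T, IPsec over UDP (UDP 4500)",
    ("esp", None): "ESP (IP protocol 50)",
}

# Field names as they appear in the flattened log entry quoted in the thread.
# "Source Port" is listed before "Source" so the longer name is tried first.
KNOWN_FIELDS = [
    "Number", "Date", "Time", "Product", "Interface", "Origin", "Type",
    "Action", "Protocol", "Service", "Source Port", "Source", "Destination",
    "Information",
]
_FIELD_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(f) for f in KNOWN_FIELDS) + r"): "
)

# The entry Lirria posted (addresses already masked on the page).
PAGE_LOG = (
    "Number: 113195 Date: 27Nov2006 Time: 14:17:40 Product: VPN-1 & FireWall-1 "
    "Interface: eth-s1p1c0 Origin: nbfw-gb (xx.xx.xxx.xxx) Type: Log Action: Reject "
    "Protocol: tcp Service: http (80) Source: Consultants (xx.x.x.x) "
    "Destination: xxx.xxx.xxx.xx Source Port: 1261 "
    "Information: message_info: Error parsing HTTP sub-header"
)

# Constructed sample: what a reject of the client's IKE negotiation would look like.
CONSTRUCTED_IKE_LOG = (
    "Number: 113196 Date: 27Nov2006 Time: 14:18:02 Product: VPN-1 & FireWall-1 "
    "Interface: eth-s1p1c0 Origin: nbfw-gb (xx.xx.xxx.xxx) Type: Log Action: Reject "
    "Protocol: udp Service: IKE (500) Source: Consultants (xx.x.x.x) "
    "Destination: xxx.xxx.xxx.xx Source Port: 500 Information: constructed sample"
)


def parse_checkpoint_log(line: str) -> dict:
    """Split a one-line 'Key: value Key: value ...' entry into a dict.

    Values can contain spaces and colons ('14:17:40', 'message_info: ...'),
    so we locate the known field names and take the text up to the next one.
    """
    matches = list(_FIELD_RE.finditer(line))
    fields = {}
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[start:end].strip()
    return fields


def service_port(service: str):
    """Extract the numeric port from a Service value such as 'http (80)'."""
    m = re.search(r"\((\d+)\)", service)
    return int(m.group(1)) if m else None


def classify_reject(fields: dict) -> str:
    """Say whether a Reject entry hit one of the flows the VPN depends on."""
    if fields.get("Action") != "Reject":
        return "not a reject"
    proto = fields.get("Protocol", "").lower()
    port = service_port(fields.get("Service", "")) if proto in ("tcp", "udp") else None
    name = REQUIRED_VPN_FLOWS.get((proto, port))
    if name:
        return f"VPN flow blocked: {name}"
    info = fields.get("Information", "")
    return f"reject unrelated to IPsec flows: {proto}/{port} ({info})"


def missing_vpn_flows(permitted) -> list:
    """Given the (protocol, port) pairs a rule permits, list required flows it lacks."""
    return [name for key, name in REQUIRED_VPN_FLOWS.items() if key not in permitted]


if __name__ == "__main__":
    for entry in (PAGE_LOG, CONSTRUCTED_IKE_LOG):
        fields = parse_checkpoint_log(entry)
        print(fields["Number"], "->", classify_reject(fields))
    # A rule that only opens IKE still leaves NAT-T and ESP unaccounted for.
    print("still missing:", missing_vpn_flows({("udp", 500)}))
```

Run over the posted entry, the classifier reports a TCP/80 reject with the "Error parsing HTTP sub-header" reason, which is the HTTP inspection on the gateway rather than the rulebase dropping VPN traffic; a reject on UDP 500 or 4500 would be flagged as a blocked VPN flow instead. When the rule was set to "any service" and rejects on these flows still appear, the hide-NAT noted in the thread is the next thing to check, since NAT-T on UDP 4500 is what lets IPsec survive address translation.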
  • Lirria
    Thanks for the information - I have been out of the Cisco circles for so long I didn't even think of going to their website to look for the answer - sometimes the simplest solution is the best, huh? Thanks again! Lirria
