Firewall Wizards mailing list archives

RE: IBM SecureWay 4.1 issue with Cisco VPN client


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 2 Mar 2004 08:39:33 -0500

Kyle,

The most likely culprit is port address translation, or PAT (known as "Hide NAT" on Check Point and "masquerading" on 
Linux).  If the far end that the VPN client is connecting to is a PIX firewall, it will expect traffic to use UDP 4500 
for both the source -and- destination port.  If your firewall is performing PAT, which means that it is translating the 
source address and source port of traffic destined for the Internet, this will change the source port of your VPN 
client traffic.  

There are a couple of things you can do on your end, including configuring static-port for UDP/4500 (don't know if 
SecureWay can do this), and configuring a static NAT or one-to-one NAT rule for each machine that needs to connect out 
with the VPN client.  

The best solution, however, is for the organization on the other end to upgrade their PIX OS to v6.3 and add 'isakmp 
nat-traversal' to their config.  This will override the need for the source port to be 4500 as well.  The reason they 
should do this is that this won't be the last time they run into this problem.

Hope this helps.

PaulM


-----Original Message-----
Now IBM SecureWay has a VPN support set up, but it's only for direct
tunneling, i.e. from the firewall to another firewall. We must use the Cisco
VPN client. After some research, I have found that the client uses UDP 500,
and UDP 4500 (and sometimes UDP 10000) for its connection. So I created
custom rules on the firewall to allow those ports open for the computers
running the client. This allowed me to successfully sign in to the server
that's running the VPN host. However, I cannot see the other computers
running on that network (as I should be able to over a VPN). Also, the .Net
tools do not get a reply from the databases we try to access. When I look at
the statistics page that the Cisco VPN client produces, the field labeled
'bytes received' stays at 0.

The next logical course of action is to determine if the problems aren't at
my end. So I removed a computer from the firewall (let it be its own entity
in the open world) and ran the VPN client again. It connected perfectly, and
when using the .Net tools everything worked fine. I also could see the other
computers in the Virtual Network.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
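The mechanism Paul describes above, modelled as an added example (this is not code from the original posts, nor from Cisco or IBM): a stateful NAT device that either PATs inside hosts behind one outside address, keeps a "static" source port, or applies one-to-one NAT, sending a UDP/4500 request to a far-end gateway that is either strict about the source port (as the reply says a pre-NAT-T PIX is) or NAT-T aware. The addresses (RFC 5737 documentation ranges), the Firewall class and both peer behaviours are constructed for illustration; only the source-port rewrite and the return-path state lookup are modelled.

```python
# Added example: a small model of the PAT problem described in Paul Melson's
# reply. It is NOT code from the original posts or from any firewall vendor.
# Addresses (RFC 5737 ranges), the peer behaviours and the Firewall class are
# all constructed for illustration; a real PIX or SecureWay box is not modelled
# beyond the source-port rewrite and the return-path state lookup.
from dataclasses import dataclass
import itertools

VPN_GW = "198.51.100.10"   # hypothetical far-end VPN gateway (the "PIX")
NAT_T_PORT = 4500          # UDP port the Cisco client uses for IPsec over UDP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Firewall:
    """Stateful NAT device that PATs ("hides") inside hosts behind one address.

    static_map   : inside IP -> dedicated outside IP (one-to-one NAT, port kept)
    static_ports : source ports PAT must not rewrite (the "static-port" idea)
    """

    def __init__(self, outside_ip, static_map=None, static_ports=()):
        self.outside_ip = outside_ip
        self.static_map = dict(static_map or {})
        self.static_ports = set(static_ports)
        self._pat_ports = itertools.count(1024)
        # translation table: (out_ip, out_port, dst_ip, dst_port) -> (in_ip, in_port)
        self.table = {}

    def _port_is_free(self, port, pkt):
        owner = self.table.get((self.outside_ip, port, pkt.dst_ip, pkt.dst_port))
        return owner is None or owner == (pkt.src_ip, pkt.src_port)

    def outbound(self, pkt):
        """Translate an inside->Internet packet and record state for the reply."""
        if pkt.src_ip in self.static_map:
            # one-to-one NAT: only the address changes, the source port survives
            out_ip, out_port = self.static_map[pkt.src_ip], pkt.src_port
        elif pkt.src_port in self.static_ports and self._port_is_free(pkt.src_port, pkt):
            # static-port: keep the port, but only one inside host can hold it
            out_ip, out_port = self.outside_ip, pkt.src_port
        else:
            # plain PAT: address AND source port are rewritten
            out_ip, out_port = self.outside_ip, next(self._pat_ports)
        self.table[(out_ip, out_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(out_ip, out_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Reverse the translation; a reply with no matching state is dropped."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            return None
        in_ip, in_port = self.table[key]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def strict_peer(pkt):
    """Gateway behaving as the reply describes: UDP/4500 must come FROM 4500."""
    if pkt.dst_port == NAT_T_PORT and pkt.src_port != NAT_T_PORT:
        return None
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def natt_peer(pkt):
    """NAT-T-aware gateway: answers to whatever address/port the request used."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def client_gets_reply(fw, peer, client_ip):
    """True if a UDP/4500 request from client_ip comes back through the firewall."""
    request = Packet(client_ip, NAT_T_PORT, VPN_GW, NAT_T_PORT)
    reply = peer(fw.outbound(request))
    return reply is not None and fw.inbound(reply) is not None


if __name__ == "__main__":
    print("PAT + strict peer  :", client_gets_reply(Firewall("203.0.113.1"), strict_peer, "10.0.0.5"))
    print("PAT + NAT-T peer   :", client_gets_reply(Firewall("203.0.113.1"), natt_peer, "10.0.0.5"))
    one_to_one = Firewall("203.0.113.1", static_map={"10.0.0.5": "203.0.113.5"})
    print("1:1 NAT + strict   :", client_gets_reply(one_to_one, strict_peer, "10.0.0.5"))
    sp = Firewall("203.0.113.1", static_ports=[NAT_T_PORT])
    print("static-port, host 1:", client_gets_reply(sp, strict_peer, "10.0.0.5"))
    print("static-port, host 2:", client_gets_reply(sp, strict_peer, "10.0.0.6"))
```

The first case is Kyle's symptom: the request leaves with a rewritten source port, the strict peer never answers, and 'bytes received' stays at 0. The NAT-T-aware peer replies to the translated address and port, so the firewall's state table maps the reply back and the client works behind plain PAT, which is why the far end upgrading matters more than any change on the near side. The last two cases show the limit of the static-port approach: only one inside host can own UDP/4500 on a shared outside address, so a second client silently drops back to PAT and fails again, whereas a one-to-one NAT rule per client preserves the port for each of them.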