Firewall Wizards mailing list archives
RE: IBM SecureWay 4.1 issue with Cisco VPN client
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 2 Mar 2004 08:39:33 -0500
Kyle,

The most likely culprit is port address translation, or PAT (known as "Hide NAT" on CheckPoint and "masquerading" on Linux). If the far end that the VPN client is connecting to is a PIX firewall, it will expect traffic to use UDP 4500 for both the source -and- destination port. If your firewall is performing PAT, which means that it is translating the source address and source port of traffic destined for the Internet, this will change the source port of your VPN client traffic.

There are a couple of things you can do on your end, including configuring static-port for UDP/4500 (don't know if SecureWay can do this), and configuring a static NAT or one-to-one NAT rule for each machine that needs to connect out with the VPN client.

The best solution, however, is for the organization on the other end to upgrade their PIX OS to v6.3 and add 'isakmp nat-traversal' to their config. This will override the need for the source port to be 4500 as well. The reason they should do this is that this won't be the last time they run into this problem.

Hope this helps.

PaulM

-----Original Message-----

Now IBM SecureWay has a VPN support set up, but it's only for direct tunneling, i.e. from the firewall to another firewall. We must use the Cisco VPN client. After some research, I have found that the client uses UDP 500 and UDP 4500 (and sometimes UDP 10000) for its connection. So I created custom rules on the firewall to allow those ports open for the computers running the client. This allowed me to successfully sign in to the server that's running the VPN host.

However, I cannot see the other computers running on that network (as I should be able to over a VPN). Also, the .Net tools do not get a reply from the databases we try to access. When I look at the statistics page that the Cisco VPN client produces, the field labeled 'bytes received' stays at 0.

The next logical course of action is to determine if the problems aren't at my end. So I removed a computer from the firewall (let it be its own entity in the open world) and ran the VPN client again. It connected perfectly, and when using the .Net tools everything worked fine. I also could see the other computers in the Virtual Network.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
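The failure mode Paul describes (PAT rewriting the UDP 4500 source port so a PIX without NAT-T rejects the client) and the three fixes he lists (static-port for UDP/4500, one-to-one NAT per client, or NAT-T on the far end) can be modelled in a few dozen lines. The following is an added illustration written for this archive page, not code from either poster, from IBM SecureWay or from Cisco. The `PatFirewall` class, the `static_ports` and `one_to_one` options, the two `pix_*_accepts` predicates and all IP addresses are constructed for the example; they imitate the behaviour discussed in the thread, not any vendor's configuration syntax.

```python
"""Model of port address translation (PAT) and why an IPsec NAT-T peer that
insists on UDP source port 4500 fails behind it.

Constructed example: the class names, option names and addresses below are
assumptions made for illustration, not SecureWay or PIX syntax.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatFirewall:
    """Outbound PAT: many inside hosts share one public IP; source ports are
    rewritten to keep translations unique.  Two exemptions are modelled:
      static_ports - source ports that must be preserved (the 'static-port'
                     idea from the thread; only one inside host may use each)
      one_to_one   - inside IP -> dedicated public IP, so ports are untouched
    """

    def __init__(self, public_ip, static_ports=(), one_to_one=None):
        self.public_ip = public_ip
        self.static_ports = set(static_ports)
        self.one_to_one = dict(one_to_one or {})
        self._next_port = count(1024)          # constructed PAT port pool
        self.table = {}    # (pub_ip, pub_port) -> (inside_ip, inside_port)
        self.reverse = {}  # (inside_ip, inside_port, dst_ip, dst_port) -> (pub_ip, pub_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.reverse:                         # existing translation
            pub_ip, pub_port = self.reverse[key]
        elif pkt.src_ip in self.one_to_one:             # one-to-one NAT: port kept
            pub_ip, pub_port = self.one_to_one[pkt.src_ip], pkt.src_port
        elif pkt.src_port in self.static_ports:         # static-port: port kept
            pub_ip, pub_port = self.public_ip, pkt.src_port
            owner = self.table.get((pub_ip, pub_port))
            if owner is not None and owner != (pkt.src_ip, pkt.src_port):
                # The practical limit of static-port: the public port is
                # already owned by another inside host.
                raise RuntimeError("static-port collision on UDP/%d" % pub_port)
        else:                                           # ordinary PAT: port rewritten
            pub_ip, pub_port = self.public_ip, next(self._next_port)
            while (pub_ip, pub_port) in self.table:
                pub_port = next(self._next_port)
        self.table[(pub_ip, pub_port)] = (pkt.src_ip, pkt.src_port)
        self.reverse[key] = (pub_ip, pub_port)
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Reply handling: un-translate a known mapping, drop anything else."""
        inside = self.table.get((pkt.dst_ip, pkt.dst_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def pix_strict_nat_t_accepts(pkt):
    """Far end without 'isakmp nat-traversal': wants UDP 4500 on both ends."""
    return pkt.src_port == 4500 and pkt.dst_port == 4500


def pix_nat_traversal_accepts(pkt):
    """Far end with NAT-T enabled: only the destination port matters."""
    return pkt.dst_port == 4500


CLIENT = Packet("192.168.1.10", 4500, "203.0.113.5", 4500)   # constructed addresses


def run_scenario(fw, peer_accepts, client=CLIENT):
    """Return (source port the peer sees, whether the peer accepts the packet)."""
    outside = fw.outbound(client)
    return outside.src_port, peer_accepts(outside)


def second_host_blocked(fw):
    """True if a second inside host cannot also use UDP/4500 through fw."""
    fw.outbound(CLIENT)
    try:
        fw.outbound(Packet("192.168.1.11", 4500, "203.0.113.5", 4500))
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("plain PAT, strict PIX  :", run_scenario(PatFirewall("198.51.100.1"), pix_strict_nat_t_accepts))
    print("plain PAT, NAT-T PIX   :", run_scenario(PatFirewall("198.51.100.1"), pix_nat_traversal_accepts))
    print("static-port, strict PIX:", run_scenario(PatFirewall("198.51.100.1", static_ports={4500}), pix_strict_nat_t_accepts))
    print("second client, static  :", second_host_blocked(PatFirewall("198.51.100.1", static_ports={4500})))
```

The model makes the trade-off in Paul's advice visible: static-port keeps the first client working but refuses a second inside host on UDP/4500, one-to-one NAT needs a public address per client, and only NAT-T on the far end removes the source-port requirement entirely.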
Current thread:
- IBM SecureWay 4.1 issue with Cisco VPN client Kyle King (Mar 01)
- RE: IBM SecureWay 4.1 issue with Cisco VPN client Melson, Paul (Mar 02)