Firewall Wizards mailing list archives
RE: Pix to Checkpoint VPN Connectivity
From: <mlists () tdbnetworks org>
Date: Mon, 10 May 2004 15:38:12 +0100
Thanks to Darren's help I seem to have got a little further but, true to form, have hit another brick wall.

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 50 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -2067221398:84c8b46a
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x36c44056(918831190) for SA from x.x.19.139 to x.x.4.83 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2227745898
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
ISAKMP (0): processing NONCE payload. message ID = 2227745898
ISAKMP (0): processing KE payload. message ID = 2227745898
ISAKMP (0): processing ID payload. message ID = 2227745898
ISAKMP (0): processing ID payload. message ID = 2227745898
map_alloc_entry: allocating entry 3
map_alloc_entry: allocating entry 4
ISAKMP (0): Creating IPSec SAs
        inbound SA from x.x.19.139 to x.x.4.83 (proxy x.x.19.65 to x.x.0.253)
        has spi 918831190 and conn_id 3 and flags 25
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from x.x.4.83 to x.x.19.139 (proxy x.x.0.253 to x.x.19.65)
        has spi 3145190809 and conn_id 4 and flags 25
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= x.x.4.83, src= x.x.19.139,
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0x36c44056(918831190), conn_id= 3, keysize= 0, flags= 0x25
IPSEC(initialize_sas): ,
  (key eng. msg.) src= x.x.4.83, dest= x.x.19.139,
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xbb77cd99(3145190809), conn_id= 4, keysize= 0, flags= 0x25
VPN Peer: IPSEC: Peer Info not found during IPSEC addition: Peer ip:x.x.19.139/500
VPN Peer: IPSEC: Peer Info not found during IPSEC addition: Peer ip:x.x.19.139/500
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:x.x.19.139/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:x.x.19.139/500 Ref cnt incremented to:1 Total VPN Peers:2
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3319682682
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1
IPSEC(validate_proposal): invalid transform proposal flags -- 0x14
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 30 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP: no pre-shared key for 4.24.220.6
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
tdb-fw01#
tdb-fw01#
tdb-fw01#
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1680169563:64255a5b
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe2569566(3797325158) for SA from x.x.4.84 to x.x.4.83 for prot 3
crypto_isakmp_process_block:src:x.x.4.84, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1680169563
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.4.84, src= x.x.4.83,
    dest_proxy= x.x.0.252/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1680169563
ISAKMP (0): processing ID payload. message ID = 1680169563
ISAKMP (0): processing ID payload. message ID = 1680169563
map_alloc_entry: allocating entry 5
map_alloc_entry: allocating entry 6
ISAKMP (0): Creating IPSec SAs
        inbound SA from x.x.4.84 to x.x.4.83 (proxy x.x.0.252 to x.x.0.0)
        has spi 3797325158 and conn_id 5 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from x.x.4.83 to x.x.4.84 (proxy x.x.0.0 to x.x.0.252)
        has spi 4148531421 and conn_id 6 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= x.x.4.83, src= x.x.4.84,
    dest_proxy= x.x.0.0/255.255.255.0/0/0 (type=4),
    src_proxy= x.x.0.252/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xe2569566(3797325158), conn_id= 5, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= x.x.4.83, dest= x.x.4.84,
    src_proxy= x.x.0.0/255.255.255.0/0/0 (type=4),
    dest_proxy= x.x.0.252/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xf74590dd(4148531421), conn_id= 6, keysize= 0, flags= 0x4
VPN Peer: IPSEC: Peer ip:x.x.4.84/500 Ref cnt incremented to:4 Total VPN Peers:2
VPN Peer: IPSEC: Peer ip:x.x.4.84/500 Ref cnt incremented to:5 Total VPN Peers:2
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
ISAKMP (0): deleting SA: src 4.24.220.6, dst x.x.4.83
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xc5de567a
ISADB: reaper checking SA 0x11b78b4, conn_id = 0
ISADB: reaper checking SA 0x124ccbc, conn_id = 0
ISADB: reaper checking SA 0x1257fc4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 4.24.220.6/500 not found - peers:2
ISADB: reaper checking SA 0x11b78b4, conn_id = 0
ISADB: reaper checking SA 0x124ccbc, conn_id = 0
crypto_isakmp_process_block:src:4.24.220.6, dest:x.x.4.83 spt:500 dpt:500
ISAKMP: sa not found for ike msg

Richard

________________________________________________________
Richard Worwood, TDB Networks
4 High Street, Twyford, Berkshire RG10 9AE
Office: +44 (0) 118 934 0056
Mobile: +44 (0) 7771 662880
Email: richardw () tdbnetworks com
Web: www.tdbnetworks.com

-----Original Message-----
From: Hartman, Darren [mailto:dhartman () icsalabs com]
Sent: 10 May 2004 14:22
To: Richard Worwood
Subject: RE: [fw-wiz] Pix to Checkpoint VPN Connectivity

Possible problem:
From the debug info:

    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),

    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1),
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)

It looks like the peer is configured for "ANY" (0/0) protocol/port for traffic selectors, but the PIX is configured for "ICMP" (1/0).

From your config, the crypto-map references the ACL which permits only ICMP:

    "crypto map internal-vpn-tunnel 90 match address x.x.19.65-us-ftp-vpn-traffic"
    "access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host x.x.19.65"

To troubleshoot, try using your other ACL in the "match address" line, which should match the 0/0 traffic selectors:

    "access-list vpn_connect permit ip host x.x.0.253 host x.x.19.65"

Good Luck,

Darren Hartman
Sr. Lab Analyst
ICSA Labs
1000 Bent Creek Blvd, Suite 200
Mechanicsburg PA 17050
Phone: 717.790.8123
Fax: 717.790.8170
www.icsalabs.com

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Richard Worwood
Sent: Monday, May 10, 2004 2:41 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Pix to Checkpoint VPN Connectivity

I'm in the process of trying to set up a VPN connection between our Pix 515 and a supplier who has a Checkpoint firewall, but am not having an awful lot of luck. It looks to me, from the debugs I've captured, as if the VPN is establishing successfully but for some reason is unable to establish a credible proxy relationship to allow communications to flow. I've included copies of the debug capture and the config of my firewall for review, as I suspect I'm just doing something stupid, but as ever any help will be gratefully received.

Regards
Richard

Pix Debug Log

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1779604032:95ed65c0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd7e65927(3622197543) for SA from x.x.19.139 to x.x.4.83 for prot 3
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2515363264
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.x.4.83, remote= x.x.19.139,
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1),
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 52913619:32765d3
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3985d33c(965071676) for SA from x.x.19.139 to x.x.4.83 for prot 3
crypto_isakmp_process_block:src:x.x.19.139, dest:x.x.4.83 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 52913619
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= x.x.19.139, src= x.x.4.83,
    dest_proxy= x.x.0.253/255.255.255.255/0/0 (type=1),
    src_proxy= x.x.19.65/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.x.4.83, remote= x.x.19.139,
    local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1),
    remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)

Config file

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 tdb-vpn security10
enable password xxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxx
hostname fw01
domain-name tester.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list inbound-acl permit icmp any any echo-reply
access-list inbound-acl permit icmp any any unreachable
access-list inbound-acl permit icmp any any time-exceeded
access-list inbound-acl permit udp any eq domain any
access-list vpn_connect permit ip host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit icmp host x.x.0.253 host x.x.19.65
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp-data
access-list x.x.19.65-us-ftp-vpn-traffic permit tcp host x.x.0.253 host x.x.19.65 eq ftp
pager lines 25
logging on
logging console warnings
logging buffered warnings
logging trap notifications
logging history warnings
logging facility 22
logging queue 0
logging host inside x.x.0.251
logging host inside x.x.0.15
mtu outside 1500
mtu inside 1500
mtu tdb-vpn 1500
ip address outside x.x.4.83 255.255.255.248
ip address inside x.x.0.254 255.255.255.0
ip address tdb-vpn 127.0.0.1 255.255.255.248
ip verify reverse-path interface outside
ip audit name Anal attack action drop
ip audit name Anal_Info info action alarm
ip audit interface outside Anal_Info
ip audit interface outside Anal
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
pdm location x.x.0.0 255.255.255.0 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 17 interface
nat (inside) 0 access-list vpn_connect
nat (inside) 17 0.0.0.0 0.0.0.0 0 0
access-group inbound-acl in interface outside
router ospf 1
  network x.x.0.0 255.255.255.0 area 0
  log-adj-changes
  redistribute static
route outside 0.0.0.0 0.0.0.0 x.x.4.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host x.x.0.253 cisco timeout 10
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map internal-vpn-tunnel 90 ipsec-isakmp
crypto map internal-vpn-tunnel 90 match address x.x.19.65-us-ftp-vpn-traffic
crypto map internal-vpn-tunnel 90 set pfs group2
crypto map internal-vpn-tunnel 90 set peer x.x.19.139
crypto map internal-vpn-tunnel 90 set transform-set ESP-3DES-SHA
crypto map internal-vpn-tunnel interface outside
isakmp enable outside
isakmp key <Private Key> address x.x.19.139 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
console timeout 10
terminal width 80
banner exec ************************************************************************ **** ***
banner exec *************************** Private Computer System ***************************
banner exec ************************************************************************ **** ***
banner exec The data held on this TDB Networks Ltd. host system is PRIVATE PROPERTY. Access
banner exec to the data is only available for authorised users and purposes. Unauthorised
banner exec entry contravenes the Computer Misuse Act 1990 and may incur criminal penalties
banner exec as well as damages. Please proceed if you are an authorised user.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

***********************************************************************
This message is intended only for the use of the intended recipient and may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you are not the intended recipient, you are hereby notified that any use, dissemination, disclosure or copying of this communication is strictly prohibited. If you have received this communication in error, please destroy all copies of this message and its attachments and notify us immediately.
***********************************************************************
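The following is an added example, not code from this thread, from Cisco or from Check Point. It shows, over lines copied from the debug output above, three things a reader of PIX 6.x `debug crypto isakmp` / `debug crypto ipsec` output has to work out by hand: how the "(VPI) of 0x0 0x1 0x51 0x80" lifetime encoding decodes to 86400 seconds, why the Phase 1 search over Richard's `isakmp policy` entries stops at priority 50, and how the Phase 2 proxy identities the Check Point offered (protocol 0, "ANY") differ from the ones the PIX built from its ICMP-only crypto-map ACL (protocol 1), which is the mismatch Darren points at. The policy table is transcribed from the posted config; the lifetime rule (accept when the peer's lifetime is no longer than the local one, accept when none is offered) is my reading of Cisco's matching behaviour and is an assumption of the example.

```python
"""Decode PIX 6.x IKE debug output: VPI lifetimes, Phase 1 policy search,
and Phase 2 proxy-identity (traffic selector) comparison.

Added example for the fw-wiz thread; not code from the thread, Cisco or
Check Point. All sample lines below are copied from the thread's debug
output (addresses masked there as x.x.*). Nothing touches the network.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "SA life duration (VPI) of 0x0 0x1 0x51 0x80": one byte per token, big-endian.
VPI_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
# Proxy identity as the PIX prints it: addr/mask/protocol/port (type=N).
PROXY_RE = re.compile(
    r"(?P<role>local_proxy|remote_proxy|src_proxy|dest_proxy)= "
    r"(?P<addr>[\w.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)"
)


def decode_vpi(line: str) -> Optional[int]:
    """Return the integer behind a '(VPI) of 0x.. 0x..' run, or None if absent."""
    m = VPI_RE.search(line)
    if not m:
        return None
    value = 0
    for tok in m.group(1).split():
        value = (value << 8) | int(tok, 16)
    return value


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash: str
    group: int
    auth: str
    lifetime: int


# Transcribed from the 'isakmp policy' lines in the posted PIX config.
PIX_POLICIES = [
    IsakmpPolicy(10, "3des", "md5", 1, "pre-share", 28800),
    IsakmpPolicy(30, "des", "sha", 1, "pre-share", 86400),
    IsakmpPolicy(40, "3des", "md5", 2, "pre-share", 3600),
    IsakmpPolicy(50, "3des", "sha", 2, "pre-share", 86400),
]


def match_isakmp_policy(proposal: dict, policies=PIX_POLICIES) -> Optional[int]:
    """Walk policies in priority order, like the 'Checking ISAKMP transform 1
    against priority N policy' lines, and return the first priority whose
    encryption, hash, DH group and authentication all equal the proposal's.
    Assumption: a proposed lifetime is accepted when it is no longer than the
    local one (the PIX negotiates down to the shorter); no lifetime = accept."""
    for p in sorted(policies, key=lambda x: x.priority):
        offered = (proposal["encryption"], proposal["hash"], proposal["group"], proposal["auth"])
        if offered != (p.encryption, p.hash, p.group, p.auth):
            continue
        lifetime = proposal.get("lifetime")
        if lifetime is not None and lifetime > p.lifetime:
            continue
        return p.priority
    return None


@dataclass(frozen=True)
class Proxy:
    addr: str
    mask: str
    proto: int  # IP protocol number; 0 means "any"
    port: int   # 0 means "any"


def parse_proxies(text: str) -> dict:
    """Map each proxy role found in a debug fragment to its Proxy."""
    return {m["role"]: Proxy(m["addr"], m["mask"], int(m["proto"]), int(m["port"]))
            for m in PROXY_RE.finditer(text)}


def selector_mismatches(peer_proposal: str, local_identity: str) -> list:
    """Compare the peer's Quick Mode proposal (validate_proposal_request; there
    src= is the PIX, so src_proxy is the PIX-side selector) with the identity
    the PIX derived from its crypto-map ACL (request timer fired: local_proxy /
    remote_proxy). One message per differing field; [] means they agree."""
    peer, ours = parse_proxies(peer_proposal), parse_proxies(local_identity)
    problems = []
    for mine, theirs in (("local_proxy", "src_proxy"), ("remote_proxy", "dest_proxy")):
        a, b = ours[mine], peer[theirs]
        for field in ("addr", "mask", "proto", "port"):
            av, bv = getattr(a, field), getattr(b, field)
            if av != bv:
                problems.append(f"{mine} {field}={av} vs peer {theirs} {field}={bv}")
    return problems


# Sample input, copied from the thread's debug output.
PEER_PROPOSAL = ("IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) "
                 "dest= x.x.19.139, src= x.x.4.83, "
                 "dest_proxy= x.x.19.65/255.255.255.255/0/0 (type=1), "
                 "src_proxy= x.x.0.253/255.255.255.255/0/0 (type=1), "
                 "protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 0s and 0kb")
PIX_IDENTITY = ("IPSEC(key_engine): request timer fired: count = 1, (identity) "
                "local= x.x.4.83, remote= x.x.19.139, "
                "local_proxy= x.x.0.253/255.255.255.255/1/0 (type=1), "
                "remote_proxy= x.x.19.65/255.255.255.255/1/0 (type=1)")
PEER_PHASE1 = {"encryption": "3des", "hash": "sha", "group": 2, "auth": "pre-share",
               "lifetime": decode_vpi("ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80")}

if __name__ == "__main__":
    print("Phase 1 lifetime offered:", PEER_PHASE1["lifetime"], "seconds")
    print("Phase 1 policy matched: priority", match_isakmp_policy(PEER_PHASE1))
    for msg in selector_mismatches(PEER_PROPOSAL, PIX_IDENTITY):
        print("Phase 2 selector mismatch:", msg)
```

Run as a script it reports the 86400-second lifetime, a Phase 1 match at priority 50, and two selector mismatches (proto 1 against proto 0 on both the local and the remote proxy), which is exactly the "proxy identities not supported" situation; swapping the `match address` ACL for one that permits `ip` makes the PIX-side selectors 0/0 and the mismatch list empty.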
Current thread:
- Pix to Checkpoint VPN Connectivity Richard Worwood (May 10)
- <Possible follow-ups>
- RE: Pix to Checkpoint VPN Connectivity mlists (May 10)
- Pix to Checkpoint VPN Connectivity cs 2004 (May 27)