Firewall Wizards mailing list archives

RE: Cisco VPN client behind a Netscreen


From: "Andy Lyakhovetskiy" <andy () net4bay com>
Date: Mon, 10 Nov 2003 23:30:08 -0800

If you have OS v2.6, then you have to use MIPs; in v3.x and v4.x there
is a setting, Configure->"Bypass-others-ipsec".

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Melson, Paul
Sent: Thursday, November 06, 2003 5:45 AM
To: Aram Smith; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Cisco VPN client behind a Netscreen


Aram,

You do not need to create an IPSec policy on the NetScreen for VPN
clients that are passing through it.  (The same would be true if you had
a VPN concentrator behind it and users were connecting inbound from the
Internet.)

This problem most likely has to do with source port translation being
performed by the NetScreen as part of its NAT rules for outbound
traffic.  The PIX will likely complain if the source port of the VPN
client connection isn't 500 or 4500 as appropriate and prevent the
tunnel from coming all the way up.  The best fix for this is to upgrade
the PIX OS version to a current release and enable the 'isakmp
nat-traversal' feature.  

However, since you don't have control over the PIX, another solution
would be to configure a static NAT (NetScreen calls this MIP, or Mapped
IP?) for just the VPN client workstation's IP address to an otherwise
unused IP address on the firewall's outside subnet.  This should prevent
the source port from being modified when making the connection.

Good luck!

PaulM

-----Original Message-----
I have recently implemented a Netscreen 50 and I have users behind it
that use a Cisco VPN client to connect to a Cisco Pix which I have no
control over. Their VPN client is not functioning properly. Currently I
have a policy allowing outbound traffic any from all inside. Does anyone
know if I also need to create an IPSEC policy for inbound traffic?
Thanks, Aram Smith

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

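As a diagnostic for the source-port translation Paul describes, here is an added example (not from the list thread, NetScreen or Cisco) that scans session records and flags IKE (UDP 500) and NAT-T (UDP 4500) sessions whose source port was rewritten by PAT, which a 1:1 MIP would have preserved. The record format and the sample records are constructed for this example, not the ScreenOS log format.

```python
"""Flag IKE/NAT-T sessions whose UDP source port was rewritten by PAT.

Session records are constructed for this example (not a ScreenOS log format):
proto,src_ip,src_port,xlated_ip,xlated_port,dst_ip,dst_port
"""
from collections import namedtuple

IKE_PORT = 500     # ISAKMP
NAT_T_PORT = 4500  # IPsec NAT traversal (UDP-encapsulated IKE/ESP)

Session = namedtuple(
    "Session", "proto src_ip src_port xlated_ip xlated_port dst_ip dst_port")

def parse_session(line):
    proto, sip, sp, xip, xp, dip, dp = line.strip().split(",")
    return Session(proto, sip, int(sp), xip, int(xp), dip, int(dp))

def is_ike_session(s):
    # IKE runs on UDP/500; after NAT-T detection both sides move to UDP/4500.
    return s.proto == "udp" and s.dst_port in (IKE_PORT, NAT_T_PORT)

def source_port_rewritten(s):
    # PAT picks a free high port; a 1:1 MIP translates only the address.
    return s.src_port != s.xlated_port

def diagnose(lines):
    """Return (src_ip, dst_ip, dst_port, xlated_port) for each IKE/NAT-T
    session whose source port was changed, which is what a peer that
    insists on source port 500/4500 (no NAT-T) will reject."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        s = parse_session(line)
        if is_ike_session(s) and source_port_rewritten(s):
            findings.append((s.src_ip, s.dst_ip, s.dst_port, s.xlated_port))
    return findings

# Constructed records: two IKE sessions through PAT, one through a MIP, one TCP.
SAMPLE_LOG = """\
udp,10.1.1.20,500,203.0.113.2,1055,198.51.100.10,500
udp,10.1.1.20,4500,203.0.113.2,1056,198.51.100.10,4500
udp,10.1.1.20,500,203.0.113.5,500,198.51.100.10,500
tcp,10.1.1.30,51234,203.0.113.2,1057,198.51.100.20,443
"""

if __name__ == "__main__":
    for src, dst, port, seen in diagnose(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst}: IKE source port {port} rewritten to {seen}")
```

Only the two PAT-translated IKE/NAT-T records are reported; the MIP record and the HTTPS session pass silently.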


Current thread: