Hi Rico,

From what you say it sounds like you're trying to tunnel the two networks over a VPN. But the problem you describe is to get one machine VPN access to the FW1, so you only need to open the appropriate ports for SecureRemote on the Raptor - not to get the two Firewalls to tunnel or authenticate to each other. And it probably won't be running this traffic on port 80 as you suggested. I don't remember the right ports offhand though...

I have done this across a corporate network to get access to a Notes server, and it does work. But it isn't pretty. So long as you don't expect speed you should be able to make it work...

Take this in steps.

o Install the FW1 SecureRemote VPN client on a machine at your Raptor site, put the machine direct on your DMZ. (Not behind the Raptor) Get it to authenticate into the FW1 box. You should be able to see the network at the FW1 site. (This machine is a guinea pig unprotected on the net, so don't leave any important data on it!)

o Now get FTP working against the target server machine across the VPN. Now you know that everything outside the Raptor config is taken care of.

o Figure out what ports are being used by SecureRemote, and implement a(some) GSP(s) for them on the Raptor. If you can't get docs on SecureRemote you can always use a packet sniffer or other means* to figure out what it's using.

o Move the client machine inside the Raptor and you should be rockin'

If not, *you can always check the logs on the Raptor to see what requests were denied and correlate those to the address of the box after you bring it inside. That's a hint as to what ports to open. Denied traffic from the IP/MAC of the internal client machine will be on ports you want to open to the FW1 machine. Denied from the DMZ IP of the FW1 would be on the port you want to open to let VPN traffic in.

As a rule, any GSPs you implement should be as restrictive as possible. You can make them only allow the traffic on the particular ports from the one client machine to the DMZ address of the FW1 box. That's more secure than opening up the Raptor on those ports to the whole world or subnet, or the whole subnet inside the Raptor.

Best of luck,

Rich Snow
http://www.shore.net/~rich

> Date: Tue, 14 Nov 2000 18:04:48 -0300
> From: [EMAIL PROTECTED]
> Subject: Client -> VPN -> Raptor -> Internet -> FW-1 -> Server
>
> Hello,
>
> I have the following problem, I hope it's not OT:
>
> We need to establish a Securemote VPN linking an ftp client behind a Raptor
> 6.5 to a remote ftp server behind a FW-1 4.1 SP2.
>
> (something like that -> Client -> VPN -> Raptor -> Internet -> FW-1 ->
> Server)
>
> The case is: we opened the correct ports in the Raptor, and we were able
> to authenticate Securemote on the remote FW-1, and then we're able to
> open an http tunnelled connection between the two protected machines, but
> when we opened or tried to open any ftp connection, it has always timed
> out (900s), without giving any prompt. We were (the remote admin and ppl
> here) wondering if it could be something regarding passive FTP mode (we're
> not using it) or some problem related or specific to FTP, as FTP just doesn't
> go through and http does. We're searching info over the Net, and neither
> Phoneboy, the AXENT knowledge base nor Lance's web site have anything related
> to this problem. What could it be?
>
> Regards,
>
> Rico Ferrari

- - - [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
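Rich's log-correlation step (denied entries between the internal client and the FW-1's DMZ address tell you which ports the GSPs need, while everything else in the log is noise) as an added example, not code from the original thread. The key=value log format, the addresses and the sample ports are constructed for illustration and are not Raptor's actual log syntax.

```python
import re
from collections import OrderedDict

# Constructed sample of firewall deny-log lines. The key=value layout is a
# hypothetical format invented for this example, not Raptor's real log syntax.
# Addresses come from documentation ranges; 10.1.1.25 plays the internal client,
# 203.0.113.10 the FW-1's DMMZ-side address.
SAMPLE_DENY_LOG = """\
Nov 14 18:10:02 raptor deny proto=udp src=10.1.1.25 sport=1043 dst=203.0.113.10 dport=500
Nov 14 18:10:02 raptor deny proto=udp src=10.1.1.25 sport=1043 dst=203.0.113.10 dport=500
Nov 14 18:10:03 raptor deny proto=tcp src=10.1.1.25 sport=1044 dst=203.0.113.10 dport=264
Nov 14 18:10:04 raptor deny proto=udp src=203.0.113.10 sport=500 dst=10.1.1.25 dport=1043
Nov 14 18:10:05 raptor deny proto=tcp src=10.1.1.77 sport=2201 dst=198.51.100.5 dport=23
Nov 14 18:10:06 raptor deny proto=tcp src=192.0.2.9 sport=4444 dst=10.1.1.25 dport=139
"""

LINE_RE = re.compile(
    r"deny proto=(?P<proto>\w+) src=(?P<src>[\d.]+) sport=\d+ "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def suggest_gsp_rules(log_text, client_ip, fw1_dmz_ip):
    """Return deduplicated (direction, proto, dport) tuples for denied traffic
    between the one client and the FW-1 address only. Denies involving any
    other host are ignored, so the resulting GSPs stay as narrow as possible."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if src == client_ip and dst == fw1_dmz_ip:
            direction = "out"   # client -> FW-1: ports to open towards the FW1 box
        elif src == fw1_dmz_ip and dst == client_ip:
            direction = "in"    # FW-1 -> client: ports to open to let VPN traffic in
        else:
            continue            # unrelated denied traffic, leave it denied
        rules[(direction, m["proto"], int(m["dport"]))] = None
    return list(rules)

def render_rules(rules, client_ip, fw1_dmz_ip):
    """Express each tuple as a one-line allow rule scoped to exactly the two hosts."""
    out = []
    for direction, proto, dport in rules:
        src, dst = (client_ip, fw1_dmz_ip) if direction == "out" else (fw1_dmz_ip, client_ip)
        out.append(f"allow {proto} from {src} to {dst} dport {dport}")
    return out

if __name__ == "__main__":
    found = suggest_gsp_rules(SAMPLE_DENY_LOG, "10.1.1.25", "203.0.113.10")
    for rule in render_rules(found, "10.1.1.25", "203.0.113.10"):
        print(rule)
```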
