If you are connecting to a Cisco VPN Concentrator (? VPN Switch) and are
using the Cisco VPN client then you need to allow IPSEC IP 500 through the
firewall.  If you are using the Windows PPTP client then, as stated, TCP 1723
and GRE IP 47.  If you are using the Cisco VPN client and are NATed behind
your firewall then you also have to enable IPSEC through NAT on the client
and allow UDP high ports, particularly the UDP port configured for NAT on the
Concentrator.  By default UDP 10000.

-----Original Message-----
From: Jesus Gonzalez [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 12, 2001 7:12 PM
To: [EMAIL PROTECTED]
Subject: RE: IPSEC and GRE


Thanks to all of you for your help.
First off, I'm running SecureZone 3.x.  We are upgrading to Sidewinder here
shortly.

Someone mentioned that for IPSEC, I would have to open up IP 50 (AH) and IP
51 (ESP).  So to clarify again, AH and ESP would NOT fall under a TCP
property?

Then can someone explain to me why it is that a certain version of the Cisco
IOS is required (I believe higher than 12.x)?

Thanks.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Monday, March 12, 2001 1:38 PM
To: Jesus Gonzalez
Cc: [EMAIL PROTECTED]
Subject: Re: IPSEC and GRE
Jesus,

#Is GRE a protocol like TCP/UDP/ICMP?  Or is it a subset of
#TCP?

GRE is a protocol that runs on top of IP instead of on top of TCP or UDP.

#In trying to configure my firewall (secure computing) I only see options for
#TCP and UDP ports when trying to map a port.

First of all I am going to assume you are running Sidewinder instead of
Secure Zone since Secure Zone is no longer being sold by Secure Computing.
The reason you cannot create a generic proxy on the Sidewinder for this is
because you can only create generic TCP or UDP proxies.  You will have to
create an IP Filter for GRE.  If you are running Sidewinder V5.1 do the
following to create an IP filter.

1.  Go to Policy Configuration -> IP Filter Rules.  This is the main menu
for IP Filter configurations.

2.  Select the Other Filter Rules tab.

3.  Select 'new.'

4.  Fill in the source address for Address A.  Fill in 32 for Bits A.  If
Address A is a network instead of one IP address then you would fill in
something other than 32.  Select the correct burb for Burb A.

5.  Select the Address B tab.  Fill in the source address for Address B.
Fill in 32 for Bits B.  Select the correct burb for Burb B.

6.  Select the Properties tab.  Since protocol 47 is the GRE protocol,
select GRE in the Protocol field.  Put in 50000 for the threshold.  The
direction should be A -> B.

Note:  GRE will probably not be in your list of protocols.  The list in the
drop down menu is created from the /etc/protocols file.  If you put the
following line in the /etc/protocols file you will be able to select gre.

gre     47      GRE             # GRE

7.  Select <OK> and then <Apply>.

Something similar should work for Secure Zone too but since I do not have a
Secure Zone I cannot give you detailed instructions on how to do it.  You
can always send an e-mail to support@securecomputing, though.

Regards,
Jeffery Gieser
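The reason a TCP/UDP port proxy cannot carry GRE (or ESP/AH) is that those packets have no port fields at all; only the IP protocol number identifies them. The following is an added illustration, not Secure Computing or Cisco code: it parses /etc/protocols lines like the one above, reads the protocol number from a constructed IPv4 header, and models an IP Filter rule with Address A/Bits A, Address B/Bits B, protocol and A -> B direction (an approximation of the Sidewinder semantics, assumed for the example; the addresses are constructed documentation ranges).

```python
import ipaddress
import struct

# Constructed excerpt of /etc/protocols; the gre line is the one the post adds.
ETC_PROTOCOLS = """\
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # GRE
esp     50      ESP             # Encap Security Payload
ah      51      AH              # Authentication Header
"""


def load_protocols(text):
    """Map protocol name -> number, as the drop-down built from /etc/protocols does."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then split columns
        if len(fields) >= 2:
            table[fields[0]] = int(fields[1])
    return table


def build_ipv4(src, dst, proto, ports=None):
    """Constructed minimal IPv4 header (no options, checksum left zero).
    ports=(sport, dport) appends the first four bytes of a TCP/UDP header."""
    payload = struct.pack("!HH", *ports) if ports else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(packet):
    """Return (src, dst, protocol, ports). Ports exist only for TCP (6) and UDP (17);
    for GRE/ESP/AH there is nothing a port-based proxy could match on."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    ports = struct.unpack("!HH", packet[ihl:ihl + 4]) if proto in (6, 17) else None
    return src, dst, proto, ports


def ip_filter_matches(rule, packet):
    """IP Filter rule: protocol number plus Address A/Bits A -> Address B/Bits B.
    Bits = 32 means a single host; fewer bits means a network, as step 4 says."""
    src, dst, proto, _ = parse_ipv4(packet)
    net_a = ipaddress.ip_network(f"{rule['addr_a']}/{rule['bits_a']}", strict=False)
    net_b = ipaddress.ip_network(f"{rule['addr_b']}/{rule['bits_b']}", strict=False)
    return proto == rule["proto"] and src in net_a and dst in net_b
```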



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]