How does "opening" port 6030 help this?  I ask because:
 
(1) I've set up an FW-1 to VPN 3000 tunnel before and this 6030 thing never came up.
(2) FW-1 doesn't listen on port 6030 so far as I know.  So if you accept the packet in the rulebase, nothing gets done with it anyway, except maybe the attempt to talk to it might die faster/cleaner.
 
Can someone fill in the blanks here? :)
-----Original Message-----
From: Sutantyo, Danny [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 6:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

You did mean protocol 50 & 51, right?
DS
-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 05:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

I just got off the phone with ISS in Atlanta and got it to work.
 
In order for FW-1 to talk to Cisco VPN 3000 you have to have the following ports open:
 
UDP 50-
UDP 51-
UDP 500
 
and the one we didn't have- UDP 6030-
 
Now we have seamless VPN operation.
-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:43 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Checkpoint to Cisco 3000 VPN errors

OK,
 
it goes like this---
 
client -----( our Lan ) -------------( check point ) ------------------------------------------------------------------( up north somewhere ) ---------------------------( Cisco 3000 VPN ) -------------- other companies LAN -------))))))))
 
 
We opened up IKE and ports 50,51 in our firewall -----  It seems that the initial IKE auth is ok ---
then the client on our network wants to send something to port 6030  --- or service 6030 and this is denied by FW-1.
What is this service 6030???
 
AND,
 
If they are NATting on the other network, the pool has to translate into a live ( routable ) IP before sending traffic back, right?
I see that this client machine is making outbound requests to a 10.x.x.x  http service---  there's no way we can route that..
We aren't even using NAT here.
 
So, the problem is that when he clicks connect on the Cisco VPN client it gets out to the other network to authenticate..
he enters user/pass and seems to be in the system..
 
BUT,  he can't access files on the other end and 6080 service/ port keeps dropping...??
 
Any ideas??  Should we open 10000 for NAT on our end?
 
Thanks,

Josh Perrymon
Network Security Consultant
BE&K, INC
(205) 972-6745

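Added example, not from the thread or any of its authors: a small Python audit over constructed firewall log lines that separates the flows an FW-1 to VPN 3000 IPsec tunnel needs (IKE on UDP/500, and ESP and AH as IP protocols 50 and 51) from rules written for "UDP port 50/51", which is the mix-up Danny's reply points at, and lists drops such as UDP/6030 that the thread could not explain. The `action key=value` log format, addresses and helper names are invented for the example.

```python
import re

# Flows an IPsec tunnel between FW-1 and a VPN 3000 needs. ESP and AH are IP
# protocols 50 and 51, not UDP ports; IKE (ISAKMP) is UDP port 500.
IPSEC_FLOWS = {("udp", 500): "IKE/ISAKMP", (50, None): "ESP", (51, None): "AH"}

_KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Parse one log line of the constructed form '<action> key=value ...'."""
    action, _, rest = line.strip().partition(" ")
    fields = dict(_KV.findall(rest))
    proto = fields.get("proto", "").lower()
    if proto.isdigit():            # bare IP protocol number (e.g. 50 for ESP)
        proto = int(proto)
    dport = int(fields["dport"]) if "dport" in fields else None
    return {"action": action.lower(), "proto": proto, "dport": dport,
            "src": fields.get("src"), "dst": fields.get("dst")}

def classify(entry):
    """Say what one entry means for the tunnel."""
    proto, dport, action = entry["proto"], entry["dport"], entry["action"]
    key = (proto, dport) if proto in ("udp", "tcp") else (proto, None)
    if key in IPSEC_FLOWS:
        name = IPSEC_FLOWS[key]
        return f"ipsec-blocked:{name}" if action == "drop" else f"ipsec-ok:{name}"
    if proto in ("udp", "tcp") and dport in (50, 51):
        # A rule for "UDP 50/51" does nothing for ESP/AH, which are IP protocols.
        return f"port-not-protocol:{proto}/{dport}"
    return "unexplained-drop" if action == "drop" else "ok"

def audit(log_text):
    """Return {classification: ['src->dst proto[/dport]', ...]} for every line."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        port = f"/{e['dport']}" if e["dport"] is not None else ""
        report.setdefault(classify(e), []).append(f"{e['src']}->{e['dst']} {e['proto']}{port}")
    return report

# Constructed sample log resembling the situation described in the thread.
SAMPLE_LOG = """\
accept proto=udp src=10.1.1.5 dst=198.51.100.7 dport=500
accept proto=udp src=10.1.1.5 dst=198.51.100.7 dport=50
drop proto=50 src=10.1.1.5 dst=198.51.100.7
drop proto=udp src=10.1.1.5 dst=198.51.100.7 dport=6030
"""

if __name__ == "__main__":
    for kind, flows in audit(SAMPLE_LOG).items():
        print(kind, flows)
```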