He did indeed mean IP protocol 50 and 51. In addition UDP port 500 is needed. But I don't know what 6030 is. Probably some proprietary tunnel mode.

-----Original Message-----
From: Russell Washington [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 23:50
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

How does "opening" port 6030 help this? I ask because:

(1) I've set up an FW-1 to VPN 3000 tunnel before and this 6030 thing never came up.
(2) FW-1 doesn't listen on port 6030 so far as I know. So if you accept the packet in the rulebase, nothing gets done with it anyway, except maybe the attempt to talk to it might die faster/cleaner.

Can someone fill in the blanks here? :)

-----Original Message-----
From: Sutantyo, Danny [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 6:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

You did mean protocol 50 & 51, right?

DS

-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 05:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

I just got off the phone with ISS in Atlanta and got it to work.

In order for FW-1 to talk to Cisco VPN 3000 you have to have the following ports open:
- UDP 50
- UDP 51
- UDP 500
and the one we didn't have:
- UDP 6030

Now we have seamless VPN operation.

-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:43 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Checkpoint to Cisco 3000 VPN errors

OK, it goes like this:

client -----( our LAN ) -------------( Check Point ) ------------------------------------------------------------------( up north somewhere ) ---------------------------( Cisco 3000 VPN ) -------------- other company's LAN -------))))))))

We opened up IKE and ports 50,51 in our firewall. It seems that the initial IKE auth is OK, then the client on our network wants to send something to port 6030, or service 6030, and this is denied by FW-1.

What is this service 6030???

AND, if they are NATting on the other network, the pool has to translate into a live (routable) IP before sending traffic back, right?

I see that this client machine is making outbound requests to a 10.x.x.x HTTP service; there's no way we can route that. We aren't even using NAT here.

So, the problem is that when he clicks connect on the Cisco VPN client it gets out to the other network to authenticate. He enters user/pass and seems to be in the system. BUT, he can't access files on the other end and 6080 service/port keeps dropping...??

Any ideas?? Should we open 10000 for NAT on our end?

Thanks,
Josh Perrymon
Network Security Consultant
BE&K , INC
(205) 972-6745
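As an added example that is not part of this thread: a small rulebase checker for the point the top reply makes, namely that ESP and AH are IP protocols 50 and 51, not UDP ports 50 and 51, and that IKE on UDP/500 is needed alongside them. The `Rule` representation and first-match semantics are assumptions for illustration, not Check Point's rulebase format.

```python
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers: UDP is 17, ESP is 50, AH is 51. IKE runs over UDP port 500.
UDP, ESP, AH = 17, 50, 51
IKE_PORT = 500


@dataclass(frozen=True)
class Rule:
    proto: int            # IP protocol number the rule matches
    dport: Optional[int]  # destination port for TCP/UDP; None for portless protocols
    action: str           # "accept" or "drop"


def permits(rules: List[Rule], proto: int, dport: Optional[int] = None) -> bool:
    """First-match evaluation, top-down, with an implicit drop when nothing matches."""
    for r in rules:
        if r.proto == proto and (r.dport is None or r.dport == dport):
            return r.action == "accept"
    return False


def check_ipsec_rulebase(rules: List[Rule]) -> List[str]:
    """Report what an IKE/IPsec tunnel policy is missing, plus the UDP-50/51 mistake."""
    findings = []
    if not permits(rules, UDP, IKE_PORT):
        findings.append("missing: UDP/500 (IKE)")
    if not permits(rules, ESP):
        findings.append("missing: IP protocol 50 (ESP)")
    if not permits(rules, AH):
        findings.append("missing: IP protocol 51 (AH)")
    # The confusion from the thread: accepting UDP port 50/51 does nothing for ESP/AH.
    for num, name in ((ESP, "ESP"), (AH, "AH")):
        if permits(rules, UDP, num) and not permits(rules, num):
            findings.append(f"suspect: UDP/{num} accepted but IP protocol {num} ({name}) is not")
    return findings


# Constructed sample rulebases: the "UDP 50 / UDP 51" version and the corrected one.
WRONG_RULES = [Rule(UDP, 500, "accept"), Rule(UDP, 50, "accept"), Rule(UDP, 51, "accept")]
RIGHT_RULES = [Rule(UDP, 500, "accept"), Rule(ESP, None, "accept"), Rule(AH, None, "accept")]

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_RULES), ("right", RIGHT_RULES)):
        print(label, check_ipsec_rulebase(rules) or ["ok"])
```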
