Title: Message
I believe that 6030 is for UDP encapsulation through NATs. This is often needed in cases where many-to-1 address translation is going on. There is an IETF RFC which describes this. Your best bet is to reference the RFCs your VPN equipment complies with, and then find out which one talks about UDP encapsulation. It would probably be one of the higher numbered ones.
 
Bob
----- Original Message -----
Sent: Wednesday, September 25, 2002 4:50 PM
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

How does "opening" port 6030 help this?  I ask because:
 
(1) I've set up an FW-1 to VPN 3000 tunnel before and this 6030 thing never came up.
(2) FW-1 doesn't listen on port 6030 so far as I know.  So if you accept the packet in the rulebase, nothing gets done with it anyway, except maybe the attempt to talk to it might die faster/cleaner.
 
Can someone fill in the blanks here? :)
-----Original Message-----
From: Sutantyo, Danny [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 6:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

You did mean protocol 50 & 51, right?
DS
-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 05:22 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Checkpoint to Cisco 3000 VPN errors

I just got off the phone with ISS in Atlanta and got it to work.
 
In order for FW-1 to talk to Cisco VPN 3000 you have to have the following ports open:
 
UDP 50-
UDP 51-
UDP 500
 
and the one we didn't have- UDP 6030-
 
Now we have seamless VPN operation.
-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 3:43 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Checkpoint to Cisco 3000 VPN errors

OK,
 
it goes like this---
 
client -----( our Lan ) -------------( check point ) ------------------------------------------------------------------( up north somewhere ) ---------------------------( Cisco 3000 VPN ) -------------- other companies LAN -------))))))))
 
 
We opened up IKE and ports 50,51 in our firewall ----- It seems that the initial IKE auth is ok ---
then the client on our network wants to send something to port 6030 --- or service 6030 and this is denied by FW-1.
What is this service 6030???
 
AND,
 
If they are NATting on the other network, the pool has to translate into a live (routable) IP before sending traffic back, right?
I see that this client machine is making outbound requests to a 10.x.x.x HTTP service --- there's no way we can route that..
We aren't even using NAT here.
 
So, the problem is that when he clicks connect on the Cisco VPN client it gets out to the other network to authenticate..
he enters user/pass and seems to be in the system..
 
BUT,  he can't access files on the other end and 6080 service/ port keeps dropping...??
 
Any ideas?? Should we open 10000 for NAT on our end?
 
Thanks,

Josh Perrymon
Network Security Consultant
BE&K, INC
(205) 972-6745

 

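As an added example (not code from anyone in this thread), the following Python classifier takes a raw IPv4 packet and reports which IPsec component it carries: it distinguishes IP protocols 50/51 (ESP/AH) from UDP ports 50/51 (the confusion Danny points at), recognises plain IKE on UDP 500, and decodes RFC 3948 UDP-encapsulated ESP and IKE on UDP 4500, including the four-zero-byte non-ESP marker and the one-byte NAT keepalive. The packet builders and addresses are constructed for the demo; the vendor-specific port 6030 discussed above is not covered here.

```python
import struct

ESP, AH, UDP = 50, 51, 17           # IP protocol numbers (IANA)
IKE_PORT, NAT_T_PORT = 500, 4500    # IKE (RFC 2409) / UDP-encapsulated IPsec (RFC 3948)


def build_ipv4(proto: int, payload: bytes, src="10.1.1.5", dst="192.0.2.10") -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) in front of payload."""
    def ip(a): return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, ip(src), ip(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP header (checksum zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_ipsec_packet(pkt: bytes) -> str:
    """Return a label for what a firewall rule must permit to let this packet through."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    if proto == ESP:                   # native ESP: an IP protocol, not a port
        return "esp (ip protocol 50)"
    if proto == AH:
        return "ah (ip protocol 51)"
    if proto != UDP:
        return f"ip protocol {proto}"
    if len(pkt) < ihl + 8:
        return "truncated udp"
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + ulen]
    if dport == IKE_PORT:
        return "ike (udp 500)"
    if dport == NAT_T_PORT:            # RFC 3948: ESP and IKE share UDP 4500
        if payload == b"\xff":         # NAT keepalive (RFC 3948 section 2.3)
            return "nat-t keepalive (udp 4500)"
        if payload[:4] == b"\x00\x00\x00\x00":   # non-ESP marker => IKE; ESP SPI is never 0
            return "ike over nat-t (udp 4500, non-esp marker)"
        return "esp over nat-t (udp 4500)"
    if dport in (ESP, AH):             # a rule for UDP 50/51 does not match ESP/AH
        return f"udp port {dport} (not esp/ah: those are ip protocols, not udp ports)"
    return f"udp port {dport}"
```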