Title: RE: [FW-1] Strange FW-1 behavior with Cisco 3000 VPN concentrator

The Cisco 3000 VPN concentrator can encapsulate IPSEC in TCP.  This feature is used to bypass issues using IPSEC through NATing devices.  That's probably why your logs show ESP with these high ports.

Regards,
Amir Akbari
Thrupoint Inc.
http://www.thrupoint.net
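As an added illustration of the point above (not code from the thread, Check Point or Cisco): raw ESP is IP protocol 50 and carries an SPI rather than port numbers, so a firewall log entry that reports "proto esp" together with service/s_port values is worth a second look, since it is consistent with IPsec being encapsulated in TCP or UDP for NAT traversal, which a rule permitting only protocol 50 will never match. The log field layout is assumed from the single FW-1 line quoted in the original message below, and the two extra sample lines are constructed.

```python
import re
from typing import Optional

# Field layout is assumed from the single FW-1 line quoted in the thread.
LOG_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<action>\w+)\s+proto\s+(?P<proto>\w+)"
    r"\s+src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)"
    r"(?:\s+service\s+(?P<service>\d+))?(?:\s+s_port\s+(?P<s_port>\d+))?"
)

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one FW-1 log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("service", "s_port"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["proto"] = d["proto"].lower()
    return d

def classify(e: dict) -> str:
    # Raw ESP (IP protocol 50) carries an SPI, not ports. A dropped entry
    # logged as ESP *with* service/s_port values is therefore consistent
    # with IPsec encapsulated in TCP/UDP for NAT traversal, which a rule
    # that permits only protocol 50 will never match.
    if e["action"] != "drop":
        return "ok"
    if e["proto"] == "esp":
        has_ports = e["service"] is not None or e["s_port"] is not None
        return "esp-with-ports" if has_ports else "raw-esp-drop"
    return "drop"

def triage(log_text: str) -> list:
    """Map each recognised line to (src, dst, verdict)."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [(e["src"], e["dst"], classify(e)) for e in entries if e]

# Constructed sample: the thread's own line plus two made-up neighbours.
SAMPLE_LOG = """\
30Sep2002  8:53:52 drop proto esp src 192.168.2.2 dst 10.10.10.10 service 58333 s_port 53917 len 200
30Sep2002  8:53:50 accept proto udp src 10.10.10.10 dst 192.168.2.2 service 500 s_port 500 len 300
30Sep2002  8:53:55 drop proto esp src 192.168.2.2 dst 10.10.10.10 len 120
"""

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_LOG):
        print(f"{src} -> {dst}: {verdict}")
```

An "esp-with-ports" verdict is a prompt to confirm the encapsulation with a packet capture and then permit the encapsulating TCP/UDP service, rather than a proof on its own.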

-----Original Message-----
From: Joe Matusiewicz
To: [EMAIL PROTECTED]
Sent: 10/8/02 11:41 AM
Subject: [FW-1] Strange FW-1 behavior with Cisco 3000 VPN concentrator

Greetings,

I have someone trying to make an outbound connection to a Cisco 3000
Concentrator using the Cisco VPN client software through my 4.1 SP4
firewall.  I opened up UDP port 500 (IKE) and proto 50 (ESP) outbound.  The
tunnel to the Cisco always sets up successfully (according to their
logs)...however the user is unable to http/ping/telnet/whatever!

Tcpdump logs show UDP port 500 and ESP activity.  The firewall log shows
accepted outbound port 500 traffic but it shows drops on random high ports
coming from the remote Cisco Concentrator.  The strange thing to me is that
these high ports show that the protocol is ESP and I always thought that
ESP doesn't use ports:

30Sep2002  8:53:52 drop proto esp src 192.168.2.2 dst 10.10.10.10 service 58333 s_port 53917 len 200

To test if it was my firewall I opened up all ports from the Concentrator
inbound and the outbound connection was successful and the user was able to
do his work.  Has anybody seen this before?  A search at google, shmoo,
securepoint, cisco, and checkpoint revealed no clues.


-- Joe
