Joe Matusiewicz wrote:
>
> Greetings,
>
> I have someone trying to make an outbound connection to a Cisco 3000
> Concentrator using the Cisco VPN client software through my 4.1 SP4
> firewall. I opened up UDP port 500 (IKE) and proto 50 (ESP) outbound. The
> tunnel to the Cisco always sets up successfully (according to their
> logs)...however the user is unable to http/ping/telnet/whatever!
>
> Tcpdump logs show UDP port 500 and ESP activity. The firewall log shows
> accepted outbound port 500 traffic but it shows drops on random high ports
> coming from the remote Cisco Concentrator. The strange thing to me is that
> these high ports show that the protocol is ESP and I always thought that
> ESP doesn't use ports:
>
> 30Sep2002 8:53:52 drop proto esp src 192.168.2.2 dst 10.10.10.10 service
> 58333 s_port 53917 len 200
>
> To test if it was my firewall I opened up all ports from the Concentrator
> inbound and the outbound connection was successful and the user was able to
> do his work. Has anybody seen this before? A search at google, shmoo,
> securepoint, cisco, and checkpoint revealed no clues.
ESP does not have port numbers. The values in your logs are nonsense. Firewall-1 reports port numbers for lots of non-TCP or UDP protocols that don't have ports. The "port" values above just happen to be the first two 16-bit values in the IP payload.

I believe your problem is that in the first case, you only allowed outgoing protocol 50 traffic? Firewall-1 does not do protocol 50 dynamically. Adding only an outgoing rule will not allow the reverse traffic. As you saw, creating an incoming rule fixed the problem. The rule need only allow protocol 50, not the "Any" rule you implied you added.

Perhaps a better solution for you is to have the user use Cisco's UDP-encapsulation of the ESP. As ugly as it is, it is a good option for people going through stateful firewalls that don't keep state on ESP or do NAT.

--
Crist J. Clark                          [EMAIL PROTECTED]
Globalstar Communications               (408) 933-4387
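As an added example (not from either poster), here is a small Python helper for the kind of drop record quoted above. It assumes FW-1 prints the first 16-bit word of the IP payload as s_port and the second as service, mirroring the TCP/UDP header layout; since an ESP packet begins with the 32-bit SPI, the two bogus "ports" are simply the halves of the SPI, which lets a dropped packet be matched against the SA the VPN peer's logs report.

```python
import re
import struct

# Constructed sample: the drop record quoted in the thread.
SAMPLE = ("30Sep2002 8:53:52 drop proto esp src 192.168.2.2 dst 10.10.10.10 "
          "service 58333 s_port 53917 len 200")

LOG_RE = re.compile(
    r"drop proto (?P<proto>\S+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r"service (?P<service>\d+) s_port (?P<s_port>\d+) len (?P<len>\d+)"
)


def parse_fw1_drop(line):
    """Parse one FW-1 drop record into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("service", "s_port", "len"):
        rec[key] = int(rec[key])
    return rec


def esp_spi_from_ports(s_port, service):
    """Reassemble the SPI that FW-1 split into two fake 16-bit port fields.
    Assumption: s_port is the first payload word, service the second."""
    return (s_port << 16) | service


def esp_header(spi, seq):
    """Build the fixed 8-byte ESP header (SPI, sequence number), network order."""
    return struct.pack("!II", spi, seq)


def fw1_ports_from_payload(payload):
    """What FW-1 would log as (s_port, service) for a raw IP payload."""
    return struct.unpack("!HH", payload[:4])


def explain_drop(line):
    """Render a drop record, labelling ESP 'ports' as the SPI they really are."""
    rec = parse_fw1_drop(line)
    if rec is None:
        return None
    if rec["proto"] == "esp":
        spi = esp_spi_from_ports(rec["s_port"], rec["service"])
        return (f"ESP {rec['src']} -> {rec['dst']} dropped, SPI 0x{spi:08x} "
                f"(s_port/service are not ports; an inbound proto-50 rule is needed)")
    return f"{rec['proto']} {rec['src']}:{rec['s_port']} -> {rec['dst']}:{rec['service']} dropped"
```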
