As I hinted at in the prior post, how the
rule(s) is/are set up determines the outcome.
See Dameon's site for
http://www.phoneboy.com/fw1/faq/0078.html
and
http://www.phoneboy.com/fw1/encryption.html
http://www.phoneboy.com/fw1/securemote.html
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> <[EMAIL PROTECTED]> 6/21/00 9:49:13 AM >>>
>
>Forgot to mention that we do have "Accept Firewall-1 Control Connections"
>unchecked but still don't quite get the 'IKE' bit...
>
>Tim Higgins
>
>
>[EMAIL PROTECTED]
>Sent by: [EMAIL PROTECTED]
>To: Jason Witty <[EMAIL PROTECTED]>
>cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: Re: [FW1] Secure Remote - required rules.
>
>Hi
>
>Is this changed in 4.1(2000) ? - we just use the "Firewall" group which
>includes ISAKMP - I believe that this is the IKE 'protocol' ?
>
>Tim Higgins
>
>Jason Witty <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>21/06/00 11:45
>To: Jim Shaw <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>cc:
>Subject: Re: [FW1] Secure Remote - required rules.
>
>According to a few of my friends at Check Point, you must use an "Any FW IKE
>ACCEPT" rule if you uncheck the "Accept Firewall-1 Control Connections"
>box in the policy properties. Had that box been checked, you wouldn't need
>an explicit rule to allow IKE\SecuRemote - but then you'd be allowing a lot
>more... Hope this helps!
>
>Jason
>
>At 03:35 PM 6/21/00 +1200, Jim Shaw wrote:
>>
>>I have resolved a problem I had with SR but now find that unless the
>>client can do a key exchange using IKE to the firewall it does not
>>connect. The client sits saying "Exchanging Keys" and then errors out.
>>
>>I am using SR build 4157 - the most recent I think, talking to
>>Checkpoint 2000. I am using IKE with VPN-1 username/password
>>authentication.
>>
>>I downloaded the topology while on an internal network with a rule
>>permitting some clients to connect directly to the firewall. No problem
>>there. Dialing in from outside with the LAN card disabled I get a
>>connection failed error with log entries in the FW log indicating that
>>it is refusing IKE port connections because of my "Any, FW, Any Any
>>Drop" rule.
>>
>>I have a rule preceding that that permits "SRUsers@Any, MyNet, Any,
>>Client Encrypt" which is what I understand was all that is necessary to
>>get SR clients working.
>>
>>It works if I add a rule that says "Any, Firewall, IKE, Accept". I don't
>>like that but appear to have no option.
>>
>>Anyone got any ideas?
>>Jim
>>
>>Ryan Finnesey wrote:
>>>
>>> Is this the same thing as Mail Proxy in Firewall 4.1? Because I am running
>>> 4.0, soon to be 4.1, on a Sun box. I need something to take the mail from the
>>> Internet and pass it to the Exchange Server that is on the LAN. What is the
>>> best thing to use?
>>>
>>> Ryan V. Finnesey
>>> Network Administrator
>>> @tmosphere Interactive
>>> 1375 Broadway, 11th floor
>>> New York, NY 10018
>>> 212 827 2507 phone
>>> 212 827 2525 fax
>>> [EMAIL PROTECTED]
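
The rule-order behaviour discussed in this thread, as an added example that is not part of the original messages and is not Check Point code: a simplified first-match model of Jim's rulebase. The rule names, the packet dictionaries and the "other-control-service" placeholder are constructed, and treating the "Accept Firewall-1 Control Connections" property as an implied rule evaluated before the explicit rules is an assumption of the model.

```python
# Simplified first-match rulebase model (illustrative, not Check Point's implementation).
ANY = "Any"

# Services covered by the policy property in this model. "IKE" is from the thread;
# the second entry is a constructed placeholder for "a lot more" than IKE.
CONTROL_SERVICES = {"IKE", "other-control-service"}

# Rules are (name, source, destination, service, action), as written in the thread.
JIM_ORIGINAL = [
    ("client encrypt", "SRUsers@Any", "MyNet", ANY, "Client Encrypt"),
    ("stealth", ANY, "FW", ANY, "Drop"),
]
# The explicit rule Jim added; it has to sit above the drop rule to be reached.
JIM_FIXED = [("ike to fw", ANY, "FW", "IKE", "Accept")] + JIM_ORIGINAL

# Constructed sample packets from a dial-up client that has not yet exchanged keys.
IKE_PKT = {"src": "dial-up client", "dst": "FW", "svc": "IKE"}
OTHER_CTRL_PKT = {"src": "dial-up client", "dst": "FW", "svc": "other-control-service"}


def matches(field, value):
    """A rule field matches when it is Any or equals the packet's value."""
    return field == ANY or field == value


def evaluate(rulebase, pkt, accept_control_connections=False):
    """Return (rule_name, action) for the first rule that matches pkt."""
    # Assumption: the property acts like an implied rule ahead of the rulebase.
    if (accept_control_connections and pkt["dst"] == "FW"
            and pkt["svc"] in CONTROL_SERVICES):
        return ("implied: control connections", "Accept")
    for name, src, dst, svc, action in rulebase:
        if (matches(src, pkt["src"]) and matches(dst, pkt["dst"])
                and matches(svc, pkt["svc"])):
            return (name, action)
    return ("no rule matched", "Drop")


if __name__ == "__main__":
    cases = [
        ("original rules, property unchecked", JIM_ORIGINAL, False),
        ("explicit IKE rule, property unchecked", JIM_FIXED, False),
        ("original rules, property checked", JIM_ORIGINAL, True),
    ]
    for label, rulebase, prop in cases:
        for pkt in (IKE_PKT, OTHER_CTRL_PKT):
            print(label, "|", pkt["svc"], "->", evaluate(rulebase, pkt, prop))
```

In this model the explicit rule admits only IKE to the firewall, while the checked property also admits the placeholder control service.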