Yes, you will need to configure static NAT for the user, and it must be the same
static NAT for both the UDP 500 and IPsec flows.

You also will need to ensure that the remote end (Nortel Extranet) does not use AH
(protocol 51) but just ESP (protocol 50). This is because AH uses the entire IP
header in its digital signature. If the Checkpoint NATs this header (which it will,
based on your note), the AH digital signature will be invalidated by the firewall
because it changed the packet in flight, which is a security violation in IPsec.

ESP, on the other hand, still provides a digital signature, but it does not include
the source IP as part of the digital signature, so it will work even with the
occurrence of the Checkpoint NAT.
Hope this helps.
Bob Brandt, 3M, [EMAIL PROTECTED]
"Oliva, Fabian J [Sprint]" wrote:
> Hello all,
>
> I'm trying to configure (if possible) my firewall to allow an internal user to
> establish a Nortel Extranet VPN session through my FW-1.
> I have some documentation that says to configure these 3 ports:
>
> UDP 500 for IKE Key Management
> IP Protocol 50 for IPSEC Payload Encryption
> IP Protocol 51 for IPSEC Authentication Header
>
> What is the syntax for configuring the two IP Protocols?
> Also, the user is on a private address space that is configured HIDE-NAT to
> the Internet.
> Would I have to configure static NAT for this to work?
>
> Thanks in advance for everyone's help,
>
>
> Fabian J. Oliva
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
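As an added illustration of the AH-versus-ESP point made in the reply above (this is editor-supplied example code, not from the thread, from Nortel or from Check Point), the script below builds constructed AH and ESP packets with a toy key, applies the address rewrite a static NAT performs, and checks the integrity value on each. It assumes HMAC-SHA1-96 as the integrity algorithm (RFC 2404), the RFC 4302 rule that TOS, flags/fragment offset, TTL and header checksum are zeroed before the AH ICV is computed while the addresses are not, and a fixed 20-byte IPv4 header with no options. Encryption of the ESP payload is omitted because only the scope of the integrity check matters for NAT; the payload bytes stand in for ciphertext.

```python
"""Why NAT breaks AH (protocol 51) but not ESP (protocol 50).

Stand-alone demonstration with constructed packets; stdlib only.
Key, SPIs, addresses and payload are all made up for the example.
"""
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(20))          # toy integrity key; real keys come from IKE
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
ICV_LEN = 12                    # HMAC-SHA1-96 truncates the tag to 96 bits


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_mutable_zeroed(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: zero the mutable fields (TOS, flags/frag, TTL, checksum).
    Source and destination addresses are immutable and stay in the digest,
    which is exactly what a NAT rewrite later invalidates."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, spi: int, seq: int, inner: bytes) -> bytes:
    """IP | AH | inner. ICV covers zeroed IP header + AH header (ICV zeroed) + inner."""
    ah_len = 12 + ICV_LEN
    ip_hdr = build_ipv4(src, dst, IP_PROTO_AH, ah_len + len(inner))
    # next header 4 = IP-in-IP (tunnel mode); payload len = (24/4) - 2 = 4
    ah_no_icv = struct.pack("!BBHII", 4, 4, 0, spi, seq) + b"\x00" * ICV_LEN
    tag = icv(ah_mutable_zeroed(ip_hdr) + ah_no_icv + inner)
    return ip_hdr + ah_no_icv[:12] + tag + inner


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah, inner = pkt[:20], pkt[20:44], pkt[44:]
    expected = icv(ah_mutable_zeroed(ip_hdr) + ah[:12] + b"\x00" * ICV_LEN + inner)
    return hmac.compare_digest(ah[12:24], expected)


def build_esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """IP | ESP(SPI, seq) | ciphertext | ICV. The outer IP header is NOT covered."""
    esp_hdr = struct.pack("!II", spi, seq)
    tag = icv(esp_hdr + ciphertext)
    ip_hdr = build_ipv4(src, dst, IP_PROTO_ESP, len(esp_hdr) + len(ciphertext) + ICV_LEN)
    return ip_hdr + esp_hdr + ciphertext + tag


def verify_esp(pkt: bytes) -> bool:
    return hmac.compare_digest(pkt[-ICV_LEN:], icv(pkt[20:-ICV_LEN]))


def _rewrite_header(pkt: bytes, new_src: str = None) -> bytes:
    """Decrement TTL (every hop does this) and optionally rewrite the source address
    (what a static NAT does on egress); recompute the header checksum either way."""
    ip_hdr = bytearray(pkt[:20])
    ip_hdr[8] -= 1
    if new_src is not None:
        ip_hdr[12:16] = socket.inet_aton(new_src)
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + pkt[20:]


def router_hop(pkt: bytes) -> bytes:
    return _rewrite_header(pkt)


def static_nat(pkt: bytes, new_src: str) -> bytes:
    return _rewrite_header(pkt, new_src)


def demo() -> dict:
    inner = b"constructed inner packet bytes, treated as opaque"   # stands in for ciphertext
    ah = build_ah_packet("10.1.2.3", "203.0.113.10", 0x1000, 1, inner)
    esp = build_esp_packet("10.1.2.3", "203.0.113.10", 0x2000, 1, inner)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_router_hop": verify_ah(router_hop(ah)),      # TTL/checksum are mutable: still valid
        "ah_after_nat": verify_ah(static_nat(ah, "198.51.100.7")),   # address changed: fails
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(static_nat(esp, "198.51.100.7")),  # header not covered: valid
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'valid' if ok else 'INVALID'}")
```

The AH check survives a normal router hop (TTL and checksum are excluded from the digest by design) but fails as soon as the source address is rewritten, while the ESP check never looked at the outer header and passes unchanged. The same reasoning is why NAT Traversal (RFC 3948, ESP wrapped in UDP 4500) was later introduced; the thread predates it, and the static-NAT advice above is for the case where NAT-T is not in use.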