I am currently running FW-1 4.0 SR2 and SecuRemote 4005. We are using FWZ key management and I am trying to switch to ISAKMP. I have 130 remote access users, so dropping one and installing the other is not a desirable option. I have done the following:

1. Added ISAKMP encryption method.
2. Added a user and configured them to use ISAKMP (no NAT, worked OK).
3. User authentication is via a shared secret.
4. Added ":userc_NAT (true)" and ":userc_IKE_NAT (true)" as per http://www.phoneboy.com/fw1/faq/0141.html
5. Followed all the associated instructions.
6. NATed user did not work.

Here is what I got:

16Jul2000 19:47:33 "daemon" FW-IP log authcrypt PIX-NAT-IP reason Client Encryption: Authenticated by Pre-shared secret scheme: ISAKMP methods: 3DES,ISAKMP,SHA1
16Jul2000 19:47:36 "daemon" FW-IP log keyinst Client-Private-IP Destination-Private-IP "0x3c0c86b8" "0xc51d69a0" " scheme: ISAKMP methods: Combined ESP: DES + SHA1 (phase 2 completion)"
16Jul2000 19:47:36 "daemon" FW-IP log decrypt http Client-Private-IP Destination-Private-IP tcp "0x3c0c86b8" "0xc51d69a0" " scheme: ISAKMP methods: Combined ESP: DES + SHA1"
16Jul2000 19:47:59 "daemon" FW-IP log "decrypt" http Client-Private-IP Destination-Private-IP tcp "0x3c0c86b8" "0xc51d69a0" " scheme: ISAKMP methods: Combined ESP: DES + SHA1"

For some reason FW-1 is ignoring the Cisco PIX generated source address and using the actual source address provided by the remote client (10.x.x.x), which is encrypted and sent to the firewall. When the FW decrypts the packet it sees the encapsulated private source and uses it for the reply. Unfortunately the private address of the client (10.x.x.x) will not return the packet. I know I am close; any suggestions would be helpful. Please contact me directly if you wish.
Phil Cummings

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
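The symptom in the post is visible in the log itself: the phase-1 "authcrypt" record carries the public (PIX-translated) source address, while the "decrypt" records for the same SA carry the client's inner RFC 1918 address, which is the one the firewall then replies to. The following script, an added example and not code from the post or from Check Point, correlates those two record types so a NATed client can be spotted before users start reporting one-way traffic. It assumes the text-export field layout shown above (date, time, "daemon", gateway name, "log", action, then action-specific fields); the log lines, gateway name "fw1" and all addresses are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed FW-1 4.0 style log lines modelled on the post's excerpt.
# 203.0.113.10 / 198.51.100.7 stand in for the PIX-translated addresses;
# 10.4.4.20 is a client's real (inner) address, 192.168.100.5 the target.
SAMPLE_LOG = """\
16Jul2000 19:47:33 "daemon" fw1 log authcrypt 203.0.113.10 reason Client Encryption: Authenticated by Pre-shared secret scheme: ISAKMP methods: 3DES,ISAKMP,SHA1
16Jul2000 19:47:36 "daemon" fw1 log keyinst 10.4.4.20 192.168.100.5 "0x3c0c86b8" "0xc51d69a0" " scheme: ISAKMP methods: Combined ESP: DES + SHA1 (phase 2 completion)"
16Jul2000 19:47:36 "daemon" fw1 log decrypt http 10.4.4.20 192.168.100.5 tcp "0x3c0c86b8" "0xc51d69a0" " scheme: ISAKMP methods: Combined ESP: DES + SHA1"
16Jul2000 19:47:59 "daemon" fw1 log decrypt http 10.4.4.20 192.168.100.5 tcp "0x3c0c86b8" "0xc51d69a0" " scheme: ISAKMP methods: Combined ESP: DES + SHA1"
16Jul2000 19:52:01 "daemon" fw1 log authcrypt 198.51.100.7 reason Client Encryption: Authenticated by Pre-shared secret scheme: ISAKMP methods: 3DES,ISAKMP,SHA1
16Jul2000 19:52:04 "daemon" fw1 log decrypt http 198.51.100.7 192.168.100.5 tcp "0x11aa22bb" "0x33cc44dd" " scheme: ISAKMP methods: Combined ESP: DES + SHA1"
"""

# Field layout assumed from the post: <date> <time> "daemon" <gateway> log <action> ...
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<time>\d\d:\d\d:\d\d) "\w+" \S+ log (?P<rest>.*)$'
)
AUTHCRYPT_RE = re.compile(r'^authcrypt (?P<src>\S+) ')
DECRYPT_RE = re.compile(
    r'^decrypt (?P<svc>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) '
    r'"(?P<spi_in>0x[0-9a-fA-F]+)" "(?P<spi_out>0x[0-9a-fA-F]+)"'
)

# Explicit RFC 1918 check: ipaddress.is_private also treats documentation
# ranges (203.0.113.0/24 etc.) as private, which would hide the mismatch.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_events(text):
    """Yield (kind, timestamp, fields) for authcrypt and decrypt records; skip others."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d%b%Y %H:%M:%S")
        rest = m["rest"]
        a = AUTHCRYPT_RE.match(rest)
        if a:
            events.append(("authcrypt", ts, {"src": a["src"]}))
            continue
        d = DECRYPT_RE.match(rest)
        if d:
            events.append(("decrypt", ts, d.groupdict()))
    return events


def find_nat_mismatches(text, window_seconds=300):
    """Report SAs whose decrypted inner source is RFC 1918 but whose phase-1
    (outer) source, seen within window_seconds before it, was a different address.
    Replies to such an SA go to the inner address and never reach the client."""
    findings, seen_spis, phase1 = [], set(), []
    for kind, ts, f in parse_events(text):
        if kind == "authcrypt":
            phase1.append((ts, f["src"]))
            continue
        if not is_rfc1918(f["src"]):
            continue  # client not behind NAT, or not using a private address
        outer = [src for t, src in phase1
                 if 0 <= (ts - t).total_seconds() <= window_seconds and src != f["src"]]
        key = (f["spi_in"], f["spi_out"])
        if not outer or key in seen_spis:
            continue
        seen_spis.add(key)
        findings.append({
            "inner_src": f["src"], "outer_src": outer[-1], "dst": f["dst"],
            "spi_in": f["spi_in"], "spi_out": f["spi_out"], "first_seen": ts.isoformat(),
        })
    return findings


if __name__ == "__main__":
    for hit in find_nat_mismatches(SAMPLE_LOG):
        print(f"NATed client: outer {hit['outer_src']} -> inner {hit['inner_src']} "
              f"(SPI {hit['spi_in']}/{hit['spi_out']}), first seen {hit['first_seen']}")
```

Run it against an exported log (fw logexport output pasted into SAMPLE_LOG, or read from a file) after enabling the userc_NAT settings; a client that still shows up here is one whose inner address the gateway is still routing replies to. The 300 second window is an assumption that the phase-1 record precedes the first decrypt for the same client by less than that; tighten or loosen it to match your IKE lifetimes.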
