Good day Gentlemen,
I've finally managed to get SR working behind a NAT device. For
troubleshooting this project, I just added a line to our router's ACL to let
everything from the translated public IP of the machine I was working on
through the router, but now I need to make it more general. When I got it
working, I took a look at Checkpoint's site to see what to add. At
http://support.checkpoint.com/gold/publisher.asp?id=88a5d6a0-a4c6-11d4-9ec9-080020cf9075&resource=&number=0&isExternal=0 I found:
----------------------------------------------------------------------------
2. To establish a connection between SecuRemote Client and the server:
For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and allow
traffic on protocol 50 (0x32) and 51 (0x33) which are the new protocol
numbers for ISAKMP
----------------------------------------------------------------------------
I've added these three lines to our Cisco router's ACL:
access-list 100 permit 50 any host my.fw.ex.ip
access-list 100 permit 51 any host my.fw.ex.ip
access-list 100 permit udp any host my.fw.ex.ip eq 500
But my session dies after auth. If I do a 'sh access-list 100', I can see
the hits on the third line for auth, but nothing on the first two. If I add
my test machine's external IP back in and allow any traffic from it, it
works again. Has anybody got any idea what I'm doing wrong here? Thanks!
Ian
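An added example, not part of Ian's post or of any Check Point or Cisco tool: a small Python parser for `show access-list` output that reads the per-entry hit counters and reports the pattern described above, where the UDP/500 (ISAKMP) entry counts hits but the protocol 50 and 51 entries stay at zero. The sample output, the sequence numbers and the 203.0.113.10 address are constructed for the example; Cisco IOS may print protocol 50 as "esp" and 51 as "ahp", and both spellings are handled.

```python
import re

# Constructed sample of `show access-list 100` output, modelled on the three
# entries in the post. Not real router output; the address is a documentation IP.
SAMPLE_OUTPUT = """\
Extended IP access list 100
    10 permit 50 any host 203.0.113.10
    20 permit 51 any host 203.0.113.10
    30 permit udp any host 203.0.113.10 eq isakmp (17 matches)
"""

# One ACL entry: optional sequence number, action, protocol, the rest of the
# match clause, and an optional trailing "(N matches)" counter.
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


def parse_access_list(text):
    """Return a list of dicts, one per ACL entry, with its hit counter (0 if absent)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line or anything that is not an entry
        entries.append({
            "seq": int(m.group("seq")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "rest": m.group("rest").strip(),
            "matches": int(m.group("matches") or 0),
        })
    return entries


def ipsec_counters(entries):
    """Sum hit counters for the three kinds of entry the post adds: ISAKMP, ESP, AH."""
    counters = {"isakmp": 0, "esp": 0, "ah": 0}
    for e in entries:
        if e["proto"] in ("50", "esp"):
            counters["esp"] += e["matches"]
        elif e["proto"] in ("51", "ahp", "ah"):
            counters["ah"] += e["matches"]
        elif e["proto"] == "udp" and re.search(r"\beq (?:500|isakmp)\b", e["rest"]):
            counters["isakmp"] += e["matches"]
    return counters


def diagnose(entries):
    """Classify what the counters say about the IPsec session.

    "ike-only"       -> IKE (UDP/500) reached the router, no ESP/AH did
    "ipsec-flowing"  -> both IKE and ESP/AH entries are counting hits
    "no-ike"         -> not even the ISAKMP entry is being hit
    """
    c = ipsec_counters(entries)
    if c["isakmp"] and not (c["esp"] or c["ah"]):
        return "ike-only"
    if c["isakmp"]:
        return "ipsec-flowing"
    return "no-ike"


if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE_OUTPUT)
    for e in parsed:
        print(f'{e["seq"]:>4} {e["action"]} {e["proto"]:<4} {e["rest"]:<32} hits={e["matches"]}')
    print("counters:", ipsec_counters(parsed))
    print("verdict:", diagnose(parsed))
```

Run it against pasted output from the router rather than the constructed sample to get the same "ike-only" verdict the post describes by eye. As a general point not taken from the post: ESP (50) and AH (51) carry no port numbers, so a port-translating NAT has nothing to rewrite in them, which is why IPsec through such devices is normally carried in a UDP encapsulation; an "ike-only" verdict is therefore a cue to check what the NAT device and the client actually put on the wire after authentication before adjusting the ACL further.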