CryptoTech,

Thanks for your reply.

You are correct in saying that "accept control connections" in the properties
allows SecuRemote to work - this is what I've already discovered.  The issue
is that I don't want to allow control connections because it allows more than
I strictly need, and I didn't need to do so on v4.0.

Unfortunately, the issue is not the Firewall workstation object IP address -
this is correctly defined as the Firewall's external IP address.  Also note
that SecuRemote does work OK when "accept control connections" is
checked, so I can't see how it can be a Firewall object issue.

Now, my suspicion is that there's some bit of inspect code which is only
being activated when "allow Firewall-1 control connections" is checked and
just allowing the protocols concerned isn't enough.  Perhaps I need to allow
some other protocol (maybe IKE) that I don't really need (because I use FWZ)
just to activate this inspect code.

Roy Hills

At 08:40 22/11/00 -0500, CryptoTech wrote:
>Roy,
>4.1 uses port 264 for topology download and 265 for public key transfers.  You
>should need no explicit protocol accepts, as the 'accept firewall-1 control
>connections' allows for this.  Usually when you get a timeout after authentication,
>it is because the firewall object has been defined based on the internal ip address.
>
>So again, I wouldn't look at the rules, I would look at the fw workstation object
>primary ip address.
>
>If you want to disable control connections, you must enable fw1_topo, and fw1_key
>and IKE to get these connections to go through.
>
>HTH,
>CryptoTech
>
>Roy Hills wrote:
>
> > On Firewall-1 v4.0 I have been able to use SecuRemote with FWZ key
> > scheme by just allowing "FW1" (tcp port 256) from any to the Firewall
> > as well as the relevant client encrypt rules and unchecking the
> > "accept Firewall-1 control connections" box in the policy properties.
> >
> > However on Firewall-1 v4.1, I find that I need to select "accept VPN-1 &
> > Firewall-1 control connections" in the policy properties.  I cannot seem to get
> > SecuRemote to work by using specific rules in the rulebase.
> >
> > I have tried the following two rules without success:
> >
> > a)
> >
> > Src: Any
> > Dst: Firewall
> > Svc: FW1, FW1_key, FW1_topo, RDP
> > Act: Accept
> > Trk: Long
> >
> > b)
> >
> > Src: SecuRemote-Client
> > Dst: Firewall
> > Svc: Any
> > Act: Accept
> > Trk: Long
> >
> > Src: Firewall
> > Dst: SecuRemote-Client
> > Svc: Any
> > Act: Accept
> > Trk: Long
> >
> > In both cases, I also had the appropriate client encrypt rules present.
> >
> > The symptoms I see are that I can add the Firewall "site" OK, and the
> > authentication dialog box appears.  However, authentication fails with a
> > "communication failed" message.
> >
> > Allowing "accept VPN-1 & Firewall-1 control connections" in the policy
> > properties makes SecuRemote work fine.
> >
> > Does anyone know what has changed from V4.0 to V4.1 regarding SecuRemote
> > that causes this?
> >
> > Is it possible to allow SecuRemote with just rules in the rulebase and not
> > with "accept VPN-1 & Firewall-1 control connections" in the policy properties?
> >
> > I'm using Firewall-1 v4.1[DES] SP1 on Windows NT 4.0 SP5.  SecuRemote is
> > v4.1 [DES] on Win-95.  I am using DES encryption, MD5 integrity and FWZ key
> > exchange.
> >
> > Roy Hills

--
Roy Hills                                    Tel:   +44 1634 721855
NTA Monitor Ltd                              FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                          Email: [EMAIL PROTECTED]
Rochester, Kent ME2 4FA, UK                  WWW:   http://www.nta-monitor.com/

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
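The thread turns on which explicit services a SecuRemote 4.1 client needs when "accept VPN-1 & Firewall-1 control connections" is unchecked. The following is an added example, not code from the thread or from Check Point: a small first-match rule-base evaluator that replays Roy's rule sets (a) and (b) against the client-to-firewall flows CryptoTech names (fw1_topo, fw1_key, IKE) plus the FW1 service Roy used on v4.0, and reports which of them each rule set fails to accept. The port numbers for FW1 (tcp/256), fw1_topo (tcp/264) and fw1_key (tcp/265) are the ones stated in the thread; RDP (udp/259) and IKE (udp/500) are assumed from Check Point's standard service definitions. The addresses of the Firewall and SecuRemote-Client objects are constructed sample values, not the poster's.

```python
"""Offline check of which SecuRemote control flows an explicit FW-1 rule set permits.

Added illustration for the mailing-list thread above; not code from the thread.
Ports for FW1, FW1_topo and FW1_key are as stated in the thread; RDP and IKE
ports are assumed from Check Point's standard service definitions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service name -> (protocol, port).
SERVICES = {
    "FW1":      ("tcp", 256),   # stated in the thread
    "FW1_topo": ("tcp", 264),   # stated in the thread
    "FW1_key":  ("tcp", 265),   # stated in the thread
    "RDP":      ("udp", 259),   # assumed standard definition
    "IKE":      ("udp", 500),   # assumed standard definition
}

# Network objects: constructed sample addresses, not the poster's.
OBJECTS = {
    "Any": ip_network("0.0.0.0/0"),
    "Firewall": ip_network("203.0.113.1/32"),           # FW external IP (sample)
    "SecuRemote-Client": ip_network("198.51.100.0/24"),  # client range (sample)
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: tuple   # service names, or ("Any",)
    action: str  # "Accept" or "Drop"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def _matches_obj(name, addr):
    return ip_address(addr) in OBJECTS[name]


def _matches_svc(svcs, proto, port):
    if svcs == ("Any",):
        return True
    return any(SERVICES[s] == (proto, port) for s in svcs)


def evaluate(rules, flow):
    """First-match evaluation; anything unmatched is dropped (implicit cleanup)."""
    for rule in rules:
        if (_matches_obj(rule.src, flow.src) and _matches_obj(rule.dst, flow.dst)
                and _matches_svc(rule.svc, flow.proto, flow.port)):
            return rule.action
    return "Drop"


def missing_services(rules, client_ip, fw_ip, required):
    """Names in `required` whose client->firewall flow the rule set does not accept."""
    missing = []
    for name in required:
        proto, port = SERVICES[name]
        if evaluate(rules, Flow(client_ip, fw_ip, proto, port)) != "Accept":
            missing.append(name)
    return missing


# Rule set (a) as posted by Roy.
RULES_A = [Rule("Any", "Firewall", ("FW1", "FW1_key", "FW1_topo", "RDP"), "Accept")]
# Rule set (b) as posted by Roy.
RULES_B = [
    Rule("SecuRemote-Client", "Firewall", ("Any",), "Accept"),
    Rule("Firewall", "SecuRemote-Client", ("Any",), "Accept"),
]
# FW1 (needed on v4.0 per Roy) plus the three services CryptoTech says must be
# enabled explicitly when control connections are disabled.
REQUIRED_41 = ["FW1", "FW1_topo", "FW1_key", "IKE"]

if __name__ == "__main__":
    client, fw = "198.51.100.7", "203.0.113.1"
    for label, rules in (("a", RULES_A), ("b", RULES_B)):
        print(f"rule set ({label}) does not accept:",
              missing_services(rules, client, fw, REQUIRED_41))
    # A host outside the SecuRemote-Client object gets nothing under (b).
    print("outsider tcp/256 under (b):", evaluate(RULES_B, Flow("192.0.2.9", fw, "tcp", 256)))
```

Against CryptoTech's list, rule set (a) comes up short only on IKE, while (b) accepts everything from the SecuRemote-Client object and nothing from any other source. Whether IKE is actually consulted when the FWZ scheme is in use is not settled by the thread, so treat the checker as a way to compare rule sets against a stated requirement, not as a statement of what the v4.1 inspect code does.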