Checkpoint Firewall-1 | SecureClient-1 | Big Time Help - this is a doozy!

  • From: "David V. Dellanno" <ddellanno@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 13 Oct 2003 20:45:11 -0400

Hi everyone,
  
   Been a long time since I posted a question with yah guys and gals.  I ran
into a stumper tonight!   A customer of mine is evaluating ISA 2000
versus SonicWall Pro 100 but his requirement is to VPN to a project of
theirs that uses Checkpoint Firewall-1.   ISA 2000 VPN (PPTP) is rock
solid to allow VPN clients to their network and outside their network.
The problem they are having is their developers are at their project site
behind FW-1 and attempting to VPN back to their HQ-ISA2K but the
connection fails.  Also, they attempt to VPN (using Checkpoint
SecureClient-1) from behind HQ-ISA2K to the project site FW-1 and fail to
connect.  Their admin wants us to verify that the following ports are
enabled (notice I didn't say open :^):

SSL - 443
UDP - 500
TCP - 264
UDP - 2746
IP 50 + 51

I made the protocol rules with no results...

Looked at the IP Packet Logs and FWLogs with ALLOWED listed for just 264
and 500...I don't see anywhere else in the logs that SecureClient-1 uses
any other ports, then I just gave up and broke the Holy Moly ISA Golden
Rule, and created packet filters for the listed ports and it still fails!
Geesh....

Yes, we are on a completely different subnet than the project site

Yes, their admin will not allow PPTP in their site and out of their
site..(Company Policy)...that explains why MS VPN Client doesn't work
from their site - talk about big fish eating the little fish!

Yes, we moved the client to a public IP (dial-up) and their
SecureClient-1 functions correctly, but behind ISA...nada!


So.....Is there something I have missed to make Checkpoint VPN Client
work behind ISA?   I would like to push ISA very much but I'm guessing
the customer is swaying towards a simple dummy hardware solution?
Either way, I'm interested in knowing what else I can do to allow
Checkpoint VPN Client to work behind ISA?


Sorry in advance for the multi-post to the newsgroups, but I'm looking for an
answer tonight, as soon as I can get one. I'm going to work all
night until I find an answer on this.

Thanks everyone


Regards,
 
David V. Dellanno - MCSE, MCP+I, MCP
MSDEMO Consultants
Williams Place
2564 Bridgewood Lane
Snellville, Georgia 30078 USA
(770) 736-8794 (Office)
msdemo.net

