RE: Checkpoint Firewall-1 | SecureClient-1| Big Time Help - this is a doosey!

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 15 Oct 2003 02:08:13 -0500

Hi David,

You're welcome. I would be happy to send the moron admin that you're
dealing with a comprehensive dissertation on why he needs to get an
education on VPN security technology. It's so very, very sad that dolts
like that have control over network security, esp. VPN
configuration. But like someone smarter than me said, "it takes all kinds
to screw up a world" :-)

Thanks!
Tom
www.isaserver.org/shinder
 

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx] 
Sent: Wednesday, October 15, 2003 12:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Checkpoint Firewall-1 | SecureClient-1| Big Time
Help - this is a doosey!

AD: Get Thawte's New Step-by-Step SSL Guide for MSIIS: 
http://www.isaserver.org/thawte/
Hi Tom,
   Reason - corporate policy and that's all.   He pretty much stonewalled the
PPTP solution from the start and there wasn't any way to convince him to
utilize PPTP; it was their way or the highway.  Didn't have much
support from their IT side.

   Also, the developers I am supporting required access to their client's
corporate public database, and the admin feels paranoia that they will be
accessing it through PPTP, which he considers a lack of security.  I had
mentioned that he could set up a rule to permit only our site's public IP
address to access the resource behind CP through PPTP, but that idea was
shunted as well.

  Resolution - Their IT admin suggested lending us their hardware VPN
solution to provide the developers VPN access, and this should provide
both outbound and inbound VPN for their developers in this environment.
They both agreed to this quick solution.   He will be shipping it
overnight, so I wasn't able to resolve the issue with ISA.

   Thank you very much for your quick response and thorough answer.
I rarely request this kind of response, but I thought I had exhausted
everything that ISA could provide to support a CP environment.


Dave
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, October 13, 2003 9:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Checkpoint Firewall-1 | SecureClient-1| Big Time
Help - this is a doosey!

Hi Dave,

Did the guy give you a reason for not allowing PPTP? There must be some
sort of superstition he has, maybe he lost the clove of garlic that he
usually wears around his neck and he's afraid PPTP will bite his booty
or something? ;-)

It looks like they use a proprietary, non-RFC version of NAT-T (gee,
that's a surprise, next thing you'll tell me that the other firewall
vendors don't support L2TP/IPSec in VPN gateway mode). So, you need to
make sure that they are not using the firewall client and that they are
configured as SecureNAT clients. Make sure there are protocol definitions
to support all the required protocols. You don't need to allow outbound
IP Protocols fifty and fifty-one because they are encapsulated in,
probably, UDP 2746. I'd sure like to know why the heck they require TCP
443 open for a NAT-T IPSec connection to their dreaded CP firewall :-)

But enough of my whining. Check out:
http://www.isaserver.org/articles/IPSec_Passthrough.html

HTH,
Tom
www.isaserver.org/shinder
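Tom's checklist above (SecureNAT clients rather than the firewall client, protocol definitions for every required protocol, and no raw IP protocol 50/51 expected when the CheckPoint UDP 2746 encapsulation is in use) can be turned into a quick log triage. The following Python script is an added example written for this thread; it is not code from the list, from ISA Server, or from CheckPoint. Its log line layout and the sample lines are constructed for the example and are not ISA 2000's actual packet filter log format, so the regular expression would need adjusting for real logs. It reports, for each protocol/port the thread lists, whether the log shows it allowed, denied, or never seen, and treats IP 50/51 differently depending on whether the NAT-T variant is assumed.

```python
"""Triage a firewall log for the protocols a CheckPoint SecureClient VPN needs.

Constructed, simplified log line layout (NOT ISA 2000's real format):
    ALLOWED UDP 10.0.0.5:500 -> 203.0.113.9:500
    DENIED  IP  10.0.0.5 -> 203.0.113.9 proto=50
"""
import re

# Protocols listed in the thread, keyed as PROTO/destination-port.
REQUIRED = {
    "TCP/264":  "SecureClient topology download",
    "UDP/500":  "IKE",
    "UDP/2746": "CheckPoint UDP encapsulation (NAT-T variant)",
    "TCP/443":  "HTTPS (listed by the remote admin)",
}
# ESP and AH as raw IP protocols. Per the thread, with the NAT-T variant these
# are carried inside UDP 2746 and should not need their own outbound rules.
NATIVE_ONLY = {"IP/50": "ESP", "IP/51": "AH"}

LOG_RE = re.compile(
    r"^(?P<action>ALLOWED|DENIED)\s+(?P<proto>TCP|UDP|IP)\s+"
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)(?:\s+proto=(?P<ipproto>\d+))?\s*$"
)

# Constructed sample log: topology download and IKE pass, the UDP 2746
# encapsulation is blocked, raw ESP is blocked, and 443 never appears.
SAMPLE_LOG = """\
ALLOWED TCP 10.0.0.5:1045 -> 203.0.113.9:264
ALLOWED UDP 10.0.0.5:500 -> 203.0.113.9:500
DENIED  UDP 10.0.0.5:2746 -> 203.0.113.9:2746
DENIED  IP  10.0.0.5 -> 203.0.113.9 proto=50
ALLOWED TCP 10.0.0.5:1046 -> 203.0.113.9:80
"""


def flow_key(m):
    """Reduce one parsed log line to 'TCP/264', 'UDP/500' or 'IP/50'."""
    if m["proto"] == "IP":
        return f"IP/{m['ipproto']}"
    port = m["dst"].rsplit(":", 1)[1]
    return f"{m['proto']}/{port}"


def triage(log_text, nat_t=True):
    """Map each required flow to 'allowed', 'denied' or 'not seen'.

    A single DENIED for a flow wins over any ALLOWED, because one dropped
    packet in the exchange is enough to break the tunnel setup.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines in another layout are ignored, not guessed at
        key = flow_key(m)
        if m["action"] == "DENIED" or key not in seen:
            seen[key] = m["action"].lower()

    report = {key: seen.get(key, "not seen") for key in REQUIRED}
    for key in NATIVE_ONLY:
        if nat_t:
            report[key] = "not expected (carried inside UDP 2746)"
        else:
            report[key] = seen.get(key, "not seen")
    return report


def blocked_or_missing(log_text, nat_t=True):
    """Flows that still need a protocol definition or rule, sorted."""
    return sorted(k for k, v in triage(log_text, nat_t).items()
                  if v in ("denied", "not seen"))


if __name__ == "__main__":
    for key, status in triage(SAMPLE_LOG).items():
        desc = REQUIRED.get(key) or NATIVE_ONLY[key]
        print(f"{key:9} {status:40} {desc}")
    print("still to fix (NAT-T assumed):", blocked_or_missing(SAMPLE_LOG))
```

Run with `nat_t=False` to see how the same log reads if the client were doing native IPSec: raw ESP then shows up as a denied flow that needs its own rule instead of being ignored. Seeing IKE and TCP 264 allowed while UDP 2746 is denied matches the symptom in the thread where only 264 and 500 show as ALLOWED.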
 

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Monday, October 13, 2003 7:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Checkpoint Firewall-1 | SecureClient-1| Big Time Help
- this is a doosey!

Hi everyone,
  
   Been a long time since I posted a question with you guys and gals.  I ran
into a stumper tonight!   A customer of mine is evaluating ISA 2000
versus SonicWall Pro 100, but his requirement is to VPN to a project of
theirs that uses Checkpoint Firewall-1.   ISA 2000 VPN (PPTP) is rock
solid at allowing VPN clients to their network and outside their network.
The problem they are having is that their developers are at their project site
behind FW-1 and attempting to VPN back to their HQ-ISA2K, but the
connection fails.  Also, they attempt to VPN client (using Checkpoint
SecureClient-1) from behind HQ-ISA2K to the project site FW-1 and fail to
connect.  Their admin wants us to verify that the following ports are
enabled (notice I didn't say open :^):

SSL - 443
UDP - 500
TCP - 264
UDP - 2746
IP 50 + 51

I made the protocol rules with no results...

Looked at the IP Packet Logs and FW logs, with ALLOWED listed for just 264
and 500... I don't see anywhere else in the logs that SecureClient-1 uses
any other ports, so I just gave up and broke the Holy Moly ISA Golden
Rule and created packet filters for the listed ports, and it still fails!
Geesh....

Yes, we are on a completely different subnet than the project site.

Yes, their admin will not allow PPTP into their site or out of their
site (company policy)... that explains why the MS VPN Client doesn't work
from their site - talk about the big fish eating the little fish!

Yes, we then moved the client to a public IP (dial-up) and their
SecureClient-1 functions correctly, but behind ISA... nada!


So..... Is there something I have missed to make the Checkpoint VPN Client
work behind ISA?   I would like to push ISA very much, but I'm guessing
the customer is swaying towards a simple dummy hardware solution.
Either way, I'm interested in knowing what else I can do to allow the
Checkpoint VPN Client to work behind ISA.


Sorry in advance for the multi-post to newsgroups, but I'm looking for an
answer tonight, as soon as I can get one; I'm going to work all
night until I find an answer on this.

Thanks everyone


Regards,

David V. Dellanno - MCSE, MCP+I, MCP
MSDEMO Consultants
Williams Place
2564 Bridgewood Lane
Snellville, Georgia 30078 USA
(770) 736-8794 (Office)
msdemo.net


Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.

Get Thawte's New Step-by-Step SSL Guide for MSIIS Find out how to test,
purchase, and install a Thawte Digital Certificate on your MSIIS web
server: 
http://www.isaserver.org/thawte/

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')


