Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 3362 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is it even possible???

To0w1r3d
I have a checkpoint securemote cleint on the inside of ASL, connecting through ASL NAT to a checkpoint firewall at HQ.  So far I have tried some of the NAT passthru options in ASL and on the securemote cleint without success.  

Is it even possible that a VPN client can pass through a stateful firewall using NAT?  

Any help would be greatly appreciated, I love using ASL, however not having a connection back into the office is a show stopper.

Thanks!    


This thread was automatically locked due to age.
Parents
  • 0
    To0w1r3d,

    go to services and create a new one: protocol ESP SPI 256:4294967295. Proceed with setting packet filter rules allowing udp/500 (IKE) and the recently created ESP service as destination select the CP definition.

    Please note that due to the ipsec protocol characteristics only one connection at the same time is possible.

    read u
    o|iver

      
  • 0 in reply to oliver.desch
    Everyone, thank you for your response.  I created the ESP service and packet filter allowing IKE and ESP to pass.  I still couldn't make a connection with the client that I had used to connect with in the past.

    Good news it does look like it's possible...so I will press further until I get it.  Just knowing it can be done, is a HUGE help, thanks again for your help!   
  • 0 in reply to To0w1r3d
    Hi !
    As promised, here is what I had to do to make the « Checkpoint-client » work:
       1.) Define 2 additional services
                     Name      Protocol    S-Port/Client    D-Port/Server
                Checkpoint      udp            2746                  2746
                Cisco xout       udp        1024:65535          62516 

       2.) Create the following filter rules
                 From (Client)          Service           To (Server)             Action 
                LAN_Network__    Cisco xout          Broadcast               Allow 
                LAN_Network__    Checkpoint             Any                     Allow
                LAN_Network__    ISAKMP                  Any                     Allow
                LAN_Network__         ESP                   Any                     Allow
                MyOffice_LAN        ISAKMP          LAN_Network__         Allow
                MyOffice_LAN        ISAKMP         DMZ_Interface__       Allow
                MyOffice_LAN            ESP            LAN_Network__         Allow

         LAN_Network__    ..........   my internal network
         DMZ_Interface__  ..........   my external interface
         MyOffice_LAN       ..........   my office network

    After that and an additional restart of the checkpoint client, everything came right up.
    Good luck –
    Regards,
    Erich
       
  • 0 in reply to ehudler
    Success...thank you Erich and Oliver...:::Awesome:::

        
Reply Children
  • 0 in reply to To0w1r3d
    Just a quick note by default Checkpoint Securemote/SecureClient uses UDP 2746 for its nat-traversal mechanism... so the client needs outbound 2746 and possibly outbound UDP 500 or TCP 500 depending on what the admin is using for IKE.... Checkpoint NG w/ AI has a new mode called visitor mode which will actually tunnel all the traffic over http or https or basically whatever you define it to use... kinda cool but not widely used yet.   
Cookie Information Banner