> Hello People, This is a long problem relating to PIX/ISA & FW-1
>
> I am hoping someone has seen this before and knows a way around. Attached is a picture diagram
>
> Trying to create a VPN tunnel with the following scenario
>
> 192.168.1.0/24 is connected behind a MS ISA server, ISA has its own NIC of 192.168.1.1/24 and a Public NIC IP 210.x.21.195, now ISA does "Secure NAT" or something, I don't know, I have never used it. But anyhow
>
> All connections leaving 192.168.1.0/24 are then "Secure NATed" via ISA to 210.x.21.195, which then traverses the PIX, and in turn the PIX is connected to the internet facing router.
>
> The Check Point is @ 203.x.x.26 and has an internal address of 192.168.2.254/24.
>
> Now from the 192.168.2.0/24 LAN behind Check Point it initiates a tunnel with the PIX, the tunnel authenticates, and from the Check Point logging you can see a packet leaving 192.168.2.0/24 for 192.168.1.0/24 is encrypted by Check Point, and on the PIX you can see it is decrypted, as there are decrypted packets via 'show crypto ipsec sa'
>
> No reply packets come back up the tunnel.
>
> The PIX has a route inside 192.168.1.0 255.255.255.0 210.x.21.195 1 (ISA Public IP NIC)
>
> Nor does it appear that when, say, a ping is sent from 192.168.1.0/24 it even fires up the VPN tunnel on the PIX.
>
> Taking into account that the ISA NATs the 192.168.1.0/24 traffic to 210.x.21.195, that is the address we have tried on the crypto ACL with the PIX
>
> access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
> access-list 101 permit ip host 210.54.214.195 192.168.2.0 255.255.255.0
>
> It still does not seem to fire up the tunnel, and when a traceroute is done from the internal LAN it would appear to leave ISA NATed with 210.x.21.195 and then hit the router @ .206; the PIX does not seem to want to do anything with it, i.e. force it into a tunnel.
>
> SO the tunnel is actually authenticated and established via the CP box sending traffic and all is good, but getting traffic from the PIX/ISA end is not happening.
>
> A 'show access-list' on the PIX reveals that access-list 101 is getting matches
>
> I am rather certain it is related to ISA and the NATing, is there anyone out there that has seen/done/succeeded/failed in doing this?
>
> Does anyone know if there is some form of like 'tcpdump' for PIX? Or do you have to debug ip packet etc?
>
> Cheers,
> Brendan
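One way to reason about the one-way behaviour described in the post is to model the crypto ACL as a selector and check whether both ends are protecting the same address pairs. The Python below is an added example, not part of the original message and not PIX, ISA or Check Point code. It assumes a first-match ACL of (source, destination) network pairs, a simplified ISA Secure NAT that rewrites every 192.168.1.0/24 source to the public NIC address 210.54.214.195 (the value used in the posted ACL), and constructed sample hosts 192.168.1.10 and 192.168.2.10. It traces one flow through the NAT and the ACL, then checks whether the reverse flow the Check Point side sends hits the mirror image of the same entry.

```python
# Added example: a simplified model of crypto-ACL ("interesting traffic") matching
# on the PIX side of the post, with ISA Secure NAT applied before the PIX sees the
# packet. Not vendor code; the NAT behaviour and sample hosts are assumptions.
from ipaddress import ip_address, ip_network

# access-list 101 from the post, written as CIDR pairs instead of PIX "net mask".
ACL_101 = [
    (ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),
    (ip_network("210.54.214.195/32"), ip_network("192.168.2.0/24")),
]

ISA_PUBLIC_IP = "210.54.214.195"            # ISA public NIC, as given in the posted ACL
ISA_INSIDE_NET = ip_network("192.168.1.0/24")  # LAN behind the ISA


def first_match(acl, src, dst):
    """Index of the first ACL entry whose networks contain both src and dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for i, (src_net, dst_net) in enumerate(acl):
        if s in src_net and d in dst_net:
            return i
    return None


def mirror(acl):
    """The selector the peer must hold for the same flows in the other direction."""
    return [(dst_net, src_net) for (src_net, dst_net) in acl]


def isa_secure_nat(src):
    """Assumed ISA Secure NAT: inside sources leave as the public NIC address;
    anything else passes through unchanged."""
    return ISA_PUBLIC_IP if ip_address(src) in ISA_INSIDE_NET else src


def analyse_flow(acl, inside_host, remote_host):
    """Trace inside_host -> remote_host through the NAT and the crypto ACL, then
    compare with the reverse flow remote_host -> inside_host as the peer builds it.
    Returns which entry matched at each step and whether the two ends agree."""
    # What the host sends (the PIX never sees this form) ...
    pre_nat = first_match(acl, inside_host, remote_host)
    # ... and what the PIX actually receives after the ISA rewrote the source.
    pix_src = isa_secure_nat(inside_host)
    post_nat = first_match(acl, pix_src, remote_host)
    # The reverse flow, addressed to the inside host, checked against the mirrored ACL.
    reverse = first_match(mirror(acl), remote_host, inside_host)
    # Symmetric only if the reverse flow hits the mirror of the entry the post-NAT
    # packet hit; otherwise each end is protecting a different address pair.
    symmetric = post_nat is not None and reverse == post_nat
    return {
        "pre_nat_entry": pre_nat,
        "pix_sees_src": pix_src,
        "post_nat_entry": post_nat,
        "reverse_entry": reverse,
        "symmetric": symmetric,
    }


if __name__ == "__main__":
    # Constructed sample hosts, one on each LAN.
    for inside in ("192.168.1.10", ISA_PUBLIC_IP):
        print(inside, "->", "192.168.2.10")
        for key, value in analyse_flow(ACL_101, inside, "192.168.2.10").items():
            print(f"  {key}: {value}")
```

Run as written, the first trace shows the post-NAT packet hitting the `host 210.54.214.195` entry while the Check Point's packet to 192.168.1.0/24 mirrors the /24 entry, so the two selectors disagree; the second trace, where the remote side addresses the NAT address itself, comes out symmetric. The model only represents the selector logic, so whether the real ISA behaves this way still has to be confirmed on the box.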
