VPN-1 Secureremote pass-through on a PIX 506

Can someone help with a configuration problem.

I've got hold of a second hand PIX 506. I've updated to PIX version

6.3(4) and also the PDM to version 6.3. The company I work for has a Checkpoint NG1 firewall and I use the secure remote to connect in. I have to connect my laptop directly to my Cable modem and pick up the public IP address to successfuly connect to the checkpoint. It will not work through my DSL router.

If I replace my DSL Router with the PIX it works OK for normal browsing etc but not the secureremote. I know it can be done but I lack the expertise to config it. The Secureremote is configured to use IKE over TCP and I've been told that I have to configure the PIX for NAT Traversal and to allow AH and ESP IP protocols through. I pick up a dynamic IP from my ISP.

If anyone can give me the correct commands I'll be most grateful.


Reply to
Loading thread data ...

formatting link
some info.

I don't think that you need NAT Traversal which is to do with VPNs that terminate on the PIX (I suspect).

I don't know of the top of my head however a useful apprach is to log dropped traffic on the PIX. Then you get to see what you need to open up.

You could also run "srfw monitor" on the PC which is a packet sniffer which would show you the traffic.

Clearly you should check that the traffic is indeed legitimate SR traffic and that you do not already have malicious code on your network:-(

IRC there is a list in the Checkpoint docs which are available to registered users on the web site.

Reply to

My SecureRemote is configured to use Nat Traversal tunnelling and IKE over TCP.

Reply to

Out of curiosity, how much did Cisco charge you to "relicense" the


isakmp nat-traversal 20

You do not need to configure anything to "let through" AH or ESP, because access lists only control what goes -through- the PIX, not packets that are addressed to the PIX itself (as would be the case for the AH and ESP packets.)

Turning on nat-traversal does not hurt, and it there is NAT between you and the destination (and some cable ISPs do NAT at their network edge!) then it can allow IPSec to work in circumstances where it would otherwise fail. In particular, you indicate AH was specifically mentioned to you: AH *cannot* work with NAT unless you use nat-traversal .

If you've been told to allow for AH and ESP, then the place to do that is in configuring the transform set(s) that will be associated with the crypto-map entry. It is also usually a good idea to configure the isakmp layer to use the same encryption and "group" as you use for the transform set: although it isn't strictly necessary to have the two layers match, who needs the confusion?

Reply to
Walter Roberson


I understand the ISAKMP Nat traversal command but not sure on the transform sets and crypto maps etc. I'll go and do some searching.



Reply to

I've seen this happen when the client site (behind a NAT router) is using the same IP range as a network behind the Checkpoint firewall.

If this is the issue, it is because the firewall uses the IP on the PC for routing, rather than the IP it gets NATted to when it hits the Internet. I've known this to be solved by setting up the Checkpoint to NAT all VPN connections to an unused subnet that isn't used internally.

Don't ask me how. I haven't set this up, I've only seen others do this.

This might not be the issue, since it works with the PIX. The part about working when hooked directly to the modem, but not through the DSL router, fits with the symptoms I've seen.

PG wrote:

Reply to

Tks for the info. I deliberately set my IP Addresses to what I believed would be an unused IP range. I'll check with the Security Team.


Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.