I have a network configured as follows:
Internal LAN -- PIX-535 -- { Internet } -- Customer CheckPoint FW/1
The internal LAN is NATted to the external address of the PIX and all internal hosts are PATted against this address (hence we have only one external "visible" IP address defined).
We are trying to establish a CheckPoint SecureClient connection from inside the network on the internal LAN to a customer site on the Internet running a CheckPoint firewall. The connection type we are doing is using the RSA keyfobs as security.
When attempting to connect using the SecureClient software, the connection always fails with an error from the SecureClient software: "Make sure the user is properly defined on the firewall". From the logs on the customer site we only see the initial conversation but do not get any key exchange happening. It appears that the local firewall (i.e. the PIX) is the cause of the problem. If I take the same computer and software and plug into a home network behind a broadband router with VPN passthru, the connection establishes successfully. From the above network we do not block any outbound services and all outgoing protocols work fine (e.g. web, IM, telnet, ssh, ftp, etc.).
During my reading of this forum and others, it would appear that VPN traversal might be the problem; however, I have enabled it (with "isakmp enable inside" and "isakmp nat-traversal 20") but this does not solve the problem. The PIX is running 7.0(1).
I cannot see any local logs to see what is being dropped and do not understand what more is available to get the VPN to traverse the firewall. What special ports (if any) need to be opened to the NAT/PAT address?
Appreciate any help