RE: [fw-wiz] Cisco VPN client behind a Netscreen
From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 11/06/03
- Previous message: List Account: "RE: [fw-wiz] Cisco VPN client behind a Netscreen"
- Maybe in reply to: Aram Smith: "[fw-wiz] Cisco VPN client behind a Netscreen"
- Next in thread: Andy Lyakhovetskiy: "RE: [fw-wiz] Cisco VPN client behind a Netscreen"
- Reply: Andy Lyakhovetskiy: "RE: [fw-wiz] Cisco VPN client behind a Netscreen"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Aram Smith" <aram.smith@appiancorp.com>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 6 Nov 2003 08:45:28 -0500
Aram,
You do not need to create an IPSec policy on the NetScreen for VPN clients that are passing through it. (The same would be true if you had a VPN concentrator behind it and users were connecting inbound from the Internet.)
This problem most likely has to do with source port translation being performed by the NetScreen as part of its NAT rules for outbound traffic. The PIX will likely complain if the source port of the VPN client connection isn't 500 or 4500 as appropriate and prevent the tunnel from coming all the way up. The best fix for this is to upgrade the PIX OS version to a current release and enable the 'isakmp nat-traversal' feature.
However, since you don't have control over the PIX, another solution would be to configure a static NAT (NetScreen calls this MIP, or Mapped IP?) for just the VPN client workstation's IP address to an otherwise unused IP address on the firewall's outside subnet. This should prevent the source port from being modified when making the connection.
Good luck!
PaulM
-----Original Message-----
I have recently implemented a Netscreen 50 and I have users behind it that use a Cisco VPN client to connect to a Cisco Pix which I have no control over. Their VPN client is not functioning properly. Currently I have a policy allowing outbound traffic any from all inside. Does anyone know if I also need to create an IPSEC policy for inbound traffic?
Thanks,
Aram Smith
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
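The diagnosis above (the NetScreen's outbound NAT rewriting the IKE source port, which a PIX without NAT-T will not tolerate) can be confirmed before touching either firewall by capturing UDP/500 and UDP/4500 on the NetScreen's outside interface and comparing source ports to destination ports. The script below is an added example, not from the thread or from either vendor: it parses tcpdump-style lines (the sample lines and the addresses in them are constructed) and classifies each IKE packet as port-preserved (what a MIP or no-NAT path gives), source-port-translated on UDP/500 (the failure Paul describes), or source-port-translated on UDP/4500 (tolerable only when both peers negotiated NAT-T). Capture on the outside interface, not the inside: the client always sends from 500 on the inside, so an inside capture proves nothing.

```python
"""Check whether a NAT device in front of an IPsec client rewrites the IKE
source port.  Hypothetical helper: feed it `tcpdump -n` lines captured on the
NAT device's OUTSIDE interface.  All sample lines here are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

IKE_PORT = 500     # ISAKMP / IKEv1 phase 1
NATT_PORT = 4500   # IKE and ESP encapsulated in UDP (NAT-Traversal, RFC 3947/3948)

# tcpdump -n line shape:  HH:MM:SS.ffffff IP a.b.c.d.SPORT > w.x.y.z.DPORT: UDP, length N
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP'
)


@dataclass
class Finding:
    src: str
    sport: int
    dst: str
    dport: int
    verdict: str   # 'ok', 'pat_ike' or 'pat_natt'


def classify(sport: int, dport: int) -> Optional[str]:
    """Return a verdict for one UDP packet, or None if it is not IKE traffic.

    'ok'       : source port equals destination port; a static 1:1 NAT (MIP)
                 or no NAT is in the path, so the responder sees the port it expects.
    'pat_ike'  : UDP/500 source port rewritten by port-address translation;
                 a responder without NAT-T will not complete phase 1.
    'pat_natt' : UDP/4500 source port rewritten; fine only if both peers
                 negotiated NAT-T, otherwise the same failure.
    """
    if dport == IKE_PORT:
        return 'ok' if sport == IKE_PORT else 'pat_ike'
    if dport == NATT_PORT:
        return 'ok' if sport == NATT_PORT else 'pat_natt'
    return None


def check_ike_source_ports(lines: List[str]) -> List[Finding]:
    """Parse capture lines and return one Finding per IKE/NAT-T packet."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # TCP, ICMP, or anything else we do not care about
        sport, dport = int(m['sport']), int(m['dport'])
        verdict = classify(sport, dport)
        if verdict is None:
            continue   # UDP, but not IKE (e.g. DNS)
        findings.append(Finding(m['src'], sport, m['dst'], dport, verdict))
    return findings


def has_blocking_translation(findings: List[Finding]) -> bool:
    """True when plain IKE (UDP/500) left the NAT with a rewritten source port,
    i.e. the condition that breaks a PIX that has no NAT-T enabled."""
    return any(f.verdict == 'pat_ike' for f in findings)


# Constructed sample: two clients behind the NetScreen, one PAT'd through the
# interface address (203.0.113.10), one mapped 1:1 via a MIP (203.0.113.11),
# both talking to a hypothetical PIX at 198.51.100.1.
SAMPLE_CAPTURE = [
    "08:45:28.100001 IP 203.0.113.10.1026 > 198.51.100.1.500: UDP, length 264",
    "08:45:28.200001 IP 203.0.113.11.500 > 198.51.100.1.500: UDP, length 264",
    "08:45:28.300001 IP 203.0.113.10.1027 > 198.51.100.1.4500: UDP, length 92",
    "08:45:28.400001 IP 203.0.113.10.51234 > 198.51.100.1.53: UDP, length 45",
    "08:45:28.500001 IP 203.0.113.10.40000 > 198.51.100.1.443: Flags [S], seq 1, win 64240",
]

if __name__ == "__main__":
    results = check_ike_source_ports(SAMPLE_CAPTURE)
    for f in results:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  {f.verdict}")
    if has_blocking_translation(results):
        print("IKE source port is being translated: use a MIP for the client "
              "or have the PIX side enable NAT-T.")
```

Run it against a real capture with `tcpdump -n -i <outside-if> udp port 500 or udp port 4500`; any `pat_ike` line is the NetScreen's outbound PAT at work, and the fix is exactly the one in the reply: a MIP for the client's address so the 1:1 mapping keeps port 500 intact, or NAT-T on the PIX so the session floats to 4500 and survives the rewrite.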