Re: WILL PAY. Need help to setup VPN between a PIX 506 and a Checkpoint 4.1 Firewall



Robert wrote:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml

In article <1145535434.939043.232520@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
DerekC <derekc@xxxxxxxxxxxxxxxxxxxx> wrote:

Yeap, that will do except my PIX is running 6.34. I was still hoping to
pay some expert to do it for me though.

Please quote context. Please see here for information on how to
do so from Google Groups: http://cfaj.freeshell.org/google/

I have reviewed the example referenced, and there is very little there
which is outdated by PIX 6.3(4):

- remove the line,
    no sysopt route dnat
  because dnat was dropped and so there is no need to disable it
- the first of the "timeout" commands shown is garbled with some
console output. Some of the minor details of the "timeout" command have
changed, but if you just don't leave that part out then the default
values are likely fine.

Also,

- remove the failover commands: failover is not supported on the PIX 506
- remove the line,
    access-list 115 deny ip 192.168.1.0 255.255.255.0 any
  because it is redundant (access-lists end in default deny)
- consider updating the transform set to 3DES or AES
- consider updating the isakmp policy to include 3DES or AES
- consider being more restrictive on the nat (inside) 1 statement.
When 0.0.0.0 0.0.0.0 is used, if some inside host forges random IPs
as the source for packets, the PIX would let the packets out (replies
are unlikely to get back, but in the meanwhile state is used up... and
single packets are sometimes enough to crack or DoS remote systems.)
If you instead use the inside IP range and netmask, then the forged
packets would at least have to have internal IPs as their source in order
to be allowed out.

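An added example (not from the posters above and not from Cisco's document) of what the adjusted pieces of a PIX 6.3(4) configuration look like once the suggestions in the reply are applied: the overly broad nat (inside) 1 statement beside the restricted one, a 3DES/AES transform set, and an isakmp policy that offers 3DES. It assumes 192.168.1.0/24 is the inside network (taken from the access-list line in the reply); PEER_IP, REMOTE_NET, REMOTE_MASK and PRESHARED_KEY are placeholders to fill in, and lines beginning with "!" are explanatory comments.

```cisco
! Added example: PIX 6.3(4) fragments for the changes discussed in the reply.
! Placeholders: PEER_IP = Checkpoint outside address, REMOTE_NET/REMOTE_MASK = its inside network.

! Before: any source address an inside host forges is translated and let out
! nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! After: only the real inside range is eligible, so forged packets must at least
! carry an inside source address to be allowed out
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! Traffic destined for the Checkpoint's network enters the tunnel untranslated
access-list nonat permit ip 192.168.1.0 255.255.255.0 REMOTE_NET REMOTE_MASK
nat (inside) 0 access-list nonat

! Crypto ACL: no trailing "deny ip 192.168.1.0 255.255.255.0 any" is needed,
! the implicit deny at the end of the list already covers it
access-list 115 permit ip 192.168.1.0 255.255.255.0 REMOTE_NET REMOTE_MASK

! Transform set: 3DES with SHA instead of single DES
crypto ipsec transform-set strongset esp-3des esp-sha-hmac
! AES alternative (PIX 6.3 added AES support):
! crypto ipsec transform-set strongset esp-aes-256 esp-sha-hmac

crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 115
crypto map vpnmap 10 set peer PEER_IP
crypto map vpnmap 10 set transform-set strongset
crypto map vpnmap interface outside
sysopt connection permit-ipsec

! ISAKMP policy offering 3DES; "encryption aes-256" is the AES equivalent
isakmp enable outside
isakmp key PRESHARED_KEY address PEER_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The Checkpoint 4.1 side has to be configured with a matching encryption algorithm, hash, Diffie-Hellman group and pre-shared key, or phase 1 negotiation will fail.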


