Re: WILL PAY. Need help to setup VPN between a PIX 506 and a Checkpoint 4.1 Firewall



Robert wrote:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml

In article <1145535434.939043.232520@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
DerekC <derekc@xxxxxxxxxxxxxxxxxxxx> wrote:

Yeap, that will do, except my PIX is running 6.34. I was still hoping to
pay some expert to do it for me, though.

Please quote context. Please see here for information on how to
do so from Google Groups: http://cfaj.freeshell.org/google/

I have reviewed the example referenced, and there is very little there
which is outdated by PIX 6.3(4):

- remove the line,
no sysopt route dnat
because dnat was dropped and so there is no need to disable it
- the first of the "timeout" commands shown is garbled with some
console output. Some of the minor details of the "timeout" command have
changed, but if you simply leave that part out, the default
values are likely fine.

Also,

- remove the failover commands: failover is not supported on the PIX 506
- remove the line,
access-list 115 deny ip 192.168.1.0 255.255.255.0 any
because it is redundant (access-lists end in default deny)
- consider updating the transform set to 3DES or AES
- consider updating the isakmp policy to include 3DES or AES
- consider being more restrictive on the nat (inside) 1 statement.
When 0.0.0.0 0.0.0.0 is used, if some inside host forges random IPs
as the source for packets, the PIX would let the packets out (replies
are unlikely to get back, but in the meanwhile state is used up... and
single packets are sometimes enough to crack or DoS remote systems.)
If you instead use the inside IP range and netmask, then the forged
packets would at least have to have internal IPs as their source in order
to be allowed out.
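A constructed PIX 6.3(4) fragment illustrating the hardening points listed above (the restrictive nat statement, a 3DES/AES transform set and isakmp policy). This is an added example, not text from the Cisco document or from either poster; the 192.168.1.0/24 inside range is taken from the access-list line quoted above, and the peer address, pre-shared key and policy numbers are placeholders you would replace with your own values.

```cisco
! --- Weak setting (as in the referenced example): any source IP may leave ---
! nat (inside) 1 0.0.0.0 0.0.0.0

! --- Corrected: only packets sourced from the real inside range are translated ---
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Traffic destined for the remote (Checkpoint-side) network must bypass NAT.
! 10.10.10.0/24 is a placeholder for the remote network.
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Phase 2: prefer AES (or 3DES) over single DES for the IPsec transform set.
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac

! Phase 1: isakmp policy offering AES-256 with SHA-1, DH group 2.
! The Checkpoint side must be configured with matching proposals.
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! The crypto map ties the interesting-traffic ACL, peer and transform set together.
! 203.0.113.1 is a placeholder for the Checkpoint's external address.
access-list vpn-traffic permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map TO-CHECKPOINT 10 ipsec-isakmp
crypto map TO-CHECKPOINT 10 match address vpn-traffic
crypto map TO-CHECKPOINT 10 set peer 203.0.113.1
crypto map TO-CHECKPOINT 10 set transform-set STRONG
crypto map TO-CHECKPOINT interface outside
sysopt connection permit-ipsec
```

After applying the changes, "show isakmp sa" and "show crypto ipsec sa" on the PIX will confirm whether Phase 1 and Phase 2 negotiate with the Checkpoint; a mismatch in the proposal (encryption, hash or DH group) on either side is the usual reason the tunnel fails to come up.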
