Can I use a Cisco VPN client and pass through our BorderMgr firewall? Do
I need special filters to allow IPSEC traffic through? Do I need to open
certain ports to allow the Cisco VPN client through?
THANKS! Any advice or experience would be appreciated.
Brian Allison
Frank N. Magid Associates
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://nscsysop.hypermart.net ***
As far as I know, the Cisco VPN client will not work through the NW NAT.
--
Cat
Novell Support Connection Volunteer Sysop
Your recommended ports, are those standard Cisco ports, or should I contact
the remote client and see what ports they specified? I will establish the
filters when I get back in the office on Thursday.
Let me check my filtering book. OK - my example, which was taken from that
implementation, says you only need to allow UDP 500 and UDP 10000. (And
the source and destination ports are the same 500/500 and 10000/10000).
As to what the official ports are, I don't know. I only set up exceptions
for what the client was actually using, and I assume those are the official
ports.
First I went out and got the 3rd Edition of your book. I had the old 1st
Edition, but decided it was time for an upgrade.
I created the exceptions just as you documented them in the book with UDP,
and NO luck. Then looking at the Cisco client, the remote admin had me
set it up using TCP port 10000 (not the UDP selection), so I went back and
changed the filters to use TCP instead of UDP, still NO luck. I am using
the Cisco VPN client v3.6.2, if that helps.
Do I need to have both the TCP and UDP exceptions defined for 500 &
10000? The client does work if I unload IPFLT, so it would appear to be a
definite filter problem.
THANKS!
Brian Allison
Frank N. Magid Associates
> In article <3E3r9.14263$CX6.2...@prv-forum2.provo.novell.com>, wrote:
That will show you the TCP and UDP ports being filtered. Test the VPN
and tell us what is being blocked. Best to capture the data with
CONLOG (if not NW 6). If using NW 6, the data will go to the logger
screen, and you use F2 to capture that screen to a text file.
I don't have a Cisco VPN here, and I am unable to tell you what that
client uses for ports, but you can always find out with debug.
First off, THANKS for sticking with me on this. I really appreciate your
help. Here is a copy of what I captured in CONLOG. Based on this, it looks
like I need a filter TCP, source 1365, dest 10000. I tried that and still
no success. Maybe you can read something else in this CONLOG that I
missed. I look forward to your response; an anxious user wants this to work.
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)
Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)
Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)
Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(RST)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)
Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.197)
Source Port=(1375) Destination Port=(80)
Source TOS=(Dynamic) Destination TOS=(HTTP)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)
Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.197)
Source Port=(1375) Destination Port=(80)
Source TOS=(Dynamic) Destination TOS=(HTTP)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)
Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.195)
Source Port=(1377) Destination Port=(80)
Source TOS=(Dynamic) Destination TOS=(HTTP)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)
Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
Just because the connection tried using source port 1365 this time
doesn't mean it will use it next time. Set your source ports to
1024-65535.
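As an added example (not code from this thread, from Novell or from Cisco): a small Python parser for the CONLOG "Discard" records pasted above. It groups the blocked packets by direction, protocol, destination and destination port and collects the source ports seen, so the exception can be written with the 1024-65535 source range suggested above instead of the one ephemeral port (1365) that happened to show up. The sample log is constructed, and the field set of the UDP record is assumed.

```python
import re
from collections import defaultdict
# Constructed sample in the CONLOG "Discard" record layout quoted in the thread: two TCP
# SYNs to 10000 from different ephemeral ports, plus a UDP 500->500 record (fields assumed).
SAMPLE_CONLOG = '''\
***************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Discard filter rule from "Filters" list
***************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1402) Destination Port=(10000)
Discard filter rule from "Filters" list
***************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(UDP)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(500) Destination Port=(500)
Discard filter rule from "Filters" list
'''

FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)=\(([^)]*)\)")  # Name=(value) pairs
def parse_discards(text):
    """One dict per discarded packet; everything below 'Discard filter rule'
    describes the rule that matched, not the packet, so it is cut off first."""
    records = []
    for chunk in re.split(r"^\*{3,}\s*$", text, flags=re.M):
        if 'packet to "Discard"' not in chunk:
            continue
        f = dict(FIELD_RE.findall(chunk.split("Discard filter rule", 1)[0]))
        records.append({"direction": chunk.split()[0], "proto": f.get("Protocol Type"),
                        "dst": f.get("Destination Address"), "sport": int(f.get("Source Port", 0)),
                        "dport": int(f.get("Destination Port", 0))})
    return records

def suggest_exceptions(records):
    """Group discards by (direction, proto, dst, dport). A source port >= 1024 is
    ephemeral and changes per connection, so the exception must allow 1024-65535."""
    flows = defaultdict(set)
    for r in records:
        flows[(r["direction"], r["proto"], r["dst"], r["dport"])].add(r["sport"])
    out = []
    for (direction, proto, dst, dport), sports in sorted(flows.items()):
        src = "1024-65535" if min(sports) >= 1024 else ",".join(map(str, sorted(sports)))
        out.append((direction, proto, src, dst, dport))
    return out
```

Feed it the text captured with CONLOG (or the F2 screen capture on NW 6); each tuple in the result is one exception to define, with the source range already widened where the port is ephemeral.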
THANKS again!
--
Brian Allison
Frank N. Magid Associates
In article <VA.00002b3...@p1000.bormanjohnsonhome.com>,
cra...@ix.netcom.com says...