
Cisco VPN client w/IPSEC over NBM

2 views

ball...@magid.com

14 Oct 2002, 16:31:34
We have a client that we need to connect to. They have given us a copy of
their Cisco VPN client that we can use to connect into their VPN server.
On our side we have a Novell BorderMgr v3.5sp3 firewall. Working with
their tech engineers we are unable to connect to their VPN server. They
believe it could be an issue with our firewall.

Can I use a Cisco VPN client and pass through our BorderMgr firewall? Do
I need special filters to allow IPSEC traffic through? Do I need to open
certain ports to allow the Cisco VPN client through?

THANKS! Any advice or experience would be appreciated.

Brian Allison
Frank N. Magid Associates

Craig Johnson

14 Oct 2002, 21:19:53
Depending on the version of the VPN client, it will work through Novell
NAT and filters. First test: Unload IPFLT. Does it work? If so, you
may need to open up outbound stateful exceptions for UDP and TCP ports
500 and 10000.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://nscsysop.hypermart.net ***

CSL

15 Oct 2002, 03:22:05
Hi Brian,

as far as I know, the Cisco VPN client will not work through the NW NAT.

--
Cat
Novell Support Connection Volunteer Sysop


ball...@magid.com

15 Oct 2002, 13:41:43
Thanks Craig. I am out of the office for a couple of days at a conference, but will
give this a try on Thursday when I return. Thanks for the idea!

ball...@magid.com

15 Oct 2002, 21:53:03
I was able to unload IPFLT and the Cisco VPN software worked OK. This would
indicate to me that it is definitely a filter problem, and that NAT is
working and this VPN product will work over Novell NAT. You agree?

Your recommended ports: are those standard Cisco ports, or should I contact the
remote client and see what ports they specified? I will establish the
filters when I get back in the office on Thursday.

Craig Johnson

16 Oct 2002, 00:48:26
In article <3E3r9.14263$CX6.2...@prv-forum2.provo.novell.com>, wrote:
> Your recommended ports: are those standard Cisco ports, or should I contact the
> remote client and see what ports they specified? I will establish the
> filters when I get back in the office on Thursday.
>
It depends on the version of the Cisco VPN, as far as I know. I did set up
filter exceptions a year ago for a Cisco VPN, and it worked, but it was
quite a recent VPN client version. I'm pretty sure older versions did not
work.

Let me check my filtering book. OK - my example, which was taken from that
implementation, says you only need to allow UDP 500 and UDP 10000. (And
the source and destination ports are the same 500/500 and 10000/10000).

As to what the official ports are, I don't know. I only set up exceptions
for what the client was actually using, and I assume those are the official
ports.

ball...@magid.com

18 Oct 2002, 12:46:51
Craig,

First I went out and got the 3rd Edition of your book. I had the old 1st
Edition, but decided it was time for an upgrade.

I created the exceptions just as you documented them in the book with UDP,
and NO luck. Then looking at the Cisco client, the remote admin had me
set it up using TCP port 10000 (not the UDP selection), so I went back and
changed the filters to use TCP instead of UDP, still NO luck. I am using
the Cisco VPN client v3.6.2, if that helps.

Do I need to have both the TCP and UDP exceptions defined for 500 &
10000? The client does work if I unload IPFLT, so it would appear to be a
definite filter problem.

THANKS!

Brian Allison
Frank N. Magid Associates


Craig Johnson

18 Oct 2002, 20:03:35
SET FILTER DEBUG=ON
SET TCP DISCARD FILTER DEBUG=1
SET UDP DISCARD FILTER DEBUG=1

That will show you the TCP and UDP ports being filtered. Test the VPN
and tell us what is being blocked. Best to capture the data with
CONLOG (if not NW 6). If using NW 6, the data will go to the logger
screen, and you use F2 to capture that screen to a text file.

I don't have a Cisco VPN here, and I am unable to tell you what that
client uses for ports, but you can always find out with debug.

ball...@magid.com

21 Oct 2002, 10:08:34
Craig,

First off, THANKS for sticking with me on this. I really appreciate your
help. Here is a copy of what I captured in CONLOG. Based on this, looks
like I need a filter TCP, source 1365, dest 10000. I tried that and still
no success. Maybe you can read something else in this CONLOG that I
missed. I look forward to your response; an anxious user wants this to work.

******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)


Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)


Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)


Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(RST)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Source TOS=(Dynamic) Destination TOS=(Dynamic)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)


Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.197)
Source Port=(1375) Destination Port=(80)
Source TOS=(Dynamic) Destination TOS=(HTTP)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)


Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.197)
Source Port=(1375) Destination Port=(80)
Source TOS=(Dynamic) Destination TOS=(HTTP)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)


Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.195)
Source Port=(1377) Destination Port=(80)
Source TOS=(Dynamic) Destination TOS=(HTTP)
Source Interface=(2) Destination Interface=(5)
Source Circuit=(43984) Destination Circuit=(41816)
Source GroupID=(-713906346) Destination GroupID=(-709321322)


Discard filter rule from "Filters" list
Filter Protocol Type=(IP)
Source Interface Type=(Any) Destination Interface Type=(BOARD)
Source Address=(Any Address) Destination Address=(Any Address)
Source Interface Number=(0) Destination Interface Number=(5)
Source Port Range=(0-0) Destination Port Range=(0-0)
Source TOS=(Reserved) Destination TOS=(Reserved)
Source Group Name=(None) Destination Group Name=(None)
Source Group ID=(0) Destination Group ID=(0)
Source Remote System ID=(None) Destination Remote System ID=(None)
Source Circuit=(0) Destination Circuit=(0)
******************************************************************************

Craig Johnson

21 Oct 2002, 23:55:43
In article <CTTs9.18412$CX6.3...@prv-forum2.provo.novell.com>, wrote:

> OUTBOUND packet to "Discard"
> Protocol Type=(TCP) Protocol Flag=(SYN)
> Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
> Source Port=(1365) Destination Port=(10000)
>
This is the initial packet, and it is dropping outbound traffic going
to tcp dest. port 10,000.

Just because the connection tried using source port 1365 this time
doesn't mean it will use it next time. Set your source ports to
1024-65535.
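The triage Craig walks through in this thread (turn on filter debug, capture the discards with CONLOG, read off the protocol and ports of the dropped packets, then widen the source port to the ephemeral range instead of pinning the one port seen today) can be scripted. The following is an added example written for this thread, not Novell or BorderManager code: a small Python parser that takes debug output in the layout Brian posted above and summarises, per destination port, the outbound stateful exception it implies. The SAMPLE_CONLOG text is a constructed subset of the posted capture; the VPN_PORTS set (500 and 10000, the ports named in the replies) and the 1024-65535 ephemeral range are assumptions taken from the answers here.

```python
import re

# Constructed sample in the layout of the CONLOG capture posted in this thread
# (a subset of its records; the first keeps the rule dump to show it is skipped).
SAMPLE_CONLOG = """\
**************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
Discard filter rule from "Filters" list
Source Address=(Any Address) Destination Address=(Any Address)
**************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(RST)
Source Address=(192.168.1.181) Destination Address=(208.27.252.240)
Source Port=(1365) Destination Port=(10000)
**************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.197)
Source Port=(1375) Destination Port=(80)
**************************************************************************
OUTBOUND packet to "Discard"
Protocol Type=(TCP) Protocol Flag=(SYN)
Source Address=(192.168.1.181) Destination Address=(205.158.108.195)
Source Port=(1377) Destination Port=(80)
**************************************************************************
"""

RECORD_SEP = re.compile(r"^\*{10,}\s*$", re.MULTILINE)   # a wrapped "***" line is ignored
HEADER = re.compile(r'^(INBOUND|OUTBOUND) packet to "(\w+)"', re.MULTILINE)
PROTO = re.compile(r"Protocol Type=\((\w+)\) Protocol Flag=\((\w+)\)")
ENDPOINT = re.compile(r"(Source|Destination) (Address|Port)=\(([^)]*)\)")

VPN_PORTS = {500, 10000}                 # assumption: the ports named in this thread
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


def parse_conlog(text):
    """Return one dict per discarded packet found in the debug capture."""
    records = []
    for chunk in RECORD_SEP.split(text):
        head = HEADER.search(chunk)
        if not head:
            continue
        # The matching rule is dumped after the packet and repeats
        # "Source Address=(Any Address)", so only the packet half is parsed.
        packet = chunk.split("Discard filter rule")[0]
        proto = PROTO.search(packet)
        f = {f"{side.lower()}_{name.lower()}": value
             for side, name, value in ENDPOINT.findall(packet)}
        records.append({"direction": head.group(1), "action": head.group(2),
                        "proto": proto.group(1), "flag": proto.group(2),
                        "src_addr": f["source_address"], "dst_addr": f["destination_address"],
                        "src_port": int(f["source_port"]), "dst_port": int(f["destination_port"])})
    return records


def summarize_flows(records):
    """Group dropped packets by (protocol, destination host, destination port)."""
    flows = {}
    for r in records:
        flow = flows.setdefault((r["proto"], r["dst_addr"], r["dst_port"]),
                                {"packets": 0, "src_ports": set(), "flags": set()})
        flow["packets"] += 1
        flow["src_ports"].add(r["src_port"])
        flow["flags"].add(r["flag"])
    return flows


def suggest_exceptions(flows):
    """One outbound exception per (protocol, destination port).

    An ephemeral source port is widened to 1024-65535: the client picks a new one
    on every attempt, so a rule pinned to the port seen in one capture (1365 in
    the thread) fails next time.  A fixed low port (IKE's 500/500) is kept as seen.
    """
    out = {}
    for (proto, dst_addr, dst_port), flow in flows.items():
        s = out.setdefault((proto, dst_port), {"dst_hosts": set(), "observed_src_ports": set(),
                                               "vpn_related": dst_port in VPN_PORTS})
        s["dst_hosts"].add(dst_addr)
        s["observed_src_ports"] |= flow["src_ports"]
    for s in out.values():
        lo, hi = min(s["observed_src_ports"]), max(s["observed_src_ports"])
        s["src_port_range"] = (EPHEMERAL_LOW, EPHEMERAL_HIGH) if lo >= EPHEMERAL_LOW else (lo, hi)
    return out


def render(suggestions):
    lines = []
    for (proto, dst_port), s in sorted(suggestions.items()):
        lo, hi = s["src_port_range"]
        tag = "VPN" if s["vpn_related"] else "other traffic, decide separately"
        lines.append(f"{proto} src {lo}-{hi} -> dst {dst_port} "
                     f"(hosts: {', '.join(sorted(s['dst_hosts']))}) [{tag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(render(suggest_exceptions(summarize_flows(parse_conlog(SAMPLE_CONLOG))))))
```

Run as-is it prints two summary lines: the TCP 10000 flow to the VPN server with source range 1024-65535, which is the exception that fixed Brian's problem, and the port-80 flows tagged separately, because the same catch-all discard rule was also dropping ordinary web traffic in the capture and that deserves its own decision rather than an exception copied from a VPN troubleshooting session. To use it on a real capture, replace SAMPLE_CONLOG with the CONLOG text; the separator regex tolerates the wrapped "***" line that appears in the pasted log.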

Brian Allison

23 Oct 2002, 21:18:47
That FIXED it! Thanks Craig, for taking the time to work through this
step by step. I really appreciate your efforts.

THANKS again!

--

Brian Allison
Frank N. Magid Associates

ball...@magid.com


Craig Johnson

24 Oct 2002, 00:33:30
You're welcome.