We want to introduce a BT product called MobileXpress to our system that
can authenticate mobile users from the Internet through our BM server and
then have access to the internal system as if they were in the office.
The technical guy at BT is Checkpoint-trained and he is not aware of BM
whatsoever. The problem mentioned is that MobileXpress needs to set up a
direct authentication session (IPSec tunnel) with the Cisco VPN
concentrator (on our internal network) using UDP port 500 (along with IKE
and ESP - for encryption?) and UDP port 10000 (NAT Traversal), and the BT
guy thought that it wouldn't be possible with our Firewall. Could someone
please confirm that this is possible with BM?
Kind regards,
Ant
What version of BM do you have? If you have 3.8 you *might* be able to
establish the VPN with the BM server itself, since it supports IPsec VPN.
Second, if you still want to connect to an internal Cisco concentrator
you have to have a Static NAT between the private IP address of the Cisco
box and a public IP address, and then unload ipflt and see if it works.
If it doesn't work with the filters unloaded it means that there is no
hope to get it to work, because the protocols used are corrupted by NAT.
If it works, then you can create the proper packet filter exceptions.
After the test, remember to reload ipflt.
--
Cat
NSC Volunteer Sysop
However, I think it will work just fine. All you need to do is to add
one canned and one custom filter exception in FILTCFG on the server
console. The canned exception is called IKE (UDP 500), and you will
have to create a definition (in INETCFG) called something like
CISCOVPN, using UDP and destination port 10,000. I actually have that
definition in one of the examples for a Cisco VPN (in the outbound
direction) in my BMgr Filtering book, at the URL below.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
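As an added illustration (not code from either reply, and not BorderManager's own filter logic), this small Python model captures the two inbound exceptions Craig describes (canned IKE on UDP 500, a custom CISCOVPN definition on UDP 10000) together with Cat's "unload ipflt" diagnostic, and checks which constructed flows from a mobile client would pass. Addresses and names (CISCO_ADDR, MOBILE, ipflt, inbound) are assumptions for the example; which address the filter sees relative to the static NAT is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed address for the example (not from the thread). Whether the
# filter matches on the public or the private side of the static NAT is an
# assumption here; the rule shape is the same either way.
CISCO_ADDR = "203.0.113.10"   # address of the Cisco concentrator as seen by the filter

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "esp" (IP protocol 50, no ports)
    dport: Optional[int] = None

# The two inbound exceptions from Craig's reply, bound to the concentrator only.
# Everything else falls through to the default deny.
EXCEPTIONS = [
    ("IKE",      "udp", 500,   CISCO_ADDR),   # canned exception in FILTCFG
    ("CISCOVPN", "udp", 10000, CISCO_ADDR),   # custom definition: NAT Traversal
]

def ipflt(pkt: Packet, loaded: bool = True) -> str:
    """Filter decision. loaded=False models Cat's 'unload ipflt' test step:
    nothing is filtered at all, so it is only a short diagnostic, not a fix."""
    if not loaded:
        return "allow (ipflt unloaded)"
    for name, proto, port, dst in EXCEPTIONS:
        if (pkt.proto, pkt.dport, pkt.dst) == (proto, port, dst):
            return f"allow ({name})"
    return "deny"

def inbound(pkt: Packet, filters_loaded: bool = True) -> str:
    """Decision for one inbound packet arriving from the Internet."""
    return ipflt(pkt, filters_loaded)

# Constructed flows from a mobile MobileXpress client on the Internet.
MOBILE   = "198.51.100.7"
IKE_PKT  = Packet(MOBILE, CISCO_ADDR, "udp", 500)       # IKE negotiation
NATT_PKT = Packet(MOBILE, CISCO_ADDR, "udp", 10000)     # ESP carried inside NAT-T
ESP_PKT  = Packet(MOBILE, CISCO_ADDR, "esp")            # raw ESP, no NAT-T
OTHER    = Packet(MOBILE, "203.0.113.20", "udp", 10000) # right port, wrong host

if __name__ == "__main__":
    for p in (IKE_PKT, NATT_PKT, ESP_PKT, OTHER):
        print(p.proto, p.dport, p.dst, "->", inbound(p))
```

Raw ESP stays denied with only these two exceptions, which is fine as long as the client actually uses NAT Traversal on UDP 10000; the unloaded-filter mode allows everything and should only be used for the quick test Cat describes, after which ipflt is reloaded.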