ACL for Checkpoint Secure Remote

[jolly403]

I have a Cisco 1841 w DSL card for my internet connecting router. It sits in front of a Checkpoint FW1 firewall...the checkpoint has a private ip address on it's external interface. The Cisco has basically two ACLs on it-one for all internal outbound traffic overloaded to Dialer1, and one inside source static port 25 from the FW external to the public IP for mail.

Question is, if I want to use Checkpoint's Secure Remote VPN client to establish a VPN from a remote client, what kind of ACL do I put on the Cisco?

Conversely, if I were to utilize Cisco's EasyVPN client and establish the connection to the Cisco, what type of rule would go on the Checkpoint FW?

Thanks much.
Brian

 

[ADB100]

I had problems when I initially set up Checkpoint Clients behind a MS ISA 2004 server. I know this isn't strictly Cisco but the list of ports should be useful

IPSec ESP IP Protocol 50
IKE over TCP : TCP 500
SecureRemote Auth/CheckPoint Key Control : UDP 500
CheckPoint UDP Encapsulation : UDP 2746
CheckPoint: Topology port : TCP 264
CheckPoint: used for SecureClient's logon to Policy Server protocol : TCP 18231
CheckPoint: used for SCV keep-alive packets : UDP 18233
CheckPoint: used for SecureClient's Software Distribution Server download protocol : TCP 18232
CheckPoint: used for IPSec NAT-T : UDP 4500

This got it working but I had a problem that if the client didn't transmit any packets for a period of time it stopped working (my workaround was to ping a device behind the firewall from the client). I eventually solved this when I had a bit more time and added the following to the firewall rule:

CheckPoint RDP : UDP 259


To get Cisco's VPN Client to work you I needed to add on UDP port 10000 in addition to the ones above. I think IP Protocol 50, UDP 500, TCP 500 and UDP 4500 are required by the Cisco VPN client but these were already covered by the Checkpoint rule.

HTH

Andy