need help with vpn issue

Apr 11th, 2007

I am not real familiar with networking, so I may not have the correct terms here. I am trying to set up a VPN between 2 Checkpoint routers but can't make it work through a Cisco 2620. Location one has just a Checkpoint connected to the internet. Location 2 has a Checkpoint behind a Cisco 2620 connected to the internet. We opened all ports we thought we needed on the Cisco but can't make it work. Something keeps getting blocked and the VPN never connects. Can I make this work with the Cisco, or am I out of luck?

owaisberg Wed, 04/11/2007 - 10:16

My understanding of your setup is:


If yes, first make sure you have reachability from FW1 to FW2. If there is, create a VPN site-to-site connection on both firewalls and watch SmartView Tracker to see why the tunnel is failing to establish.



billfaith Wed, 04/11/2007 - 11:49

Close, it's like this with only one Cisco.


These are Checkpoint safe@office appliances, so they don't have advanced logging capabilities. The Checkpoint behind the Cisco can get out to the internet. When trying to establish a VPN from safe@office to safe@office it fails. We took the safe@office that's behind the Cisco and hooked it up direct to another internet connection and the VPN works. But when hooked up behind the Cisco, it fails.

owaisberg Wed, 04/11/2007 - 11:53

Can you send me the config file from that Cisco router?



billfaith Fri, 04/13/2007 - 11:40

I have not gotten the config file yet but am told the OS version is 12.2(7b). Is there any limitation on this version for accomplishing what I need? The router is a little older.

billfaith Mon, 04/16/2007 - 11:24

I got my config file. Am I safe putting my config file on here with my IP addresses, or should I change the public ones?

billfaith Mon, 04/16/2007 - 12:37

Ok here it is.

clcinternet1#sho run
Building configuration...
Current configuration : 3213 bytes

! Last configuration change at 14:07:43 edt Fri Apr 6 2007 by NAVY

version 12.2
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption

hostname clcinternet1

logging buffered 4096 debugging
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa authentication ppp default local-case
aaa authorization exec default local
aaa authorization network default local

clock timezone est -5
clock summer-time edt recurring
ip subnet-zero

ip name-server
ip name-server

call rsvp-sync

interface FastEthernet0/0
 ip address
 ip nat inside
 duplex auto
 speed auto
 no cdp enable

interface Serial0/0
 description APK T1
 ip address
 ip nat outside
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable

ip local pool default
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static
ip nat inside source static
ip classless
ip route
ip route
no ip http server
ip pim bidir-enable

ip access-list extended WAN_IN
 permit tcp any host eq telnet
 permit tcp any host eq smtp
 permit tcp any host eq pop3
 permit tcp any host eq ftp
 permit tcp any host eq ftp-data
 permit tcp any host eq www
 permit tcp any host eq 8080
 permit esp any host
 permit udp any host eq 4500
 permit udp any host eq isakmp
 permit tcp any host eq www
 permit tcp any host eq 50
 permit tcp any host eq 51
 permit gre any host
 permit udp any host eq 2746
 permit tcp any host eq 264
 permit udp any host eq 259
 permit udp host eq ntp any
 permit tcp any host gt 1024
 permit udp any host gt 1024
 permit tcp any host gt 1024 established
 permit udp any host gt 1024
 permit tcp any eq 1723
 permit tcp any eq 1701
 permit tcp any eq 1723
 permit tcp any eq 5631
 permit tcp any eq 5632
 permit gre any
 permit gre any
 permit icmp any any
access-list 1 deny
access-list 1 deny
access-list 1 permit
access-list 1 permit
no cdp run
snmp-server engineID local xxx
snmp-server community xxx
snmp-server community xxx

dial-peer cor custom

line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4

ntp clock-period 17180607
ntp server


vlichina0605 Tue, 04/17/2007 - 02:31

Hi, maybe the Check Point VPN cannot support NAT traversal. So just remove NAT and test it.

billfaith Tue, 04/17/2007 - 05:19

Hi, thanks. The only thing I see in my Checkpoint VPN setup about NAT is a checkbox to "Bypass NAT". I have turned that option on and off with no success. I was reading about NAT transparency on Cisco's site and saw that it said passing IPsec VPN info isn't supported until version 12.2(13T), and I have 12.2(7B). I have no idea if this is my issue, but maybe?

vlichina0605 Wed, 04/18/2007 - 22:30

Hi Billfaith, you should make sure that the Checkpoint VPN is your VPN device, not the Cisco. Your Cisco 2610 router is just a connecting router with NAT before your VPN device. So if your VPN device supports NAT traversal, it can traverse your Cisco router (NAT device) and establish the IPsec session successfully. If it cannot support that, your network configuration will not work unless there is no NAT device between the two VPN devices.

billfaith Thu, 04/19/2007 - 11:03

My Checkpoint is my VPN device. I have a safe@office 500 and it says NAT traversal is supported and automatically used when needed. We have like 12 ports open on the 2620 but still no luck. I keep coming back to the UDP protocol 50 that's needed and talked about here

but nobody else seems to think that has anything to do with it.

owaisberg Thu, 04/19/2007 - 12:18

Can you post the output from the "show version" command from your Cisco router?



vlichina0605 Thu, 04/19/2007 - 23:26

First, enable NAT-T (NAT traversal) on both safe@office devices.

Second, remove all access lists and permit any on the Cisco router. Make sure you can access the internet behind the Cisco router.

Third, connect your VPN session and test.

If it doesn't work, I have no idea so far.

billfaith Tue, 04/24/2007 - 05:55

They tell me the Checkpoint will do NAT traversal automatically if it needs to.

glenthms Thu, 04/19/2007 - 15:31

Bill, had you tried to just allow all traffic in to the NAT IP of your internal FW? Does protocol ESP need to be there?

billfaith Tue, 04/24/2007 - 05:54

Here is the show version output. I believe we had an allow-all statement pointing to our Checkpoint FW. I will need to check. My helper disconnected the Checkpoint and is gone today, so I can't try the VPN connection.

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(7b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 05-Mar-02 07:30 by pwade
Image text-base: 0x80008088, data-base: 0x81071B70

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

clc uptime is 3 weeks, 5 days, 16 hours, 47 minutes
System returned to ROM by power-on
System restarted at 16:00:38 est Wed Mar 28 2007
System image file is "flash:c2600-is-mz.122-7b.bin"

cisco 2620 (MPC860) processor (revision 0x102) with 45056K/4096K bytes of memory
Processor board ID JAD042107TW (506410786)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

palukuri77 Tue, 04/24/2007 - 08:48

Hi Bill,

Please try to repeat the process by removing the ACL on the router. It should be like the router is used as a device for internet access, that's it, no control on it.

With this you can isolate the problem, whether it's from the router or not.

mohmmad.imran Tue, 04/24/2007 - 14:28

Hi All,

Please correct me if I mentioned something wrong, considering the Checkpoints as the VPN end points.

In your router configuration pasted above, it shows that you only defined the access-list but you are not applying it to any interface.

What I would suggest is to troubleshoot the issue in two steps:

1) Confirm your router is performing the NAT:

a) Remove the access-list

b) Ping the source and destination of the IPsec peer from both ends; if you are able to ping, that means the router is performing NAT without any problem.

c) If you are not able to ping the source and destination of the IPsec peer, then we need to check what exactly the router is doing when it gets the packet:

# debug ip nat

# perform a ping between the end points and paste the output so that everyone can have a look at it and suggest what the next step would be

2) Assuming the router performs NAT, then you should concentrate on your firewall.

I am not familiar with Checkpoint, but the IPsec terminology will be the same for all vendors:

a) First make sure you have the same ISAKMP policy for phase-I negotiation on both ends

b) Make sure you have the same transform-set on both ends

c) Most important: check that the crypto-protected address spaces on both end points are the same.

The protected address space must match on both VPN endpoints to establish the IPsec SA.
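Two of the points raised in this thread can be checked mechanically rather than by eye: whether a WAN-facing ACL actually passes IKE, NAT-T and ESP (ESP is IP protocol 50, not a TCP or UDP port, which is where the "protocol 50" confusion above comes from), and whether a named ACL such as WAN_IN is ever bound to an interface with ip access-group. The script below is an added example, not code from the thread, from Cisco or from Check Point; the sample config is constructed from the WAN_IN entries posted above, and the function names and the IPSEC_NEEDS table are my own.

```python
import re

# Constructed sample modelled on the WAN_IN entries of the config posted in the thread
# (addresses were redacted there, so the "host" keyword carries none here either).
SAMPLE_CONFIG = """\
ip access-list extended WAN_IN
 permit esp any host
 permit udp any host eq 4500
 permit udp any host eq isakmp
 permit tcp any host eq 50
 permit tcp any host eq 51
"""

# In front of an IPsec peer the WAN ACL must pass IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP proto 50).
IPSEC_NEEDS = {"isakmp": ("udp", {"500", "isakmp"}),
               "nat-t": ("udp", {"4500", "non500-isakmp"}),
               "esp": ("esp", set())}

def parse_named_acls(config):
    """Return {acl_name: [tokens of each permit/deny entry]} for the named ACLs in config."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            toks = line.split()
            if toks and toks[0] in ("permit", "deny"):
                acls[current].append(toks)
        else:
            current = None  # any other top-level line ends the ACL block
    return acls

def applied_acls(config):
    """ACL names actually bound to an interface via 'ip access-group NAME in|out'."""
    return set(re.findall(r"ip access-group (\S+) (?:in|out)", config))

def check_ipsec_passthrough(entries):
    """Which IPsec pieces the entries permit, and entries that write ESP/AH as a port."""
    found, suspicious = {name: False for name in IPSEC_NEEDS}, []
    for toks in (e for e in entries if e[0] == "permit"):
        proto = toks[1]
        port = toks[toks.index("eq") + 1] if "eq" in toks else None
        for name, (want_proto, want_ports) in IPSEC_NEEDS.items():
            if proto == want_proto and (not want_ports or port in want_ports):
                found[name] = True
        if proto in ("tcp", "udp") and port in ("50", "51"):
            suspicious.append(" ".join(toks))  # ESP is protocol 50, AH 51, not TCP ports
    return found, suspicious
```

Run against the real "show run" output, an ACL that permits everything needed but is reported as not applied matches what mohmmad.imran observed: the list exists but never filters anything, so the router's NAT, not the ACL, is the next thing to test.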


