need help with vpn issue

billfaith
Level 1

I am not real familiar with networking so I may not have the correct terms here. I am trying to set up a VPN between 2 Checkpoint routers but can't make it work through a Cisco 2620. Location one has just a Checkpoint connected to the internet. Location 2 has a Checkpoint behind a Cisco 2620 connected to the internet. We opened all ports we thought we needed on the Cisco but can't make it work. Something keeps getting blocked and the VPN never connects. Can I make this work with the Cisco or am I out of luck?

19 Replies

owaisberg
Level 1

My understanding of your setup is:

---(Internet)---

If yes, first make sure you have reachability from FW1 to FW2. If there is one, create a VPN site-to-site connection on both firewalls and watch SmartView Tracker on why the tunnel is failing to establish.

HTH,

OW

Close, it's like this with only one Cisco.

---(Internet)--

These are Checkpoint Safe@Office appliances so they don't have advanced logging capabilities. The Checkpoint behind the Cisco can get out to the internet. When trying to establish a VPN from Safe@Office to Safe@Office it fails. We took the Safe@Office that's behind the Cisco and hooked it up direct to another internet connection and the VPN works. But when hooked up behind the Cisco, it fails.

Can you send me the config file from that Cisco router?

Thx,

OW

I will see if I can get it. Thanks.

Hello

I have not gotten the config file yet but am told the OS version is 12.2(7b). Is there any limitation on this version for accomplishing what I need? The router is a little older.

I got my config file. Am I safe putting my config file on here with my IP addresses or should I change the public ones?

Ok here it is.

clcinternet1#sho run
Building configuration...

Current configuration : 3213 bytes
!
! Last configuration change at 14:07:43 edt Fri Apr 6 2007 by NAVY
!
version 12.2
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname clcinternet1
!
logging buffered 4096 debugging
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa authentication ppp default local-case
aaa authorization exec default local
aaa authorization network default local
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
!
ip name-server 207.54.159.4
ip name-server 207.54.159.2
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 description APK T1
 ip address 207.54.1.1 255.255.255.252
 ip nat outside
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable
!
ip local pool default 172.16.0.240 172.16.0.249
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 172.16.0.3 207.54.1.3
ip nat inside source static 172.16.0.4 207.54.1.41
ip classless
ip route 0.0.0.0 0.0.0.0 207.54.170.22
ip route 192.168.1.0 255.255.255.0 172.16.0.3
no ip http server
ip pim bidir-enable
!
!
ip access-list extended WAN_IN
 permit tcp any host 207.54.1.1 eq telnet
 permit tcp any host 207.54.1.3 eq smtp
 permit tcp any host 207.54.1.3 eq pop3
 permit tcp any host 207.54.1.3 eq ftp
 permit tcp any host 207.54.1.3 eq ftp-data
 permit tcp any host 207.54.1.3 eq www
 permit tcp any host 207.54.1.3 eq 8080
 permit esp any host 207.54.1.4
 permit udp any host 207.54.1.4 eq 4500
 permit udp any host 207.54.1.4 eq isakmp
 permit tcp any host 207.54.1.4 eq www
 permit tcp any host 207.54.1.4 eq 50
 permit tcp any host 207.54.1.4 eq 51
 permit gre any host 207.54.1.4
 permit udp any host 207.54.1.4 eq 2746
 permit tcp any host 207.54.1.4 eq 264
 permit udp any host 207.54.1.4 eq 259
 permit udp host 18.26.1.1 eq ntp any
 permit tcp any host 207.54.1.3 gt 1024
 permit udp any host 207.54.1.3 gt 1024
 permit tcp any host 207.54.1.1 gt 1024 established
 permit udp any host 207.54.1.1 gt 1024
 permit tcp any 207.54.1.2 0.0.0.3 eq 1723
 permit tcp any 207.54.1.2 0.0.0.7 eq 1701
 permit tcp any 207.54.1.2 0.0.0.7 eq 1723
 permit tcp any 207.54.1.2 0.0.0.7 eq 5631
 permit tcp any 207.54.1.2 0.0.0.7 eq 5632
 permit gre any 207.54.1.3 0.0.0.3
 permit gre any 207.54.1.2 0.0.0.7
 permit icmp any any
access-list 1 deny 172.16.0.4
access-list 1 deny 172.16.0.3
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
snmp-server engineID local xxx
snmp-server community xxx
snmp-server community xxx
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
ntp clock-period 17180607
ntp server 18.26.4.105
end
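A small audit script, added here as an example and not part of anyone's post, that reads the NAT and ACL statements from a config like the one above and answers the questions a reviewer would ask of it: are the three inbound flows an IKEv1/IPsec peer behind NAT needs (UDP 500 ISAKMP, UDP 4500 NAT-T, IP protocol 50 ESP) permitted to the VPN gateway's public address, were ESP/AH written as TCP ports (`permit tcp ... eq 50` matches TCP port 50, not IP protocol 50), does that public address actually appear as the outside address of a static NAT on this router, and is the named ACL bound to any interface with `ip access-group`. The embedded sample is a trimmed copy of the posted configuration (NAT, ACL and Serial0/0 lines only); the function and variable names are the example's own.

```python
"""Audit a Cisco IOS NAT/ACL config for the inbound flows that an IPsec
site-to-site tunnel with NAT traversal needs at a VPN gateway behind NAT."""
import re

# Sample input: the NAT, ACL and WAN interface lines of the router config
# posted in the thread, trimmed to the entries relevant to the VPN host.
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 207.54.1.1 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 172.16.0.3 207.54.1.3
ip nat inside source static 172.16.0.4 207.54.1.41
!
ip access-list extended WAN_IN
 permit esp any host 207.54.1.4
 permit udp any host 207.54.1.4 eq 4500
 permit udp any host 207.54.1.4 eq isakmp
 permit tcp any host 207.54.1.4 eq 50
 permit tcp any host 207.54.1.4 eq 51
 permit udp any host 207.54.1.4 eq 2746
"""

# Inbound flows an IKEv1/IPsec peer behind NAT needs at its public address.
# ESP is IP protocol 50 (its own ACL protocol keyword), not a TCP/UDP port.
REQUIRED_FLOWS = {
    "isakmp": ("udp", {"500", "isakmp"}),
    "nat-t": ("udp", {"4500", "non500-isakmp"}),
    "esp": ("esp", None),
}

ACE_RE = re.compile(
    r"^\s*permit\s+(?P<proto>\S+)\s+any\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$")
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static\s+(?P<inside>\S+)\s+(?P<outside>\S+)\s*$")
ACCESS_GROUP_RE = re.compile(r"^\s*ip access-group\s+(?P<name>\S+)\s+in\s*$")


def parse_aces(config):
    """Return (protocol, destination host, port-or-None) for each
    'permit <proto> any host <dst> [eq <port>]' entry in the config."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((m["proto"], m["dst"], m["port"]))
    return aces


def audit_vpn_host(config, vpn_public_ip):
    """Report missing IPsec flows, ESP/AH written as TCP/UDP ports, and
    whether vpn_public_ip is a static NAT outside address on this router."""
    aces = parse_aces(config)
    report = {"missing": [], "protocol_as_port": [], "static_nat": False}
    for name, (proto, ports) in REQUIRED_FLOWS.items():
        permitted = any(
            a_proto == proto and a_dst == vpn_public_ip
            and (ports is None or a_port in ports)
            for a_proto, a_dst, a_port in aces)
        if not permitted:
            report["missing"].append(name)
    # 'permit tcp ... eq 50/51' opens TCP ports 50/51; it does not permit
    # IP protocol 50 (ESP) or 51 (AH). Flag it so it is not mistaken for ESP.
    for a_proto, a_dst, a_port in aces:
        if a_dst == vpn_public_ip and a_proto in ("tcp", "udp") \
                and a_port in ("50", "51"):
            report["protocol_as_port"].append(f"{a_proto}/{a_port}")
    # An ACL permitting traffic to an address no static NAT translates
    # never reaches the inside host, so check the two agree.
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line)
        if m and m["outside"] == vpn_public_ip:
            report["static_nat"] = True
    return report


def acl_is_applied(config, acl_name):
    """True if the named ACL is bound inbound on some interface."""
    return any(m is not None and m["name"] == acl_name
               for m in map(ACCESS_GROUP_RE.match, config.splitlines()))


if __name__ == "__main__":
    for ip in ("207.54.1.4", "207.54.1.41"):
        print(ip, audit_vpn_host(SAMPLE_CONFIG, ip))
    print("WAN_IN applied:", acl_is_applied(SAMPLE_CONFIG, "WAN_IN"))
```

Run against the posted lines, the audit finds all three IPsec flows permitted to 207.54.1.4, flags `tcp/50` and `tcp/51` as port entries rather than ESP/AH, reports that 207.54.1.4 is not a static NAT outside address (the inside host 172.16.0.4 is translated to 207.54.1.41, which in turn has no IPsec entries), and finds no `ip access-group WAN_IN in` on any interface, so the ACL as posted is not filtering at all. Each of those is a question to settle on the real router before concluding that the IOS release is the blocker.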

Hi, maybe the Checkpoint VPN cannot support NAT traversal. So just remove NAT and test it.

Hi, thanks. The only thing I see in my Checkpoint VPN setup about NAT is a checkbox to "Bypass NAT". I have turned that option on and off with no success. I was reading about NAT transparency on Cisco's site and saw that it said passing IPsec VPN info isn't supported until version 12.2(13T) and I have 12.2(7B). I have no idea if this is my issue but maybe?

Anyone? Is what I want to do even possible?

Hi billfaith, you should make sure that the Checkpoint VPN is your VPN device, not the Cisco. Your Cisco 2610 router is just a connecting router with NAT in front of your VPN device. So if your VPN device supports NAT traversal, it can traverse your Cisco router (NAT device) and establish the IPsec session successfully. If it cannot support that, your network configuration will not work unless there is no NAT device between the two VPN devices.

Thanks

My Checkpoint is my VPN device. I have a Safe@Office 500 and it says NAT traversal is supported and automatically used when needed. We have like 12 ports open on the 2620 but still no luck. I keep coming back to the UDP protocol 50 that's needed and talked about here

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm

but nobody else seems to think that has anything to do with it.

Can you post the output from the "show version" command from your Cisco router?

Thanks,

OW

First, enable NAT-T (NAT traversal) on both Safe@Office devices.

Second, remove all access lists and permit any on the Cisco router. Make sure you can access the internet from behind the Cisco router.

Third, connect your VPN session and test.

If it isn't OK, I have no idea so far.
