04-11-2007 05:50 AM - edited 03-03-2019 04:30 PM
I am not really familiar with networking so I may not have the correct terms here. I am trying to set up a VPN between 2 Checkpoint routers but can't make it work through a Cisco 2620. Location one has just a Checkpoint connected to the internet. Location 2 has a Checkpoint behind a Cisco 2620 connected to the internet. We opened all ports we thought we needed on the Cisco but can't make it work. Something keeps getting blocked and the VPN never connects. Can I make this work with the Cisco or am I out of luck?
04-11-2007 10:16 AM
My understanding of your setup is:
If yes, first make sure you have reachability
from FW1 to FW2. If there is, create a VPN
site-to-site connection on both firewalls
and watch SmartView Tracker to see why the tunnel is
failing to establish.
HTH,
OW
04-11-2007 11:49 AM
Close, it's like this with only one Cisco.
These are Checkpoint Safe@Office appliances so they don't have advanced logging capabilities. The Checkpoint behind the Cisco can get out to the internet. When trying to establish a VPN from Safe@Office to Safe@Office it fails. We took the Safe@Office that's behind the Cisco and hooked it up directly to another internet connection and the VPN works. But when hooked up behind the Cisco, it fails.
04-11-2007 11:53 AM
Can you send me config file from that
Cisco router ?
Thx,
OW
04-11-2007 12:32 PM
I will see if I can get it. Thanks.
04-13-2007 11:40 AM
Hello
I have not gotten the config file yet but am told the OS version is 12.2(7b). Is there any limitation on this version for accomplishing what I need? The router is a little older.
04-16-2007 11:24 AM
I got my config file. Am I safe putting my config file on here with my IP addresses or should I change the public ones?
04-16-2007 12:37 PM
Ok here it is.
clcinternet1#sho run
Building configuration...
Current configuration : 3213 bytes
!
! Last configuration change at 14:07:43 edt Fri Apr 6 2007 by NAVY
!
version 12.2
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname clcinternet1
!
logging buffered 4096 debugging
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa authentication ppp default local-case
aaa authorization exec default local
aaa authorization network default local
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
!
ip name-server 207.54.159.4
ip name-server 207.54.159.2
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.0.0
ip nat inside
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
description APK T1
ip address 207.54.1.1 255.255.255.252
ip nat outside
no ip mroute-cache
no fair-queue
service-module t1 timeslots 1-24
no cdp enable
!
ip local pool default 172.16.0.240 172.16.0.249
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 172.16.0.3 207.54.1.3
ip nat inside source static 172.16.0.4 207.54.1.41
ip classless
ip route 0.0.0.0 0.0.0.0 207.54.170.22
ip route 192.168.1.0 255.255.255.0 172.16.0.3
no ip http server
ip pim bidir-enable
!
!
ip access-list extended WAN_IN
permit tcp any host 207.54.1.1 eq telnet
permit tcp any host 207.54.1.3 eq smtp
permit tcp any host 207.54.1.3 eq pop3
permit tcp any host 207.54.1.3 eq ftp
permit tcp any host 207.54.1.3 eq ftp-data
permit tcp any host 207.54.1.3 eq www
permit tcp any host 207.54.1.3 eq 8080
permit esp any host 207.54.1.4
permit udp any host 207.54.1.4 eq 4500
permit udp any host 207.54.1.4 eq isakmp
permit tcp any host 207.54.1.4 eq www
permit tcp any host 207.54.1.4 eq 50
permit tcp any host 207.54.1.4 eq 51
permit gre any host 207.54.1.4
permit udp any host 207.54.1.4 eq 2746
permit tcp any host 207.54.1.4 eq 264
permit udp any host 207.54.1.4 eq 259
permit udp host 18.26.1.1 eq ntp any
permit tcp any host 207.54.1.3 gt 1024
permit udp any host 207.54.1.3 gt 1024
permit tcp any host 207.54.1.1 gt 1024 established
permit udp any host 207.54.1.1 gt 1024
permit tcp any 207.54.1.2 0.0.0.3 eq 1723
permit tcp any 207.54.1.2 0.0.0.7 eq 1701
permit tcp any 207.54.1.2 0.0.0.7 eq 1723
permit tcp any 207.54.1.2 0.0.0.7 eq 5631
permit tcp any 207.54.1.2 0.0.0.7 eq 5632
permit gre any 207.54.1.3 0.0.0.3
permit gre any 207.54.1.2 0.0.0.7
permit icmp any any
access-list 1 deny 172.16.0.4
access-list 1 deny 172.16.0.3
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
snmp-server engineID local xxx
snmp-server community xxx
snmp-server community xxx
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
ntp clock-period 17180607
ntp server 18.26.4.105
end
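A small audit script, added here as an illustration and not part of the thread or any vendor tool, that cross-checks the posted config: it compares the public addresses in the `ip nat inside source static` lines against the hosts named in the WAN_IN access list, flags `permit tcp ... eq 50`/`eq 51` (ESP and AH are IP protocols 50 and 51, not TCP ports), and reports whether WAN_IN is ever applied with `ip access-group`. The embedded config excerpt is trimmed from the post above; the regexes and the `audit` function are assumptions of this example.

```python
import re

# Constructed excerpt of the running-config posted above (only the lines
# relevant to the VPN appliance 172.16.0.4 are kept; values from the post).
CONFIG = """\
interface Serial0/0
 ip address 207.54.1.1 255.255.255.252
 ip nat outside
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 172.16.0.3 207.54.1.3
ip nat inside source static 172.16.0.4 207.54.1.41
ip access-list extended WAN_IN
 permit esp any host 207.54.1.4
 permit udp any host 207.54.1.4 eq 4500
 permit udp any host 207.54.1.4 eq isakmp
 permit tcp any host 207.54.1.4 eq 50
 permit tcp any host 207.54.1.4 eq 51
"""

STATIC_RE = re.compile(r"^\s*ip nat inside source static (\S+) (\S+)")
ACL_RE = re.compile(r"^\s*permit (\S+) any host (\S+)(?: eq (\S+))?")
APPLY_RE = re.compile(r"^\s*ip access-group WAN_IN in")

def audit(config: str) -> list[str]:
    """Cross-check static NAT targets against the inbound ACL and flag
    entries that cannot match IPsec traffic. Returns a list of findings."""
    findings = []
    public_to_inside = {}   # public address -> inside address
    acl_hosts = set()
    acl_applied = False
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            public_to_inside[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            proto, host, port = m.groups()
            acl_hosts.add(host)
            # ESP (50) and AH (51) are IP protocol numbers, not TCP ports,
            # so these lines never match anything an IPsec peer sends.
            if proto == "tcp" and port in ("50", "51"):
                findings.append(f"{host}: 'permit tcp ... eq {port}' never matches ESP/AH")
        elif APPLY_RE.match(line):
            acl_applied = True
    # An ACL host that no static NAT publishes is a likely typo (.4 vs .41).
    for host in sorted(acl_hosts - set(public_to_inside)):
        findings.append(f"{host}: permitted in WAN_IN but not a static NAT address")
    if not acl_applied:
        findings.append("WAN_IN is defined but never applied to Serial0/0")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Run against the excerpt, it reports the two TCP 50/51 lines, the mismatch between 207.54.1.4 in the ACL and 207.54.1.41 in the static NAT, and the unapplied ACL.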
04-17-2007 02:31 AM
Hi, maybe the Checkpoint VPN cannot support NAT traversal. So just remove NAT and test it.
04-17-2007 05:19 AM
Hi, thanks. The only thing I see in my Checkpoint VPN setup about NAT is a checkbox to "Bypass NAT". I have turned that option on and off with no success. I was reading about NAT transparency on Cisco's site and saw that it said passing IPsec VPN info isn't supported until version 12.2(13T) and I have 12.2(7B). I have no idea if this is my issue but maybe?
04-18-2007 05:57 AM
Anyone? Is what I want to do even possible?
04-18-2007 10:30 PM
Hi Billfaith, you should make sure that the Checkpoint VPN is your VPN device, not the Cisco. Your Cisco 2610 router is just a connecting router with NAT before your VPN device. So if your VPN device supports NAT traversal, it can traverse your Cisco router (NAT device) and establish the IPsec session successfully. If it cannot support that, your network configuration will not work unless there is no NAT device between the two VPN devices.
04-19-2007 11:03 AM
Thanks
My Checkpoint is my VPN device. I have a Safe@Office 500 and it says NAT traversal is supported and automatically used when needed. We have like 12 ports open on the 2620 but still no luck. I keep coming back to the UDP protocol 50 that's needed and talked about here
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftipsnat.htm
but nobody else seems to think that has anything to do with it.
04-19-2007 12:18 PM
Can you post output from "show version"
command from your cisco router ?
Thanks,
OW
04-19-2007 11:26 PM
First, enable NAT-T (NAT traversal) on both Safe@Office devices.
Second, remove all access lists and permit any on the Cisco router. Make sure you can access the internet behind the Cisco router.
Third, connect your VPN session and test.
If it doesn't work OK, I have no idea so far.