Hello chaps, here's a quickie for you
We have been asked to set up a VPN connection from our PIX firewall here to a business partner's Check Point.
In our interesting traffic we specify our networks as the source address and their proxy server as the destination, port 8080.
We put their proxy server into IE and launch the connection.
The VPN comes up and IPsec SAs are established. We can access their web applications over the VPN successfully.
The only problem is we are getting lots of syslog entries which is causing 10% load on the firewall. (see attached doc)
From the syslog entries it looks like the crypto ACLs don't match; however, I have seen the Check Point config and it looks sound.
Is it unusual to make a VPN connection in this way, i.e. to an end host which is a proxy server? Obviously the peer is the outside of their firewall.