PIX to Checkpoint VPN issue

Unanswered Question
May 17th, 2007

Hello chaps, here's a quickie for you


We have been asked to set up a vpn connection from our pix firewall here to a business partner's checkpoint.


In our interesting traffic we specify our networks as the source address and their proxy server, port 8080, as the destination.


We put their proxy server into IE and launch the connection.


The VPN comes up and IPsec SAs are established. We can access their web applications over the VPN successfully.


The only problem is that we are getting lots of syslog entries, which is causing 10% load on the firewall (see attached doc).


From the syslog entries it looks like the crypto ACLs don't match; however, I have seen the Checkpoint config and it looks sound.


Is it unusual to make a VPN connection in this way, i.e. to an end host which is a proxy server? Obviously the peer is the outside of their firewall.


Any ideas?


Cheers


Mark





acomiskey Thu, 05/17/2007 - 07:26

Could you give us a little topology and a PIX config? I wouldn't specify ports in crypto ACLs.


access-list outside_cryptomap_80 permit ip 172.20.2.0 255.255.254.0 host 160.x.x.x


"Obviously the peer is the outside of their firewall."


I thought the peer for the PIX was the firewall?

monkeyboy Thu, 05/17/2007 - 07:53

Basically it is PIX to Checkpoint with their web proxy behind the Checkpoint.


See attached VPN config of PIX:


Cheers



acomiskey Thu, 05/17/2007 - 07:59

I would specify ip in your outside_cryptomap_80 ACL without the 8080 and see if the errors go away.


I don't know how you specify interesting traffic in the Checkpoint, but they would not match unless 8080 was configured as a source port.
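The point made in the two answers above is that a Phase 2 identity has to be the exact mirror of the peer's: a PIX crypto ACL that names TCP port 8080 as the destination only matches a Checkpoint identity that carries 8080 as its source port, while a plain `ip` entry matches an encryption domain built from address objects alone. The script below is an added example written for this thread (not code from either poster or from Cisco); it parses PIX 6.x-style `access-list` lines into the identity the PIX would propose, mirrors the peer's identity, and reports field by field why the two do not line up. The proxy address 192.0.2.80 and the peer identity are constructed sample values standing in for the 160.x.x.x host the thread elides.

```python
"""Compare a PIX crypto ACL entry with the peer's Phase 2 proxy identity.

Added example for this thread, not code from the original posts.  It assumes
PIX 6.x ACL syntax and models a Checkpoint encryption-domain pair as the
(local selector, remote selector, protocol, ports) tuple that IKE Phase 2 carries.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = 0          # IKE Phase 2 identity: port 0 means "any port"


@dataclass(frozen=True)
class ProxyId:
    """One side's Phase 2 identity as it would be proposed to the peer."""
    local: ipaddress.IPv4Network    # traffic source, from this side's view
    remote: ipaddress.IPv4Network   # traffic destination, from this side's view
    proto: str                      # "ip" (any protocol), "tcp" or "udp"
    local_port: int                 # 0 = any
    remote_port: int                # 0 = any


def _net(tokens, i):
    """Consume one PIX address spec at tokens[i]: 'host A', 'any' or 'A MASK'."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; returns (port, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return ANY_PORT, i


def parse_pix_ace(line: str) -> ProxyId:
    """Turn 'access-list NAME permit PROTO SRC [eq P] DST [eq P]' into the
    identity the PIX proposes for that crypto ACL entry."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"not a permit ACE: {line!r}")
    proto = t[3]
    src, i = _net(t, 4)
    sport, i = _port(t, i)
    dst, i = _net(t, i)
    dport, i = _port(t, i)
    if proto == "ip" and (sport or dport):
        raise ValueError("ports are only meaningful with tcp/udp")
    return ProxyId(src, dst, proto, sport, dport)


def mirror(peer: ProxyId) -> ProxyId:
    """The identity our side must hold for the peer's identity to match exactly."""
    return ProxyId(peer.remote, peer.local, peer.proto,
                   peer.remote_port, peer.local_port)


def identities_mirror(ours: ProxyId, theirs: ProxyId) -> bool:
    """True when the two proposals are exact mirrors (the only case IKE accepts)."""
    return ours == mirror(theirs)


def explain_mismatch(ours: ProxyId, theirs: ProxyId) -> list:
    """Field-by-field reasons why 'ours' is not the mirror of 'theirs' (empty = match)."""
    want = mirror(theirs)
    reasons = []
    for field in ("local", "remote", "proto", "local_port", "remote_port"):
        have, need = getattr(ours, field), getattr(want, field)
        if have != need:
            reasons.append(f"{field}: we propose {have}, peer expects {need}")
    return reasons


# Constructed sample input.  192.0.2.80 (TEST-NET-1) stands in for the proxy
# address the thread elides as 160.x.x.x.
PIX_ACE_PORT = ("access-list outside_cryptomap_80 permit tcp "
                "172.20.2.0 255.255.254.0 host 192.0.2.80 eq 8080")
PIX_ACE_IP = ("access-list outside_cryptomap_80 permit ip "
              "172.20.2.0 255.255.254.0 host 192.0.2.80")
# Checkpoint side (assumed): encryption domains are plain address objects, no ports.
CHECKPOINT_ID = ProxyId(ipaddress.IPv4Network("192.0.2.80/32"),
                        ipaddress.IPv4Network("172.20.2.0/23"),
                        "ip", ANY_PORT, ANY_PORT)

if __name__ == "__main__":
    for ace in (PIX_ACE_PORT, PIX_ACE_IP):
        ours = parse_pix_ace(ace)
        print(ace)
        print("  mirrors peer:", identities_mirror(ours, CHECKPOINT_ID))
        for r in explain_mismatch(ours, CHECKPOINT_ID):
            print("   -", r)
    # What the Checkpoint would have to carry for the port-specific ACE to match:
    print("peer would need:", mirror(parse_pix_ace(PIX_ACE_PORT)))
```

Running it shows the port-specific entry failing on two fields (protocol tcp vs ip, remote port 8080 vs any) and the `ip` entry matching exactly; `mirror()` of the port-specific entry is an identity with 8080 as the local (source) port, which is precisely what the Checkpoint would have to be configured with for that ACL to stay.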
