05-17-2007 07:15 AM - edited 02-21-2020 03:03 PM
Hello chaps, here's a quickie for you
We have been asked to set up a vpn connection from our pix firewall here to a business partner's checkpoint.
In our interesting traffic we specify our networks as the source address and their proxy server as the destination port 8080.
We put their proxy server into IE and launch the connection.
The vpn comes up and ipsec sa's are established. We can access their web applications over the vpn successfully.
The only problem is we are getting lots of syslog entries which is causing 10% load on the firewall. (see attached doc)
From the syslog entries it looks like the crypto ACLs don't match; however, I have seen the Checkpoint config and it looks sound.
Is it unusual to make a VPN connection in this way, i.e. to an end host which is a proxy server? Obviously the peer is the outside of their firewall.
Any ideas?
Cheers
Mark
05-17-2007 07:26 AM
Could you give us a little topology and a PIX config? I wouldn't specify ports in crypto ACLs.
access-list outside_cryptomap_80 permit ip 172.20.2.0 255.255.254.0 host 160.x.x.x
"Obviously the peer is the outside of their firewall."
I thought the peer for the pix was the firewall?
05-17-2007 07:53 AM
05-17-2007 07:59 AM
I would specify ip in your outside_cryptomap_80 ACL without the 8080 and see if the errors go away.
I don't know how you specify interesting traffic in the Checkpoint, but they would not match unless 8080 was configured as a source port.
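The mirroring rule the last reply describes, as an added example that is not part of the thread: an IPsec peer's traffic selector must be the exact reverse of ours, so a destination port of 8080 in the PIX crypto ACL only matches if the Checkpoint side carries 8080 as a *source* port. The proxy address is a constructed placeholder, since the thread shows it only as 160.x.x.x.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional

@dataclass(frozen=True)
class CryptoAce:
    """One crypto-ACL entry: protocol, source prefix/port, destination prefix/port.
    A port of None means 'any port', which is what a 'permit ip' entry implies."""
    proto: str
    src: IPv4Network
    src_port: Optional[int]
    dst: IPv4Network
    dst_port: Optional[int]

    def mirror(self) -> "CryptoAce":
        # The peer's matching entry is this one with both ends swapped, so our
        # destination port (8080) has to appear as the peer's *source* port.
        return CryptoAce(self.proto, self.dst, self.dst_port, self.src, self.src_port)

def ace(proto: str, src: str, dst: str, src_port: Optional[int] = None,
        dst_port: Optional[int] = None) -> CryptoAce:
    """Build an entry from CIDR prefixes ('172.20.2.0/23' is 255.255.254.0)."""
    return CryptoAce(proto, ip_network(src), src_port, ip_network(dst), dst_port)

def selectors_agree(local: CryptoAce, remote: CryptoAce) -> bool:
    """True when the peer's entry is the exact mirror of ours; anything else
    shows up as a proxy-identity mismatch when phase 2 is negotiated."""
    return remote == local.mirror()

def mismatch_reason(local: CryptoAce, remote: CryptoAce) -> Optional[str]:
    """Name the fields where the peer's entry departs from the required mirror."""
    want = local.mirror()
    fields = ("proto", "src", "src_port", "dst", "dst_port")
    diffs = [f for f in fields if getattr(remote, f) != getattr(want, f)]
    return None if not diffs else "peer entry differs in " + ", ".join(diffs)

OUR_NETS = "172.20.2.0/23"
PARTNER_PROXY = "160.0.0.1/32"   # constructed placeholder for 160.x.x.x

# The ACL as the original poster built it: TCP to the proxy on port 8080.
pix_with_port = ace("tcp", OUR_NETS, PARTNER_PROXY, dst_port=8080)
# The entry the reply recommends: plain 'permit ip', no port.
pix_without_port = ace("ip", OUR_NETS, PARTNER_PROXY)
# What the partner side typically defines: plain IP between the two ends.
checkpoint_ip = ace("ip", PARTNER_PROXY, OUR_NETS)

def demo():
    return (selectors_agree(pix_with_port, checkpoint_ip),
            selectors_agree(pix_without_port, checkpoint_ip),
            mismatch_reason(pix_with_port, checkpoint_ip))
```

Running demo() shows the port-qualified ACL failing against a plain-IP peer entry (proto and source port differ) while the 'permit ip' entry mirrors cleanly.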