PIX to Checkpoint VPN issue

monkeyboy
Level 1

Hello chaps, here's a quickie for you

We have been asked to set up a vpn connection from our pix firewall here to a business partner's checkpoint.

In our interesting traffic we specify our networks as the source address and their proxy server as the destination, port 8080.

We put their proxy server into IE and launch the connection.

The VPN comes up and IPsec SAs are established. We can access their web applications over the VPN successfully.

The only problem is we are getting lots of syslog entries which is causing 10% load on the firewall. (see attached doc)

From the syslog entries it looks like the crypto ACLs don't match, however I have seen the Checkpoint config & it looks sound.

Is it unusual to make a VPN connection in this way, i.e. to an end host which is a proxy server? Obviously the peer is the outside of their firewall.

Any ideas?

Cheers

Mark

3 Replies

acomiskey
Level 10

Could you give us a little topology and a PIX config? I wouldn't specify ports in crypto ACLs.

access-list outside_cryptomap_80 permit ip 172.20.2.0 255.255.254.0 host 160.x.x.x

"Obviously the peer is the outside of their firewall."

I thought the peer for the pix was the firewall?

Basically it is pix to checkpoint with their web proxy behind the checkpoint.

See attached vpn config of pix:

Cheers

I would specify ip in your outside_cryptomap_80 ACL without the 8080 and see if the errors go away.

I don't know how you specify interesting traffic in the checkpoint but they would not match unless 8080 was configured as a source port.
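As an added illustration of the point above (not code from the thread or from either vendor): each side of an IPsec tunnel derives a phase-2 proxy identity from its crypto ACL or encryption domain, and phase 2 only completes when the two identities mirror each other. The checker below parses a PIX crypto ACL line and compares it against the peer's identity; the peer address 160.0.0.1 is a constructed stand-in for the thread's 160.x.x.x.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyId:
    """Phase-2 proxy identity: 0 means 'any' for proto and ports."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int
    sport: int
    dport: int

PROTO = {"ip": 0, "tcp": 6, "udp": 17}

def _net(toks, i):
    # PIX address spec: 'any', 'host A', or 'A MASK'
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}"), i + 2

def _port(toks, i):
    # optional 'eq PORT' after an address spec
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    return 0, i

def parse_pix_acl(line):
    """Parse 'access-list NAME permit PROTO SRC [eq P] DST [eq P]' into a ProxyId."""
    toks = line.split()
    i = toks.index("permit") + 1
    proto = PROTO[toks[i]]
    src, i = _net(toks, i + 1)
    sport, i = _port(toks, i)
    dst, i = _net(toks, i)
    dport, i = _port(toks, i)
    return ProxyId(src, dst, proto, sport, dport)

def peer_identity(src, dst, proto=0, sport=0, dport=0):
    """Build the remote side's identity from CIDR strings (constructed, not a vendor API)."""
    return ProxyId(ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst), proto, sport, dport)

def mirrors(local, remote):
    """True only when remote is the exact mirror image of local (addresses, proto, ports swapped)."""
    return (local.src == remote.dst and local.dst == remote.src and local.proto == remote.proto
            and local.sport == remote.dport and local.dport == remote.sport)

# Constructed peer identity as an address-only encryption domain would present it.
PEER = peer_identity("160.0.0.1/32", "172.20.2.0/23")
WITH_PORT = "access-list outside_cryptomap_80 permit tcp 172.20.2.0 255.255.254.0 host 160.0.0.1 eq 8080"
IP_ONLY = "access-list outside_cryptomap_80 permit ip 172.20.2.0 255.255.254.0 host 160.0.0.1"

def check(acl_line, peer=PEER):
    return mirrors(parse_pix_acl(acl_line), peer)
```

Running check() on the two ACL lines shows the port-qualified line failing the mirror test while the ip-only line passes, which is the mismatch the reply above describes.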
